Android Application Security Essentials
Table of Contents
Android Application Security Essentials
Credits
Foreword
About the Author
About the Reviewer
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. The Android Security Model – the Big Picture
Installing with care
Android platform architecture
Linux kernel
Middleware
Dalvik virtual machine
Application layer
Android application structure
Application signing
Data storage on the device
Crypto APIs
Device Administration
Summary
2. Application Building Blocks
Application components
Activity
Activity declaration
Saving the Activity state
Saving user data
Service
Service declaration
Service modes
Lifecycle management
Binder
Content Provider
Provider declaration
Other security consideration
Broadcast Receiver
Receiver declaration
Secure sending and receiving broadcasts
Local broadcasts
Intents
Explicit Intents
Implicit Intent
Intent Filter
Pending Intent
Summary
3. Permissions
Permission protection levels
Application level permissions
Component level permissions
Activity
Service
Content Provider
Broadcast receiver
Extending Android permissions
Adding a new permission
Creating a permission group
Creating a permission tree
Summary
4. Defining the Application's Policy File
The AndroidManifest.xml file
Application policy use cases
Declaring application permissions
Declaring permissions for external applications
Applications running with the same Linux ID
External storage
Setting component visibility
Debugging
Backup
Putting it all together
Example checklist
Application level
Component level
Summary
5. Respect Your Users
Principles of data security
Confidentiality
Integrity
Availability
Identifying assets, threats, and attacks
What and where to store
End-to-end security
The mobile ecosystem
Three states of data
Digital rights management
Summary
6. Your Tools – Crypto APIs
Terminology
Security providers
Random number generation
Hashing functions
Public key cryptography
RSA
Key generation
Encryption
Decryption
Padding
The Diffie-Hellman algorithm
Symmetric key cryptography
Stream cipher
Block cipher
Block cipher modes
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback Chaining (CFB)
Output Feedback Mode (OFB)
Advanced Encryption Standard (AES)
Message Authentication Codes
Summary
7. Securing Application Data
Data storage decisions
Privacy
Data retention
Implementation decisions
User preferences
Shared preferences
Creating a preference file
Writing preference
Reading preference
Preference Activity
File
Creating a file
Writing to a file
Reading from a file
File operations on an external storage
Cache
Database
Account manager
SSL/TLS
Installing an application on an external storage
Summary
8. Android in the Enterprise
The basics
Understanding the Android ecosystem
Device administration capabilities
Device administration API
Policies
DeviceAdminReceiver
Protecting data on a device
Encryption
Backup
Secure connection
Identity
Next steps
Device specific decisions
Knowing your community
Defining boundaries
Android compatibility program
Rolling out support
Policy and compliance
FINRA
Android Update Alliance
Summary
9. Testing for Security
Testing overview
Security testing basics
Security tenets
Security testing categories
Application review
Manual testing
Dynamic testing
Sample test case scenarios
Testing on the server
Testing the network
Securing data in transit
Secure storage
Validating before acting
The principle of least privilege
Managing liability
Cleaning up
Usability versus security
Authentication scheme
Thinking like a hacker
Integrating with caution
Security testing the resources
OWASP
Android utilities
Android Debug Bridge
Setting up the device
SQLite3
Dalvik Debug Monitor Service
BusyBox
Decompile APK
Summary
10. Looking into the Future
Mobile commerce
Product discovery using a mobile device
Mobile payments
Configurations
PCI Standard
Point of Sale
Proximity technologies
Social networking
Healthcare
Authentication
Two-factor authentication
Biometrics
Advances in hardware
Hardware security module
TrustZone
Mobile trusted module
Application architecture
Summary
Index
Android Application Security Essentials
Copyright © 2013 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: August 2013
Production Reference: 1140813
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-84951-560-3
www.packtpub.com
Author
Pragati Ogal Rai
Reviewer
Alessandro Parisi
Acquisition Editor
Martin Bell
Lead Technical Editor
Madhuja Chaudhari
Technical Editors
Sampreshita Maheshwari
Larissa Pinto
Project Coordinator
Hardik Patel
Proofreader
Maria Gould
Indexer
Priya Subramani
Graphics
Abhinash Sahu
Ronak Druv
Production Coordinator
Prachali Bhiwandkar
Cover Work
Prachali Bhiwandkar
When I first began working at GO Corporation in the early 1990s, the state of the art in mobile computing was an 8-lb, clipboard sized device with minimal battery life and an optional 9600 baud modem. But the vision that drove that device could just as easily be applied to the newest Android and iOS devices released this year: the desire for an integrated, task-centric computing platform with seamless connectivity. Back then, we thought that the height of that vision would be the ability to "send someone a fax from the beach." By the time I helped AOL...