book

Application Security for the Android Platform

by Jeff Six

December 2011

Intermediate to advanced

110 pages

3h 45m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Organization of the BookConventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgments
Application Security: Why You Should CareThe Current State of Mobile Application Security on AndroidSecurity: Risk = Vulnerability + Threat + ConsequencesEvolution of Information Security: Why Applications Matter the MostYour Role: Protect the DataSecure Software Development TechniquesUnique Characteristics of AndroidMoving On
Introduction to the Android ArchitectureThe Linux Security ModelThe Resulting Android Security ModelApplication Signing, Attribution, and AttestationProcess DesignAndroid Filesystem IsolationAndroid Preferences and Database IsolationMoving up the Layers to System API and Component Permissions
Android Permission BasicsUsing Restricted System APIs and the User ExperienceCustom Permissions
The Types of Android ComponentsIntercomponent Signaling Using IntentsPublic and Private ComponentsImposing Restrictions on Access to ComponentsSecuring ActivitiesSecuring ServicesSecuring Content ProvidersSecuring Broadcast IntentsPutting It All Together: Securing Communications in a Multi-Tier App
The Threats and Vulnerabilities Against Stored DataVulnerabilities of Stored DataThreats to, and Mitigations for, Stored DataProtection PrinciplesCryptography Primer: EncryptionSymmetric EncryptionAsymmetric Key EncryptionCryptography Primer: HashingCryptographic PracticalitiesComputational InfeasibilityAlgorithm Choice and Key SizeCipher Operation Modes, Initialization Vectors, and SaltPublic Keys and Their ManagementKey Derivation and ManagementMotivationKey DerivationEncryption Without User-Supplied Key DerivationPractical Cryptography: Applying a Technique Against a Threat
Confidentiality and AuthenticationSSL/TLS: The Industry StandardAuthentication of the EntitiesEncryption of DataProtecting Data En Route to Public ServicesIntroducing the Android SSL/TLS EnvironmentServer VerificationHandling SSL/TLS Connection ErrorsProtecting Data En Route to Private ServicesUsing Only Specific Certificates for SSL/TLSOne Step Further: Using Client-Side Authentication SSL/TLSThreats Against Devices Using Data in TransitInput Validation: The Central Tenant of Application SecurityReject-Known-BadAccept-Known-GoodWrapping It Up: Input ValidationPreventing Command Injection
Key ThemesIt’s All About RiskThe Principle of Least PrivilegeUse the Permissions SystemAndroid Is an Open ArchitectureGet the Cryptography RightNever Trust User InputWrapping It Up

Overview

With the Android platform fast becoming a target of malicious hackers, application security is crucial. This concise book provides the knowledge you need to design and implement robust, rugged, and secure apps for any Android device. You’ll learn how to identify and manage the risks inherent in your design, and work to minimize a hacker’s opportunity to compromise your app and steal user data.

How is the Android platform structured to handle security? What services and tools are available to help you protect data? Up until now, no single resource has provided this vital information. With this guide, you’ll learn how to address real threats to your app, whether or not you have previous experience with security issues.

Examine Android’s architecture and security model, and how it isolates the filesystem and database
Learn how to use Android permissions and restricted system APIs
Explore Android component types, and learn how to secure communications in a multi-tier app
Use cryptographic tools to protect data stored on an Android device
Secure the data transmitted from the device to other parties, including the servers that interact with your app