Android Application Security Essentials

Table of Contents Preface 1 Chapter 1: The Android Security Model – the Big Picture 7 Installing with care 7 Android platform architecture 9 Linux kernel 9 Middleware 11 Dalvik virtual machine 11 Application layer 11 Android application structure 12 Application signing 15 Data storage on the device 15 Crypto APIs 16 Device Administration 17 Summary 17 Chapter 2: Application Building Blocks 19 Application components 19 Activity 20 Activity declaration 20 Saving the Activity state 21 Saving user data 23 Service 23 Service declaration 24 Service modes 25 Lifecycle management 26 Binder 28 Content Provider 29 Provider declaration 30 Other security consideration 33 Table of Contents [ii ] Broadcast Receiver 34 Receiver declaration 35 Secure sending and receiving broadcasts 36 Local broadcasts 37 Intents 38 Explicit Intents 40 Implicit Intent 41 Intent Filter 42 Pending Intent 42 Summary 43 Chapter 3: Permissions 45 Permission protection levels 45 Application level permissions 53 Component level permissions 54 Activity 54 Service 54 Content Provider 55 Broadcast Receiver 56 Extending Android permissions 57 Adding a new permission 57 Creating a permission group 58 Creating a permission tree 59 Summary 60 Chapter 4: Defining the Application's Policy File 61 The AndroidManifest.xml file 61 Application policy use cases 66 Declaring application permissions 66 Declaring permissions for external applications 67 Applications running with the same Linux ID 68 External storage 70 Setting component visibility 72 Debugging 73 Backup 74 Putting it all together 74 Example checklist 75 Application level 76 Component level 77 Summary 78 Table of Contents [iii ] Chapter 5: Respect Your Users 79 Principles of data security 80 Confidentiality 80 Integrity 81 Availability 81 Identifying assets, threats, and attacks 81 What and where to store 86 End-to-end security 87 The mobile ecosystem 88 Three states of data 90 Digital rights management 92 Summary 95 Chapter 6: Your Tools – Crypto APIs 97 Terminology 98 Security providers 99 Random number generation 100 Hashing functions 101 Public key cryptography 103 RSA 104 Key generation 105 Encryption 105 Decryption 106 Padding 106 The Diffie-Hellman algorithm 106 Symmetric key cryptography 108 Stream cipher 109 Block cipher 110 Block cipher modes 111 Electronic Code Book (ECB) 111 Cipher Block Chaining (CBC) 112 Cipher Feedback Chaining (CFB) 113 Output Feedback Mode (OFB) 114 Advanced Encryption Standard (AES) 115 Message Authentication Codes 116 Summary 117 Chapter 7: Securing Application Data 119 Data storage decisions 120 Privacy 120 Data retention 121 Implementation decisions 121 Table of Contents [iv ] User preferences 123 Shared preferences 123 Creating a preference file 123 Writing preference 124 Reading preference 124 Preference Activity 125 File 125 Creating a file 126 Writing to a file 126 Reading from a file 126 File operations on an external storage 127 Cache 128 Database 129 Account manager 131 SSL/TLS 132 Installing an application on an external storage 133 Summary 136 Chapter 8: Android in the Enterprise 137 The basics 138 Understanding the Android ecosystem 138 Device administration capabilities 139 Device administration API 140 Policies 141 DeviceAdminReceiver 142 Protecting data on a device 145 Encryption 146 Backup 147 Secure connection 147 Identity 148 Next steps 149 Device specific decisions 149 Knowing your community 151 Defining boundaries 151 Android compatibility program 151 Rolling out support 152 Policy and compliance 153 FINRA 153 Android Update Alliance 154 Summary 154 Table of Contents [v ] Chapter 9: Testing for Security 155 Testing overview 156 Security testing basics 158 Security tenets 158 Security testing categories 160 Application review 160 Manual testing 161 Dynamic testing 161 Sample test case scenarios 161 Testing on the server 161 Testing the network 162 Securing data in transit 162 Secure storage 162 Validating before acting 162 The principle of least privilege 163 Managing liability 163 Cleaning up 164 Usability versus security 164 Authentication scheme 164 Thinking like a hacker 164 Integrating with caution 164 Security testing the resources 165 OWASP 165 Android utilities 165 Android Debug Bridge 165 Setting up the device 166 SQlite3 166 Dalvik Debug Monitor Service 167 BusyBox 167 Decompile APK 168 Summary 169 Chapter 10: Looking into the Future 171 Mobile commerce 172 Product discovery using a mobile device 172 Mobile payments 173 Configurations 173 PCI Standard 175 Point of Sale 176 Proximity technologies 178 Social networking 178 Table of Contents [vi ] Healthcare 180 Authentication 180 Two-factor authentication 180 Biometrics 181 Advances in hardware 182 Hardware security module 183 TrustZone 184 Mobile trusted module 185 Application architecture 185 Summary 186 Index 187