Android Application Security Essentials

Book Description

Security has been a bit of a hot topic with Android, so this guide is a timely way to ensure your apps are safe. It includes everything from the Android security architecture to safeguarding mobile payments.

  • Understand Android security from kernel to the application layer

  • Protect components using permissions

  • Safeguard user and corporate data from prying eyes

  • Understand the security implications of mobile payments, NFC, and more

In Detail

    In today's techno-savvy world, more and more parts of our lives are going digital, and all this information is accessible anytime and anywhere using mobile devices. It is of the utmost importance that you understand and implement security in your apps to reduce the likelihood of hazards that would wreck your users' experience.

    "Android Application Security Essentials" takes a deep look into Android security from kernel to the application level, with practical hands-on examples, illustrations, and everyday use cases. This book will show you how to overcome the challenge of getting the security of your applications right.

    "Android Application Security Essentials" will show you how to secure your Android applications and data. It will equip you with tricks and tips that will come in handy as you develop your applications.

    We will start by learning the overall security architecture of the Android stack. Securing components with permissions, defining security in a manifest file, cryptographic algorithms and protocols on the Android stack, secure storage, security-focused testing, and protecting enterprise data on your device are then discussed in detail. You will also learn how to be security-aware when integrating newer technologies like NFC and mobile payments into your Android applications.

    By the end of this book, you will understand Android security from the system level all the way down to the nitty-gritty details of securing your Android applications.

    Table of Contents

    1. Android Application Security Essentials
      1. Table of Contents
      2. Android Application Security Essentials
      3. Credits
      4. Foreword
      5. About the Author
      6. About the Reviewer
      7. www.PacktPub.com
        1. Support files, eBooks, discount offers and more
          1. Why Subscribe?
        2. Free Access for Packt account holders
      8. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Errata
          2. Piracy
          3. Questions
      9. 1. The Android Security Model – the Big Picture
        1. Installing with care
        2. Android platform architecture
          1. Linux kernel
          2. Middleware
            1. Dalvik virtual machine
          3. Application layer
            1. Android application structure
        3. Application signing
        4. Data storage on the device
        5. Crypto APIs
        6. Device Administration
        7. Summary
      10. 2. Application Building Blocks
        1. Application components
          1. Activity
            1. Activity declaration
            2. Saving the Activity state
            3. Saving user data
          2. Service
            1. Service declaration
            2. Service modes
            3. Lifecycle management
            4. Binder
          3. Content Provider
            1. Provider declaration
            2. Other security consideration
          4. Broadcast Receiver
            1. Receiver declaration
            2. Secure sending and receiving broadcasts
            3. Local broadcasts
        2. Intents
          1. Explicit Intents
          2. Implicit Intent
          3. Intent Filter
          4. Pending Intent
        3. Summary
      11. 3. Permissions
        1. Permission protection levels
        2. Application level permissions
        3. Component level permissions
          1. Activity
          2. Service
          3. Content Provider
          4. Broadcast receiver
        4. Extending Android permissions
          1. Adding a new permission
          2. Creating a permission group
          3. Creating a permission tree
        5. Summary
      12. 4. Defining the Application's Policy File
        1. The AndroidManifest.xml file
        2. Application policy use cases
          1. Declaring application permissions
          2. Declaring permissions for external applications
          3. Applications running with the same Linux ID
          4. External storage
          5. Setting component visibility
          6. Debugging
          7. Backup
          8. Putting it all together
        3. Example checklist
          1. Application level
          2. Component level
        4. Summary
      13. 5. Respect Your Users
        1. Principles of data security
          1. Confidentiality
          2. Integrity
          3. Availability
        2. Identifying assets, threats, and attacks
          1. What and where to store
        3. End-to-end security
          1. The mobile ecosystem
          2. Three states of data
        4. Digital rights management
        5. Summary
      14. 6. Your Tools – Crypto APIs
        1. Terminology
        2. Security providers
        3. Random number generation
        4. Hashing functions
        5. Public key cryptography
          1. RSA
            1. Key generation
            2. Encryption
            3. Decryption
            4. Padding
          2. The Diffie-Hellman algorithm
        6. Symmetric key cryptography
          1. Stream cipher
          2. Block cipher
          3. Block cipher modes
            1. Electronic Code Book (ECB)
            2. Cipher Block Chaining (CBC)
            3. Cipher Feedback Chaining (CFB)
            4. Output Feedback Mode (OFB)
          4. Advanced Encryption Standard (AES)
        7. Message Authentication Codes
        8. Summary
      15. 7. Securing Application Data
        1. Data storage decisions
          1. Privacy
          2. Data retention
          3. Implementation decisions
        2. User preferences
          1. Shared preferences
            1. Creating a preference file
            2. Writing preference
            3. Reading preference
          2. Preference Activity
        3. File
          1. Creating a file
          2. Writing to a file
          3. Reading from a file
          4. File operations on an external storage
        4. Cache
        5. Database
        6. Account manager
        7. SSL/TLS
        8. Installing an application on an external storage
        9. Summary
      16. 8. Android in the Enterprise
        1. The basics
        2. Understanding the Android ecosystem
        3. Device administration capabilities
          1. Device administration API
            1. Policies
            2. DeviceAdminReceiver
          2. Protecting data on a device
            1. Encryption
            2. Backup
          3. Secure connection
          4. Identity
        4. Next steps
          1. Device specific decisions
          2. Knowing your community
          3. Defining boundaries
            1. Android compatibility program
          4. Rolling out support
          5. Policy and compliance
            1. FINRA
            2. Android Update Alliance
        5. Summary
      17. 9. Testing for Security
        1. Testing overview
        2. Security testing basics
          1. Security tenets
          2. Security testing categories
            1. Application review
            2. Manual testing
            3. Dynamic testing
        3. Sample test case scenarios
          1. Testing on the server
          2. Testing the network
          3. Securing data in transit
          4. Secure storage
          5. Validating before acting
          6. The principle of least privilege
          7. Managing liability
          8. Cleaning up
          9. Usability versus security
          10. Authentication scheme
          11. Thinking like a hacker
          12. Integrating with caution
        4. Security testing the resources
          1. OWASP
          2. Android utilities
            1. Android Debug Bridge
            2. Setting up the device
            3. SQlite3
            4. Dalvik Debug Monitor Service
          3. BusyBox
          4. Decompile APK
        5. Summary
      18. 10. Looking into the Future
        1. Mobile commerce
          1. Product discovery using a mobile device
          2. Mobile payments
            1. Configurations
            2. PCI Standard
            3. Point of Sale
        2. Proximity technologies
        3. Social networking
        4. Healthcare
        5. Authentication
          1. Two-factor authentication
          2. Biometrics
        6. Advances in hardware
          1. Hardware security module
          2. TrustZone
          3. Mobile trusted module
        7. Application architecture
        8. Summary
      19. Index