Bulletproof Android™: Practical Advice for Building Secure Apps

Book Description

Battle-Tested Best Practices for Securing Android Apps throughout the Development Lifecycle

Android’s immense popularity has made it today’s #1 target for attack: high-profile victims include eHarmony, Facebook, and Delta Airlines, just to name a few. Today, every Android app needs to resist aggressive attacks and protect data, and in Bulletproof Android™, Godfrey Nolan shows you how.

Unlike “black hat/gray hat” books, which focus on breaking code, this guide brings together complete best practices for hardening code throughout the entire development lifecycle. Using detailed examples from hundreds of apps he has personally audited, Nolan identifies common “anti-patterns” that expose apps to attack, and then demonstrates more secure solutions.

Nolan covers authentication, networking, databases, server attacks, libraries, hardware, and more. He illuminates each technique with code examples, offering expert advice on implementation and trade-offs. Each topic is supported with a complete sample app, which demonstrates real security problems and solutions.

Learn how to

  • Apply core practices for securing the platform

  • Protect code, algorithms, and business rules from reverse engineering

  • Eliminate hardcoding of keys, APIs, and other static data

  • Eradicate extraneous data from production APKs

  • Overcome the unique challenges of mobile authentication and login

  • Transmit information securely using SSL

  • Prevent man-in-the-middle attacks

  • Safely store data in SQLite databases

  • Prevent attacks against web servers and services

  • Avoid side-channel data leakage through third-party libraries

  • Secure APKs running on diverse devices and Android versions

  • Achieve HIPAA or FIPS compliance

  • Harden devices with encryption, SELinux, Knox, and MDM

  • Preview emerging attacks and countermeasures

This guide is a perfect complement to Nolan’s Android™ Security Essentials LiveLessons (video training; ISBN-13: 978-0-13-382904-4) and reflects new risks that have been identified since the LiveLessons were released.

    Table of Contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. Dedication Page
    5. Contents at a Glance
    6. Contents
    7. Preface
      1. What This Book Is About
      2. What This Book Is Not About
      3. Why Care?
      4. What This Book Covers
        1. Chapter 1: Android Security Issues
        2. Chapter 2: Protecting Your Code
        3. Chapter 3: Authentication
        4. Chapter 4: Network Communication
        5. Chapter 5: Android Databases
        6. Chapter 6: Web Server Attacks
        7. Chapter 7: Third-Party Library Integration
        8. Chapter 8: Device Security
        9. Chapter 9: The Future
      5. Tools
    8. Acknowledgments
    9. About the Author
    10. 1. Android Security Issues
      1. Why Android?
        1. Decompiling an APK
        2. Art for Art’s Sake
      2. Guidelines
        1. PCI Mobile Payment Acceptance Security Guidelines
        2. Google Security
        3. HIPAA Secure
        4. OWASP Top 10 Mobile Risks (2014)
        5. Forrester Research’s Top 10 Nontechnical Security Issues in Mobile App Development
      3. Securing the Device
        1. SEAndroid
        2. Federal Information Processing Standard (FIPS)
      4. Conclusion
    11. 2. Protecting Your Code
      1. Looking into the classes.dex File
      2. Obfuscation Best Practices
        1. No Obfuscation
        2. ProGuard
        3. DexGuard
        4. Security Through Obscurity
        5. Testing
      3. Smali
        1. Helloworld
        2. Remove App Store Check
      4. Hiding Business Rules in the NDK
      5. Conclusion
    12. 3. Authentication
      1. Secure Logins
      2. Understanding Best Practices for User Authentication and Account Validation
        1. Take 1
        2. Take 2
        3. Take 3
        4. Take 4
      3. Application Licensing with LVL
      4. OAuth
        1. OAuth with Facebook
        2. Web and Mobile Session Management
        3. Vulnerability
      5. User Behavior
        1. Two (or More) Factor Authentication
      6. Conclusion
    13. 4. Network Communication
      1. HTTP(S) Connection
      2. Symmetric Keys
      3. Asymmetric Keys
      4. Ineffective SSL
        1. Man-in-the-Middle Demo
        2. Root Your Phone
        3. Charles Proxy Test
      5. Conclusion
    14. 5. Android Databases
      1. Android Database Security Issues
      2. SQLite
        1. Backing Up the Database Using adb
        2. Disabling Backup
      3. SQLCipher
        1. Finding the Key
      4. Hiding the Key
        1. Ask Each Time
        2. Shared Preferences
        3. In the Code
        4. In the NDK
        5. Web Services
      5. SQL Injection
      6. Conclusion
    15. 6. Web Server Attacks
      1. Web Services
        1. OWASP Web Services Cheat Sheet
        2. Replay Attacks
      2. Cross Platform
      3. WebView Attacks
        1. SQL Injection
        2. XSS
      4. Cloud
        1. OWASP Web Top 10 Risks
        2. OWASP Cloud Top 10 Risks
        3. HIPAA Web Server Compliance
      5. Conclusion
    16. 7. Third-Party Library Integration
      1. Transferring the Risk
      2. Permissions
      3. Installing Third-Party Apps
        1. Installing Crittercism
        2. Installing Crashlytics
      4. Trust but Verify
        1. Decompiling SDKs
        2. Man in the Middle
      5. Conclusion
    17. 8. Device Security
      1. Wiping Your Device
      2. Fragmentation
        1. adb Backup
        2. Logs
      3. Device Encryption
      4. SEAndroid
      5. FIPS 140-2
      6. Mobile Device Management
      7. Conclusion
    18. 9. The Future
      1. More Sophisticated Attacks
      2. Internet of Things
        1. Android Wearables
        2. Ford Sync AppID
      3. Audits and Compliance
      4. Tools
        1. Drozer
        2. OWASP Mobile Top 10 Risks
        3. Lint
      5. Conclusion
    19. Index
    20. Code Snippets