Book Image

Android Security Cookbook

Book Image

Android Security Cookbook

Overview of this book

Android Security Cookbook discusses many common vulnerabilities and security related shortcomings in Android applications and operating systems. The book breaks down and enumerates the processes used to exploit and remediate these vulnerabilities in the form of detailed recipes and walkthroughs. The book also teaches readers to use an Android Security Assessment Framework called Drozer and how to develop plugins to customize the framework. Other topics covered include how to reverse-engineer Android applications to find common vulnerabilities, and how to find common memory corruption vulnerabilities on ARM devices. In terms of application protection this book will show various hardening techniques to protect application components, the data stored, secure networking. In summary, Android Security Cookbook provides a practical analysis into many areas of Android application and operating system security and gives the reader the required skills to analyze the security of their Android devices.
Table of Contents (16 chapters)
Android Security Cookbook
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Preface
Index

Attacking services


Services may not seem very dangerous, and they stick to working in the background. But they are developed to support the other application components, and could potentially perform very sensitive operations such as logging into an online profile, resetting a password, or even facilitating some potentially dangerous processes by serving as a proxy to the system services of the host device. Either way, they must not be overlooked during an application assessment.

When is a service vulnerable? Well, a service is exploitable when you can use its functionality to abuse the user, escalate the privileges of another application/user, or use it to extract sensitive information. This means that you need to be able to interact with the service, which means it must be exported, or respond/accept input from message formats like intents, files, or the network stack. Another thing to consider is what kind of permission is required to interact with the service—whether it's a potentially...