Book Image

Android Application Security Essentials

By : Pragati Rai
Book Image

Android Application Security Essentials

By: Pragati Rai

Overview of this book

In today's techno-savvy world, more and more parts of our lives are going digital, and all this information is accessible anytime and anywhere using mobile devices. It is of the utmost importance that you understand and implement security in your apps that will reduce the likelihood of hazards that will wreck your users' experience. "Android Application Security Essentials" takes a deep look into Android security from kernel to the application level, with practical hands-on examples, illustrations, and everyday use cases. This book will show you how to overcome the challenge of getting the security of your applications right. "Android Application Security Essentials" will show you how to secure your Android applications and data. It will equip you with tricks and tips that will come in handy as you develop your applications.We will start by learning the overall security architecture of the Android stack. Securing components with permissions, defining security in a manifest file, cryptographic algorithms and protocols on the Android stack, secure storage, security focused testing, and protecting enterprise data on your device is then also discussed in detail. You will also learn how to be security-aware when integrating newer technologies like NFC and mobile payments into your Android applications. At the end of this book, you will understand Android security at the system level all the way to the nitty-gritty details of application security for securing your Android applications.

Related Content you might be interested in

Current Title:

Small book image
Android Application Security Essentials
Pragati Rai
Aug, 2013 | 218 pages
No titles found
Table of Contents (18 chapters)
Android Application Security Essentials
Android Application Security Essentials
Credits
Credits
Foreword
Foreword
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
The Android Security Model – the Big Picture
The Android Security Model – the Big Picture
Installing with care
Android platform architecture
Application signing
Data storage on the device
Crypto APIs
Device Administration
Summary
2
Application Building Blocks
Application Building Blocks
Application components
Intents
Summary
3
Permissions
Permissions
Permission protection levels
Application level permissions
Component level permissions
Extending Android permissions
Summary
4
Defining the Application's Policy File
Defining the Application's Policy File
The AndroidManifest.xml file
Application policy use cases
Example checklist
Summary
5
Respect Your Users
Respect Your Users
Principles of data security
Identifying assets, threats, and attacks
End-to-end security
Digital rights management
Summary
6
Your Tools – Crypto APIs
Your Tools – Crypto APIs
Terminology
Security providers
Random number generation
Hashing functions
Public key cryptography
Symmetric key cryptography
Message Authentication Codes
Summary
7
Securing Application Data
Securing Application Data
Data storage decisions
User preferences
File
Cache
Database
Account manager
SSL/TLS
Installing an application on an external storage
Summary
8
Android in the Enterprise
Android in the Enterprise
The basics
Understanding the Android ecosystem
Device administration capabilities
Next steps
Summary
9
Testing for Security
Testing for Security
Testing overview
Security testing basics
Sample test case scenarios
Security testing the resources
Summary
10
Looking into the Future
Looking into the Future
Mobile commerce
Proximity technologies
Social networking
Healthcare
Authentication
Advances in hardware
Application architecture
Summary
Index
Index

Installing with care

One of the differentiating factors of Android from other mobile operating systems is the install time review of an application's permissions. All permissions that an application requires have to be declared in the application's manifest file. These permissions are capabilities that an application requires for functioning properly. Examples include accessing the user's contact list, sending SMSs from the phone, making a phone call, and accessing the Internet. Refer Chapter 3, Permissions, for a detailed description of the permissions.

When a user installs an application, all permissions declared in the manifest file are presented to the user. A user then has the option to review the permissions and make an informed decision to install or not to install an application. Users should review these permissions very carefully as this is the only time that a user is asked for permissions. After this step, the user has no control on the application. The best a user can do is to uninstall the application. Refer to the following screenshot for reference. In this example, the application will track or access the user location, it will use the network, read the user's contact list, read the phone state, and will use some development capabilities. When screening this application for security, the user must evaluate if granting a certain power to this application is required or not. If this is a gaming application, it might not need development tool capabilities. If this is an educational application for kids, it should not need access to the contact list or need to access the user location. Also be mindful of the fact that a developer can add their own permissions especially if they want to communicate with other applications that they have developed as well and may be installed on the device. It is the onus of the developer to provide a clear description of such permissions.

At install time, the framework ensures that all permissions used in the application are declared in the manifest file. The OS at runtime then enforces these permissions.

Previous Section
End of Section 2
Next Section