Android Application Security Essentials

Android Application Security Essentials

By : Pragati Rai

Buy this Book

Android Application Security Essentials

By: Pragati Rai

Buy this Book

Overview of this book

In today's techno-savvy world, more and more parts of our lives are going digital, and all this information is accessible anytime and anywhere using mobile devices. It is of the utmost importance that you understand and implement security in your apps that will reduce the likelihood of hazards that will wreck your users' experience. "Android Application Security Essentials" takes a deep look into Android security from kernel to the application level, with practical hands-on examples, illustrations, and everyday use cases. This book will show you how to overcome the challenge of getting the security of your applications right. "Android Application Security Essentials" will show you how to secure your Android applications and data. It will equip you with tricks and tips that will come in handy as you develop your applications.We will start by learning the overall security architecture of the Android stack. Securing components with permissions, defining security in a manifest file, cryptographic algorithms and protocols on the Android stack, secure storage, security focused testing, and protecting enterprise data on your device is then also discussed in detail. You will also learn how to be security-aware when integrating newer technologies like NFC and mobile payments into your Android applications. At the end of this book, you will understand Android security at the system level all the way to the nitty-gritty details of application security for securing your Android applications.

Android Application Security Essentials

Credits

Foreword

About the Author

About the Reviewer

www.PacktPub.com

Preface

Free Chapter

The Android Security Model – the Big Picture

Installing with care

Android platform architecture

Application signing

Data storage on the device

Crypto APIs

Device Administration

Summary

Application Building Blocks

Application components

Intents

Summary

Permissions

Permission protection levels

Application level permissions

Component level permissions

Extending Android permissions

Summary

Defining the Application's Policy File

The AndroidManifest.xml file

Application policy use cases

Example checklist

Summary

Respect Your Users

Principles of data security

Identifying assets, threats, and attacks

End-to-end security

Digital rights management

Summary

Your Tools – Crypto APIs

Terminology

Security providers

Random number generation

Hashing functions

Public key cryptography

Symmetric key cryptography

Message Authentication Codes

Summary

Securing Application Data

Data storage decisions

User preferences

File

Cache

Database

Account manager

SSL/TLS

Installing an application on an external storage

Summary

Android in the Enterprise

The basics

Understanding the Android ecosystem

Device administration capabilities

Next steps

Summary

Testing for Security

Testing overview

Security testing basics

Sample test case scenarios

Security testing the resources

Summary

Looking into the Future

Mobile commerce

Proximity technologies

Application architecture

Summary

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Data storage on the device

Android provides different solutions for secure data storage on devices. Based on the data type and application use case, developers can choose the solution that fits best.

For primitive data types such as ints, booleans, longs, floats, and strings, which need to persist across user sessions, it is best to use shared data types. Data in shared preferences is stored as a key-value pair that allows developers to save, retrieve, and persist data.

All application data is stored along with the application in the sandbox. This means that this data can be accessed only by that application or other applications with the same signature that have been granted the right to share data. It is best to store private data files in this memory. These files will be deleted when the application is uninstalled.

For large datasets, developers have an option to use the SQLite database that comes bundled with the Android software stack.

All Android devices allow users to mount external storage devices such as SD cards. Developers can write their application such that large files can be stored on these external devices. Most of these external storage devices have a VFAT filesystem, and Linux access control does not work here. Sensitive data should be encrypted before storing on these external devices.

Starting with Android 2.2 (API 8), APKs can be stored on external devices. Using a randomly generated key, the APK is stored within an encrypted container called the asec file. This key is stored on the device. The external devices on Android are mounted with noexec. All DEX files, private data, and native shared libraries still reside in the internal memory.

Wherever network connection is possible, developers can store data on their own web servers as well. It is advisable to store data that can compromise the user's privacy on your own servers. An example of such an application is banking applications where user account information and transaction details should be stored on a server rather than user's devices.

Chapter 7, Securing Application Data, discusses the data storage options on Android devices in great detail.

Rights protected content such as video, e-books, and music, can be protected on Android using the DRM framework API. Application developers can use this DRM framework API to register the device with a DRM scheme, acquire licenses associated with content, extract constraints, and associate relevant content with its license.

Android Application Security Essentials

By : Pragati Rai

Android Application Security Essentials

By: Pragati Rai

Overview of this book

Related Content you might be interested in

Current Title:

Android Application Security Essentials

Data storage on the device