Android Security Cookbook
Overview of this book

Android Security Cookbook discusses many common vulnerabilities and security-related shortcomings in Android applications and operating systems. The book breaks down and enumerates the processes used to exploit and remediate these vulnerabilities in the form of detailed recipes and walkthroughs. The book also teaches readers to use an Android security assessment framework called drozer and how to develop plugins to customize the framework. Other topics covered include how to reverse-engineer Android applications to find common vulnerabilities, and how to find common memory corruption vulnerabilities on ARM devices. In terms of application protection, this book shows various hardening techniques to protect application components, the data they store, and their network communications. In summary, Android Security Cookbook provides a practical analysis of many areas of Android application and operating system security and gives the reader the skills required to analyze the security of their Android devices.

Table of Contents (16 chapters)

  • Android Security Cookbook

  • Credits

  • About the Authors

  • About the Reviewers

  • www.PacktPub.com

  • Preface

  • Index

Preface

Android has quickly become one of the most popular mobile operating systems, not only with users but also with developers and companies of all kinds. Of course, because of this it has also become quite a popular platform with malicious adversaries.

Android has been around in the public domain since 2005 and has seen massive growth in capability and complexity. Mobile smart phones in general now harbor very sensitive information about their users, as well as access to their e-mails, text messages, and social and professional networking services. As with any software, this rise in capability and complexity also brings a rise in security risk; the more powerful and complex the software becomes, the harder it is to manage and adapt to the big bad world.

This applies especially to software on mobile smart phones. These hot beds of personal and sensitive information present an interesting security context in which to solve problems. From one perspective, the mobile smart phone security context is very difficult to compare to that of servers on a network or in the "cloud" because, by their very nature, servers are not mobile. They cannot be moved or stolen very easily; we can enforce both software and physical security measures to protect them against unauthorized access. We can also monitor them constantly and respond rapidly to security incidents. For the devices we carry around in our pockets and handbags, and forget in taxi cabs, the playing field is quite different!

Android users and developers need to be constantly aware of their mobile security risks and, because of this need, mobile security and risk assessment specialists and security engineers are in high demand. This book aims to smooth the learning curve for budding Android security assessment specialists and acts as a tool with which experienced Android security professionals can hack away at common Android security problems.

What this book covers

Chapter 1, Android Development Tools, introduces us to setting up and running the tools developers use to cook up Android applications and native-level components on the Android platform. This chapter also serves as an introduction to those who are new to Android and would like to know what goes into setting up the common development environments and tools.

Chapter 2, Engaging with Application Security, introduces us to the components offered by the Android operating system, dedicated to protecting the applications. This chapter covers the manual inspection and usage of some of the security-relevant tools and services used to protect applications and their interaction with the operating system.

Chapter 3, Android Security Assessment Tools, introduces some of the popular as well as new and upcoming security tools and frameworks used by Android security specialists to gauge the technical risks that applications expose their users to. Here you will learn to set up, run, and extend the hacking and reverse engineering tools that will be used in later chapters.

Chapter 4, Exploiting Applications, covers the exploitation techniques that target Android applications. The content in this chapter spans all the Android application component types and details how to examine them for security risks, both from a source code and an inter-application perspective. It also introduces more advanced usage of the tools introduced in Chapter 3, Android Security Assessment Tools.

Chapter 5, Protecting Applications, is designed to be the complete opposite of Chapter 4, Exploiting Applications. Instead of talking purely about application flaws, this chapter talks about application fixes. It walks readers through useful techniques that developers can use to protect their applications from some of the attacks detailed in Chapter 4, Exploiting Applications.

Chapter 6, Reverse Engineering Applications, helps readers learn to crack open applications and teaches them the techniques that Android reverse engineers use to examine and analyze applications. You will learn about the Dex file format in great detail, as well as how to interpret Dex bytecode into useful representations that make reverse engineering easier. The chapter also covers novel methods that reverse engineers can use to dynamically analyze applications and native components while they are running on an Android operating system.

Chapter 7, Secure Networking, helps readers delve into the practical methods that application developers can follow to protect data while it is in transit across the network. With these techniques, you will be able to add stronger validation to Secure Sockets Layer (SSL) communications.

Chapter 8, Native Exploitation and Analysis, is dedicated to the security assessment and testing techniques that focus on the native context of the Android platform. Readers will learn to look for security flaws that can be used to root phones and escalate privileges on Android systems, as well as to perform low-level attacks against native services, including memory corruption and race condition exploitation.

Chapter 9, Encryption and Developing Device Administration Policies, focuses heavily on how to use encryption correctly and avoid some of the common anti-patterns, in order to keep the data within your application secure. It recommends several robust and time-saving third-party libraries to quickly yet securely enhance the security of your applications. To wrap up, we cover how to use the Android Device Administration API to implement and enforce enterprise security policies.

What you need for this book

Though there are some software requirements for the book, many of the walkthroughs discuss downloading and installing the required software before actually getting down to using it for the topic being discussed.

That being said, here is a list of the software you will probably need to have before starting with the walkthroughs:

  • The Android Software Development Kit (SDK)

  • The Android Native Development Kit (NDK)

  • The GNU C/C++ Compiler (GCC)

  • The GNU Debugger (GDB)

  • Python, preferably 2.7 but 3.0 should work fine

  • VirtualBox

  • Ettercap (for Windows or Linux/Unix systems)

  • Dex2Jar

  • Objdump

  • Radamsa

  • JD-GUI

  • The Java Development Kit (JDK)

  • drozer, an Android security assessment framework

  • The OpenSSL command-line tool

  • The keytool command-line tool

Who this book is for

With some chapters dedicated to exploiting Android applications and others focused on hardening them, this book aims to show the two sides of the coin, the attacker and the defender.

Security researchers, analysts, and penetration testers will enjoy the specifics of how to exploit the Android apps. Application developers with an appetite to learn more about security will gain practical advice on how to protect their applications from attacks.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The system image ID you selected from the previous step must be specified using the -t switch."

A block of code is set as follows:

from drozer import android
from drozer.modules import common, Module

class AttackSurface(Module, common.Filters, common.PackageManager):

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold as follows:

from drozer import android
from drozer.modules import common, Module

class AttackSurface(Module, common.Filters, common.PackageManager):

Any command-line input or output is written as follows:

sudo aptitude update  # If you have aptitude installed

New terms and important words are shown in bold. Words that you see on the screen, in menus, or in dialog boxes, for example, appear in the text like this: "Once you've accepted the licenses, you can collect your documentation and APIs by clicking on Install".

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to , and mention the book title via the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at if you are having a problem with any aspect of the book, and we will do our best to address it.