In today's techno-savvy world, more and more of our lives are going digital and all this information is accessible anytime and anywhere using mobile devices. There are thousands of apps available for users to download and play with. With so much information easily accessible using application on the mobile devices, the biggest challenge is to secure the users' private information and respect their privacy.
The first Android phone came out in 2009. The mobile ecosystem has not been the same since then. The openness of the platform and a far less restrictive application model created excitement in the developer community and also fostered innovation and experimentation. But just as every coin has two sides, so does openness. The Android platform irked the imagination of the so-called bad guys. Android provides a perfect test bed for them to try out their ideas. It is thus of great importance not only as a developer, but also as a consumer, to be aware of Android's security model and how to use it judiciously to protect yourself and your consumers.
Android Application Security Essentials is a deep dive into Android security from the kernel level to the application level, with practical hands-on examples, illustrations, and everyday use cases. This book will show you how to secure your Android applications and data. It will equip you with tricks and tips that will come in handy as you develop your applications.
You will learn the overall security architecture of the Android stack. Securing components with permissions, defining security in manifest file, cryptographic algorithms, and protocols on Android stack, secure storage, security focused testing, and protecting enterprise data on device is also discussed in detail. You will also learn how to be security aware when integrating newer technologies and use cases such as NFC and mobile payments into your Android applications.
Chapter 1, Android Security Model – the Big Picture, focuses on the overall security of the Android stack all the way from platform security to application security. This chapter will form a baseline on which the subsequent chapters will be built upon.
Chapter 2, Application Building Blocks, introduces application components, permissions, manifest files, and application signing from a security perspective. These are all basic components of an Android application and knowledge of these components is important to build our security knowledge.
Chapter 3, Permissions, talks about existing permissions in the Android platform, how to define new permissions, how to secure application components with permissions, and provides an analysis of when to define a new permission.
Chapter 4, Defining the Application's Policy File, drills down into the mechanics of the manifest file, which is the application's policy file. We talk about tips and tricks to tighten up the policy file.
Chapter 5, Respect Your Users, covers best practices on handling users' data properly. This is important as a developer's reputation depends on user reviews and ratings. The developer should also be careful about handling user private information carefully so as not to fall into legal traps.
Chapter 6, Your Tools – Crypto APIs, discusses cryptographic capabilities provided by the Android platform. These include symmetric encryption, asymmetric encryption, hashing, cipher modes, and key management.
Chapter 7, Securing Application Data, is all about secure storage of application data both at rest and in transit. We talk about how private data is sandboxed with the application, how to securely store data on the device, on external memory cards, drives, and databases.
Chapter 8, Android in the Enterprise, talks about device security artifacts that are provided by the Android Platform and what they mean to an application developer. This chapter is of special interest to enterprise application developers.
Chapter 9, Testing for Security, focuses on designing and developing security-focused test cases.
Chapter 10, Looking into the Future, discusses upcoming use cases in the mobile space and how it affects Android, especially from a security perspective.
This book is much more valuable if you have an Android environment set up and can play with the concepts and examples discussed in this book. Please refer to developer.android.com for detailed instructions on how to set up your environment and get started with Android development. If you are interested in kernel development, please refer to source.android.com.
At the time of writing this book, Jelly Bean (Android 4.2, API level 17) is the latest release. I have tested all my code snippets on this platform. Ever since the first release of Cupcake in 2009, Google has been continuously enhancing the security of Android with successive releases. For example, remote wipe and device management APIs were added in Android 2.2 (API level 8) to make Android more appealing to the business community. Whenever relevant, I have referenced the release that started supporting a particular feature.
This book is an excellent resource for anyone interested in mobile security. Developers, test engineers, engineering managers, product managers, and architects may use this book as a reference when designing and writing their applications. Senior management and technologists may use this book to gain a broader perspective on mobile security. Some prior knowledge of development on the Android stack is desirable but not required.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "The PackageManager class handles the task of installing and uninstalling the application."
A block of code is set as follows:
<intent-filter> <action android:name="android.intent.action.MAIN" /> <category android:name="android.intent.category.LAUNCHER" /> </intent-filter>
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
Intent intent = new Intent("my-local-broadcast");
Intent.putExtra("message", "Hello World!");
LocalBroadcastManager.getInstance(this).sendBroadcast(intent);
Any command-line input or output is written as follows:
dexdump –d –f –h data@[email protected]@classes .dex > dump
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "clicking the Next button moves you to the next screen".
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.