Android Application Security Essentials
Table of Contents
Android Application Security Essentials
Credits
Foreword
About the Author
About the Reviewer
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. The Android Security Model – the Big Picture
Installing with care
Android platform architecture
Linux kernel
Middleware
Dalvik virtual machine
Application layer
Android application structure
Application signing
Data storage on the device
Crypto APIs
Device Administration
Summary
2. Application Building Blocks
Application components
Activity
Activity declaration
Saving the Activity state
Saving user data
Service
Service declaration
Service modes
Lifecycle management
Binder
Content Provider
Provider declaration
Other security consideration
Broadcast Receiver
Receiver declaration
Secure sending and receiving broadcasts
Local broadcasts
Intents
Explicit Intents
Implicit Intent
Intent Filter
Pending Intent
Summary
3. Permissions
Permission protection levels
Application level permissions
Component level permissions
Activity
Service
Content Provider
Broadcast receiver
Extending Android permissions
Adding a new permission
Creating a permission group
Creating a permission tree
Summary
4. Defining the Application's Policy File
The AndroidManifest.xml file
Application policy use cases
Declaring application permissions
Declaring permissions for external applications
Applications running with the same Linux ID
External storage
Setting component visibility
Debugging
Backup
Putting it all together
Example checklist
Application level
Component level
Summary
5. Respect Your Users
Principles of data security
Confidentiality
Integrity
Availability
Identifying assets, threats, and attacks
What and where to store
End-to-end security
The mobile ecosystem
Three states of data
Digital rights management
Summary
6. Your Tools – Crypto APIs
Terminology
Security providers
Random number generation
Hashing functions
Public key cryptography
RSA
Key generation
Encryption
Decryption
Padding
The Diffie-Hellman algorithm
Symmetric key cryptography
Stream cipher
Block cipher
Block cipher modes
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback Chaining (CFB)
Output Feedback Mode (OFB)
Advanced Encryption Standard (AES)
Message Authentication Codes
Summary
7. Securing Application Data
Data storage decisions
Privacy
Data retention
Implementation decisions
User preferences
Shared preferences
Creating a preference file
Writing preference
Reading preference
Preference Activity
File
Creating a file
Writing to a file
Reading from a file
File operations on an external storage
Cache
Database
Account manager
SSL/TLS
Installing an application on an external storage
Summary
8. Android in the Enterprise
The basics
Understanding the Android ecosystem
Device administration capabilities
Device administration API
Policies
DeviceAdminReceiver
Protecting data on a device
Encryption
Backup
Secure connection
Identity
Next steps
Device specific decisions
Knowing your community
Defining boundaries
Android compatibility program
Rolling out support
Policy and compliance
FINRA
Android Update Alliance
Summary
9. Testing for Security
Testing overview
Security testing basics
Security tenets
Security testing categories
Application review
Manual testing
Dynamic testing
Sample test case scenarios
Testing on the server
Testing the network
Securing data in transit
Secure storage
Validating before acting
The principle of least privilege
Managing liability
Cleaning up
Usability versus security
Authentication scheme
Thinking like a hacker
Integrating with caution
Security testing the resources
OWASP
Android utilities
Android Debug Bridge
Setting up the device
SQLite3
Dalvik Debug Monitor Service
BusyBox
Decompile APK
Summary
10. Looking into the Future
Mobile commerce
Product discovery using a mobile device
Mobile payments
Configurations
PCI Standard
Point of Sale
Proximity technologies
Social networking
Healthcare
Authentication
Two-factor authentication
Biometrics
Advances in hardware
Hardware security module
TrustZone
Mobile trusted module
Application architecture
Summary
Index