Android Security

Course Description

The Android operating system has several built-in security features to protect application users from attackers (e.g., network sniffers, malicious app writers, and device thieves). Android application developers need to understand what protections these features provide and where they can fall short in protecting users. It is the responsibility of the Android application developer to practice defensive programming to protect the users of their application from the common attacks used to compromise applications and their data. This course teaches important information about the Android platform and focuses on the defensive programming techniques that developers must know in order to write secure apps.

Learning Objectives

  • Appreciate the risks to Android applications.
  • Understand the structure of Android package files.
  • Understand the Android security model and the protections provided by the Android OS.
  • Apply defensive programming techniques for common Android vulnerabilities.

Details

Delivery Format: eLearning

Duration: 1 hour 15 minutes

Level: Intermediate

Intended Audience:

  • Mobile Developers

Competencies: Familiarity with Java and web technologies

Prerequisites: 

Course Outline

Introduction: The Risks to Android Apps

  • Man-in-the-Middle Attacks
  • Reverse Engineering
  • Malicious User with a Proxy
  • Malicious App Installed on the Device
  • Rooted Device
  • Rooted Device: Stolen!

Android APK Structure

  • Getting into the APK
  • Keep Secrets Out of the Packages
  • Android Security Model
  • Full-Disk Encryption
  • File-Based Encryption
  • Sandboxing
  • Permissions Model: Protection and Consent

Permissions Issues

  • Permission Redelegation
  • Overly Permissioned Apps
  • Consequences of Overly Permissioned Apps
  • Augmented Gaming and Permissions

Intent Issues

  • Unauthorized Intent Recipient
  • Unauthorized Intent Recipient: An Example
  • Intent Forging
  • Sticky Broadcasts
  • How Easily Can Attackers Find and Exploit Vulnerable Apps?

Insecure Storage

  • Insecure Storage
  • Saving Files Without Using MODE_PRIVATE
  • Saving Files to the SD Card
  • Saving Sensitive Data to SQLite Databases
  • Logging Sensitive Data
  • WebViews
  • How Likely Is It That a Device Will Be Lost or Stolen?

Use of Client-Side Controls

  • RSA Conference Mobile App
  • Overreliance on Device Interrogation
  • Client-Side Controls to Prevent Access to Functionality
  • Reliance on Root Detection
  • Reliance on Root Detection: Biometrics

Secure Communications

  • Secure Communications
  • Insecure Certificate Validation
  • SSL/TLS Best Practices
  • Certificate Pinning
  • Scanning for SSL/TLS Best Practices

Compromised Certificate Authorities
 
