Table of Contents
Preface
Organization of the Book
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
Acknowledgments
Chapter 1. Introduction
Application Security: Why You Should Care
The Current State of Mobile Application Security on Android
Security: Risk = Vulnerability + Threat + Consequences
Evolution of Information Security: Why Applications Matter the Most
Your Role: Protect the Data
Secure Software Development Techniques
Unique Characteristics of Android
Moving On
Chapter 2. Android Architecture
Introduction to the Android Architecture
The Linux Security Model
The Resulting Android Security Model
Application Signing, Attribution, and Attestation
Process Design
Android Filesystem Isolation
Android Preferences and Database Isolation
Moving up the Layers to System API and Component Permissions
Chapter 3. Application Permissions
Android Permission Basics
Using Restricted System APIs and the User Experience
Custom Permissions
Chapter 4. Component Security and Permissions
The Types of Android Components
Intercomponent Signaling Using Intents
Public and Private Components
Imposing Restrictions on Access to Components
Securing Activities
Securing Services
Securing Content Providers
Securing Broadcast Intents
Putting It All Together: Securing Communications in a Multi-Tier App
Chapter 5. Protecting Stored Data
The Threats and Vulnerabilities Against Stored Data
Vulnerabilities of Stored Data
Threats to, and Mitigations for, Stored Data
Protection Principles
Cryptography Primer: Encryption
Symmetric Encryption
Asymmetric Key Encryption
Cryptography Primer: Hashing
Cryptographic Practicalities
Computational Infeasibility
Algorithm Choice and Key Size
Cipher Operation Modes, Initialization Vectors, and Salt
Public Keys and Their Management
Key Derivation and Management
Motivation
Key Derivation
Encryption Without User-Supplied Key Derivation
Practical Cryptography: Applying a Technique Against a Threat
Chapter 6. Securing Server Interactions
Confidentiality and Authentication
SSL/TLS: The Industry Standard
Authentication of the Entities
Encryption of Data
Protecting Data En Route to Public Services
Introducing the Android SSL/TLS Environment
Server Verification
Handling SSL/TLS Connection Errors
Protecting Data En Route to Private Services
Using Only Specific Certificates for SSL/TLS
One Step Further: Using Client-Side Authentication SSL/TLS
Threats Against Devices Using Data in Transit
Input Validation: The Central Tenet of Application Security
Reject-Known-Bad
Accept-Known-Good
Wrapping It Up: Input Validation
Preventing Command Injection
Chapter 7. Summary
Key Themes
It’s All About Risk
The Principle of Least Privilege
Use the Permissions System
Android Is an Open Architecture
Get the Cryptography Right
Never Trust User Input
Wrapping It Up