
Application Security for the Android Platform.pdf

Table of Contents
Preface
Organization of the Book
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
Acknowledgments
Chapter 1. Introduction
Application Security: Why You Should Care
The Current State of Mobile Application Security on Android
Security: Risk = Vulnerability + Threat + Consequences
Evolution of Information Security: Why Applications Matter the Most
Your Role: Protect the Data
Secure Software Development Techniques
Unique Characteristics of Android
Moving On
Chapter 2. Android Architecture
Introduction to the Android Architecture
The Linux Security Model
The Resulting Android Security Model
Application Signing, Attribution, and Attestation
Process Design
Android Filesystem Isolation
Android Preferences and Database Isolation
Moving up the Layers to System API and Component Permissions
Chapter 3. Application Permissions
Android Permission Basics
Using Restricted System APIs and the User Experience
Custom Permissions
Chapter 4. Component Security and Permissions
The Types of Android Components
Intercomponent Signaling Using Intents
Public and Private Components
Imposing Restrictions on Access to Components
Securing Activities
Securing Services
Securing Content Providers
Securing Broadcast Intents
Putting It All Together: Securing Communications in a Multi-Tier App
Chapter 5. Protecting Stored Data
The Threats and Vulnerabilities Against Stored Data
Vulnerabilities of Stored Data
Threats to, and Mitigations for, Stored Data
Protection Principles
Cryptography Primer: Encryption
Symmetric Encryption
Asymmetric Key Encryption
Cryptography Primer: Hashing
Cryptographic Practicalities
Computational Infeasibility
Algorithm Choice and Key Size
Cipher Operation Modes, Initialization Vectors, and Salt
Public Keys and Their Management
Key Derivation and Management
Motivation
Key Derivation
Encryption Without User-Supplied Key Derivation
Practical Cryptography: Applying a Technique Against a Threat
Chapter 6. Securing Server Interactions
Confidentiality and Authentication
SSL/TLS: The Industry Standard
Authentication of the Entities
Encryption of Data
Protecting Data En Route to Public Services
Introducing the Android SSL/TLS Environment
Server Verification
Handling SSL/TLS Connection Errors
Protecting Data En Route to Private Services
Using Only Specific Certificates for SSL/TLS
One Step Further: Using Client-Side Authentication SSL/TLS
Threats Against Devices Using Data in Transit
Input Validation: The Central Tenant of Application Security
Reject-Known-Bad
Accept-Known-Good
Wrapping It Up: Input Validation
Preventing Command Injection
Chapter 7. Summary
Key Themes
It’s All About Risk
The Principle of Least Privilege
Use the Permissions System
Android Is an Open Architecture
Get the Cryptography Right
Never Trust User Input
Wrapping It Up
Application Security for the Android Platform
Jeff Six
Beijing • Cambridge • Farnham • Köln • Sebastopol • Tokyo

Application Security for the Android Platform
by Jeff Six
Copyright © 2012 Jeff Six. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://my.safaribooksonline.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Editors: Andy Oram and Mike Hendrickson
Production Editor: Melanie Yarbrough
Proofreader: Melanie Yarbrough
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Robert Romano

Revision History for the First Edition:
2011-12-02 First release
See http://oreilly.com/catalog/errata.csp?isbn=9781449315078 for release details.

Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc., Application Security for the Android Platform, the image of a red gunard, and related trade dress are trademarks of O’Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

ISBN: 978-1-449-31507-8
[LSI]
1322594274