Back to course catalog

Android Java and native code security

CL-AAN
4 days
C/C++, Java
Course page in PDF Inquiry

Course information

Preparedness

General Java and C/C++ development on Android

Exercises

Hands-on

Delivery methods

Classroom

Course Reviews

Useful tips and good examples from real life situations. Easy to follow topics.

March 2014, Oulu, Finland

View all reviews

Description

Android is an open platform for mobile devices such as handsets and tablets. It has a large variety of security features to make developing secure software easier; however, it is also missing certain security aspects that are present in other hand-held platforms. The course gives a comprehensive overview of these features, and points out the most critical shortcomings to be aware of related to the underlying Linux, the file system and the environment in general, as well as regarding using permissions and other Android software development components.

Typical security pitfalls and vulnerabilities are described both for native code and Java applications, along with recommendations and best practices to avoid and mitigate them. In case of native code applications we go into more details, discussing memory management related issues, protection techniques as well as their circumvention (such as Return Oriented Programming). Finally, the most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography and PKI are also discussed and put into the context of Android.

In many cases discussed issues are supported with real-life examples and case studies. Finally, we give a brief overview on how to use security testing tools to reveal any programming bugs.

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Learn the security solutions on Android
  • Have a practical understanding of cryptography
  • Learn to use various security features of the Android platform
  • Learn about denial of service attacks and protections
  • Get information about some recent vulnerabilities in Java on Android
  • Learn about typical coding mistakes and how to avoid them
  • Get understanding on native code vulnerabilities on Android
  • Realize the severe consequences of unsecure buffer handling in native code
  • Understand the architectural protection techniques and their weaknesses
  • Get practical knowledge in using security testing tools for Android
  • Get sources and further readings on secure coding practices

Outline

  • IT security and secure coding
  • Android security overview
  • Practical cryptography
  • Android application security
  • Protecting Android applications
  • Denial of service
  • Input validation
  • Android native code security
  • Improper use of security features
  • Improper error and exception handling
  • Information leakage through error reporting
  • Code quality problems
  • Testing Android code
  • Principles of security and secure coding
  • Knowledge sources

Table of Contents

  • Day 1
    • IT security and secure coding
      • Nature of security
      • IT security related terms
      • What is risk?
      • Different aspects of IT security
      • Requirements of different application areas
      • IT security vs. secure coding
      • From vulnerabilities to botnets and cybercrime
        • Nature of security flaws
        • Reasons of difficulty
        • From an infected computer to targeted attacks
        • Cybercrime – an organized network of criminals
      • Classification of security flaws
        • Landwehr’s taxonomy
        • The Seven Pernicious Kingdoms
        • OWASP Top Ten 2017
        • OWASP Mobile Top Ten 2016 (release candidate)
    • Android security overview
      • Android fragmentation challenges
      • The Android software stack
      • OS security features and exploit mitigation techniques
      • The Linux kernel
        • User and process separation
        • Anonymous shared memory (ashmem)
        • ANDROID_PARANOID_NETWORK kernel option
        • SELinux overview
        • SELinux in practice
        • SELinux command-line tools
        • Exercise: SELinux from a user perspective
        • SELinux Type Enforcement policies
        • SELinux policies
        • SELinux policy example –
        • Adding custom policy files
        • Exercise: compiling and using SELinux policies
        • SELinux Role-Based Access Control
        • SELinux Multi-Level Security
        • TrustZone
      • Filesystem security
        • Filesystems used for external storage
        • Filesystem encryption
        • Encrypting individual files and external SD cards
      • Dalvik
        • Dalvik VM
        • VM Separation
        • Zygote
        • Bytecode verifier
      • Android Runtime (ART)
        • ART architecture
        • ART backward compatibility
        • ART security features
        • Ahead-of-time (AOT) compilation
      • Deploying applications
        • Application signing
        • No validation of developer identity
        • Google’s review process
        • Installing using Google Play
        • Installing outside of Google Play
        • Verify App
  • Day 2
    • Practical cryptography
      • Rule #1 of implementing cryptography
      • Cryptosystems
        • Elements of a cryptosystem
      • Symmetric-key cryptography
        • Providing confidentiality with symmetric cryptography
        • Symmetric encryption algorithms
        • Modes of operation
      • Other cryptographic algorithms
        • Hash or message digest
        • Hash algorithms
        • SHAttered
        • Message Authentication Code (MAC)
        • Providing integrity and authenticity with a symmetric key
        • Random numbers and cryptography
        • Cryptographically-strong PRNGs
        • Hardware-based TRNGs
      • Asymmetric (public-key) cryptography
        • Providing confidentiality with public-key encryption
        • Rule of thumb – possession of private key
        • The RSA algorithm
          • Introduction to RSA algorithm
          • Encrypting with RSA
          • Combining symmetric and asymmetric algorithms
          • Digital signing with RSA
      • Public Key Infrastructure (PKI)
        • Man-in-the-Middle (MitM) attack
        • Digital certificates against MitM attack
        • Certificate Authorities in Public Key Infrastructure
        • X.509 digital certificate
      • Cryptography on Android
        • Java Cryptography Architecture / Extension (JCA/JCE)
        • Using Cryptographic Service Providers
        • Engine classes and algorithms
        • Cryptographic Service Providers in Android
        • Exercise Sign – Generating and verifying signatures
    • Android application security
      • Permissions
        • Using permissions
        • Exercise – using permissions
        • Using custom permissions
        • Exercise – using custom permissions
        • Permissions – best practices
      • Writing secure Android applications
        • Activity, Fragment and Service – basics
        • Intents
        • Implicit intents
        • Intent hijacking
        • BroadcastReceiver security
        • Activity hijacking
        • Best practices against activity hijacking
        • Sticky broadcasts
        • Content provider
        • Content provider permissions
    • Protecting Android applications
      • Digital Rights Management (DRM)
        • DRM architecture
        • Android DRM overview
        • Challenges of DRM protection
        • DRM protection without hardware support - hardening
        • DRM protection – decrypted content
      • Reverse engineering and debugging
        • Reverse engineering methods and tools
        • Getting the package name
        • Reverse engineering exercise
    • Denial of service
      • DoS introduction
      • Asymmetric DoS
      • SSL/TLS renegotiation DoS
      • Asymmetric DOS with JSON deserialization
      • Regular expression DoS (ReDoS)
        • Exercise ReDoS
        • ReDoS mitigation
        • Case study – ReDos in Stack Exchange
      • Hashtable collision attack
        • Using hashtables to store inputs
        • Hashtable collision
        • Hashtable collision in Java
  • Day 3
    • Input validation
      • Input validation concepts
      • Injection
        • SQL Injection on Android
        • Typical SQL Injection attack methods
        • SQL Injection protection methods
        • Using parameterized queries in Android
      • Cross-site scripting
        • Android WebView XSS
        • XSS prevention
        • Android WebView security best practices
      • Integer problems
        • Representation of negative integers
        • Integer overflow
        • Exercise IntOverflow
        • What is the value of Math.abs(Integer.MIN_VALUE)?
        • Integer problem – best practices
          • Integer problem – best practices
          • Avoiding arithmetic overflow – addition
          • Avoiding arithmetic overflow – multiplication
        • Java case study
          • A real-world integer overflow vulnerability in Java
          • The actual mistake in java.utils.zip.CRC32
        • Case study – Android Stagefright
          • Stagefright – a quick introduction
          • Some Stagefright code examples – spot the bugs!
      • Path traversal vulnerability
        • Path traversal – best practices
      • Unsafe reflection
        • Implementation of a command dispatcher
        • Unsafe reflection – spot the bug!
        • Mitigation of unsafe reflection
      • Log forging
        • Some other typical problems with log files
    • Android native code security
      • Buffer overflow possibilities in Android
      • ARM machine code, memory layout and stack operations
        • ARM Processors – main registers
        • ARM Processors – most important instructions
        • ARM Processors – control instructions
        • ARM Processors – stack handling instructions
        • ARM Processors – condition field
        • Understanding complex ARM instructions
        • The function calling mechanism in ARM
        • The local variables and the stack frame
        • Function calls – prologue and epilogue of a function
        • Stack frame of nested calls
        • Stack frame of recursive functions
      • Buffer overflow on the stack
        • Classic buffer overflow on the stack
        • Exercises – trying to exploit a buffer overflow
        • Stack smashing protection in Android
        • Effects of stack smashing protection
        • Bypassing stack smashing protection
        • Lack of source checking
        • CVE-2011-1823 in vold's method – Spot the bug!
        • Exercise – vold vulnerability
        • Exercise – vold vulnerability exploit analysis
        • WWW exploit with .got overwrite
        • Exercise – overwrite .got with write-what-where
        • Exercise – overwrite .got with WWW after Android 4.1
      • Protection techniques – ASLR, XN, RELRO, ...
        • Address Space Layout Randomization (ASLR)
        • Randomization with ASLR
        • Access Control on memory segments
        • The Never eXecute (NX) bit
        • Read-only relocation and immediate binding – RELRO
        • Bypassing ASLR, XN, RELRO and stack protection
        • Information leakage
        • Spot the bug
        • Exercise – exploit information leakage
        • Use after free – Dangling pointers
        • Use after free – Instance of a class
        • cString class
        • Information leakage with use after free
        • Exercise – information leakage with use after free
        • Exercise – control information leakage
        • Virtual method call
        • Code execution with use after free
        • App name memory corruption – caused Google Play DoS
        • Buffer overflow in Android KeyStore
  • Day 4
    • Improper use of security features
      • Typical problems related to the use of security features
      • Insecure randomness
        • Weak PRNGs in Java
        • Exercise RandomTest
        • Using random numbers in Java – spot the bug!
      • Password management
        • Exercise – Weakness of hashed passwords
        • Password management and storage
        • Special purpose hash algorithms for password storage
        • Argon2 and PBKDF2 implementations in Java
        • bcrypt and scrypt implementations in Java
        • Password hash implementations on Android
        • KitKat changes concerning SecretKeyFactory
        • Case study – the Ashley Madison data breach
          • The loginkey token
          • Revealing the passwords with brute forcing
      • Signing and integrity protection weaknesses
        • Instagram vulnerability
        • Multiple file names in an APK
      • Access control weaknesses
        • Vulnerability in Skype for Android
        • Vulnerability in Firefox for Android
        • Google Wallet vulnerabilities
        • Storing sensitive data on Android
        • Exercise – Storing sensitive data without encryption
        • Storing sensitive data – Best practices
    • Improper error and exception handling
      • Typical problems with error and exception handling
      • Empty catch block
      • Overly broad throws
      • Overly broad catch
      • Using multi-catch
      • Returning from finally block – spot the bug!
      • Catching NullPointerException
      • Exception handling – spot the bug!
      • Exercise ScademyPay – Error handling
    • Information leakage through error reporting
      • Exercise – Error handling
      • Information leakage through logging (LogCat)
      • GoToMeeting vulnerability
      • Android best practices
    • Code quality problems
      • Dangers arising from poor code quality
      • Poor code quality – spot the bug!
      • Unreleased resources
      • Private arrays – spot the bug!
      • Private arrays – typed field returned from a public method
      • Exercise Object Hijack
      • Public method without final – object hijacking
      • Serialization – spot the bug!
      • Exercise Serializable Sensitive
      • Immutable String – spot the bug!
      • Exercise Immutable Strings
      • Immutability and security
    • Testing Android code
      • Testing Android code
      • Android Lint
      • Android Lint – Security features
      • Lint exercise
      • PMD
      • PMD exercise
      • FindBugs
      • FindBugs exercise
    • Principles of security and secure coding
      • Matt Bishop’s principles of robust programming
      • The security principles of Saltzer and Schroeder
    • Knowledge sources
      • Secure coding sources – a starter kit
      • Vulnerability databases
      • Java secure coding sources
      • Android secure coding sources
      • Recommended books – Java
      • Recommended books – Android
Show full table of contents

Get more information