Back to course catalog

Android security

CL-AND
3 days
Java
Course page in PDF Inquiry

Course information

Preparedness

General Java development on Android

Exercises

Hands-on

Delivery methods

Classroom

Course Reviews

Trainer is very professional.

July 2014 Beijing

View all reviews

A lot of useful info.

July 2014 Beijing

View all reviews

Shown us what we have never imagined.

July 2014 Beijing

View all reviews

Very good speed and clear examples.

June 2014 Oulu

View all reviews

Covered everyday code issues and addressed common concerns.

June 2014 Oulu

View all reviews

Wide aspects of security.

June 2014 Oulu

View all reviews

Exercises were well prepared, no lost time, direct to target.

April 2014 Rennes

View all reviews

High quality example code.

April 2014 Rennes

View all reviews

The training material provided by the trainer were well prepared, good focused on the item.

April 2014 Rennes

View all reviews

Very good quality of the labs experiments.

April 2014 Rennes

View all reviews

Nice examples, easy to understand.

March 2014 Oulu

View all reviews

Very good trainer. Useful tips and good examples from real life situations. Easy to follow topics.

March 2014 Oulu

View all reviews

Good confirmation on many subjects I was feeling a bit unsecure about.

March 2014 Oulu

View all reviews

Clearly presented information.

March 2014 Oulu

View all reviews

Description

Android is an open platform for mobile devices such as handsets and tablets. It has a large variety of security features to make developing secure software easier; however, it is also missing certain security aspects that are present in other hand-held platforms. The course gives a comprehensive overview of these features, and points out the most critical shortcomings to be aware of related to the underlying Linux, the file system and the environment in general, as well as regarding using permissions and other Android software development components.

Typical security pitfalls and vulnerabilities are described both for native code and Java applications, along with recommendations and best practices to avoid and mitigate them. In many cases discussed issues are supported with real-life examples and case studies. Finally, we give a brief overview on how to use security testing tools to reveal any security relevant programming bugs.

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Learn the security solutions on Android
  • Learn to use various security features of the Android platform
  • Have a practical understanding of cryptography
  • Get information about some recent vulnerabilities in Java on Android
  • Learn about typical coding mistakes and how to avoid them
  • Get practical knowledge in using security testing tools for Android
  • Get sources and further readings on secure coding practices

Outline

  • IT security and secure coding
  • Android security overview
  • Android application security
  • Practical cryptography
  • Protecting Android applications
  • Input validation
  • Improper error and exception handling
  • Code quality problems
  • Testing Android code
  • Principles of security and secure coding
  • Knowledge sources

Table of Contents

  • Day 1
    • IT security and secure coding
      • Nature of security
      • What is risk?
      • IT security vs. secure coding
      • From vulnerabilities to botnets and cybercrime
        • Nature of security flaws
        • Reasons of difficulty
        • From an infected computer to targeted attacks
      • Classification of security flaws
        • Landwehr’s taxonomy
        • The Seven Pernicious Kingdoms
        • OWASP Top Ten 2017
        • OWASP Mobile Top Ten 2016 (release candidate)
    • Android security overview
      • Android fragmentation challenges
      • The Android software stack
      • OS security features and exploit mitigation techniques
      • The Linux kernel
        • User and process separation
        • Anonymous shared memory (ashmem)
        • ANDROID_PARANOID_NETWORK kernel option
        • SELinux Type Enforcement policies
        • SELinux policies
        • SELinux policy example –
        • Adding custom policy files
        • Exercise: compiling and using SELinux policies
        • SELinux Role-Based Access Control
        • SELinux Multi-Level Security
      • Filesystem security
        • Filesystems used for external storage
        • Filesystem encryption
        • Encrypting individual files and external SD cards
      • Dalvik
        • Dalvik VM
        • VM Separation
        • Zygote
        • Bytecode verifier
      • Android Runtime (ART)
        • ART architecture
        • ART backward compatibility
        • ART security features
        • Ahead-of-time (AOT) compilation
      • Deploying applications
        • Application signing
        • No validation of developer identity
        • Google’s review process
        • Installing using Google Play
        • Installing outside of Google Play
        • Verify App
    • Android application security
      • Permissions
        • Using permissions
        • Exercise – using permissions
        • Using custom permissions
        • Exercise – using custom permissions
        • Permissions – best practices
      • Writing secure Android applications
        • Activity, Fragment and Service – basics
        • Intents
        • Implicit intents
        • Intent hijacking
        • BroadcastReceiver security
        • Activity hijacking
        • Best practices against activity hijacking
        • Sticky broadcasts
        • Content provider
        • Content provider permissions
  • Day 2
    • Practical cryptography
      • Rule #1 of implementing cryptography
      • Cryptosystems
        • Elements of a cryptosystem
      • Symmetric-key cryptography
        • Providing confidentiality with symmetric cryptography
        • Symmetric encryption algorithms
        • Modes of operation
      • Other cryptographic algorithms
        • Hash or message digest
        • Hash algorithms
        • SHAttered
        • Message Authentication Code (MAC)
        • Providing integrity and authenticity with a symmetric key
        • Random numbers and cryptography
        • Cryptographically-strong PRNGs
        • Hardware-based TRNGs
      • Asymmetric (public-key) cryptography
        • Providing confidentiality with public-key encryption
        • Rule of thumb – possession of private key
        • The RSA algorithm
          • Introduction to RSA algorithm
          • Encrypting with RSA
          • Combining symmetric and asymmetric algorithms
          • Digital signing with RSA
      • Public Key Infrastructure (PKI)
        • Man-in-the-Middle (MitM) attack
        • Digital certificates against MitM attack
        • Certificate Authorities in Public Key Infrastructure
        • X.509 digital certificate
      • Cryptography on Android
        • Java Cryptography Architecture / Extension (JCA/JCE)
        • Using Cryptographic Service Providers
        • Engine classes and algorithms
        • Cryptographic Service Providers in Android
        • Exercise Sign – Generating and verifying signatures
    • Protecting Android applications
      • Digital Rights Management (DRM)
        • DRM architecture
        • Android DRM overview
        • Challenges of DRM protection
        • DRM protection without hardware support - hardening
        • DRM protection – decrypted content
      • Reverse engineering and debugging
        • Reverse engineering methods and tools
        • Getting the package name
        • Reverse engineering exercise
      • Improper use of security features
        • Typical problems related to the use of security features
        • Insecure randomness
          • Weak PRNGs in Java
          • Exercise RandomTest
          • Using random numbers in Java – spot the bug!
        • Password management
          • Exercise – Weakness of hashed passwords
          • Password management and storage
          • Special purpose hash algorithms for password storage
          • Argon2 and PBKDF2 implementations in Java
          • bcrypt and scrypt implementations in Java
          • Password hash implementations on Android
          • KitKat changes concerning SecretKeyFactory
          • Case study – the Ashley Madison data breach
        • Signing and integrity protection weaknesses
          • Instagram vulnerability
          • Multiple file names in an APK
        • Access control weaknesses
          • Vulnerability in Skype for Android
          • Vulnerability in Firefox for Android
          • Google Wallet vulnerabilities
  • Day 3
    • Input validation
      • Input validation concepts
      • Injection
        • SQL Injection on Android
        • Typical SQL Injection attack methods
        • SQL Injection protection methods
        • Using parameterized queries in Android
      • Cross-site scripting
        • Android WebView XSS
        • XSS prevention
        • Android WebView security best practices
      • Integer problems
        • Representation of negative integers
        • Integer overflow
        • Exercise IntOverflow
        • What is the value of Math.abs(Integer.MIN_VALUE)?
        • Integer problem – best practices
          • Integer problem – best practices
          • Avoiding arithmetic overflow – addition
          • Avoiding arithmetic overflow – multiplication
        • Java case study
          • A real-world integer overflow vulnerability in Java
          • The actual mistake in java.utils.zip.CRC32
        • Case study – Android Stagefright
          • Stagefright – a quick introduction
          • Some Stagefright code examples – spot the bugs!
      • Path traversal vulnerability
        • Path traversal – best practices
      • Unsafe reflection
        • Implementation of a command dispatcher
        • Unsafe reflection – spot the bug!
        • Mitigation of unsafe reflection
      • Log forging
        • Some other typical problems with log files
    • Improper error and exception handling
      • Typical problems with error and exception handling
      • Empty catch block
      • Overly broad throws
      • Overly broad catch
      • Using multi-catch
      • Catching NullPointerException
      • Exception handling – spot the bug!
      • Exercise ScademyPay – Error handling
      • Exercise – Error handling
    • Code quality problems
      • Dangers arising from poor code quality
      • Poor code quality – spot the bug!
      • Unreleased resources
      • Private arrays – spot the bug!
      • Private arrays – typed field returned from a public method
      • Exercise Object Hijack
      • Public method without final – object hijacking
      • Serialization – spot the bug!
      • Exercise Serializable Sensitive
      • Immutable String – spot the bug!
      • Exercise Immutable Strings
      • Immutability and security
    • Testing Android code
      • Testing Android code
      • Android Lint
      • Android Lint – Security features
      • Lint exercise
      • PMD
      • PMD exercise
      • FindBugs
      • FindBugs exercise
    • Principles of security and secure coding
      • Matt Bishop’s principles of robust programming
      • The security principles of Saltzer and Schroeder
    • Knowledge sources
      • Secure coding sources – a starter kit
      • Vulnerability databases
      • Java secure coding sources
      • Android secure coding sources
      • Recommended books – Java
      • Recommended books – Android
Show full table of contents

Get more information