Android Security: Attacks and Defenses is for anyone interested in learning about the strengths and weaknesses of the Android platform from a security perspective. Starting with an introduction to Android OS architecture and application programming, it will help readers get up to speed on the basics of the Android platform and its security issues.
Explaining the Android security model and architecture, the book describes Android permissions, including Manifest permissions, to help readers analyze applications and understand permission requirements. It also rates the Android permissions based on security implications and covers JEB Decompiler.
The authors describe how to write Android bots in JAVA and how to use reversing tools to decompile any Android application. They also cover the Android file system, including import directories and files, so readers can perform basic forensic analysis on file system and SD cards. The book includes access to a wealth of resources on its website: www.androidinsecurity.com. It explains how to crack SecureApp.apk discussed in the text and also makes the application available on its site.
The book includes coverage of advanced topics such as reverse engineering and forensics, mobile device pen-testing methodology, malware analysis, secure coding, and hardening guidelines for Android. It also explains how to analyze security implications for Android mobile devices/applications and incorporate them into enterprise SDLC processes.
The book’s site includes a resource section where readers can access downloads for applications, tools created by users, and sample applications created by the authors under the Resource section. Readers can easily download the files and use them in conjunction with the text, wherever needed. Visit www.androidinsecurity.com for more information.
… a must-have for security architects and consultants as well as enterprise security managers who are working with mobile devices and applications.
—Dr. Dena Haritos Tsamitis, Director of the Information Networking Institute; and Director of Education, CyLab, Carnegie Mellon University
If you are facing the complex challenge of securing data and applications for Android, this book provides valuable insight into the security architecture and practical guidance for safeguarding this modern platform.
—Gerhard Eschelbeck, Chief Technology Officer and Senior Vice President, Sophos
… a great introduction to Android security, both from a platform and applications standpoint. … provides the groundwork for anybody interested in mobile malware analysis … a great starting point for anybody interested in cracking the nitty-gritty of most Android apps.
—Nicholas Falliere, Founder of JEB Decompiler
… Dubey and Misra have filled a critical gap in software security literature by providing a unique and holistic approach to addressing this critical and often misunderstood topic. They have captured the essential threats and countermeasures that are necessary to understand and effectively implement secure Android-driven mobile environments.
—James Ransome, Senior Director of Product Security, McAfee, An Intel Company
Good book for Android security enthusiasts and developers that also covers advanced topics like reverse engineering of Android applications. A must have book for all security professionals.
—Sanjay Kartkar, Cofounder of Quick Heal Technologies
… an excellent book for professional businesses that are trying to move their corporate applications on mobile/Android platforms. It helped me understand the threats foreseen in Android applications and how to protect against them.
—Jagmeet Malhotra, Vice President of Markets & International Banking, Royal Bank of Scotland
The book gives security professionals and executives a practical guide to the security implications and best practices for deploying Android platforms and applications in the (corporate) environment.
—Steve Martino, VP Information Security, Cisco
Evolution of Mobile Threats
Android ArchitectureAndroid Architecture Overview
Android Start Up and Zygote
Android SDK and Tools
Downloading and Installing the Android SDK
Developing with Eclipse and ADT
Anatomy of the "Hello World" Application
Understanding Hello World
Android Application Architecture
Android (in)SecurityAndroid Security Model
Android’s Manifest Permissions
Putting It All Together
Mobile Security Issues
Recent Android Attacks—A Walkthrough
Analysis of DroidDream Variant
Analysis of Zsone
Analysis of Zitmo Trojan
Pen Testing Android
Penetration Testing Methodology
External Penetration Test
Internal Penetration Test
Penetration Test Methodologies
Steps to Pen Test Android OS and Devices
Tools for Penetration Testing Android
Vulnerabilities in the Android OS
Penetration Testing—Android Applications
Reverse Engineering Android ApplicationsIntroduction
What is Malware?
Identifying Android Malware
Reverse Engineering Methodology for Android Applications
Modifying the Behavior of Android Applications without Source CodeIntroduction
To Add Malicious Behavior
To Eliminate Malicious Behavior
To Bypass Intended Functionality
DEX File Format
Case Study: Modifying the Behavior of an Application
Real World Example 1—Google Wallet Vulnerability
Real World Example 2—Skype Vulnerability (CVE-2011-1717)
Perform Code Obfuscation
Perform Server Side Processing
Perform Iterative Hashing and Use Salt
Choose the Right Location for Sensitive Information
Android File System
Android Application Data
Rooting Android Devices
Accessing Application Databases
Extracting Data from Android Devices
Securing Android for the Enterprise EnvironmentAndroid in Enterprise
Security Concerns for Android in Enterprise
Recommended Security Practices for Mobile Devices
Deploying Android Securely
Browser Security and Future Threat LandscapeMobile HTML Security
Cross-Site Request Forgery
Mobile Browser Security
The Future Landscape
The Phone as a Spying/Tracking Device
Controlling Corporate Networks and Other Devices through Mobile Devices
Mobile Wallets and NFC
B.2 Code Views
B.3 Keyboard Shortcuts