Sheran Gunasekera

Android Apps Security

Mitigate Hacking Attacks and Security Breaches

2nd ed.
Sheran Gunasekera
Singapore, Singapore
ISBN 978-1-4842-1681-1
e-ISBN 978-1-4842-1682-8
© Sheran Gunasekera 2012, 2020
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
Distributed to the book trade worldwide by Apress Media, LLC, 1 New York Plaza, New York, NY 10004, U.S.A. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected], or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
Introduction

This book was a long time coming, and yet I can only feel that now was the perfect time to write it and publish it. Much like a young stand-up comedian who, when just starting out, has to draw on all of his life experience to deliver it as humor, this second edition is a collection of personal experiences and research done along the way. This book is intended as a reference tool rather than an in-depth, granular teaching tool. It is a better friend to those developers and security researchers who are in their early-to-mid career than to those just starting out. It is a collection of how I have done things and the reasons why I chose to do them the way I did.

In this book, I approach Android security from an offensive standpoint. If the first edition were the Blue Team, then this one is definitely the Red Team book. The principle I try to stand by in this book is that the best way to test your app is by breaking it and breaking it into as many pieces as you can. A true test of your app will be if it can withstand some of the techniques that we use in this book because it is a collection of techniques that are being used out there today. To this end, you will find a lot of information about how to intercept network traffic, how to break SSL and SSL Pinning, how to root your device, and then how to figure out that security is a lot more than looking for that silver-bullet piece of tech. It is never the case. You have to do the work. You have to research; you have to test and you have to understand the behavior – of apps and people. There is no silver bullet to security; you have to spend countless hours and, yes, sleepless nights worrying about it.

This book is also, I feel, a work in progress. As I wrote the chapters, I felt myself drawn into different areas that I could not afford to explore. I hope to revisit some of those topics in the future, and who knows? Maybe there will be another book. I do hope you find the book useful and that you learn to look at security from a different perspective. If there's one thing I want you to take away from this book, it is that you can't have security on autopilot. It is a topic you have to think about and consciously make decisions about at every step of the way. The bad guys out there will not rest, so that means less time to celebrate your wins and more time to spend looking at worst-case scenarios in your very own bubble of paranoia.

Acknowledgments

I would like to thank my family for their support and understanding during the authoring process. To my wife Tess, thanks for putting up with my absence and for waiting on me hand and foot while I wrote this book. To my daughter Shoshana, thank you for those times of laughter that I desperately needed and for your adultlike understanding of why I was doing what I was doing. My two furry, canine babies Zeus and Morpheus were instant stress reducers whenever they would somehow manage to get past Tess’ guard and nudge my legs. They aren’t at a high enough reading level to appreciate this note, but I’m sure they will get the message somehow.

I would also like to thank my friend and cofounder Prabu for essentially running our company entirely by himself as I dropped off the face of the earth to devote time to this book. Prabs, I don’t tell you enough how much I appreciate what you have done for the company. Thank you for shouldering not only your but my responsibilities in running the company while I wrote this book.

To my friends and cofounders at RedStorm, Ariesto and Ele, thank you for keeping the InfoSec ship running smoothly while I was MIA.

To Thiago, my Technical Editor, thank you! I enjoyed your notes and insights as you reviewed the chapters in this book. It was great fun working with you.

Last but not least, team Apress. Thank you all for your help in making this second edition a reality. Mark Powers, I really enjoyed working with you. You know how to get the best out of an author, and I want to thank you for igniting the spark for me to keep researching even after this book. Steve Anglin, thank you for your patience and persistence. It took almost a decade, but it’s finally done. The rest of the folks behind the scenes that I may have not met or spoken with, thank you!

Table of Contents
Index 291
About the Author
Sheran Gunasekera

is a security researcher and software developer. He is cofounder and Director of Research for Madison Technologies, a product development company in Singapore, where he advises the in-house engineering team on both personal computer and mobile device security. He is also one of the cofounders of RedStorm, an Information Security Bug Bounty Platform. Sheran's foray into mobile security began in 2009 when he started with BlackBerry security research. Since then, he has held leadership roles in both engineering and security at several startups in Asia. He publishes his research on his blog at https://sheran.blog.

About the Technical Reviewer
Thiago Magalhaes

is a professional with more than a decade of experience in the information technology area, with wide experience in designing and operating large-scale distributed production environments. He is also a skilled DevOps engineer supporting, automating, and optimizing mission-critical deployments. A Linux lover by nature, he has a broad area of responsibility focused on security, high availability, reliability, and troubleshooting. He has hands-on experience in the administration and maintenance of application services such as DNS, OpenLDAP, Samba, Mail, HTTP, Apache Tomcat, Squid, DHCP, SMTP, FTP, IMAP, NIS, and NFS. Last but not least, he is responsible for the ongoing maintenance, growth, and development of large-scale servers running Unix. In his spare time, he loves cooking for his friends and watching Netflix.
