Android has quickly become one of the most popular mobile operating systems, not only to users but also developers companies of all kinds. Of course, because of this it's also become quite a popular platform to malicious adversaries.
Android has been around in the public domain since 2005 and has seen massive growth in capability and complexity. Mobile smart phones in general now harbor very sensitive information about their users as well as access to their e-mails, text messages, and social and professional networking services. As with any software, this rise in capability and complexity also brings about a rise in security risk; the more powerful and more complex the software becomes, the harder they are to manage and adapt to the big bad world.
This applies especially to software on mobile smart phones. These hot beds of personal and sensitive information present an interesting security context in which solve problems. From one perspective, the mobile smart phone security context is very difficult to compare to the servers on a network or in the "cloud" because, by their very nature, they are not mobile. They cannot be moved or stolen very easily; we can enforce both software and physical security measures to protect unauthorized access to them. We can also monitor them constantly and rapidly respond to the security incidents autonomously. For the devices we carry around in our pockets and handbags, and forget in taxi cabs, the playing field is quite different!
Android users and developers express a need to be constantly aware of their mobile security risks and, because of this need, mobile security and risk assessment specialists and security engineers are in high demand. This book aims to smoothen the learning curve for budding Android security assessment specialists and acts as a tool for experienced Android security professionals with which to hack away at common Android security problems.
Chapter 1, Android Development Tools, introduces us to setting up and running the tools developers use to cook up Android applications and native-level components on the Android platform. This chapter also serves as an introduction to those who are new to Android and would like to know what goes into setting up the common development environments and tools.
Chapter 2, Engaging with Application Security, introduces us to the components offered by the Android operating system, dedicated to protecting the applications. This chapter covers the manual inspection and usage of some of the security-relevant tools and services used to protect applications and their interaction with the operating system.
Chapter 3, Android Security Assessment Tools, introduces some of the popular as well as new and upcoming security tools and frameworks used by Android security specialists to gauge the technical risks that applications expose their users to. Here you will learn to set up, run, and extend the hacking and reverse engineering tools that will be used in later chapters.
Chapter 4, Exploiting Applications, covers the casing exploitation techniques that target the Android applications. The content in this chapter spans all the Android application component types and details how to examine them for security risks, both from a source code and inter-application context. It also introduces more advanced usage of the tools introduced in Chapter 3, Android Security Assessment Tools.
Chapter 5, Protecting Applications, is designed to be the complete opposite of Chapter 4, Exploiting Applications. Instead of talking purely about application flaws, this chapter talks about application fixes. It walks readers through the useful techniques that developers can use to protect the applications from some of the attacks, which are detailed in Chapter 4, Exploiting Applications.
Chapter 6, Reverse Engineering Applications, helps the readers to learn to crack open the applications and teaches them the techniques that Android reverse engineers use to examine and analyze applications. You learn about the Dex file format in great detail, as well as how to interpret Dex bytecode into useful representations that make reverse engineering easier. The chapter also covers the novel methods that reverse engineers can use to dynamically analyze applications and native components while they are running on an Android operating system.
Chapter 7, Secure Networking, helps the readers to delve into the practical methods that application developers can follow to protect data while in transit across the network. With these techniques, you will be able to add stronger validation to the Secure Sockets Layer (SSL) communications.
Chapter 8, Native Exploitation and Analysis, is dedicated to covering the security assessment and testing techniques focused on the native context of the Android platform. Readers will learn to look for security flaws that can be used to root phones and escalate privileges on the Android systems as well as perform low-level attacks against native services, including memory corruption and race condition exploitation.
Chapter 9, Encryption and Developing Device Administration Policies, is focused heavily on how to use encryption correctly and avoid some of the common anti-patterns to keep data within your application secure. It recommends several robust and timesaving third-party libraries to quickly yet securely enhance the security of your applications. To wrap up, we will cover how to use the Android Device Administration API to implement and enforce enterprise security policies.