ebook img

Android Apps Security PDF

236 Pages·2012·6.52 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Android Apps Security

Create apps that are safe from hacking, attacks, and security breaches Android Apps Security Sheran A. Gunasekera www.it-ebooks.info For your convenience Apress has placed some of the front matter material after the index. Please use the Bookmarks and Contents at a Glance links to access them. www.it-ebooks.info Contents at a Glance About the Author ���������������������������������������������������������������������������������������������������������xiii About the Technical Reviewer ��������������������������������������������������������������������������������������xv Acknowledgments ������������������������������������������������������������������������������������������������������xvii ■ Chapter 1: Android Architecture ����������������������������������������������������������������������������������1 ■ Chapter 2: Information: The Foundation of an App ����������������������������������������������������13 ■ Chapter 3: Android Security Architecture �����������������������������������������������������������������31 ■ Chapter 4: Concepts in Action – Part 1 ����������������������������������������������������������������������47 ■ Chapter 5: Data Storage and Cryptography ���������������������������������������������������������������55 ■ Chapter 6: Talking to Web Apps ���������������������������������������������������������������������������������87 ■ Chapter 7: Security in the Enterprise ����������������������������������������������������������������������121 ■ Chapter 8: Concepts in Action: Part 2 ����������������������������������������������������������������������137 ■ Chapter 9: Publishing and Selling Your Apps ����������������������������������������������������������163 ■ Chapter 10: Malware and Spyware �������������������������������������������������������������������������203 Appendix A: Android Permission Constants ���������������������������������������������������������������213 Index ���������������������������������������������������������������������������������������������������������������������������223 v www.it-ebooks.info 1 Chapter Android Architecture Google entered the mobile phone market in a style that only multibillion-dollar companies can afford: it bought a company. In 2005, Google, Inc. purchased Android, Inc. At the time, Android was relatively unknown, despite having four very successful people as its creators. Founded by Andy Rubin, Rich Miner, Chris White, and Nick Sears in 2003, Android flew under the radar, developing an operating system for mobile phones. With a quest to develop a smarter mobile phone that was more aware of its owner’s preferences, the team behind the Android operating system toiled away in secrecy. Admitting only that they were developing software for mobile phones, the team remained quiet about the true nature of the Android operating system until the acquisition in 2005. With the full might of Google’s resources behind it, Android development increased at a rapid pace. By the second quarter of 2011, Android had already captured nearly a 50% market share in mobile phone operating systems shipped to end users. The four founders stayed on after the acquisition, with Rubin taking the lead as Senior Vice President of Mobile. The official launch of version 1.0 of Android took place on September 23, 2008, and the first device to run it was the HTC Dream (see Figure 1-1). 1 www.it-ebooks.info 2 CHAPTER 1: Android Architecture Figure 1-1. An HTC Dream (Courtesy Michael Oryl) One of the unique features of the Android operating system that has allowed it to grow rapidly has been that the binaries and source code are released as open source software. You can download the entire source code of the Android operating system, and it takes up approximately 2.6 GB of disk space. In theory, this allows anyone to design and build a phone that runs Android. The idea of keeping the software open source was followed until version 3.0. Versions of Android including and higher than 3.0 are still closed source. In an interview given to Bloomberg Businessweek, Rubin said that the version 3.x code base took many shortcuts to ensure it was released to market quickly and worked with very specific hardware. If other hardware vendors adopted this version of Android, then the chances for a negative user experience would be a possibility, and Google wished to avoid this.1 Components of the Android Architecture The Android architecture is divided into the following four main components (see Figure 1-2): 1. The kernel 2. The libraries and Dalvik virtual machine 3. The application framework 4. The applications 1 Bloomberg Businessweek, “Google Holds Honeycomb Tight,” Ashlee Vance and Brad Stone, www.businessweek.com/technology/content/mar2011/tc20110324_269784.htm, March 24, 2011. www.it-ebooks.info CHAPTER 1: Android Architecture 3 Application App0 App1 App2 App3 App4 Layer Activity Window Content View Notification Manager Manager Providers System Manager Frameworks Layer Package Resource XMPP Manager Manager Service Surface Media SQLite Manager Framework Core Libraries Runtime OpenGL/ES FreeType WebKit Layer Dalvik Virtual Machine (DVM) SGL SSL libc Display Mouse Ethernet Flash Memory Binder (IPC) Driver Driver Driver Driver Driver Kernel Layer USB Keyboard WiFi Audio Power Driver Driver Driver Drivers Management Hardware C, C++, Native Code Java = Linux Kernel = Android Frameworks = Libraries = Applications = Android Runtime Figure 1-2. The Android architecture The Kernel Android runs on top of a Linux 2.6 kernel. The kernel is the first layer of software that interacts with the device hardware. Similar to a desktop computer running Linux, the Android kernel will take care of power and memory management, device drivers, process management, networking, and security. The Android kernel is available at http://android.git.kernel.org/. Modifying and building a new kernel is not something you will want to consider as an application developer. Generally, only hardware or device manufacturers will want to modify the kernel to ensure that the operating system works with their particular type of hardware. www.it-ebooks.info 4 CHAPTER 1: Android Architecture The Libraries The libraries component also shares its space with the runtime component. The libraries component acts as a translation layer between the kernel and the application framework. The libraries are written in C/C++ but are exposed to developers through a Java API. Developers can use the Java application framework to access the underlying core C/C++ libraries. Some of the core libraries include the following:  LibWebCore: Allows access to the web browser.  Media libraries: Allows access to popular audio- and video-recording and playback functions.  Graphics libraries: Allows access to 2D and 3D graphics drawing engines. The runtime component consists of the Dalvik virtual machine that will interact with and run applications. The virtual machine is an important part of the Android operating system and executes system and third-party applications. The Dalvik Virtual Machine Dan Bornstein originally wrote the Dalvik virtual machine. He named it after a small fishing village in Iceland where he believed one of his ancestors once originated. The Dalvik VM was written primarily to allow application execution on devices with very limited resources. Typically, mobile phones will fall into this category because they are limited by processing power, the amount of memory available, and a short battery life. WhAt is A VirtuAl MAchine? A virtual machine is an isolated, guest operating system running within another host operating system. A virtual machine will execute applications as if they were running on a physical machine. One of the main advantages of a virtual machine is portability. Regardless of the underlying hardware, the code that you write will work on the VM. To you as a developer, this means that you write your code only once and can execute it on any hardware platform that runs a compatible VM. The Dalvik VM executes .dex files. A .dex file is made by taking the compiled Java .class or .jar files and consolidating all the constants and data within each .class file into a shared constant pool (see Figure 1-3). The dx tool, included in the Android SDK, performs this conversion. After conversion, .dex files have a significantly smaller file size, as shown in Table 1-1. www.it-ebooks.info CHAPTER 1: Android Architecture 5 .jar file .class file heterogeneous .dex file constant pool string_ids constant pool other data type_ids constant pool .class file proto_ids heterogeneous constant pool constant pool field_ids constant pool method_ids other data constant pool .class file heterogeneous other data constant pool other data Figure 1-3. Conversion of a .jar file to a .dex file Table 1-1. A File Size Comparison (in Bytes) of .jar and .dex Files Application Uncompressed .jar Compressed .jar Uncompressed .dex Common system 21445320 = 100% 10662048 = 50% 10311972 = 48% libraries Web browser app 470312 = 100% 232065 = 49% 209248 = 44% Alarm clock app 119200 = 100% 61658 = 52% 53020 = 44% The Application Framework The application framework is one of the building blocks for the final system or end-user applications. The framework provides a suite of services or systems that a developer will find useful when writing applications. Commonly referred to as the API (application programming interface) component, this framework will provide a developer with access to user interface components such as buttons and text boxes, common content providers so that apps may share data between them, a notification manager so that device owners can be alerted of events, and an activity manager for managing the lifecycle of applications. As a developer, you will write code and use the APIs in the Java programming language. Listing 1-1, taken from Google’s sample API demos (http://developer.android.com/resources/samples/ ApiDemos/index.html), demonstrates how to use the application framework to play a video file. The import statements in bold allow access to the core C/C++ libraries through a Java API. www.it-ebooks.info 6 CHAPTER 1: Android Architecture Listing 1-1. A Video Player Demo (Courtesy Google, Inc.) /* * Copyright (C) 2009 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.example.android.apis.media; import com.example.android.apis.R; import android.app.Activity; import android.os.Bundle; import android.widget.MediaController; import android.widget.Toast; import android.widget.VideoView; public class VideoViewDemo extends Activity { /** * TODO: Set the path variable to a streaming video URL or a local media * file path. */ private String path = ""; private VideoView mVideoView; @Override public void onCreate(Bundle icicle) { super.onCreate(icicle); setContentView(R.layout.videoview); mVideoView = (VideoView) findViewById(R.id.surface_view); if (path == "") { // Tell the user to provide a media file URL/path. Toast.makeText( VideoViewDemo.this, "Please edit VideoViewDemo Activity, and set path" + " variable to your media file URL/path", Toast.LENGTH_LONG).show(); } else { www.it-ebooks.info CHAPTER 1: Android Architecture 7 /* * Alternatively,for streaming media you can use * mVideoView.setVideoURI(Uri.parse(URLstring)); */ mVideoView.setVideoPath(path); mVideoView.setMediaController(new MediaController(this)); mVideoView.requestFocus(); } } } The Applications The application component of the Android operating system is the closest to the end user. This is where the Contacts, Phone, Messaging, and Angry Birds apps live. As a developer, your finished product will execute in this space by using the API libraries and the Dalvik VM. In this book, we will extensively look at this component of the Android operating system. Even though every component of the Android operating system can be modified, you will only have direct control over your own application’s security. This does not, however, give you free rein to ignore what happens if the device is compromised with a kernel or VM exploit. Ensuring your application does not fall victim to an attack because of an unrelated exploit is also your responsibility. What This Book Is About Now that you’ve got an overall understanding of the Android architecture, let’s turn to what you will not learn in this book. First, you are not going to learn how to develop Android apps from scratch in this book. You will see many examples and source code listings; and while I will explain each section of code, you might have additional questions that you might not find answered in this book. You are required to have a certain degree of experience and skill at writing Java applications for the Android platform. I also assume that you have already setup your Android development environment using the Eclipse IDE. In this book, I will focus on how you can develop more secure applications for the Android operating system. Android has had its fair share of security setbacks and a burgeoning list of malware that is worth examining and learning from. Armed with where to look and how to tackle security aspects of developing for Android will not necessarily make you a better coder, but it will start you on your way to becoming more responsible with your end users’ privacy and security. I’ve tried to write this book in a manner that will help you understand the concepts of security in relation to the applications you develop. In most cases, the best way I find I can achieve this is by teaching through example. Therefore, you will usually find me asking you to write and execute source code listings first. I will then follow up with an explanation of the specific concept that we are covering. With this in mind, let’s take a look at some of the security controls available on the Android operating system. www.it-ebooks.info

Description:
Android Apps. Security. Sheran A. Gunasekera. Create apps that are safe from hacking, attacks, and security breaches www.it-ebooks.info .. certificate is not required, and Android will happily run any application that has been signed with a self-signed Oracle, Microsoft SQL Server, or MySQL.
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.