• Table of Contents

  Page III

• + Preface

  Page VII

  • Organization of the Book

    Page VII

  • Conventions Used in This Book

    Page VIII

  • Using Code Examples

    Page IX

  • Safari® Books Online

    Page IX

  • How to Contact Us

    Page IX

  • Acknowledgments

    Page X

• + Chapter 1. Introduction

  Page 1

  • Application Security: Why You Should Care

    Page 2

  • The Current State of Mobile Application Security on Android

    Page 3

  • Security: Risk = Vulnerability + Threat + Consequences

    Page 4

  • Evolution of Information Security: Why Applications Matter the Most

    Page 7

  • Your Role: Protect the Data

    Page 8

  • Secure Software Development Techniques

    Page 9

  • Unique Characteristics of Android

    Page 10

  • Moving On

    Page 12

• + Chapter 2. Android Architecture

  Page 13

  • Introduction to the Android Architecture

    Page 14

  • The Linux Security Model

    Page 15

  • The Resulting Android Security Model

    Page 15

  • Application Signing, Attribution, and Attestation

    Page 16

  • Process Design

    Page 18

  • Android Filesystem Isolation

    Page 21

  • Android Preferences and Database Isolation

    Page 22

  • Moving up the Layers to System API and Component Permissions

    Page 24

• + Chapter 3. Application Permissions

  Page 25

  • Android Permission Basics

    Page 27

  • Using Restricted System APIs and the User Experience

    Page 29

  • Custom Permissions

    Page 32

• + Chapter 4. Component Security and Permissions

  Page 37

  • The Types of Android Components

    Page 37

  • Intercomponent Signaling Using Intents

    Page 38

  • Public and Private Components

    Page 41

  • + Imposing Restrictions on Access to Components

    Page 42

    • Securing Activities

      Page 42

    • Securing Services

      Page 42

    • Securing Content Providers

      Page 44

    • Securing Broadcast Intents

      Page 49

  • Putting It All Together: Securing Communications in a Multi-Tier App

    Page 51

• + Chapter 5. Protecting Stored Data

  Page 53

  • + The Threats and Vulnerabilities Against Stored Data

    Page 53

    • Vulnerabilities of Stored Data

      Page 53

    • Threats to, and Mitigations for, Stored Data

      Page 54

  • Protection Principles

    Page 55

  • + Cryptography Primer: Encryption

    Page 56

    • Symmetric Encryption

      Page 56

    • Asymmetric Key Encryption

      Page 57

  • Cryptography Primer: Hashing

    Page 58

  • + Cryptographic Practicalities

    Page 60

    • Computational Infeasibility

      Page 60

    • Algorithm Choice and Key Size

      Page 61

    • Cipher Operation Modes, Initialization Vectors, and Salt

      Page 61

    • Public Keys and Their Management

      Page 62

  • + Key Derivation and Management

    Page 63

    • Motivation

      Page 64

    • Key Derivation

      Page 64

    • Encryption Without User-Supplied Key Derivation

      Page 67

  • Practical Cryptography: Applying a Technique Against a Threat

    Page 68

• + Chapter 6. Securing Server Interactions

  Page 73

  • Confidentiality and Authentication

    Page 73

  • + SSL/TLS: The Industry Standard

    Page 74

    • Authentication of the Entities

      Page 74

    • Encryption of Data

      Page 76

  • + Protecting Data En Route to Public Services

    Page 76

    • Introducing the Android SSL/TLS Environment

      Page 77

    • Server Verification

      Page 78

    • Handling SSL/TLS Connection Errors

      Page 80

  • + Protecting Data En Route to Private Services

    Page 81

    • Using Only Specific Certificates for SSL/TLS

      Page 81

    • One Step Further: Using Client-Side Authentication SSL/TLS

      Page 85

  • Threats Against Devices Using Data in Transit

    Page 87

  • + Input Validation: The Central Tenant of Application Security

    Page 90

    • Reject-Known-Bad

      Page 90

    • Accept-Known-Good

      Page 90

    • Wrapping It Up: Input Validation

      Page 91

  • Preventing Command Injection

    Page 91

• + Chapter 7. Summary

  Page 95

  • + Key Themes

    Page 95

    • It’s All About Risk

      Page 95

    • The Principle of Least Privilege

      Page 96

    • Use the Permissions System

      Page 96

    • Android Is an Open Architecture

      Page 96

    • Get the Cryptography Right

      Page 96

    • Never Trust User Input

      Page 97

  • Wrapping It Up

    Page 97

With the Android platform fast becoming a target of malicious hackers, application security is crucial. This concise book provides the knowledge you need to design and implement robust, rugged, and secure apps for any Android device. You'll learn how to identify and manage the risks inherent in your design, and work to minimize a hacker's opportunity to compromise your app and steal user data.

How is the Android platform structured to handle security? What services and tools are available to help you protect data? Up until now, no single resource has provided this vital information. With this guide, you'll learn how to address real threats to your app, whether or not you have previous experience with security issues.

• Examine Android's architecture and security model, and how it isolates the filesystem and database

• Learn how to use Android permissions and restricted system APIs

• Explore Android component types, and learn how to secure communications in a multi-tier app

• Use cryptographic tools to protect data stored on an Android device

• Secure the data transmitted from the device to other parties, including the servers that interact with your app