Android Application Security


10 Dec 2013 (3 years and 8 months ago)


SkillBridge, LLC 240 Bear Hill Road, Suite 206 Waltham, MA 02451
Phone 781.466.6615 - Fax 781.466.6621
www.skillbridgetraining.com




Course Duration:
3 Days

Course Overview:
Mobile devices come with a set of threats that are different from desktops
and servers. They also have some threats in common. Android from Google has a security
model that offers benefits in this new threat environment. However, to use it, developers and
designers must understand the threats and mitigations provided.

Android also has certain weaknesses that must be understood. This class covers the
threats, security models, benefits, and drawbacks of the Android mobile environment.

Students can expect to leave with the skills required to develop more secure applications.

Course Objectives:

Students attending this class will learn:
• Mobile device threat environment
• Common secure coding errors
• Design issues for secure mobile applications
• Android security models
• Input validation issues for mobile applications
• How to do good input validation
• How to store data securely
• Communicating confidentially and with integrity
• Authentication of users, servers, and applications
• Access control models and using least privilege
• Error handling and security
• Timing, thread, and TOCTTOU race conditions
• Resource management
• Issues associated with the Java environment
• Security testing

Intended Audience:
Students attending this class should be developers with skills in Java
who have already produced at least simple applications for Android. This class is also
appropriate for application designers with a development background.




COURSE OUTLINE

Introduction
Class Introductions
Class Logistics
Class schedule
Breaks
Question policy
Break room and restroom locations
Assumptions about your background
Typographic conventions
What the class covers

Mobile application security
Introduction
Security in all of SDLC
Mobile devices are not desktop computers
Attack surface
Threats against mobile devices
Locations for vulnerabilities
The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors list
Confidentiality, Integrity, and Availability
Fundamental security principles
Defense in depth
Compartmentalization
Least privilege
Separation of privilege
Fail securely
Secure by default
Security myth: security and usability are inversely related
Summary
Lab

Security model
Introduction
System architecture
OS security
standard Linux user-based
one user per app
Permissions granted to an application
Sharing data (content providers)
Application signing
URI permissions
Remote device administration
e.g., remote wipe
Securely loading applications
Pre-Loaded
Application Store
Over The Air (OTA)
Side-Loading
Summary
Lab

Input Validation
Introduction
Examples of input validation
Input validation basics
Length
Syntax
Type
Business rules
White lists
Canonicalization
Input validation frameworks
Summary
Lab

SQL injection
Introduction
Why mobile devices need to worry about SQL injection
SQLite SQL injection attacks
Mitigating the threat
Summary
Lab

Storage
Introduction
confidentiality, integrity
cryptographic limits
Where data might be stored
Preferences
Internal Storage
Things to be shared (e.g., music, pictures) vs private data
External Storage (e.g., microSD)
VFAT limits
SQLite Databases
In the (your) cloud
Permissions for stored data
Sharing data
Backups for critical data
In the cloud
External storage
Libraries for assisting secure storage
javax.crypto, java.security libraries
Erasing data
Summary
Lab



Communication
Introduction
Confidentiality, integrity
Authentication
Cryptographic limits
TLS
SocketFactory, SSLSocketFactory, javax.net.ssl, ManagedClientConnection
IPC
Intents
Content providers
Summary
Lab

Authentication
Introduction
Cryptographic authentication basics
Cryptographic limits
Of user
Android: Pattern
Kerberos?
Of remote server
TLS, X.509 certs
Of application
digital signature
Code examples
Summary
Lab

Access control
Introduction
Access control models for Android
User IDs, File permissions, users, process permissions, sandbox
Least privilege
PrivilegedAction
Separation of privilege
Summary
Lab

Error handling
Introduction
Why log
Logging options
Producing secure logs
confidentiality, integrity
no attacking log consumers
java.util.logging, LogManager, ConsoleHandler
Summary
Lab



Race conditions
Introduction
Timing race conditions
Thread race conditions
Synchronization
Object.wait() etc
java.util.concurrent package
TOCTTOU race conditions
filesystem
database
cloud
Summary
Lab

Resource management
Introduction
The forgotten A in CIA
What are resources?
Resource management in Android
The activity lifecycle and resources
Summary
Lab

Java issues
Introduction
Buffer overflows in the system, JVM
java.security
what it provides
limitations
Summary
Lab

Testing
Introduction
Static analysis
Dynamic analysis
Fuzz testing
Code reviews for security
Summary
Lab



Appendices
Cryptography Fundamentals
Introduction
Cryptographic Applications
Open design
Limits of Cryptography
Cryptographic Primitives
Cryptographic Hash Functions
Symmetric key encryption
Public key encryption
Digital signatures
Random Numbers
Parameter sizes
Insecure Cryptography
Do Not Innovate in Cryptography!
Summary
Lab

Using cryptography to enhance security
Introduction
SSL versus TLS
Consequences of cryptographic problems
Example problems
Developing custom cryptography
Key management problems
Poor random number quality
Leaking sensitive information
Improper use of public key cryptography
Weak cryptographic algorithms
Implementation issues
Example problems and cryptographic solutions
Other hints
Testing
Summary
Lab