Security has been getting a lot more attention recently, due to high-profile
attacks that have garnered lots of news coverage. Mobile security is no
different, as app developers have to take into account how to secure
their apps — and, by extension, their users and those users’ data —
from attackers bent on absconding with, or damaging, data.
During this one-day seminar, we will explore the following:
Overview of Android Security
- What are the various layers of the Android security model that affect developers?
- How does Android use the Linux process model to help secure our apps?
- What impacts does this model have on our ability to work with local files?
- What is going on with removable media on Android, anyway?
Android’s Permission System
- What is Android’s permission system?
- How do we declare our wish to hold certain permissions?
- How do we know if we hold those permissions?
- How do we ask the user to kindly consider granting us those permissions?
- How do we define custom permissions, and what are the problems with doing so?
- What are some things that are secure, but do not use the standard permission system?
App-Level Data Encryption
- Why might we want to encrypt our local data?
- What is SQLCipher for Android?
- How can we use SQLCipher for Android as an encrypted replacement for standard SQLite?
- How can we encrypt other sorts of files?
- What about Facebook’s Conceal library?
- Where do we get our encryption passphrase from?
- What is Android’s keystore, and how can we use it to help with encrypting user data?
- How can we use two-factor authentication, such as fingerprints, to tie into our encryption process?
Defending App APIs and UIs
- What are our app’s APIs?
- When are components exported, and when are they not exported?
- How do I secure my components with permissions?
- How do I grant temporary access to my
ContentProvider, while normally keeping it secured?
- How can my components — or the components that my app talks to — be spoofed?
- How can I check signatures of apps to determine if the partner app is what I think it is?
- What was the tapjacking attack, and what is the activityjack attack?
- What is the camera peeking attack?
- How do I defend against screenshots?
- How do I “defend” against
- How can I use SSL on Android?
- Why might I want to use a self-signed certificate, and how can I use one on Android?
- What is “pinning” with regards to SSL, and how can I employ it in Android?
- What is “memorization” with regards to SSL, and how can I employ it in Android?
- How can I deal with revoked SSL certificates, as we encountered with Heartbleed?
Device Administration and Full-Disk Encryption
- What is device administration?
- How do I make my app be a device administrator?
- What can I do given that I am a device administrator?
- What is the “device owner” stuff that got added to Android 5.0?
- What is the story around full-disk encryption on Android?
- Can Android’s full-disk encryption be defeated?