Synopses & Reviews
Battle-Tested Best Practices for Securing Android Apps throughout the Development Lifecycle
Android’s immense popularity has made it today’s #1 target for attack: high-profile victims include eHarmony, Facebook, and Delta Airlines, just to name a few. Today, every Android app needs to resist aggressive attacks and protect data, and in Bulletproof Android™, Godfrey Nolan shows you how.
Unlike “black hat/gray hat” books, which focus on breaking code, this guide brings together complete best practices for hardening code throughout the entire development lifecycle. Using detailed examples from hundreds of apps he has personally audited, Nolan identifies common “anti-patterns” that expose apps to attack, and then demonstrates more secure solutions.
Nolan covers authentication, networking, databases, server attacks, libraries, hardware, and more. He illuminates each technique with code examples, offering expert advice on implementation and trade-offs. Each topic is supported with a complete sample app, which demonstrates real security problems and solutions.
Learn how to
- Apply core practices for securing the platform
- Protect code, algorithms, and business rules from reverse engineering
- Eliminate hardcoding of keys, APIs, and other static data
- Eradicate extraneous data from production APKs
- Overcome the unique challenges of mobile authentication and login
- Transmit information securely using SSL
- Prevent man-in-the-middle attacks
- Safely store data in SQLite databases
- Prevent attacks against web servers and services
- Avoid side-channel data leakage through third-party libraries
- Secure APKs running on diverse devices and Android versions
- Achieve HIPAA or FIPS compliance
- Harden devices with encryption, SELinux, Knox, and MDM
- Preview emerging attacks and countermeasures
This guide is a perfect complement to Nolan’s Android™ Security Essentials LiveLessons (video training; ISBN-13: 978-0-13-382904-4) and reflects new risks that have been identified since the LiveLessons were released.
Synopsis
In Bulletproof Android, Godfrey Nolan brings together comprehensive, up-to-date best practices for writing apps that resist attack and won't leak information: yours or your users'. Unlike other Android security books focused on "breaking" code, Bulletproof Android focuses on strengthening code security throughout your entire development lifecycle. Nolan thoroughly addresses crucial issues including:
- Protecting code that communicates with back-end web servers
- Safeguarding Android databases, including SQLite and SQLCipher
- Resisting web service attacks via XSS, SQL injection, and other means
- Using webviews securely
- Enabling secure user login and information transmission
- Protecting code and business rules from reverse engineering
- Safely integrating third-party libraries
- Taking advantage of encryption, SELinux, Knox, and Mobile Device Management
- Futureproofing code: DVM, ART, and beyond
- And much more
Each tactic and technique is presented with working code examples and practical advice -- including expert insights into pros, cons, and tradeoffs. All source code is available for download, and each subsection is supported with a complete sample app that demonstrates security problems and how to solve them.
About the Author
Godfrey Nolan is the founder and president of the mobile and web development company RIIS LLC based in Troy, Michigan, and Belfast, Northern Ireland. This is his fourth book. He has had a healthy obsession with reverse engineering bytecode since he wrote "Decompile Once, Run Anywhere," which first appeared in Web Techniques magazine way back in September 1997. Godfrey is originally from Dublin, Ireland.
Table of Contents
Preface xiii
Acknowledgments xxi
About the Author xxiii
Chapter 1: Android Security Issues 1
Why Android? 1
Guidelines 7
Securing the Device 17
Conclusion 18
Chapter 2: Protecting Your Code 19
Looking into the classes.dex File 19
Obfuscation Best Practices 24
Smali 39
Hiding Business Rules in the NDK 48
Conclusion 49
Chapter 3: Authentication 51
Secure Logins 51
Understanding Best Practices for User Authentication and Account Validation 54
Application Licensing with LVL 65
OAuth 77
User Behavior 84
Conclusion 86
Chapter 4: Network Communication 87
HTTP(S) Connection 88
Symmetric Keys 92
Asymmetric Keys 94
Ineffective SSL 99
Conclusion 107
Chapter 5: Android Databases 109
Android Database Security Issues 109
SQLite 110
SQLCipher 116
Hiding the Key 120
SQL Injection 127
Conclusion 129
Chapter 6: Web Server Attacks 131
Web Services 131
Cross Platform 135
WebView Attacks 140
Cloud 146
Conclusion 150
Chapter 7: Third-Party Library Integration 151
Transferring the Risk 152
Permissions 152
Installing Third-Party Apps 154
Trust but Verify 160
Conclusion 165
Chapter 8: Device Security 167
Wiping Your Device 168
Fragmentation 168
Device Encryption 172
SEAndroid 174
FIPS 140-2 176
Mobile Device Management 177
Conclusion 178
Chapter 9: The Future 179
More Sophisticated Attacks 179
Internet of Things 186
Audits and Compliance 188
Tools 190
Conclusion 194
Index 195