Training Catalog‎ > ‎

2-Day Advanced Android Secure Application Development

Advanced Android Secure Application Development

Length: 2 Days

Type: Hands-On

Target Audience: Mobile Developers, Security Personnels with Java experience.

In this hands-on course, you will learn how to secure your Android Applications, as well as how the Android Platform handles security from the inside-out. You will learn to harden both the Operating System (for device builders), and the application code itself, to protect the organization’s Intellectual Property and the user’s data.

Note: The course is based on the Marshmallow version. Earlier versions can be targeted without additional cost, upon customer request.

Course Outline:

  • Android Overview - Bottom up discussion

    • Hardware overview: What makes an Android device.

    • Linux Kernel boot process and provided functionalities

    • Native User Space: Init services, daemons, executables and libraries

    • Enabling Java (Dalvik + ART)

    • JNI bridge layer

    • Java OS Layer (Android Frameworks)

    • Application (APK) Structure

    • System Applications

    • User Applications

    • Google Play Services

    • Android IPC terminology by example: Browser, Maps.

    • Introduction to working with the AOSP: How and where to find what.

  • Android Platform Security

    • Linux driven security sandbox

    • OS and binary protection and exploitation: ASLR, PIE, DEP, RoP et. al.

    • Android hardware related permission enforcement

    • SELinux on Android

    • Data partition forensics protection via Internal and external storage encryption

    • Secure Boot

    • Android Signature model and verification:

      • Platform keys and platform app signing. Google, OEM’s and integrators.

      • Third party (and play store) application signing.

    • Android application sandbox: Single and multi physical user.

    • Android Permissions:

      • Pre-Marshmallow (API Level < 23)

      • Post-Marshmallow: User policies, user responsibilities, application developer responsibilities, dynamic permission checking and revocation.

      • Defining custom permissions, restricting Application components (Activity, Service, Content Provider, Broadcast Receiver)

    • Android Security Patches

  • Security terminology and real-life attacks, “breaking Android”:

    • Glossary attack vectors, attack surfaces, vulnerabilities and exploits.

    • Privilege escalation attacks - theory and practice

    • Dynamic code loading attacks and mitigation

      • Native code

      • Java code via DexLoader

      • Live (on device) code scanning techniques using the PackageManager

    • Binary exploitation and device rooting

    • Remote exploitation and DoS attacks

    • Signature based attacks

    • SE Linux discussion

    • On device Anti-Virus and Anti-Malware building techniques

  • Android Application Secure Coding I: Code and app behavior

    • Reverse Engineering and Data extraction demo: Motivation.

    • Code protection techniques: Obfuscation, stripping, encryption, anti-tampering techniques. Native code techniques with NDK, gcc, and clang.

    • SQL Injection and protection from it.

    • Manifest level component access control

    • SELinux and Middleware MAC

    • IPC level runtime component access control

    • Webview and Javascript protection/restriction best practices for hybrid apps

    • Protecting from other applications, protecting from user judgement

    • Dynamic loading attack prevention (DEX, .so and .js)

    • Dynamic permission control best practices

    • Introduction to Android cryptography: BouncyCastle, BoringSSL

    • Protecting WebView code

    • Security Provider live-patching using ProviderInstaller

    • Applying Android lint tool, and other commercial static analysis tools

  • Android Application Secure Coding II: Securing User and Application data.

    • Android Storage layout - what’s open and what’s not.

    • SQLite inspection and protection with CQLCipher

    • Introduction to applied cryptography

      • Cryptography goals: Authentication, Integrity, Encryption.

      • Symmetric and Asymmetric cipher suites

      • Key generation techniques and trade-offs

      • Software vs. Hardware based techniques.

    • Android Applied cryptography

      • Protection models (Encryption vs. Authentication)

      • Software based protection via software based cryptography

      • Hardware based protection via the keystore

      • Hardware based authentication via Fingerprint API

      • Timed authentication via gatekeeper

      • Data encryption - protection and optimization.   

  • Android Application Secure Coding III: Secure Network Communications

    • Network privacy dangers: Packet sniffers and interceptors. MITM attacks.

    • Certificate Authority (CA) Chain of trust: A solution and the introduced problems

    • Secure communication with TLS/SSL

    • Encrypted network privacy dangers: Sniffers and interceptors. MITM attacks.

    • CA management in Android: Platform and application management

    • Custom TrustManager’s and Certificate pinning

    • IP layer security, introducing VPN API.

  • Android For Work

    • Introduction to Device Administration API

    • Introduction to Android For Work - where to find what.