3+ Hours of Video Instruction
Android applications make use of advanced hardware and software,
as well as local and server data, exposed through the platform to
bring innovation and value to consumers. To protect that value, the
platform must offer an application environment that ensures the
security of users, data, applications, the device, and the network.
Securing an open platform requires a robust security architecture
and rigorous security programs, as well as developers who are aware
of the security issues that may come up.
Android Security Essentials LiveLessons alerts developers to
the security issues that can arise when using the Android platform
and guides them through solutions. Godfrey Nolan covers best
practices for Android security by examining common security
scenarios. Each lesson begins by presenting the concept behind the
security problem at hand, with snippets of code introduced as the
problem is explored. This is then followed by examination of code
or demonstration of tools showing you how to implement the concepts
presented.
The source code repository for this LiveLesson can be found at
https://github.com/godfreynolan/LiveLessons.
Godfrey Nolan is founder and president of RIIS, a mobile
development firm in the Detroit metro area. Godfrey has spoken at
AnDevCon, JavaOne, ASP-Connections, VSLive, CodeMash, Code PaLOUsa,
1DevDay, and many local Java and .NET user groups on a wide range
of topics, including continuous integration, executable
requirements and mobile security.
Skill Level
What You Will Learn
- How to write secure Android apps using the OWASP top 10 as a
guideline
- How to audit your own Android app
Who Should Take This Course
- Android developers
- Security professionals
- Android project managers
- CIOs
Course Requirements
Lesson 1: Android Security Basics
This lesson explains the problems with Android from a security
perspective. We dive right in and show how to reverse engineer an
Android APK to view its source, as well as how to back up an APK's
data to see what runtime customer information is exposed. The lesson
also introduces the OWASP Mobile Top 10 risks from the Open Web
Application Security Project, which we cover in detail in each
lesson.
Lesson 2: Dealing with Insecure Data
Lesson 2 walks you through where runtime data is stored on the
Android device, how to use Android file permissions to securely
write data to an SD card, and how to write securely to a SQLite
database.
Lesson 3: Weak Server Side Controls
This lesson deals with securing data stored on backend web servers
or in the cloud. You learn the implications of using remote servers
for storing application data, as well as how to secure that data.
Lesson 4: Insufficient Transport Layer Protection
This lesson builds on what we learned in Lesson 3. You learn how
to perform a man-in-the-middle attack to see how insecure data is
transmitted and how SSL can secure the traffic.
Lesson 5: Client Side Injection
Many Android apps are not 100% native and contain one or more
HTML pages as webviews. Learn how to secure these hybrid apps by
understanding how cross-site scripting and SQL injection are used
to attack your web server.
Lesson 6: Poor Authorization
This lesson explains the options for logging in to an Android app,
how they can be compromised, and best practices for user
authorization.
Lesson 7: Improper Session Handling
Building on Lesson 6, this lesson explains why mobile sessions
are different from web sessions. Learn how to implement mobile
sessions securely as well as use OAuth to log in to social media
websites.
Lesson 8: Security Decisions via Untrusted Inputs
Learn how the Android framework manages communication between
Android apps and how that can be exploited. Understand the
principle of minimum Android manifest permissions and what
permissions should be avoided.
Lesson 9: Side Channel Data Leakage
Android apps, probably more than those on any other mobile platform,
have a tendency to leak information in log files. In the past,
third-party libraries from advertising companies have also collected
more customer information than they needed. In this lesson you learn
how to remove all logging from your production app and how to use
proxy servers and decompilers to know exactly what your third-party
libraries are collecting.
Lesson 10: Broken Cryptography
Learn what types of symmetric and asymmetric encryption can be used
in Android apps, why it's not a good idea to store the keys in the
code or on the device, how to store the key using the NDK, and
encryption best practices using asymmetric techniques.
Lesson 11: Sensitive Information Disclosure
While Lesson 2 looked at the runtime information that may or may
not be exposed, Lesson 11 looks at how developers expose information
hard-coded in the compiled application, such as encryption keys, and
how this can in turn expose more customer information.
Lesson 12: Conclusion
In the final lesson we review the OWASP top 10 and use a tool
from OWASP called GoatDroid that will help you get a better
understanding of how to write more secure Android code.
LiveLessons Video Training series publishes hundreds of
hands-on, expert-led video tutorials covering a wide selection of
technology topics designed to teach you the skills you need to
succeed. This professional and personal technology video series
features world-leading author instructors published by your trusted
technology brands: Addison-Wesley, Cisco Press, IBM Press, Pearson
IT Certification, Prentice Hall, Sams, and Que. Topics include: IT
Certification, Programming, Web Development, Mobile Development,
Home & Office Technologies, Business & Management, and
more. View all LiveLessons on InformIT at
http://www.informit.com/imprint/series_detail.aspx?ser=2185116