Android Application Security Essentials

Write secure Android applications using the most up-to-date techniques and concepts

Pragati Ogal Rai

BIRMINGHAM - MUMBAI

Copyright © 2013 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: August 2013
Production Reference: 1140813

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-84951-560-3

www.packtpub.com

Cover Image by Karl Moore ([email protected])

Credits

Author: Pragati Ogal Rai
Reviewer: Alessandro Parisi
Acquisition Editor: Martin Bell
Lead Technical Editor: Madhuja Chaudhari
Technical Editors: Sampreshita Maheshwari, Larissa Pinto
Project Coordinator: Hardik Patel
Proofreader: Maria Gould
Indexer: Priya Subramani
Graphics: Abhinash Sahu, Ronak Druv
Production Coordinator: Prachali Bhiwandkar
Cover Work: Prachali Bhiwandkar

Foreword

When I first began working at GO Corporation in the early 1990s, the state of the art in mobile computing was an 8-lb, clipboard-sized device with minimal battery life and an optional 9600 baud modem.
But the vision that drove that device could just as easily be applied to the newest Android and iOS devices released this year: the desire for an integrated, task-centric computing platform with seamless connectivity. Back then, we thought that the height of that vision would be the ability to "send someone a fax from the beach."

By the time I helped AOL deliver AIM, its instant messaging client, as one of the launch titles for Apple's iPhone App Store in 2008, that vision was already on its way to becoming a reality. But even at that time, just a few years ago, we couldn't have predicted what a tremendous effect these devices and the app ecosystem they spawned would have on our day-to-day lives.

Today, mobile devices are everywhere. They entertain us, they help us pass the time; and of course, they help us keep in touch (though perhaps not so much through fax). The Android operating system by Google is one of the driving forces behind this revolution, having been adopted by hundreds of device vendors and installed on nearly a billion devices worldwide.

But as these mobile devices pervade every corner of our lives, keeping them—and their users—secure becomes critical. That's why this book is so important.

Viruses, Trojan horses, and malware may still be more prevalent on desktop platforms than they are on mobile. But the growth of the mobile market has meant a sharp rise in malicious software; anti-virus maker Kaspersky reports thousands of new programs detected each month. And today's smartphones and tablets represent an irresistible honey pot to the would-be attacker. Personal information, financial data, passwords, and social graphs, even up-to-the-moment location data—everything that makes these devices so valuable to consumers is also what makes them such an attractive target to pranksters and data thieves.

As developers, it's our responsibility to be good stewards of the information our users have entrusted to us.
And the open and integrated nature of the Android operating system means it's much more important that each of us do our part to secure our applications and services. Security can't be just a checkbox or an afterthought; it needs to be part of the design, and woven throughout the implementation of your application.

I know Pragati Rai understands this intimately, having worked on this problem from both the perspective of the OS and the application developer. That's why she's so well positioned to write this book. She is able to look at the entirety of the Android ecosystem, from device to kernel to application, and present clear and actionable steps developers can take to secure their applications and data, along with source code that illustrates their use and methodologies to test their effectiveness. Moreover, she goes beyond the bits and bytes to explore security policy and best practices that can balance a developer's desire to use personal information with the user's desire to protect it.

The convergence of powerful mobile devices, ubiquitous social media, and the ability to transmit, store, and consume vast quantities of data has raised the stakes for everyone when it comes to mobile security. But security is like the air we breathe; we don't really think about it until it's gone, and by then it's often too late—too late to protect our users, and too late to protect the developer's reputation and business. So, it's critically important for every Android developer to understand the role they play in keeping users safe in this complex and ever-changing landscape.

As a developer and a user myself, I'm thankful that Pragati has taken the time to write such a comprehensive and informative guide to help us navigate this space, and I'm hopeful that her lessons will enable Android developers everywhere to give us the engaging and innovative applications we crave, while maintaining the security and trust we expect and deserve.
Edwin Aoki
Technology Fellow, PayPal

About the Author

Pragati Ogal Rai is a technologist with more than 14 years of experience in mobile operating systems, mobile security, mobile payments, and mobile commerce. From working as a platform security engineer with Motorola Mobility, to designing and developing PayPal's mobile offerings, she has extensive end-to-end experience in all aspects of mobile technology. Pragati has a dual Master's in Computer Science and has taught and trained computer science students at different levels. She is a recognized speaker at international technology events.

My sincere thanks to the entire Packt Publishing team for bringing this book to life. Special thanks to Hardik Patel, Madhuja Chaudhari, and Martin Bell for working diligently with me throughout the writing of this book and accommodating my crazy schedule. I want to acknowledge Alessandro Parisi for his candid comments and suggestions to improve the quality of the book. Thanks to the thriving and vibrant community of Android developers who are the reason behind this book.

A big thank you to all my friends and family for encouraging me to write this book. In particular, I want to thank two families, the Khannas and the Kollis, who were my pillars of support during the writing of this book. Special thanks to Selina Garrison for her guidance and for being there for me. Last but most importantly, I want to thank my husband, Hariom Rai, and my son, Arnav Rai, who constantly encouraged, supported, and cheered me in their own ways as I wrote this book. Without them this book could not have been completed.

About the Reviewer

Alessandro Parisi is an enterprise software architect and an ethical hacker, working as an IT consultant for nearly 20 years now, keen on experimenting with non-conventional solutions to problem solving in complex and dynamic contexts, mixing new technologies with lateral thinking and a holistic approach.
Founder of InformaticaSicura.com, specializing in IT security consultancy, he is the curator of the Hacking Wisdom column appearing on the blog informaticasicura.altervista.org. He is also the author of Sicurezza Informatica e Tutela della Privacy, published by Istituto Poligrafico e Zecca dello Stato, Italy, 2006.

I would like to acknowledge Ilaria Sinisi for her support and patience. Thank you very much, Ilaria.

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

Why Subscribe?

• Fully searchable across every book published by Packt
• Copy and paste, print and bookmark content
• On demand and accessible via web browser

Free Access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.