Android Security Cookbook Practical recipes to delve into Android's security mechanisms by troubleshooting common vulnerabilities in applications and Android OS versions Keith Makan Scott Alexander-Bown BIRMINGHAM - MUMBAI Android Security Cookbook Copyright © 2013 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: December 2013 Production Reference: 1171213 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78216-716-7 www.packtpub.com Cover Image by Joseph Kiny ([email protected]) Credits Authors Technical Editors Keith Makan Zainab Fatakdawala Scott Alexander-Bown Hardik B. Soni Sebastian Rodrigues Reviewers Miguel Catalan Bañuls Project Coordinator Akash Poojary Seyton Bradford Nick Glynn Proofreaders Rui Gonçalo Lauren Harkins Elliot Long Amy Johnson Chris Pick Indexer Acquisition Editors Rekha Nair Pramila Balan Llewellyn F. Rozario Production Coordinator Kirtee Shingan Lead Technical Editor Ritika Dewani Cover Work Kirtee Shingan Copy Editors Alisha Aranha Roshni Banerjee Tanvi Gaitonde Aditya Nair Karuna Narayanan Shambhavi Pai Laxmi Subramanian About the Authors Keith Makan is a former computer science and physics student, and a passionate hobbyist and security researcher. He spends most of his free time reading source code, performing reverse engineering and fuzz testing, and developing exploits for web application technology. Keith works professionally as an IT security assessment specialist. His personal research has won him spots on the Google Application Security Hall of Fame numerous times. He has developed exploits against Google Chrome's WebKit XSSAuditor, Firefox's NoScript Add-on, and has often reported security flaws and developed exploits for WordPress plugins. I would like to thank my mom, dad, and other family members for supporting my crazy ideas and always being a great motivation to me. Scott Alexander-Bown is an accomplished developer with experience in financial services, software development, and mobile app agencies. He lives and breathes Android, and has a passion for mobile app security. In his current role as senior developer, Scott specializes in mobile app development, reverse engineering, and app hardening. He also enjoys speaking about app security and has presented at various conferences for mobile app developers internationally. Most importantly, I'd like to thank my wife Ruth. Your love and encouragement make everything I do possible. High five to my son Jake who keeps me going with his laughter and cute smiles. Additionally, I would like to thank the following people: Keith, Barbara and Kirk Bown, and Mhairi and Robert Alexander for your love and support. Andrew Hoog and the viaForensics team for their support, insight, and expertise in mobile security. Mark Murphy, Nikolay Elenkov, Daniel Abraham, Eric Lafortune, Roberto Tyley, Yanick Fratantonio, Moxie Marlinspike, the Guardian Project, and the Android Security team whose blog articles, papers, presentations, and/or code samples have been interesting and extremely useful when learning about Android security. Keith Makan for his enthusiasm, guidance, and for welcoming me aboard the Android Security Cookbook ship. The technical reviewers for their attention to detail and valuable feedback. Finally, thanks to you, the reader—I hope you find this book useful and it allows you to create more secure apps. About the Reviewers Miguel Catalan Bañuls is a young engineer whose only purpose is to try and make his little contribution to changing the world. He is mainly a software developer, but is actually a team leader. He holds a degree in Industrial Engineering and is a partner at Geeky Theory. Also, he is the vice president of the IEEE Student Branch of the Miguel Hernandez University (UMH in Spanish). I want to thank both my spouse and my parents for their patience and understanding as they have to share me with my work. Seyton Bradford is a software developer and an engineer with over 10 years experience in mobile device security and forensics. He currently works at viaForensics as a Senior Software Engineer focusing on app and mobile device security. He has presented his work across the globe and acted as a reviewer for academic journals. I'd like to thank my family and friends for their support for my career and work. Nick Glynn is currently employed as a technical trainer and consultant delivering courses and expertise on Android, Python, and Linux at home in the UK and across the globe. He has a broad range of experience, from board bring-up, Linux driver development, and systems development through to full-stack deployments, web app development, and security hardening for both the Linux and Android platforms. I would like to thank my family for their love, and my beautiful baby girl Inara for always brightening my day. Rui Gonçalo is finishing his Masters thesis at University of Minho, Braga, Portugal, in the field of Android security. He is developing a new feature that aims at providing users with fine-grained control over Internet connections. His passion for mobile security arose from attending lectures on both cryptography and information systems security at the same university, and from several events held by the most important companies in the field in Portugal. He provides the point of view of an Android security beginner who sees this book as a must read for those keen to become security experts. I would like to thank the staff at Packt Publishing in charge of this book for making me absolutely sure that mobile security will fulfill my needs in the world of software. Elliot Long grew up in Silicon Valley and has been creating mobile apps since 2005. He is the co-founder of the mobile travel guide producer mycitymate SL/GmbH. Since 2009, he has worked as Lead Android and BlackBerry Developer for Intohand Ltd. www.PacktPub.com Support files, eBooks, discount offers and more You might want to visit www.PacktPub.com for support files and downloads related to your book. Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details. At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks. TM http://PacktLib.PacktPub.com Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books. Why Subscribe? f Fully searchable across every book published by Packt f Copy and paste, print and bookmark content f On demand and accessible via web browser Free Access for Packt account holders If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access. Table of Contents Preface 1 Chapter 1: Android Development Tools 7 Introduction 7 Installing the Android Development Tools (ADT) 8 Installing the Java Development Kit (JDK) 12 Updating the API sources 16 Alternative installation of the ADT 17 Installing the Native Development Kit (NDK) 22 Emulating Android 24 Creating Android Virtual Devices (AVDs) 27 Using the Android Debug Bridge (ADB) to interact with the AVDs 29 Copying files off/onto an AVD 30 Installing applications onto the AVDs via ADB 31 Chapter 2: Engaging with Application Security 33 Introduction 33 Inspecting application certificates and signatures 34 Signing Android applications 45 Verifying application signatures 48 Inspecting the AndroidManifest.xml file 49 Interacting with the activity manager via ADB 59 Extracting application resources via ADB 63 Chapter 3: Android Security Assessment Tools 71 Introduction 71 Installing and setting up Santoku 73 Setting up drozer 79 Running a drozer session 87 Enumerating installed packages 90 Enumerating activities 95
Description: