Table Of ContentAndroid Security
Cookbook
Practical recipes to delve into Android's security
mechanisms by troubleshooting common vulnerabilities in
applications and Android OS versions
Keith Makan
Scott Alexander-Bown
BIRMINGHAM - MUMBAI
Android Security Cookbook
Copyright © 2013 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written permission of the publisher,
except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the
information presented. However, the information contained in this book is sold without
warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers
and distributors will be held liable for any damages caused or alleged to be caused directly or
indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies
and products mentioned in this book by the appropriate use of capitals. However, Packt
Publishing cannot guarantee the accuracy of this information.
First published: December 2013
Production Reference: 1171213
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78216-716-7
www.packtpub.com
Cover Image by Joseph Kiny (joseph.kiny@gmail.com)
Credits
Authors Technical Editors
Keith Makan Zainab Fatakdawala
Scott Alexander-Bown Hardik B. Soni
Sebastian Rodrigues
Reviewers
Miguel Catalan Bañuls Project Coordinator
Akash Poojary
Seyton Bradford
Nick Glynn
Proofreaders
Rui Gonçalo
Lauren Harkins
Elliot Long
Amy Johnson
Chris Pick
Indexer
Acquisition Editors Rekha Nair
Pramila Balan
Llewellyn F. Rozario Production Coordinator
Kirtee Shingan
Lead Technical Editor
Ritika Dewani Cover Work
Kirtee Shingan
Copy Editors
Alisha Aranha
Roshni Banerjee
Tanvi Gaitonde
Aditya Nair
Karuna Narayanan
Shambhavi Pai
Laxmi Subramanian
About the Authors
Keith Makan is a former computer science and physics student, and a passionate hobbyist
and security researcher. He spends most of his free time reading source code, performing
reverse engineering and fuzz testing, and developing exploits for web application technology.
Keith works professionally as an IT security assessment specialist. His personal research
has won him spots on the Google Application Security Hall of Fame numerous times. He has
developed exploits against Google Chrome's WebKit XSSAuditor, Firefox's NoScript Add-on,
and has often reported security flaws and developed exploits for WordPress plugins.
I would like to thank my mom, dad, and other family members for supporting
my crazy ideas and always being a great motivation to me.
Scott Alexander-Bown is an accomplished developer with experience in financial
services, software development, and mobile app agencies. He lives and breathes Android,
and has a passion for mobile app security.
In his current role as senior developer, Scott specializes in mobile app development, reverse
engineering, and app hardening. He also enjoys speaking about app security and has
presented at various conferences for mobile app developers internationally.
Most importantly, I'd like to thank my wife Ruth. Your love and
encouragement make everything I do possible. High five to my son Jake who
keeps me going with his laughter and cute smiles.
Additionally, I would like to thank the following people:
Keith, Barbara and Kirk Bown, and Mhairi and Robert Alexander for your
love and support.
Andrew Hoog and the viaForensics team for their support, insight, and
expertise in mobile security.
Mark Murphy, Nikolay Elenkov, Daniel Abraham, Eric Lafortune, Roberto
Tyley, Yanick Fratantonio, Moxie Marlinspike, the Guardian Project, and the
Android Security team whose blog articles, papers, presentations, and/or
code samples have been interesting and extremely useful when learning
about Android security.
Keith Makan for his enthusiasm, guidance, and for welcoming me aboard
the Android Security Cookbook ship.
The technical reviewers for their attention to detail and valuable feedback.
Finally, thanks to you, the reader—I hope you find this book useful and it
allows you to create more secure apps.
About the Reviewers
Miguel Catalan Bañuls is a young engineer whose only purpose is to try and make his
little contribution to changing the world. He is mainly a software developer, but is actually
a team leader.
He holds a degree in Industrial Engineering and is a partner at Geeky Theory. Also, he
is the vice president of the IEEE Student Branch of the Miguel Hernandez University
(UMH in Spanish).
I want to thank both my spouse and my parents for their patience and
understanding as they have to share me with my work.
Seyton Bradford is a software developer and an engineer with over 10 years experience in
mobile device security and forensics.
He currently works at viaForensics as a Senior Software Engineer focusing on app and mobile
device security.
He has presented his work across the globe and acted as a reviewer for academic journals.
I'd like to thank my family and friends for their support for my career and
work.
Nick Glynn is currently employed as a technical trainer and consultant delivering courses
and expertise on Android, Python, and Linux at home in the UK and across the globe. He has
a broad range of experience, from board bring-up, Linux driver development, and systems
development through to full-stack deployments, web app development, and security hardening
for both the Linux and Android platforms.
I would like to thank my family for their love, and my beautiful baby girl Inara
for always brightening my day.
Rui Gonçalo is finishing his Masters thesis at University of Minho, Braga, Portugal, in the field
of Android security. He is developing a new feature that aims at providing users with fine-grained
control over Internet connections. His passion for mobile security arose from attending lectures
on both cryptography and information systems security at the same university, and from several
events held by the most important companies in the field in Portugal. He provides the point
of view of an Android security beginner who sees this book as a must read for those keen to
become security experts.
I would like to thank the staff at Packt Publishing in charge of this book for
making me absolutely sure that mobile security will fulfill my needs in the
world of software.
Elliot Long grew up in Silicon Valley and has been creating mobile apps since 2005. He is
the co-founder of the mobile travel guide producer mycitymate SL/GmbH. Since 2009, he has
worked as Lead Android and BlackBerry Developer for Intohand Ltd.
www.PacktPub.com
Support files, eBooks, discount offers and more
You might want to visit www.PacktPub.com for support files and downloads related to
your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub
files available? You can upgrade to the eBook version at www.PacktPub.com and as a print
book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up
for a range of free newsletters and receive exclusive discounts and offers on Packt books
and eBooks.
TM
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book
library. Here, you can access, read and search across Packt's entire library of books.
Why Subscribe?
f Fully searchable across every book published by Packt
f Copy and paste, print and bookmark content
f On demand and accessible via web browser
Free Access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access
PacktLib today and view nine entirely free books. Simply use your login credentials for
immediate access.
Table of Contents
Preface 1
Chapter 1: Android Development Tools 7
Introduction 7
Installing the Android Development Tools (ADT) 8
Installing the Java Development Kit (JDK) 12
Updating the API sources 16
Alternative installation of the ADT 17
Installing the Native Development Kit (NDK) 22
Emulating Android 24
Creating Android Virtual Devices (AVDs) 27
Using the Android Debug Bridge (ADB) to interact with the AVDs 29
Copying files off/onto an AVD 30
Installing applications onto the AVDs via ADB 31
Chapter 2: Engaging with Application Security 33
Introduction 33
Inspecting application certificates and signatures 34
Signing Android applications 45
Verifying application signatures 48
Inspecting the AndroidManifest.xml file 49
Interacting with the activity manager via ADB 59
Extracting application resources via ADB 63
Chapter 3: Android Security Assessment Tools 71
Introduction 71
Installing and setting up Santoku 73
Setting up drozer 79
Running a drozer session 87
Enumerating installed packages 90
Enumerating activities 95
Description:has won him spots on the Google Application Security Hall of Fame numerous times. He has High five to my son Jake who . Installing the Android Development Tools (ADT). 8 . Python, preferably 2.7 but 3.0 should work fine. ▻.
