Android Security

Android Security: Attacks and Defenses

Purchasing Options

Hardback
ISBN 9781439896464
Cat# K14268
eBook (VitalSource)
ISBN 9781439896471
Cat# KE15440

Features

    • Introduces Android OS architecture, the Android security model, and application programming
    • Describes Android permissions (including Manifest permissions) so readers can analyze applications and understand permission requirements
    • Explains how to write Android bots in Java and how to use reverse engineering tools to decompile any Android application
    • Provides step-by-step instruction on how to reverse engineer Android Malware for security analysis
    • Covers all aspects of Android Platform security from Android App Security and Android Forensics to Android malware, Penetration Testing, and Reverse Engineering
    • Includes proof-of-concept code for readers to analyze, debug, and modify
    • Considers the security implications of using Android in enterprise and the corporate environment
    • Details security best practices on how to use Android within a corporate infrastructure
    • Demonstrates how to write secure applications and prevent them from malicious use and reverse engineering by hackers
    • Examines the emerging features of Android devices and the future landscape of evolving threats for the platform

    Summary

    Android Security: Attacks and Defenses is for anyone interested in learning about the strengths and weaknesses of the Android platform from a security perspective. Starting with an introduction to Android OS architecture and application programming, it will help readers get up to speed on the basics of the Android platform and its security issues.

    Explaining the Android security model and architecture, the book describes Android permissions, including Manifest permissions, to help readers analyze applications and understand permission requirements. It also rates the Android permissions based on security implications and covers JEB Decompiler.

    The authors describe how to write Android bots in Java and how to use reversing tools to decompile any Android application. They also cover the Android file system, including important directories and files, so readers can perform basic forensic analysis on the file system and SD cards. The book includes access to a wealth of resources on its website: www.androidinsecurity.com. It explains how to crack SecureApp.apk discussed in the text and also makes the application available on its site.

    The book includes coverage of advanced topics such as reverse engineering and forensics, mobile device pen-testing methodology, malware analysis, secure coding, and hardening guidelines for Android. It also explains how to analyze security implications for Android mobile devices/applications and incorporate them into enterprise SDLC processes.

    The book’s site includes a Resource section where readers can download applications, tools created by users, and sample applications created by the authors. Readers can easily download the files and use them in conjunction with the text, wherever needed. Visit www.androidinsecurity.com for more information.

    Table of Contents

    Introduction
    Why Android
    Evolution of Mobile Threats
    Android Overview
    Android Marketplaces
    Summary

    Android Architecture
    Android Architecture Overview 
         Linux Kernel 
         Libraries 
         Android Runtime 
         Application Framework
         Applications
    Android Start Up and Zygote
    Android SDK and Tools 
         Downloading and Installing the Android SDK 
         Developing with Eclipse and ADT 
         Android Tools 
         DDMS 
         ADB 
         ProGuard
    Anatomy of the "Hello World" Application 
         Understanding Hello World
    Summary

    Android Application Architecture
    Application Components 
         Activities 
         Intents 
         Broadcast Receivers
         Services 
         Content Providers
    Activity Lifecycles
    Summary

    Android (in)Security
    Android Security Model
    Permission Enforcement—Linux
    Android’s Manifest Permissions 
         Requesting Permissions 
         Putting It All Together
    Mobile Security Issues 
         Device 
         Patching 
         External Storage 
         Keyboards 
         Data Privacy 
         Application Security
         Legacy Code
    Recent Android Attacks—A Walkthrough
         Analysis of DroidDream Variant 
         Analysis of Zsone 
         Analysis of Zitmo Trojan
    Summary

    Pen Testing Android
    Penetration Testing Methodology 
         External Penetration Test 
         Internal Penetration Test 
         Penetration Test Methodologies 
         Static Analysis 
         Steps to Pen Test Android OS and Devices
    Tools for Penetration Testing Android 
         Nmap 
         BusyBox 
         Wireshark 
         Vulnerabilities in the Android OS
    Penetration Testing—Android Applications 
         Android Applications
         Application Security
    Miscellaneous Issues
    Summary

    Reverse Engineering Android Applications
    Introduction
    What is Malware?
    Identifying Android Malware
    Reverse Engineering Methodology for Android Applications
    Summary

    Modifying the Behavior of Android Applications without Source Code
    Introduction 
         To Add Malicious Behavior
         To Eliminate Malicious Behavior 
         To Bypass Intended Functionality
    DEX File Format
    Case Study: Modifying the Behavior of an Application
    Real World Example 1—Google Wallet Vulnerability
    Real World Example 2—Skype Vulnerability (CVE-2011-1717)
    Defensive Strategies
         Perform Code Obfuscation 
         Perform Server Side Processing 
         Perform Iterative Hashing and Use Salt 
         Choose the Right Location for Sensitive Information 
         Cryptography 
         Conclusion
    Summary

    Hacking Android
    Introduction
    Android File System
         Mount Points 
         File Systems 
         Directory Structure
    Android Application Data
         Storage Options
         /data/data
    Rooting Android Devices
    Imaging Android
    Accessing Application Databases
    Extracting Data from Android Devices
    Summary

    Securing Android for the Enterprise Environment
    Android in Enterprise 
         Security Concerns for Android in Enterprise
         End-User Awareness 
         Compliance/Audit Considerations
         Recommended Security Practices for Mobile Devices
    Hardening Android
         Deploying Android Securely
         Device Administration
    Summary

    Browser Security and Future Threat Landscape
    Mobile HTML Security 
         Cross-Site Scripting
         SQL Injection
         Cross-Site Request Forgery 
         Phishing
    Mobile Browser Security 
         Browser Vulnerabilities
    The Future Landscape
         The Phone as a Spying/Tracking Device
         Controlling Corporate Networks and Other Devices through Mobile Devices
         Mobile Wallets and NFC
    Summary

    Appendix A
    Appendix B
    B.1 Views
    B.2 Code Views
    B.3 Keyboard Shortcuts
    B.4 Options

    Appendix C
    Glossary

    Author Bio(s)

    Anmol Misra is a contributing author of the book Defending the Cloud: Waging War in Cyberspace (Infinity Publishing, December 2011). His expertise includes mobile and application security, vulnerability management, application and infrastructure security assessments, and security code reviews.

    He is currently Program Manager of the Critical Business Security External (CBSE) team at Cisco. The CBSE team is part of the Information Security Team (InfoSec) at Cisco and is responsible for the security of Cisco’s Cloud Hosted Services. Prior to joining Cisco, Anmol was a Senior Consultant with Ernst & Young LLP. In his role, he advised Fortune 500 clients on defining and improving Information Security programs and practices. He helped large corporations to reduce IT security risk and achieve regulatory compliance by improving their security posture.

    Anmol holds a master’s degree in Information Networking from Carnegie Mellon University. He also holds a Bachelor of Engineering degree in Computer Engineering. He served as Vice President of Alumni Relations for the Bay Area chapter of the Carnegie Mellon Alumni Association. In his free time, Anmol enjoys long walks on the beaches of San Francisco. He is a voracious reader of nonfiction books—especially, history and economics—and is an aspiring photographer.

    Abhishek Dubey has a wide variety of experience in information security, including reverse engineering, malware analysis, and vulnerability detection. He is currently working as a Lead/Senior Engineer of the Security Services and Cloud Operations team at Cisco. Prior to joining Cisco, Abhishek was Senior Researcher in the Advanced Threat Research Group at Webroot Software.

    Abhishek holds a master’s degree in Information Security and Technology Management from Carnegie Mellon University and also holds a B.Tech degree in Computer Science and Engineering. He is currently pursuing studies in Strategic Decisions and Risk Management at Stanford University. He has served as Vice President of Operations and Alliances for the Bay Area chapter of the Carnegie Mellon Alumni Association. This alumni chapter is 5,000 students strong. In his free time, Abhishek is an avid distance runner and photographer. He also enjoys rock climbing and being a foodie.

    Editorial Reviews

    ... a must-have for security architects and consultants as well as enterprise security managers who are working with mobile devices and applications.
    —Dr. Dena Haritos Tsamitis, Director of the Information Networking Institute; and Director of Education, CyLab, Carnegie Mellon University

    If you are facing the complex challenge of securing data and applications for Android, this book provides valuable insight into the security architecture and practical guidance for safeguarding this modern platform.
    —Gerhard Eschelbeck, Chief Technology Officer and Senior Vice President, Sophos

    ... a great introduction to Android security, both from a platform and applications standpoint. ... provides the groundwork for anybody interested in mobile malware analysis ... a great starting point for anybody interested in cracking the nitty-gritty of most Android apps.
    —Nicholas Falliere, Founder of JEB Decompiler

    ... Dubey and Misra have filled a critical gap in software security literature by providing a unique and holistic approach to addressing this critical and often misunderstood topic. They have captured the essential threats and countermeasures that are necessary to understand and effectively implement secure Android-driven mobile environments.
    —James Ransome, Senior Director of Product Security, McAfee, An Intel Company

    Good book for Android security enthusiasts and developers that also covers advanced topics like reverse engineering of Android applications. A must have book for all security professionals.
    —Sanjay Kartkar, Cofounder of Quick Heal Technologies

    ... an excellent book for professional businesses that are trying to move their corporate applications on mobile/Android platforms. It helped me understand the threats foreseen in Android applications and how to protect against them.
    —Jagmeet Malhotra, Vice President of Markets & International Banking, Royal Bank of Scotland

    The book gives security professionals and executives a practical guide to the security implications and best practices for deploying Android platforms and applications in the (corporate) environment.
    —Steve Martino, VP Information Security, Cisco

     
    © 2014 Taylor & Francis Group, LLC. All Rights Reserved.