Application Security for the Android Platform Jeff Six Beijing • Cambridge • Farnham • Köln • Sebastopol • Tokyo Application Security for the Android Platform by Jeff Six Copyright © 2012 Jeff Six All rights reserved Printed in the United States of America Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472 O’Reilly books may be purchased for educational, business, or sales promotional use Online editions are also available for most titles (http://my.safaribooksonline.com) For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com Editors: Andy Oram and Mike Hendrickson Production Editor: Melanie Yarbrough Proofreader: Melanie Yarbrough Cover Designer: Karen Montgomery Interior Designer: David Futato Illustrator: Robert Romano Revision History for the First Edition: 2011-12-02 First release See http://oreilly.com/catalog/errata.csp?isbn=9781449315078 for release details Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc., Application Security for the Android Platform, the image of a red gunard, and related trade dress are trademarks of O’Reilly Media, Inc Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks Where those designations appear in this book, and O’Reilly Media, Inc was aware of a trademark claim, the designations have been printed in caps or initial caps While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein ISBN: 978-1-449-31507-8 [LSI] 1322594274 Table of Contents Preface vii Introduction Application Security: Why You Should Care The Current State of Mobile Application Security on Android Security: Risk = Vulnerability + Threat + Consequences Evolution of Information Security: Why Applications Matter the Most Your Role: Protect the Data Secure Software Development Techniques Unique Characteristics of Android Moving On 10 12 Android Architecture 13 Introduction to the Android Architecture The Linux Security Model The Resulting Android Security Model Application Signing, Attribution, and Attestation Process Design Android Filesystem Isolation Android Preferences and Database Isolation Moving up the Layers to System API and Component Permissions 14 15 15 16 18 21 22 24 Application Permissions 25 Android Permission Basics Using Restricted System APIs and the User Experience Custom Permissions 27 29 32 Component Security and Permissions 37 The Types of Android Components Intercomponent Signaling Using Intents Public and Private Components 37 38 41 iii About the Author Jeff Six is a senior security engineer at a major financial institution based in Baltimore, Maryland, where he works to secure customer and firm data A major component of Jeff’s job is working with developers to enhance the security of applications through education, code reviews, and deployment of modern application security techniques and frameworks He also develops security-related applications, primarily using the Java EE platform Prior to this position and a comparable one at another financial services firm, Jeff worked at the National Security Agency on similar application security projects and development efforts, focused on information assurance Jeff has been a member of the Adjunct Faculty at the University of Delaware since 2000, teaching an object-oriented programming with Java course for ten years and, more recently, a course on Secure Software Design He has been a lifeguard since 1993, and an instructor since 1995 Additionally, Jeff is an amateur triathlete, competing at the sprint, Olympic, and 70.3 distances ... Application Security for the Android Platform Jeff Six Beijing • Cambridge • Farnham • Kưln • Sebastopol • Tokyo Application Security for the Android Platform by Jeff Six Copyright © 2012 ... Introduction to the Android Architecture The Linux Security Model The Resulting Android Security Model Application Signing, Attribution, and Attestation Process Design Android Filesystem Isolation Android. .. Application Security: Why You Should Care The Current State of Mobile Application Security on Android Security: Risk = Vulnerability + Threat + Consequences Evolution of Information Security: