Android is an open platform for mobile devices such as handsets and tablets. It has a large variety of security features that make developing secure software easier; however, it also lacks certain security aspects that are present in other hand-held platforms. The course gives a comprehensive overview of these features and points out the most critical shortcomings to be aware of, related to the underlying Linux, the file system and the environment in general, as well as to the use of permissions and other Android software development components.
Typical security pitfalls and vulnerabilities are described both for native code and for Java applications, along with recommendations and best practices to avoid and mitigate them. For native code applications we go into more detail, discussing memory management related issues and protection techniques, as well as their circumvention (such as Return Oriented Programming). The most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography and PKI are also discussed and put into the context of Android.
Many of the issues discussed are supported with real-life examples and case studies. Finally, we give a brief overview of how to use security testing tools to reveal programming bugs.
Audience
Android application developers, architects and testers
Course Objectives
Participants attending this course will:
- Understand basic concepts of security, IT security and secure coding
- Learn the security solutions on Android
- Learn to use various security features of the Android platform
- Have a practical understanding of cryptography
- Gain an understanding of native code vulnerabilities on Android
- Realize the severe consequences of insecure buffer handling in native code
- Understand the architectural protection techniques and their weaknesses
- Get information about some recent vulnerabilities in Java on Android
- Learn about typical coding mistakes and how to avoid them
- Get sources and further readings on secure coding practices
Preparedness
Professional
Outline
- IT security and secure coding
- Android security overview
- Application security
- Practical cryptography
- Android native code security
- Principles of security and secure coding
- Android and Java vulnerabilities
- Knowledge sources