IQSOFT - John Brice Oktatóközpont
Azure tanfolyami dömping júniusban! 20532, 20533, MSITIL

Android security

Tanfolyam célja

Android is an open platform for mobile devices such as handsets and tablets. It has a large variety of security features to make developing secure software easier; however, it is also missing certain security aspects that are present in other hand-held platforms. The course gives a comprehensive overview of these features, and points out the most critical shortcomings to be aware of related to the underlying Linux, the file system and the environment in general, as well as regarding using permissions and other Android software development components.

Typical security pitfalls and vulnerabilities are described both for native code and Java applications, along with recommendations and best practices to avoid and mitigate them. In many cases discussed issues are supported with real-life examples and case studies. Finally, we give a brief overview on how to use security testing tools to reveal any security relevant programming bugs.

  •     Understand basic concepts of security, IT security and secure coding
  •     Learn the security solutions on Android
  •     Learn to use various security features of the Android platform
  •     Get information about some recent vulnerabilities in Java on Android
  •     Learn about typical coding mistakes and how to avoid them
  •     Get sources and further readings on secure coding practices
Tematika
  •     IT security and secure coding
  •     Android security overview
  •     Android application security
  •     Cryptography on Android
  •     Android and Java vulnerabilities
  •     Principles of security and secure coding
  •     Knowledge sources

1. IT security and secure coding

  •         Nature of security
  •         What is risk?
  •         IT security vs. secure coding
  •         From vulnerabilities to botnets and cybercrime
    •             Nature of security flaws
    •             Reasons of difficulty
    •             From an infected computer to targeted attacks
  •         Classification of security flaws
    •             Landwehr’s taxonomy
    •             The Seven Pernicious Kingdoms
    •             OWASP Top Ten 2017
    •             OWASP Mobile Top Ten 2016 (release candidate)

    Android security overview

  •         Android fragmentation challenges
  •         The Android software stack
  •         OS security features and exploit mitigation techniques
  •         The Linux kernel
  •             User and process separation
    •             Anonymous shared memory (ashmem)
    •             ANDROID_PARANOID_NETWORK kernel option
    •             SELinux Type Enforcement policies
    •             SELinux policies
    •             SELinux policy example –
    •             Adding custom policy files
    •             Exercise: compiling and using SELinux policies
    •             SELinux Role-Based Access Control
    •             SELinux Multi-Level Security
  •         Filesystem security
    •             Filesystems used for external storage
    •             Filesystem encryption
    •             Encrypting individual files and external SD cards
  •         Dalvik
    •             Dalvik VM
    •             VM Separation
    •             Zygote
    •             Bytecode verifier
  •         Android Runtime (ART)
    •             ART architecture
    •             ART backward compatibility
    •             ART security features
    •             Ahead-of-time (AOT) compilation
  •         Deploying applications
    •             Application signing
    •             No validation of developer identity
    •             Google’s review process
    •             Installing using Google Play
    •             Installing outside of Google Play
    •             Verify App

    Android application security

  •         Permissions
    •             Using permissions
    •             Exercise – using permissions
    •             Using custom permissions
    •             Exercise – using custom permissions
    •             Permissions – best practices
  •         Writing secure Android applications
    •             Activity, Fragment and Service – basics
    •             Intents
    •             Implicit intents
    •             Intent hijacking
    •             BroadcastReceiver security
    •             Activity hijacking
    •             Best practices against activity hijacking
    •             Sticky broadcasts
    •             Content provider
    •             Content provider permissions

2. Cryptography on Android

  •         Java Cryptography Architecture / Extension (JCA/JCE)
  •         Using Cryptographic Service Providers
  •         Engine classes and algorithms
  •         Cryptographic Service Providers in Android
  •         Android KeyStore
  •         Exercise Sign – Generating and verifying signatures

    Android and Java vulnerabilities

  •         Input validation
    •             Input validation concepts
  •         Injection
    •             SQL Injection on Android
    •             Typical SQL Injection attack methods
    •             SQL Injection protection methods
    •             Using parameterized queries in Android
  •         Cross-site scripting
    •             Android WebView XSS
    •             XSS prevention
    •             Android WebView security best practices
    •             Integer problems
      •                 Representation of negative integers
      •                 Integer overflow
      •                 Exercise IntOverflow
      •                 What is the value of Math.abs(Integer.MIN_VALUE)?
      •                 Integer problem – best practices
      •                 Java case study
      •                 Case study – Android Stagefright
  •         Improper use of security features
    •             Typical problems related to the use of security features
    •             Insecure randomness
      •                 Weak PRNGs in Java
      •                 Exercise RandomTest
      •                 Using random numbers in Java – spot the bug!
  •             Password management
    •                 Exercise – Weakness of hashed passwords
    •                 Password management and storage
    •                 Special purpose hash algorithms for password storage
    •                 Argon2 and PBKDF2 implementations in Java
    •                 bcrypt and scrypt implementations in Java
    •                 Password hash implementations on Android
    •                 KitKat changes concerning SecretKeyFactory
  •         Improper error and exception handling
    •             Typical problems with error and exception handling
    •             Empty catch block
    •             Overly broad throws
    •             Overly broad catch
    •             Using multi-catch
    •             Returning from finally block – spot the bug!
    •             Catching NullPointerException
    •             Exercise – Error handling
    •             Information leakage through logging (LogCat)
    •             GoToMeeting vulnerability
    •             Android best practices
    •             Spot the bug
    •             Rooting based on the setuid vulnerability (RATC)
  •         Code quality problems
    •             Dangers arising from poor code quality
    •             Poor code quality – spot the bug!
    •             Unreleased resources
    •             Public method without final – object hijacking
    •             Immutable String – spot the bug!
    •             Immutability and security

    Principles of security and secure coding

  •         Matt Bishop’s principles of robust programming
  •         The security principles of Saltzer and Schroeder

    Knowledge sources

  •         Secure coding sources – a starter kit
  •         Vulnerability databases
  •         Java secure coding sources
  •         Android secure coding sources
  •         Recommended books – Java
  •         Recommended books – Android
Kinek ajánljuk
Előfeltételek

Professional

Kapcsolódó tanfolyamok