What do you get with Print?

Instant access to your digital eBook copy whilst your Print order is Shipped

Paperback book shipped to your preferred address

Download this book in EPUB and PDF formats

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Android Security Cookbook

Chapter 1. Android Development Tools

In this chapter, we will cover the following recipes:

Installing the Android Development Tools (ADT)
Installing the Java Development Kit (JDK)
Updating the API sources
Alternative installation of the ADT
Installing the Native Development Kit (NDK)
Emulating Android
Creating Android Virtual Devices (AVDs)
Using the Android Debug Bridge (ADB) to interact with the AVDs
Copying files off/onto an AVD
Installing applications on the AVDs via ADB

Installing the Android Development Tools (ADT)

Given that there are many versions of the Android framework already deployed on mobile platforms and a variety of handsets that support it, Android developers need tools that give them access to many device- and operating system-specific Application Programming Interfaces (APIs) available on the Android platform.

We're talking about not just the Android APIs but also handset-specific APIs. Each handset manufacturer likes to invest in the developer mindshare in their own way by providing exclusive APIs and services to their developers, for example, the HTC OpenSense APIs. The ADT consolidates access to these APIs; provides all the necessary tools to debug, develop, and deploy your Android apps; and makes it easy for you to download them and keep them up to date.

How to do it...

The following steps will walk you through the process of downloading the ADT and getting them up and running:

You'll need to head over to https://developer.android.com and navigate to the ADT Download page or just visit https://developer.android.com/sdk/index.html#download. You should see a page like the one in the following screenshot:
Once you're there, click on Download the SDK and the following screen should appear:
Of course, you will need to accept the license agreement before downloading and select the appropriate CPU type, or register size if you're not sure how to check your CPU type.
On Windows, you need to complete the following steps:
1. Click on Start.
2. Right-click on My Computer.
3. Select Properties.
4. A window with your computer's system-specific information should pop up. The information you are looking for should be under the System section, labeled System type.
To check your system type on Ubuntu, Debian, or Unix-based distributions, perform the following steps:
1. Open a terminal either by pressing Ctrl + Alt + T or simply launching it using the graphical interface.
2. Execute the following command:
```
 	uname -a
```
3. Alternatively, you could use lscpu that should show you something like the following screenshot:
When you're happy with the license agreement and you've selected the correct system type, click on Download in the ADT Download page. Once the ZIP file has been downloaded, it should look like the following screenshot on Windows:

The archive will have the same structure on the Linux- or Unix-based distributions.

Installing the Java Development Kit (JDK)

Android uses a customized version of the Java runtime to support its applications. This means, before we can get going with Eclipse and developing Android applications, we actually need to install the Java runtime and development tools. These are available in the Java Development Kit (JDK).

How to do it...

Installing the JDK on Windows works as follows:

Grab a copy of the JDK from Oracle's Downloads page, http://www.oracle.com/technetwork/java/javase/downloads/index.html. Click on DOWNLOAD. The following screenshot shows the Downloads page:
Make sure to select the appropriate version for your system type; see the previous walkthrough to find out how to check your system type. The following screenshot highlights the Windows system types supported by the Oracle Java JDK:
After downloading the JDK, run the jdk-[version]-[platform version].exe file. For instance, you could have an EXE file named something like jdk-7u21-windows-i586.exe. All you need to do now is follow the prompts until the installation of all the setups is completed. The following screenshot is what the install wizard should look like once it's launched:

Once the install wizard has done its job, you should see a fresh install of your JDK and JRE under C:\Program Files\Java\jdk[version] and should now be able to launch Eclipse.

There's more…

Installing the Java Runtime and Development tools on Ubuntu Linux is somewhat simpler. Seeing that Ubuntu has a sophisticated package and repository manager, all you need to do is make use of it by firing off a few simple commands from the terminal window. You need to execute the following steps:

Open a terminal, either by searching for the terminal application via your Unity, KDE, or Gnome desktop or by pressing Ctrl + Alt + T.
You may need to update your package list before installation, unless you've already done that a couple of minutes ago. You can do this by executing either of the following commands:
```
sudo aptitude update //If you have aptitude installed 
```
Or:
```
sudo apt-get update
```
You should see your terminal print out all the downloads it's performing from your repositories as shown in the following screenshot:
Once that's done, execute the following command:
```
sudo apt-get install openjdk-[version]-jdk apt-get 
```
You will need to enter your password if you have been added to your sudoers file correctly. Alternatively, you could borrow root privileges to do this by executing the following command, assuming that you have the root user's password:
```
su root
```
This is displayed in the following screenshot:

Once your JDK is installed properly, you should be able to launch Eclipse and get going with your Android development. When you launch Eclipse, you should see the following screenshot:

After successful installation, the toolbar in your Eclipse installation should look something like the one in the following screenshot:

Alternative installation of the ADT

If the preceding methods for installing Eclipse and the ADT plugin don't work for some reason, you could always take the old school route and download your own copy of Eclipse and install the ADT plugin manually via Eclipse.

How to do it...

Downloading and plugging in the ADT works as follows:

Download Eclipse—Helios or a later version—from http://www.eclipse.org/downloads/. Please make sure to select the appropriate version for your operating system. You should see a page that looks like the following screenshot:
Download the ADT bundle for your platform version from the Android website, http://developer.android.com/sdk/installing/installing-adt.html. The following screenshot displays a part of the page on this website:
Make sure you have the Java JDK installed.
If your JDK installation is good to go, run the Eclipse installer you downloaded in step 1.
Once Eclipse is installed and ready to go, plugin your ADT.
Open Eclipse and click on the Help button in the menu bar.
Click on Install New Software....
The Available Software dialog box will pop up. You need to click on Add….
The Add Repository dialog box will show up. You need to click on the Archive... button.
A file browser should pop up. At this point, you will need to navigate to the ADT ZIP file that you downloaded in the previous steps.
After finding the ADT file, click on Open.
Then click on OK.
You will be shown the available packages in the .zip archive. Click on Select All and then on Next.
You will now need to accept the license agreement; of course, you reserve the right not to. It's always a good idea to give it a read. If you're happy, select the I accept the terms of the license agreements option and then click on Finish.
The software installation will now begin. You may get a warning stating that the content is unsigned and the authenticity cannot be verified. Click on OK.
Restart Eclipse.

The Android SDK, the device emulator, and the supporting Eclipse functionality should be ready to go now. See your Eclipse toolbar. It should have some new icons.

Installing the Native Development Kit (NDK)

If you want to do any low-level exploitation or development on your Android device, you will need to make sure that you can write applications at a lower level on the Android platform. Low level means development in languages like C/C++ using compilers that are built to suit the embedded platform and its various nuances.

What's the difference between Java and the native/low-level programming languages? Well, this topic alone could fill an entire book. But to state just the bare surface-level differences, Java code is compiled and statically—meaning the source code is analyzed—checked before being run in a virtual machine. For Android Java, this virtual machine is called the Dalvik—more on this later. The natively developed components of Android run verbatim—as their source code specifies—on the embedded Linux-like operating system that comes shipped with the Android devices. There is no extra layer of interpretation and checking—besides the odd compiler extensions and optimizations—that goes into getting the native code to run.

The tool chains and documentation provided by the Android team to make native development a painless experience for the Android developers is called the Native Development Kit (NDK). The NDK contains all the tools that the Android developers need to compile their C/C++ code for the Android devices and accommodates ARM-, MIPS-, and x86-embedded platforms. It includes some tools that help the native developers analyze and debug the native applications. This walkthrough discusses how to get the NDK up and running on your machine.

Before we get going, you will need to consult the system requirements list on http://developer.android.com/tools/sdk/ndk/index.html#Reqs to make sure that you're machine is good to go.

How to do it...

Getting the NDK on your machine is as simple as downloading it and making sure that it actually runs. We can use the following steps:

Downloading the NDK is pretty straightforward. Go to http://developer.android.com/tools/sdk/ndk/index.html to grab the latest copy and make sure to select the appropriate version for your system type.
Unzip the NDK to a convenient location.

Emulating Android

The Android SDK comes with a pretty neat tool called the emulator, which allows you to emulate the Android devices. The emulator is shipped with some of the most popular handsets and lets you create an emulated handset of your own. Using this tool, you can flash new kernels, mess around with the platform and, of course, debug apps and test your Android malware and application exploits. Throughout the book we will use this tool quite a bit, so, it's important that you get to know the Android emulator.

The emulator is pretty straightforward to use. When you want to launch a device, all you need to do is open the Android Virtual Device (AVD) tool either from your SDK folder or straight from Eclipse. Then, you can either set up a new device with its own memory card, CPU, and screen size as well as other custom features or you can select one of the preconfigured devices from a list. In this section, I'm going to cover exactly these things.

Just a quick disclaimer: the following screenshots were taken on a Windows 7 machine, but the AVD manager and device emulator work exactly the same on both Windows and Linux platforms, so Linux users will also be able to follow the walkthrough.

How to do it...

To emulate a device from Eclipse, use the following steps:

Click on the AVD manager icon on your toolbar.
The AVD will pop up. You can either select a preconfigured featured device or you can set up a device according to your own criteria. For this recipe, let's stick to configuring our own devices.
Click on New….
The Create new Android Virtual Device (AVD) dialog box should pop up. You will need to fill in some metrics for the new virtual devices and give it a name. You can enter whatever you feel here as this recipe is just to get you to emulate your first device.
Once you're done, click on OK. The new device should show up in the AVD dialog box.
Click on the device you just created and click on Start….

At this point, the AVD will prompt you for the screen-size options; the default values aren't too bad. Click on Launch when you're done, and in a few seconds your new AVD will start up.

Creating Android Virtual Devices (AVDs)

Some of you may prefer working with your AVDs from the command-line interface for some reason or other. Maybe you have some awesome scripts that you'd like to write to set up some awesome AVDs. This recipe details how to create AVDs and launches them straight from the command line.

How to do it…

Before you can create your own AVDs, you will need to specify some attributes for it; the most important one being the system image that will be used. To do so, execute the following steps:

You can find a list of the system images available to you by using the following command:
```
[path-to-sdk-install]/tools/android list targets
```
Or use the following command from the Windows terminal:
```
C:\[path-to-sdk-install]\tools\android list targets
```
As an example, enter the following into the command prompt:
```
C:\Users\kmakan\Documents\adt-bundle-windows-x86-20130219\sdk\tools\android list targets
```
This command will list the system images available on your system. If you'd like more, you'll need to install them via the SDK manager. The pieces of information that you're looking for in this list are the target IDs because you'll need them to identify the system image, which you will need to specify in the next step.
Create the AVD using the following command:
```
[path-to-sdk-install]/tools/android create avd –n [name of your new AVD] –t [system image target id]
```
You will need to decide on a name for the AVD you've just created, which you will specify using the –n switch. The system image ID you selected from the previous step must be specified using the –t switch. If everything goes well, you should have just created a brand new virtual machine.
You can launch your brand new AVD using the following command:
```
[path-to-sdk-install]/tools/emulator –avd [avd name]
```
Here, [avd name] is the AVD name you decided on in the previous step. If all goes well, your new AVD should start right up.

There's more…

You probably want to know a little more about the commands. Regarding the emulator, it's capable of emulating a device with different configurations.

Emulating a memory card or an external storage

You can specify that your virtual device also emulates some external storage using the –c options when you create it, as shown in the following command:

android create –avd –n [avd name] –t [image id] –c [size][K|M]

For example, see the following command:

android create –avd –n virtdroid –t 1 –c 128

You will obviously need to supply the size of your new emulated memory card. You also need to specify the unit by specifying either K for kilobytes or M for megabytes.

The partition sizes

Another very useful thing that you may want to do is specify how much space you'd like to grant the internal storage partitions. You can do this by using the -partition-size switch, which you specify when you invoke the emulator as shown in the following command:

emulator –avd [name] –partition-size [size in MBs]

You will also need to supply a size for the partitions. By default, the unit of measurement is megabytes (MBs).

Using the Android Debug Bridge (ADB) to interact with the AVDs

Interacting with the emulated Android device is one of the most important skills for both a developer and an Android security engineer/auditor. The Android Debug Bridge (ADB) provides the functionality needed to interact with the native-level components of an Android device. It allows the developers and security engineers to read the contents of the filesystem and interact with the package manager, application manager, kernel driver interfaces, and initialization scripts to mention a few.

How to do it...

Interacting with a virtual device using the ADB works as follows:

You'll need to start an AVD first or, if you like, simply plug in your own Android device via a USB to whatever machine you'd like to use—given that this machine has the SDK installed. You can start the AVD using the following command:
```
emulator –avd [name]
```
We can list all the connected Android Devices by using the following command for a Windows machine:
```
C;\\[path-to-sdk-install]\platform-tools\adb devices
```
Or, if you're using a Linux machine, use the following command:
```
[path-to-sdk-install]/platform-tools/adb devices
```
This command should give you a list of the connected devices, which is basically all the devices that you will be able to connect to using ADB. You need to pay attention to the device names in the list. You will need to identify the devices when you launch a connection to them using ADB.
You can launch a shell connection to your Android device using the following command:
```
/sdk/platform-tools/abd shell –s [specific device]
```
Or, if you happen to know that the Android device you want to connect to is the only emulated device, you can use the following command:
```
/sdk/platform-tools/adb shell –e
```
Or, if the device is the only USB-connected device, you can use the following command:
```
/sdk/platform-tools/adb shell –d
```
The switches –d, -e, and -p apply to the other ADB commands and not just the shell. If this works well, you should see a prompt string—the string displayed to identify the command shell being used—similar to the following command:
```
root@android$
```

You should now have a full-fledged shell with some of the traditional Unix/Linux commands and utilities at your finger tips. Try searching around on the filesystem and getting to know where everything is kept.

There's more…

Now that you have a connected device, you'll need to know a little bit about navigating the Android filesystem and making use of the commands. Here's a small list to get you started:

ls {path}: This will list the contents of the directory at the path
cat {file}: This will print the contents of a text file on the screen
cd {path}: This will change the working directory to the one pointed to by the path
cd ../: This changes the working directory to the one that's exactly one level higher
pwd: This prints the current working directory
id: This checks your user ID

Android Security Cookbook discusses many common vulnerabilities and security related shortcomings in Android applications and operating systems. The book breaks down and enumerates the processes used to exploit and remediate these vulnerabilities in the form of detailed recipes and walkthroughs. The book also teaches readers to use an Android Security Assessment Framework called Drozer and how to develop plugins to customize the framework. Other topics covered include how to reverse-engineer Android applications to find common vulnerabilities, and how to find common memory corruption vulnerabilities on ARM devices. In terms of application protection this book will show various hardening techniques to protect application components, the data stored, secure networking. In summary, Android Security Cookbook provides a practical analysis into many areas of Android application and operating system security and gives the reader the required skills to analyze the security of their Android devices.

Who is this book for?

"Android Security Cookbook" is aimed at anyone who is curious about Android app security and wants to be able to take the necessary practical measures to protect themselves; this means that Android application developers, security researchers and analysts, penetration testers, and generally any CIO, CTO, or IT managers facing the impeding onslaught of mobile devices in the business environment will benefit from reading this book.

What you will learn

Set up the Android development tools and frameworks

Engage in Application security concepts

Use the Drozer Android Security Assessment Framework

Customize and develop your own plugins for the Drozer Framework

Exploit, enumerate, and analyze common application level exploits

Protect applications from common vulnerabilities and exploits

Reverse-engineer applications for common code level vulnerabilities

Secure application networking, SSL/TLS

Encryption to protect application data

What do you get with Print?

Instant access to your digital eBook copy whilst your Print order is Shipped

Paperback book shipped to your preferred address

Download this book in EPUB and PDF formats

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Frequently bought together

€32.99

€36.99

€36.99

Total € 106.97

Filter reviews by

All

Amazon verified reviews

Philip Arad Mar 27, 2014

Android has quickly become one of the most popular mobile operating system with more than 46% share, not only to users but also developers and companies.Companies that are looking to be fully adapted to the mobile world, develop their own applications on the Android platform.These applications have seen massive growth in capability and complexity and became quite popular to malicious adversaries.Android users and developers express a need to be constantly aware of their mobile security risks and, because of this need, mobile security and risk assessment specialists and security engineers are in high demand.To address this problem efficiently, I recommend reading the book 'Android Security Cookbook' from 'Packt Publishing' (see[.......] )'Android Security Cookbook' discusses many common vulnerabilities and security related shortcomings in Android applications and operating systems.The book breaks down and enumerates the processes used to exploit and remediate these vulnerabilities in the form of detailed recipes and walkthroughs.The book also teaches readers to use an Android Security Assessment Framework called Drozer and how to develop plugins to customize the framework.Other topics covered include how to reverse-engineer Android applications to find common vulnerabilities, and how to find common memory corruption vulnerabilities on ARM devices.In terms of application protection this book will show various hardening techniques to protect application components, the data stored, secure networking.In summary, 'Android Security Cookbook' provides a practical analysis into many areas of Android application and operating system security and gives the reader the required skills to analyze the security of their Android devices.'Android Security Cookbook' is aimed at anyone who is interested in Android app security and wants to be able to take the necessary practical measures to protect themselves; this means that Android application developers, security researchers and analysts, penetration testers, and generally any CIO, CTO, or IT managers facing the impeding onslaught of mobile devices in the business environment will benefit from reading this book.

Amazon Verified review

Eli Apr 22, 2014

This book was a great Introduction to almost every aspect of Android Security. It covered all bases and didn't leave out any major topics (SQL Injection, ensuring Permissions are set correctly, and decompiling just to name a few). I would say that the prerequisites for reading this book are the basics of android and some Java programming. The author clearly explains every concept, describes how to accomplish the goal, and then explains why we accomplish the goal in the way that we did. I would recommend this book for anyone that is new to Android Security.

Aditya Gupta Apr 09, 2014

Being a Android Security Researcher myself, I was expecting a lot from this book. And to my surprise, this book has all the elements needed in an Android Security book, which is required for learning in depths of Android Security.I personally liked the Native Exploitation chapter the most, as it goes much beyond the normal application level, and gives you a clear picture of how exactly exploits work.If you are planning to get into Android Application Auditing, this is one of the must have books for you. Nothing less than what I was expected. Surely deserves a 5/5 rating.

Venkata subramanian c. CVS. Jun 18, 2015

Introduction itselfe is appealing, will submit my full review after completestudy.CVS.

Benjamin Watson Mar 26, 2014

This book has been a great resource for me when needing to quickly up my IQ in assessing Android mobile applications. The authors have done a great job a laying out many resources and techniques. I would recommend this book to anyone who wants a solid introduction into Android Security concepts.

Android Security Cookbook: Practical recipes to delve into Android's security mechanisms by troubleshooting common vulnerabilities in applications and Android OS versions

What do you get with Print?

Contact Details

Shipping Address

Billing Address

Emulating a memory card or an external storage

The partition sizes

Key benefits

Description

Who is this book for?

What you will learn

Product Details

What do you get with Print?

Contact Details

Shipping Address

Billing Address

Product Details

Packt Subscriptions

Frequently bought together

Table of Contents

Recommendations for you

Customer reviews

Filter reviews by

People who bought this also bought

About the author

FAQs