Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Android Security Cookbook
Android Security Cookbook

Android Security Cookbook: Practical recipes to delve into Android's security mechanisms by troubleshooting common vulnerabilities in applications and Android OS versions

eBook
€26.98 €29.99
Paperback
€36.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Redeem a companion digital copy on all Print orders
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Android Security Cookbook

Chapter 2. Engaging with Application Security

In this chapter, we will cover the following recipes:

  • Inspecting application certificates and signatures
  • Signing Android applications
  • Verifying application signatures
  • Inspecting the AndroidManifest.xml file
  • Interacting with the activity manager via ADB
  • Extracting application resources via ADB

Introduction

In this chapter, we are going to see some components of the Android security architecture in action by directly engaging with them, specifically those focused on protecting applications. "You never really understand anything until you get your hands dirty." This is what this chapter tries to inspire; actually getting down and dirty with some of the security mechanisms, dissecting them, and really getting to know what they are all about.

We're going to cover just the bare minimum here, the tips and tricks that'll get you the information you need from an application, should you ever want to reverse engineer it or perform a pervasive hands-on security assessment for Android applications, or if you're just purely interested in finding out more about application security.

Inspecting application certificates and signatures

Application certificates are what developers use to declare their trust in the applications they publish to the application market. This is done by declaring their identities and associating them to their application(s) cryptographically. Application signatures make sure that no application can impersonate another by providing a simple and effective mechanism to determine and enforce the integrity of Android applications. It is a requirement that all applications be signed with certificates before they are installed.

Android application signing is a repurposing of JAR signing. It works by applying a cryptographic hash function to an application's contents. We will soon see exactly which of the contents in the APK files are hashed. The hashes are then distributed with a certificate that declares the developer's identity, associating it to the developer's public key and effectively, his/her private key, since they are related...

Signing Android applications

All Android applications are required to be signed before they are installed on an Android device. Eclipse and other IDEs pretty much handle application signing for you; but for you to truly understand how application signing works, you should try your hand at signing an application yourself using the tools in the Java JDK and Android SDK.

First, a little background on application signing. Android application signing is simply a repurposing of the JAR signing. It has been used for years to verify the authenticity of Java class file archives. Android's APK files aren't exactly like JAR files and include a little more metadata and resources than JAR files; so, the Android team needed to gear the JAR signing to suit the APK file's structure. They did this by making sure that the extra content included in an Android application forms part of the signing and verification process.

So, without giving away too much about application signing, let's...

Verifying application signatures

In the previous recipes, we walked through how applications are signed and how to generate keys securely to sign them. This recipe will provide details on how application signatures are verified. Being able to do this "by hand" is pretty important because it not only gives you insight into how verification actually works, but also serves as a gateway to deeper introspection of cryptographic application security.

Getting ready

To be able to perform this recipe, you will need the following:

  • The JDK
  • A sample signed application to verify

That's about all that you need for this one. Let's get going!

How to do it...

To verify application signatures, you will need to perform the following steps:

  1. The Java JDK has a tool called jarsigner that will be able to handle all of the hard labor; all you need to do is execute the following command:
    jarsigner –verify –verbose [path-to-your-apk]
    
  2. All you need to do now is look for the jar verified string...

Inspecting the AndroidManifest.xml file

The application manifest is probably the most important source of information for Android application security specialists. It contains all of the information regarding an application's permissions and which components form part of an application, and it gives us quite some details about how these components will be allowed to interact with the rest of the applications on your platform. I'm going to use this recipe as a good excuse to talk about the application manifest, how it's structured, and what each component in the sample manifest means.

Getting ready

Before you can get going, you will need to have the following software:

  • WinZip for Windows
  • The Java JDK
  • A handy text editor; usually Vi/Vim does the trick, but Emacs, Notepad++, and Notepad are all cool; we don't need anything fancy here
  • The Android SDK (no surprise here!)

You may also need to go get something called apktool; it makes decoding the AndroidManifest.xml file really...

Introduction


In this chapter, we are going to see some components of the Android security architecture in action by directly engaging with them, specifically those focused on protecting applications. "You never really understand anything until you get your hands dirty." This is what this chapter tries to inspire; actually getting down and dirty with some of the security mechanisms, dissecting them, and really getting to know what they are all about.

We're going to cover just the bare minimum here, the tips and tricks that'll get you the information you need from an application, should you ever want to reverse engineer it or perform a pervasive hands-on security assessment for Android applications, or if you're just purely interested in finding out more about application security.

Inspecting application certificates and signatures


Application certificates are what developers use to declare their trust in the applications they publish to the application market. This is done by declaring their identities and associating them to their application(s) cryptographically. Application signatures make sure that no application can impersonate another by providing a simple and effective mechanism to determine and enforce the integrity of Android applications. It is a requirement that all applications be signed with certificates before they are installed.

Android application signing is a repurposing of JAR signing. It works by applying a cryptographic hash function to an application's contents. We will soon see exactly which of the contents in the APK files are hashed. The hashes are then distributed with a certificate that declares the developer's identity, associating it to the developer's public key and effectively, his/her private key, since they are related semantically....

Left arrow icon Right arrow icon

Key benefits

  • Analyze the security of Android applications and devices, and exploit common vulnerabilities in applications and Android operating systems
  • Develop custom vulnerability assessment tools using the Drozer Android Security Assessment Framework
  • Reverse-engineer Android applications for security vulnerabilities
  • Protect your Android application with up to date hardening techniques

Description

Android Security Cookbook discusses many common vulnerabilities and security related shortcomings in Android applications and operating systems. The book breaks down and enumerates the processes used to exploit and remediate these vulnerabilities in the form of detailed recipes and walkthroughs. The book also teaches readers to use an Android Security Assessment Framework called Drozer and how to develop plugins to customize the framework. Other topics covered include how to reverse-engineer Android applications to find common vulnerabilities, and how to find common memory corruption vulnerabilities on ARM devices. In terms of application protection this book will show various hardening techniques to protect application components, the data stored, secure networking. In summary, Android Security Cookbook provides a practical analysis into many areas of Android application and operating system security and gives the reader the required skills to analyze the security of their Android devices.

Who is this book for?

"Android Security Cookbook" is aimed at anyone who is curious about Android app security and wants to be able to take the necessary practical measures to protect themselves; this means that Android application developers, security researchers and analysts, penetration testers, and generally any CIO, CTO, or IT managers facing the impeding onslaught of mobile devices in the business environment will benefit from reading this book.

What you will learn

  • Set up the Android development tools and frameworks
  • Engage in Application security concepts
  • Use the Drozer Android Security Assessment Framework
  • Customize and develop your own plugins for the Drozer Framework
  • Exploit, enumerate, and analyze common application level exploits
  • Protect applications from common vulnerabilities and exploits
  • Reverse-engineer applications for common code level vulnerabilities
  • Secure application networking, SSL/TLS
  • Encryption to protect application data
Estimated delivery fee Deliver to France

Premium delivery 7 - 10 business days

€10.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Dec 24, 2013
Length: 350 pages
Edition : 1st
Language : English
ISBN-13 : 9781782167167
Vendor :
Google
Category :
Languages :

What do you get with Print?

Product feature icon Instant access to your digital copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Redeem a companion digital copy on all Print orders
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to France

Premium delivery 7 - 10 business days

€10.95
(Includes tracking information)

Product Details

Publication date : Dec 24, 2013
Length: 350 pages
Edition : 1st
Language : English
ISBN-13 : 9781782167167
Vendor :
Google
Category :
Languages :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 106.97
Android Application Security Essentials
€36.99
Android Security Cookbook
€36.99
Asynchronous Android
€32.99
Total 106.97 Stars icon

Table of Contents

10 Chapters
1. Android Development Tools Chevron down icon Chevron up icon
2. Engaging with Application Security Chevron down icon Chevron up icon
3. Android Security Assessment Tools Chevron down icon Chevron up icon
4. Exploiting Applications Chevron down icon Chevron up icon
5. Protecting Applications Chevron down icon Chevron up icon
6. Reverse Engineering Applications Chevron down icon Chevron up icon
7. Secure Networking Chevron down icon Chevron up icon
8. Native Exploitation and Analysis Chevron down icon Chevron up icon
9. Encryption and Developing Device Administration Policies Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8
(6 Ratings)
5 star 83.3%
4 star 16.7%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




Philip Arad Mar 27, 2014
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Android has quickly become one of the most popular mobile operating system with more than 46% share, not only to users but also developers and companies.Companies that are looking to be fully adapted to the mobile world, develop their own applications on the Android platform.These applications have seen massive growth in capability and complexity and became quite popular to malicious adversaries.Android users and developers express a need to be constantly aware of their mobile security risks and, because of this need, mobile security and risk assessment specialists and security engineers are in high demand.To address this problem efficiently, I recommend reading the book 'Android Security Cookbook' from 'Packt Publishing' (see[.......] )'Android Security Cookbook' discusses many common vulnerabilities and security related shortcomings in Android applications and operating systems.The book breaks down and enumerates the processes used to exploit and remediate these vulnerabilities in the form of detailed recipes and walkthroughs.The book also teaches readers to use an Android Security Assessment Framework called Drozer and how to develop plugins to customize the framework.Other topics covered include how to reverse-engineer Android applications to find common vulnerabilities, and how to find common memory corruption vulnerabilities on ARM devices.In terms of application protection this book will show various hardening techniques to protect application components, the data stored, secure networking.In summary, 'Android Security Cookbook' provides a practical analysis into many areas of Android application and operating system security and gives the reader the required skills to analyze the security of their Android devices.'Android Security Cookbook' is aimed at anyone who is interested in Android app security and wants to be able to take the necessary practical measures to protect themselves; this means that Android application developers, security researchers and analysts, penetration testers, and generally any CIO, CTO, or IT managers facing the impeding onslaught of mobile devices in the business environment will benefit from reading this book.
Amazon Verified review Amazon
Eli Apr 22, 2014
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book was a great Introduction to almost every aspect of Android Security. It covered all bases and didn't leave out any major topics (SQL Injection, ensuring Permissions are set correctly, and decompiling just to name a few). I would say that the prerequisites for reading this book are the basics of android and some Java programming. The author clearly explains every concept, describes how to accomplish the goal, and then explains why we accomplish the goal in the way that we did. I would recommend this book for anyone that is new to Android Security.
Amazon Verified review Amazon
Aditya Gupta Apr 09, 2014
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Being a Android Security Researcher myself, I was expecting a lot from this book. And to my surprise, this book has all the elements needed in an Android Security book, which is required for learning in depths of Android Security.I personally liked the Native Exploitation chapter the most, as it goes much beyond the normal application level, and gives you a clear picture of how exactly exploits work.If you are planning to get into Android Application Auditing, this is one of the must have books for you. Nothing less than what I was expected. Surely deserves a 5/5 rating.
Amazon Verified review Amazon
Venkata subramanian c. CVS. Jun 18, 2015
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Introduction itselfe is appealing, will submit my full review after completestudy.CVS.
Amazon Verified review Amazon
Benjamin Watson Mar 26, 2014
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book has been a great resource for me when needing to quickly up my IQ in assessing Android mobile applications. The authors have done a great job a laying out many resources and techniques. I would recommend this book to anyone who wants a solid introduction into Android Security concepts.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the digital copy I get with my Print order? Chevron down icon Chevron up icon

When you buy any Print edition of our Books, you can redeem (for free) the eBook edition of the Print Book you’ve purchased. This gives you instant access to your book when you make an order via PDF, EPUB or our online Reader experience.

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela