developing secure mobile applications for android

Developing Secure Mobile Applications for Android

http://www.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf

CS 595James Zachary Howland

Background

• Designed with security in mind• Data sharing must be done explicitly• Potentially harmful applications are limited by

user• Every application is its own user• Applications are signed by developers• Uses manifest to specify permissions

Intents and Pending Intents

• What are Intents?• Bad Data and Intent Filters• Callbacks should probably use PendingIntents

Activities

• Allow code reuse• Intent Filter note• Security concerns

Broadcasts

• Allows components to communicate• Sensitive data• Sticky Broadcasts

Services

• Secure calls into Services

Content Providers and File Access

• Permission Style• Avoiding SQL Injection• Nothing should be world-writable• SD Card

Binders

• What are Binders?• Security

Conclusion

• Android developed with security in mind• Very specific methods for IPC• Keep It Simple