


Application Security for the Android Platform

Jeff Six

Beijing • Cambridge • Farnham • Köln • Sebastopol • Tokyo


Application Security for the Android Platform
by Jeff Six
Copyright © 2012 Jeff Six. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions
are also available for most titles (). For more information, contact our
corporate/institutional sales department: (800) 998-9938 or

Editors: Andy Oram and Mike Hendrickson
Production Editor: Melanie Yarbrough
Proofreader: Melanie Yarbrough

Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Robert Romano

Revision History for the First Edition:
2011-12-02
First release
See for release details.



Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of
O’Reilly Media, Inc. Application Security for the Android Platform, the image of a red gurnard, and related
trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a
trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and authors assume
no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

ISBN: 978-1-449-31507-8
[LSI]
1322594274


Table of Contents

Preface

1. Introduction
  Application Security: Why You Should Care
  The Current State of Mobile Application Security on Android
  Security: Risk = Vulnerability + Threat + Consequences
  Evolution of Information Security: Why Applications Matter the Most
  Your Role: Protect the Data
  Secure Software Development Techniques
  Unique Characteristics of Android
  Moving On

2. Android Architecture
  Introduction to the Android Architecture
  The Linux Security Model
  The Resulting Android Security Model
  Application Signing, Attribution, and Attestation
  Process Design
  Android Filesystem Isolation
  Android Preferences and Database Isolation
  Moving up the Layers to System API and Component Permissions

3. Application Permissions
  Android Permission Basics
  Using Restricted System APIs and the User Experience
  Custom Permissions

4. Component Security and Permissions
  The Types of Android Components
  Intercomponent Signaling Using Intents
  Public and Private Components


About the Author
Jeff Six is a senior security engineer at a major financial institution based in Baltimore,
Maryland, where he works to secure customer and firm data. A major component of
Jeff’s job is working with developers to enhance the security of applications through
education, code reviews, and deployment of modern application security techniques
and frameworks. He also develops security-related applications, primarily using the
Java EE platform. Prior to this position and a comparable one at another financial
services firm, Jeff worked at the National Security Agency on similar application security projects and development efforts, focused on information assurance. Jeff has
been a member of the Adjunct Faculty at the University of Delaware since 2000, teaching an object-oriented programming with Java course for ten years and, more recently,
a course on Secure Software Design. He has been a lifeguard since 1993, and an instructor since 1995. Additionally, Jeff is an amateur triathlete, competing at the sprint,
Olympic, and 70.3 distances.




