Advanced Android Secure Application Development


SEC-214

In this hands-on course, you will learn how to secure your Android Applications, as well as how the Android Platform handles security from the inside-out. You will learn to harden both the Operating System (for device builders), and the application code itself, to protect the organization’s Intellectual Property and the user’s data.

Note: The course is based on Android 6.0 (Marshmallow). Earlier versions can be targeted without additional cost, upon customer request.

Audience

Target Audience:
Mobile developers and security personnel with Java experience.

Course Topics

Android Overview – Bottom up discussion

Hardware overview: What makes an Android device
Linux Kernel boot process and provided functionalities
Native User Space: Init services, daemons, executables and libraries
Enabling Java (Dalvik + ART)
JNI bridge layer
Java OS Layer (Android Frameworks)
Application (APK) Structure
System Applications
User Applications
Google Play Services
Android IPC terminology by example: Browser, Maps
Introduction to working with the AOSP: How and where to find what

Android Platform Security

Linux driven security sandbox
OS and binary protection and exploitation: ASLR, PIE, DEP, ROP, et al.
Android hardware related permission enforcement
SELinux on Android
Data partition forensics protection via Internal and external storage encryption
Secure Boot
Android Signature model and verification
Android application sandbox: single-user and multi-user devices
Android Permissions
Android Security Patches

Security terminology and real-life attacks, “breaking Android”

Glossary: attack vectors, attack surfaces, vulnerabilities and exploits
Privilege escalation attacks – theory and practice
Dynamic code loading attacks and mitigation
Binary exploitation and device rooting
Remote exploitation and DoS attacks
Signature based attacks
SELinux discussion
On device Anti-Virus and Anti-Malware building techniques

Android Application Secure Coding I: Code and app behavior

Reverse Engineering and Data extraction demo: Motivation
Code protection techniques
SQL Injection and protection from it
Manifest level component access control
SELinux and Middleware MAC
IPC level runtime component access control
Webview and Javascript protection/restriction best practices for hybrid apps
Protecting from other applications, protecting from user judgement
Dynamic loading attack prevention (DEX, .so and .js)
Dynamic permission control best practices
Introduction to Android cryptography: BouncyCastle, BoringSSL
Protecting WebView code
Security Provider live-patching using ProviderInstaller
Applying Android lint tool, and other commercial static analysis tools
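The "IPC level runtime component access control" item above is the one most often done wrong, so here is an added example (not course material or code from the course provider) of an exported bound Service that re-checks the caller on every Binder transaction. The permission name, the client package allow-list and the secret values are assumptions made up for the example; the service and a signature-level permission are assumed to be declared in the app's manifest.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Exported service that enforces caller policy per transaction, not only via the manifest. */
public class VaultService extends Service {
    // Hypothetical permission; declare it in the manifest with android:protectionLevel="signature".
    static final String PERM_READ_VAULT = "com.example.vault.permission.READ_VAULT";
    // Hypothetical allow-list of client packages (assumption); verify signing certs as well in production.
    static final Set<String> ALLOWED_CLIENTS = new HashSet<>(Arrays.asList("com.example.trustedclient"));
    // Hand-rolled interface descriptor and transaction code, i.e. what an AIDL Stub would generate.
    static final String DESCRIPTOR = "com.example.vault.IVault";
    static final int TRANSACTION_READ_SECRET = IBinder.FIRST_CALL_TRANSACTION;

    private final Map<String, String> secrets = new HashMap<>();

    @Override
    public void onCreate() {
        super.onCreate();
        secrets.put("api-token", "constructed-sample-value"); // constructed sample data
    }

    @Override
    public IBinder onBind(Intent intent) {
        // Do NOT check the caller here: onBind is invoked via system_server, so the calling
        // identity seen here is not the client's. The checks belong on each transaction.
        return new VaultBinder();
    }

    private final class VaultBinder extends Binder {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TRANSACTION_READ_SECRET) {
                return super.onTransact(code, data, reply, flags);
            }
            enforceCaller(); // runs on a Binder thread with the remote caller's uid/pid attached
            data.enforceInterface(DESCRIPTOR);
            String key = data.readString();
            reply.writeNoException();
            reply.writeString(secrets.get(key));
            return true;
        }
    }

    private void enforceCaller() {
        // 1. Permission held by the *calling* uid. checkCallingPermission (not
        //    checkCallingOrSelfPermission) returns PERMISSION_DENIED when there is no
        //    Binder caller, so a confused-deputy path through our own process fails closed.
        if (checkCallingPermission(PERM_READ_VAULT) != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("caller does not hold " + PERM_READ_VAULT);
        }
        // 2. Package allow-list. One uid may be shared by several packages (sharedUserId),
        //    so require every package under that uid to be allowed, not just any one of them.
        int uid = Binder.getCallingUid();
        String[] pkgs = getPackageManager().getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) {
            throw new SecurityException("unknown caller uid " + uid);
        }
        for (String pkg : pkgs) {
            if (!ALLOWED_CLIENTS.contains(pkg)) {
                throw new SecurityException("package not allowed: " + pkg);
            }
        }
    }
}
```

The manifest-level `android:permission` attribute on the `<service>` element is still the first line of defence (the system enforces it before the bind completes); the per-transaction check adds per-method policy and protects against the service being reached through another component of the same app. Anything run under `Binder.clearCallingIdentity()` must be kept to the minimum, since the checks above would then see the service's own identity.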

Android Application Secure Coding II: Securing User and Application data

Android Storage layout – what’s open and what’s not
SQLite inspection and protection with SQLCipher
Introduction to applied cryptography
Android Applied cryptography


Android Application Secure Coding III: Secure Network Communications

Network privacy dangers: Packet sniffers and interceptors. MITM attacks
Certificate Authority (CA) Chain of trust: A solution and the introduced problems
Secure communication with TLS/SSL
Encrypted network privacy dangers: Sniffers and interceptors. MITM attacks
CA management in Android: Platform and application management
Custom TrustManagers and certificate pinning
IP layer security: introducing the VPN API

Android For Work

Introduction to Device Administration API
Introduction to Android For Work – where to find what
