You're reading from Android High Performance Programming

Product type: Book
Published in: Aug 2016
Reading level: Beginner
Publisher: Packt
ISBN-13: 9781785288951
Edition: 1st Edition

Authors (3):

Emil Atanasov

Emil Atanasov is an IT consultant with broad experience in mobile technologies. He has been exploring the field of mobile development since 2006. Emil has an MSc in Media Informatics from RWTH Aachen University, Germany, and an MSc in Computer Science from Sofia University "St. Kliment Ohridski", Bulgaria. He has worked for several huge USA companies and has been a freelancer for several years. Emil has experience in software design and development. He was involved in the process of redesigning, improving and creating a number of mobile apps. Currently, he is focused on the rapidly growing mobile sector and manages a great team of developers that provides software solutions to clients around the world. As an Android team leader and project manager, Emil was leading a team that was developing a part of the Nook Color firmware, an e-magazine/e-book reader, which supports the proprietary Barnes & Noble and some other e-book formats. He is one of the people behind the "Getting Started with Flurry Analytics" book. He also contributed largely to the book "Objective C Memory Management". "I want to thank my family and friends for being so cool. Thank you for supporting me even though I'm such a bizarre geeky person, who is spending most of the time in the digital world. Thank you, guys!"

Enrique López Mañas

Enrique López Mañas is a Google Developer Expert and independent IT consultant. He has been working with mobile technologies and learning from them since 2007. He is an avid contributor to the open source community and a FLOSS (Free Libre Open Source Software) kind of guy, being among the top 10 open source Java contributors in Germany. He is a part of the Google LaunchPad accelerator, where he participates in Google global initiatives to influence hundreds of the best startups from all around the globe. He is also a big data and machine learning aficionado. In his free time he rides his bike, takes pictures, and travels until exhaustion. He also writes literature and enjoys all kinds of arts. He likes to write about himself in third person. You can follow him on Twitter (@eenriquelopez) to stay updated on his latest movements.

Diego Grancini

Diego Grancini has a degree in telecommunications and IT engineering from Perugia University. He has developed his skills in Android development for more than six years, leading and contributing to several projects, and teaching and sharing his skills during his career. He joined Engineering Ingegneria Informatica S.P.A. after his degree, building his knowledge of Java and Android development while working as the lead Android developer for years. He then joined J.P. Morgan Chase, strengthening his skills in security and performance in software development and on the Android platform in particular.
Chapter 7. Security

Security is defined in Wikipedia as "the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset, such as a person, dwelling, community, item, nation, or organization."

When we think of security in software, our mind conjures pictures of hackers working with black screens and green fonts, always typing console commands very fast to gain access to a system or to break through a firewall. The reality is different from what Hollywood shows. Security in software refers to a robust system that protects the privacy of its users, avoids undesired interaction from an attacker, and preserves its integrity.

A computer system can experience several vulnerabilities or attack vectors:

  • Backdoors: A backdoor is an entry point used to bypass the security of the application, traditionally left by the developers of the system. In 2013, a scandal exposed by Snowden suggested that the NSA had backdoors into many operating systems and platforms, including those from Google...

WhatsApp – the eternal showcase of "no-gos"


WhatsApp showcases some of the red flags an application can present. A bug was reported in 2011 stating that communications within WhatsApp were not encrypted: a device connected to the same Wi-Fi network could read the communications between other devices. It took almost a year for this bug, which was not especially complex to solve, to be fixed.

Later that year, a problem that allowed an attacker to impersonate a user and take control of their account was also reported. In January 2012, a hacker published a website that made it possible to change the status of any device with WhatsApp installed, provided the phone number was known. The only measure taken by WhatsApp to fix this bug was to block the IP address of the website (as any reader can imagine, this is far from an effective measure).

A big problem present for many years in WhatsApp is that the messages are stored in a local database. This was done in the external storage, which is the...

Going deeper into the code


When we develop in a particular technology, we generally program in a high-level language (such as C, C++, or Java) and later compile our code and resources into a file that will be executed on a target platform. The compilation process varies between technologies (Java has a different process than C++, since Java code runs in a JVM). With more or less difficulty, code that has already been compiled can be "reversed": the compiled form, which is generally unreadable, can be turned back into something more human-friendly.

The following diagram shows how we develop applications in Android:

Here is the explanation for the above:

  1. Initially, we develop our application making use of the Android SDK and external libraries. Eventually, we also use NDK, which follows a different process of development and compiling.

  2. When our application is ready and we want to compile it, it will be compiled to be executed in the Android virtual machine. This will be compiled in...

Capturing an APK file


There are different methods we can use to capture an APK file. We will present three of them in this book, available at the time of writing (last quarter of 2015). Please note that the information provided in this chapter is for educational purposes only. There are rules and legislation that need to be observed when performing reverse engineering, which will be discussed later.

Pulling a file from the device

If our device is rooted, or we are using an emulator with Google Play Services installed, it is possible to pull an APK that has been installed. Please note that a rooted device can be targeted by malicious applications and attackers. If you are going to root your device, there is a lot of free information available on the Internet.

When the application has been installed from the Play Store or an alternative market, you will first need to connect your device to your computer so that adb can reach it. Then you need to determine the package name of the target application:

adb shell pm list packages...
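As an added example (not from the book), here is a small Python helper that completes the procedure above: it parses the output of `adb shell pm list packages` and `adb shell pm path <package>` and builds the matching `adb pull` commands, handling split-APK installs that report several paths. The package names and paths in the test are constructed sample data.

```python
import re
import shutil
import subprocess

# Both `pm list packages` and `pm path` print one "package:" line per item; a
# split-APK install yields several paths (base.apk plus split_*.apk), and all
# of them are needed to reassemble the app.
PACKAGE_LINE = re.compile(r"^package:(\S+)$")


def parse_package_lines(output):
    """Strip the 'package:' prefix from pm output, ignoring blank or foreign lines."""
    found = []
    for line in output.splitlines():
        match = PACKAGE_LINE.match(line.strip())
        if match:
            found.append(match.group(1))
    return found


def find_packages(listing, needle):
    """Return installed package names containing `needle` (case-insensitive)."""
    needle = needle.lower()
    return [pkg for pkg in parse_package_lines(listing) if needle in pkg.lower()]


def adb_pull_commands(pm_path_output, dest_dir):
    """Build one `adb pull` command per APK path reported by `pm path <package>`."""
    return [["adb", "pull", apk, dest_dir] for apk in parse_package_lines(pm_path_output)]


def pull_apk(package, dest_dir="."):
    """Run the real commands; needs adb on PATH and an attached device or emulator."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")
    out = subprocess.run(["adb", "shell", "pm", "path", package],
                         capture_output=True, text=True, check=True).stdout
    pulled = []
    for cmd in adb_pull_commands(out, dest_dir):
        subprocess.run(cmd, check=True)
        pulled.append(cmd[2])
    return pulled
```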

Autopsy of an APK file


Let's suppose we have obtained an APK file. For the purpose of this section, and to keep the exercise easy, we will create a HelloWorld application containing merely a TextView inside an Activity.

To proceed analyzing the interior of our application, let's first unzip the APK and check its content. We will see content similar to the following:

For the newbies in this world: we can see that the Android manifest and the resources inside the res folder are directly accessible. The classes.dex file contains the compiled Java classes, as explained in the previous section. The resources.arsc file (Application Resource Files) contains a list of binary resources, including any kind of data used by the program. This file is created by the Android Asset Packaging Tool (aapt).

We will now introduce the first technique for reading the code of an APK that has not been obfuscated: transforming the file into a JAR file and then opening it with a decompiler. We will need two tools...
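Added example, not from the book: a Python script that performs the first pass of this autopsy programmatically, treating the APK as the ZIP archive it is and classifying its entries (manifest, classes*.dex with a check of the dex magic bytes, resources.arsc, res/, native libraries and the META-INF signature files). The APK it builds is a constructed stand-in for the HelloWorld app with placeholder bytes, so it runs offline.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"  # a .dex file starts with "dex\n" + a 3-digit version + NUL


def describe_apk(apk_bytes):
    """Classify the entries of an APK (a plain ZIP archive) as a first unzip reveals them."""
    report = {"manifest": False, "dex": [], "resources_arsc": False,
              "res_files": 0, "native_libs": [], "signature_files": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                report["manifest"] = True
            elif name.startswith("classes") and name.endswith(".dex"):
                data = zf.read(name)  # classes.dex, classes2.dex, ... (multidex)
                report["dex"].append((name, data.startswith(DEX_MAGIC), len(data)))
            elif name == "resources.arsc":
                report["resources_arsc"] = True
            elif name.startswith("res/"):
                report["res_files"] += 1
            elif name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)  # NDK code, see the previous section
            elif name.startswith("META-INF/") and name.endswith((".MF", ".SF", ".RSA", ".DSA", ".EC")):
                report["signature_files"].append(name)  # v1 (JAR) signature files
            else:
                report["other"].append(name)
    return report


def build_hello_world_apk():
    """Constructed stand-in for the HelloWorld APK: same layout, dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("res/layout/activity_main.xml", b"<binary xml placeholder>")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in describe_apk(build_hello_world_apk()).items():
        print(f"{key}: {value}")
```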

Code injection


Another big security risk is code injection. Code injection happens when a piece of software is deliberately modified to insert a module of code, generally malicious, that performs an unintended operation. These unintended operations range from data theft to user surveillance, among others. Hence, in this particular case, it is particularly important that applications are signed. An application whose signature from a trusted manufacturer still verifies cannot have had code injected after signing, since any modification breaks that signature.

Georgie Casey, an Irish engineer, published a scary proof of concept in a 2013 article. He decompiled SwiftKey, the award-winning keyboard for Android, and injected a piece of code that logged all the keystrokes and sent them through a web service to a public website, where they were displayed. The point was to prove that anybody could have done this and uploaded the manipulated APK to one of the alternative stores. A person looking for a free APK could have downloaded and used it, sending...
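To show why a valid signature rules out injected code, here is an added Python example (not from the book or from Casey's article) that checks the per-entry SHA-256 digests recorded in META-INF/MANIFEST.MF, the integrity half of Android's v1 (JAR) signing; the signature over those digests and the v2/v3 APK Signature Scheme are not covered here. The sample APK and the modified classes.dex are constructed.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_manifest(text):
    """Map entry name -> SHA-256-Digest from a JAR manifest (rejoins wrapped lines)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # lines over 72 bytes continue with a leading space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif line == "":  # a blank line closes the current entry section
            name = None
    return digests


def tampered_entries(apk_bytes):
    """Names of entries whose bytes no longer match the digest recorded when the APK was signed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        digests = parse_manifest(zf.read(MANIFEST).decode("utf-8"))
        return [name for name, expected in digests.items()
                if b64_sha256(zf.read(name)) != expected]


def build_sample_apk(dex_bytes, signed_dex=None):
    """Constructed stand-in for a v1-signed APK: classes.dex plus a manifest with its digest.
    `signed_dex` records the digest of the original code while shipping modified bytes."""
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\n"
                f"SHA-256-Digest: {b64_sha256(signed_dex or dex_bytes)}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex_bytes)
        zf.writestr(MANIFEST, manifest)
    return buf.getvalue()
```

A repackaged APK can only pass this check again if the attacker rewrites the manifest and re-signs with their own key, which is why the signer's certificate, not merely the presence of a signature, is what a store or a device should trust.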

Insecure storage


Storage is the process of saving information on our device or computer. The Android API basically offers five different types of storage:

SharedPreferences

The first and most basic one is known as SharedPreferences. This type of storage saves, in XML files inside the application's private folder, the information we stored as key/value pairs of primitives. In the following screenshot we can see all the files under the shared_prefs folder; those files are SharedPreferences files.

If we pull one of them from the device, we will be able to see the following content:

Each value inside the XML file has the following structure:

<string name="AppStateRepository:AppVersion">2.0.0_1266 p P 1/11/16 10:53 AM</string>

The name is composed of a combination of the file name and the variable name (the name we used to store the value). The type of the primitive stored in SharedPreferences is also indicated by the XML tag (for example, <string…</string>). And finally, the value...
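As an added example (not from the book), here is a Python parser for a pulled shared_prefs XML file that shows how readable the stored values are: it returns each entry with its type, splits the "file:variable" key convention shown above, and flags string entries whose names suggest a secret sitting in plaintext. The file contents, including the AuthToken entry, are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample of /data/data/<package>/shared_prefs/<file>.xml; the key
# naming follows the "<Repository>:<Variable>" convention shown above.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="AppStateRepository:AppVersion">2.0.0_1266</string>
    <int name="AppStateRepository:LaunchCount" value="7" />
    <boolean name="AppStateRepository:TermsAccepted" value="true" />
    <long name="AppStateRepository:LastSync" value="1452531180000" />
    <float name="AppStateRepository:Scale" value="1.5" />
    <string name="SessionRepository:AuthToken">constructed-plaintext-token</string>
    <set name="SessionRepository:Scopes">
        <string>read</string>
        <string>write</string>
    </set>
</map>
"""

CONVERTERS = {"int": int, "long": int, "float": float,
              "boolean": lambda v: v == "true"}
SENSITIVE_HINTS = ("token", "password", "secret", "key", "credential", "session")


def parse_shared_prefs(xml_text):
    """Return {key: (type, value)} for every entry of a SharedPreferences XML file."""
    entries = {}
    for node in ET.fromstring(xml_text.encode("utf-8")):
        name = node.get("name")
        if node.tag == "string":
            entries[name] = ("string", node.text or "")
        elif node.tag == "set":
            entries[name] = ("set", {child.text or "" for child in node})
        elif node.tag in CONVERTERS:
            entries[name] = (node.tag, CONVERTERS[node.tag](node.get("value")))
    return entries


def split_key(key):
    """Split 'AppStateRepository:AppVersion' into (file/repository name, variable name)."""
    repo, sep, variable = key.partition(":")
    return (repo, variable) if sep else ("", key)


def plaintext_secrets(entries):
    """Keys whose name suggests a secret but whose value sits unencrypted in the XML."""
    return sorted(key for key, (kind, _) in entries.items()
                  if kind == "string" and any(h in key.lower() for h in SENSITIVE_HINTS))
```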

Encrypted communication


We can never stress enough how important it is to use an encrypted channel of communication when creating web services and communicating them with an application.

HTTP was initially intended as a protocol to exchange documents and information between scientific institutions, so security was not an important concern at that time.

The Internet evolved pretty quickly, and the initially limited HTTP was suddenly facing millions of users interacting with each other. There are tons of resources discussing SSL and how the encryption is performed. For the purpose of this book, we will mention that communications under HTTPS (which stands for HTTP Secure, or HTTP over SSL) are generally protected against man-in-the-middle attacks and cannot be easily sniffed. There are still some ways an attacker can manage to break into the communication channel and steal the communication, but they require more knowledge and access to the victim. We will, however, mention them, in case...

Summary


This chapter has analyzed security measures in an application. Security itself is a complex topic that could fill several books. After reading this chapter, the reader will know how data can be intercepted and will be able to store information securely. They will be able to perform a penetration analysis of the code and, conversely, check whether their own application exposes sensitive information to such an analysis.

ProGuard is an extensive tool for protecting our application. We recommend that the reader take a further look at the official documentation.

After reading this chapter, the reader should be familiar with all the different options for storing information securely in Android, as well as their advantages and disadvantages. The reader should be able to identify SQL injections and know how to prevent them.

The reader will also be aware of the possibility of sniffing traffic when the network has not been correctly protected. They will be familiar with Wireshark and the possibilities it offers.

Security...
