- Application Security for the Android Platform: Processes, Permissions, and Other Safeguards Jeff Six on Amazon.com.FREE. shipping on qualifying offers. With the Android platform fast becoming a target of malicious hackers, application security is crucial.
- It focuses on the security features of Android's core platform and doesn't discuss security issues that are unique to specific apps, such as those related to the browser or SMS app. Android provides an open source platform and app environment for mobile devices.
Introducing Android 8.0 Oreo
Smarter, faster, and more powerful than ever. The world's favorite cookie is your new favorite Android release.
Application Security for the Android Platform: Processes, Permissions, and Other Safeguards - Ebook written by Jeff Six. Read this book using Google Play Books app on your PC, android, iOS devices. Download for offline reading, highlight, bookmark or take notes while you read Application Security for the Android Platform: Processes, Permissions, and Other Safeguards. Android security white paper 2. About this document. Applications are an integral part of any mobile platform and users increasingly download applications to their devices. Android provides multiple layers of application protection, enabling users to download. Android application security features. Application sandbox and permissions. Codified Security is a best in class automated testing platform that detects security vulnerabilities in mobile application code. The Codified platform allows you to test your mobile app for security issues before you release it, helping you to find and fix vulnerabilities before they cause your organisation reputation and financial damage.
Behavior changes
System changes that may affect your app on Android Oreo.
Android Oreo gives you many new ways to extend your app and develop more efficiently.
Android 8.0 features
Highlights of features and APIs for your apps (API 26).
Android 8.1 features
Highlights of features and APIs for your apps (API 27).
Latest news and videos
Android incorporates industry-leading security features and works withdevelopers and device implementers to keep the Android platform and ecosystemsafe. A robust security model is essential to enable a vigorous ecosystem ofapps and devices built on and around the Android platform and supportedby cloud services. As a result, through its entire development lifecycle,Android has been subject to a rigorous security program.
Android is designed to be open. Android apps useadvanced hardware and software, as well as local and served data, exposedthrough the platform to bring innovation and value to consumers. To realize thatvalue, the platform offers an app environment that protects theconfidentiality, integrity, and availability of users, data, apps, thedevice, and the network.
Securing an open platform requires a strong security architecture and rigoroussecurity programs. Android was designed with multilayered security that'sflexible enough to support an open platform while still protecting all users ofthe platform. For information about reporting security issues and the updateprocess, see SecurityUpdates and Resources.
Android is designed for developers. Security controls weredesigned to reduce the burden on developers. Security-savvy developers caneasily work with and rely on flexible security controls. Developers lessfamiliar with security are protected by safe defaults.
In addition to providing a stable platform to build upon, Android givesadditional support to developers in a number of ways. The Android security teamlooks for potential vulnerabilities in apps and suggests ways to fix thoseissues. For devices with Google Play, Play Services delivers security updatesfor critical software libraries, such as OpenSSL, which is used to secureapp communications. Android security released a tool for testing SSL(nogotofail) that helpsdevelopers find potential security issues on whichever platform they aredeveloping.
More information for Android app developers can be found ondeveloper.android.com.
Android is designed for users. Users are provided visibilityinto the permissions requested by each app and control over thosepermissions. This design includes the expectation that attackers would attemptto perform common attacks, such as social engineering attacks to convince deviceusers to install malware, and attacks on third-party apps on Android.Android was designed to both reduce the probability of these attacks and greatlylimit the impact of the attack in the event that it was successful. Android securitycontinues to progress after the device is in the user's hands. Android works withpartners and thepublic to provide patches for any Android device that is continuing toreceive security updates.
More information for end users can be found in the Nexus help center,Pixel help center,or your device manufacturer’s help center.
This page outlines the goals of the Android security program, describesthe fundamentals of the Android security architecture, and answers the mostpertinent questions for system architects and security analysts. It focuses onthe security features of Android's core platform and doesn't discuss securityissues that are unique to specific apps, such as those related to thebrowser or SMS app.
Background
Android provides an open source platform and app environment for mobiledevices.
The sections and pages below describe the security features of the Androidplatform. Figure 1 illustrates the security components andconsiderations of the various levels of the Android software stack. Eachcomponent assumes that the components below are properly secured. With theexception of a small amount of Android OS code running as root, all code abovethe Linux kernel is restricted by the Application Sandbox.
Figure 1. Android software stack
The main Android platform building blocks are:
- Device hardware: Android runs on a wide range of hardware configurations including mobile phones, tablets, watches, automobiles, smart TVs, OTT gaming boxes, and set-top-boxes. Android is processor-agnostic, but it takes advantage of some hardware-specific security capabilities such as ARM eXecute-Never.
- Android operating system: The core operating system is built on top of the Linux kernel. All device resources, like camera functions, GPS data, Bluetooth functions, telephony functions, and network connections are accessed through the operating system.
- Android Application Runtime: Android apps are most often written in the Java programming language and run in the Android runtime (ART). However, many apps, including core Android services and apps, are native apps or include native libraries. Both ART and native apps run within the same security environment, contained within the Application Sandbox. Apps get a dedicated part of the file system in which they can write private data, including databases and raw files.
Android apps extend the core Android operating system. There are twoprimary sources for apps:
- Preinstalled apps: Android includes a set of preinstalled apps including phone, email, calendar, web browser, and contacts. These function as user apps and they provide key device capabilities that can be accessed by other apps. Preinstalled apps may be part of the open source Android platform, or they may be developed by a device manufacturer for a specific device.
- User-installed apps: Android provides an open development environment that supports any third-party app. Google Play offers users hundreds of thousands of apps.
Google security services
Google provides a set of cloud-based services that are available to compatibleAndroid devices with Google MobileServices. While these services aren't part of the Android Open SourceProject (AOSP), they are included on many Android devices. For more information onsome of these services, see Android Security’s2018Year in Review.
The primary Google security services are:
- Google Play: Google Play is a collection of services that allow users to discover, install, and purchase apps from their Android device or the web. Google Play makes it easy for developers to reach Android users and potential customers. Google Play also provides community review, app license verification, app security scanning, and other security services.
- Android updates: The Android update service delivers new capabilities and security updates to selected Android devices, including updates through the web or over the air (OTA).
- App services: Frameworks that allow Android apps to use cloud capabilities such as (backing up) app data and settings and cloud-to-device messaging (C2DM) for push messaging.
- Verify Apps: Warn or automatically block the installation of harmful apps, and continually scan apps on the device, warning about or removing harmful apps.
- SafetyNet: A privacy preserving intrusion detection system to assist Google tracking, mitigate known security threats, and identify new security threats.
- SafetyNet Attestation: Third-party API to determine whether the device is CTS compatible. Attestation can also identify the Android app communicating with the app server.
- Android Device Manager: A web app and Android app to locate lost or stolen device.
Security program overview
The key components of the Android Security Program include:
- Design review: The Android security process begins early in the development lifecycle with the creation of a rich and configurable security model and design. Each major feature of the platform is reviewed by engineering and security resources, with appropriate security controls integrated into the architecture of the system.
- Penetration testing and code review: During the development of the platform, Android-created and open source components are subject to vigorous security reviews. These reviews are performed by the Android Security Team, Google’s Information Security Engineering team, and independent security consultants. The goal of these reviews is to identify weaknesses and possible vulnerabilities well before major releases, and to simulate the types of analysis that are performed by external security experts upon release.
- Open source and community review: AOSP enables broad security review by any interested party. Android also uses open source technologies that have undergone significant external security review, such as the Linux kernel. Google Play provides a forum for users and companies to provide information about specific apps directly to users.
- Incident response: Even with these precautions, security issues may occur after shipping, which is why the Android project has created a comprehensive security response process. Full-time Android security team members monitor the Android-specific and the general security community for discussion of potential vulnerabilities and review security bugs filed on the Android bug database. Upon the discovery of legitimate issues, the Android team has a response process that enables the rapid mitigation of vulnerabilities to ensure that potential risk to all Android users is minimized. These cloud-supported responses can include updating the Android platform (AOSP updates), removing apps from Google Play, and removing apps from devices in the field.
- Monthly security updates: The Android security team provides monthly updates to Google Android devices and all our device manufacturing partners.
Platform security architecture
Android seeks to be the most secure and usable operating system for mobileplatforms by repurposing traditional operating system security controls to:
- Protect app and user data
- Protect system resources (including the network)
- Provide app isolation from the system, other apps, and from the user
To achieve these objectives, Android provides these key security features:
Application Security For The Android Platform Pdf Download Free
- Robust security at the OS level through the Linux kernel
- Mandatory app sandbox for all apps
- Secure interprocess communication
- App signing
- App-defined and user-granted permissions