Android Security is a three-day course focusing specifically on the various security concerns of the Android platform.
We explore the Android architecture and security model, permission system and enforcement, encryption, known exploits, memory protections, data protection, device management, SELinux, as well as tools security researchers use to find Android vulnerabilities. We also focus on best practices for coding and deploying secure Android apps. Learn what to do - and what not to do - to keep your apps, your business, and your customers secure.
Prerequisite: Android Overview training, or any other NewCircle Android class that contains the Android Overview module.
It is highly recommended that participants be familiar with the basics of Java, C/C++, and Linux administration to take full advantage of this course.
To refresh your Java skills, you can review NewCircle's Fundamentals of Java tutorial.
Additionally, knowledge of Eclipse is required. You could watch this 30-minute Eclipse tutorial to get up to speed.
The objective of Android Security training is to give you a solid understanding of the inner workings of the Android operating system, its security model, and ways to close potential security holes. By the end of this class, you will be able to identify the issues and understand how to go about securing the system and the applications running on it.
This class does not cover Android application development in Java or C programming for the lower levels.
Android Stack Overview
- Android design philosophy
- Platform open source licensing issues
- Linux Kernel Layer
- Native User Space Layer
- Application Runtime (Dalvik + ART)
- Application Frameworks Layer
- Applications Layer
- Application (APK) Structure
Android Platform Security
- Application sandbox
- SELinux on Android
- Disk Encryption
- Secure Boot
- Application (APK) Signing
- File system access permissions
- Application Permissions Model
- Using permissions
- Declaring custom permissions
- Android Malware Scanning
- Reasons for rooting devices
- Device rooting process
- Common root exploits
- Rooting under SELinux
- Android bytecode structure
- Unpacking APK resources
- Disassembling APK executable code
- Modifying and repackaging APK contents
- Common disassembly tools
Android Penetration Testing
- Common penetration testing tools
- Finding exposed application components
- "Fuzzing" inputs and testing validation code
- Discovering injection vulnerabilities in data-handling code
Securing Application Code
- Validating input on exposed components
- Protecting exposed IPC endpoints
- Commonly missed side-channel leaks
Secure Network Communications
- Exposing network-related vulnerabilities
- Encryption with SSL/TLS
- Certificate pinning
- Virtual Private Networks (VPNs)
- Protecting WebView code
Securing Persisted Application Data
- Storage APIs
- User authentication credentials
- Avoiding leaks
- Alternatives to storing
- Storing sensitive data
- Encrypting persisted data
Mobile Device Administration (Android for Work)
- Device administration APIs
- Application restrictions
- Device provisioning and profile management
- Integrating with Google's Android for Work program
Adam Breindel brings over 10 years of success working with cutting-edge technology for small startups as well as major players in the travel, media/entertainment, financial, productivity, and consulting industries.
In addition to web sites, GUI applications, and mobile device software, Adam has also built high-volume middleware for one of the world's largest banks, and produced a new, modern integration to a 1960s-vintage mainframe app for one of the world's largest airlines.
Adam focuses on designing and coding systems in a way that yields predictable results, leverages best practices and high-productivity tools, minimizes excess code, and is fun to do. He has also spoken at tech conferences, written articles and skill assessments, and produced an open source tool for software development. Adam has enjoyed teaching large and small groups, covering topics from nuts-and-bolts Java programming to merging ideal process with real-world constraints in an organization.
Dave Smith is the Android Practice Lead at NewCircle, where he focuses on development and maintenance of courseware materials.
Dave has worked in developing software at all levels of the Android platform since 2009, from writing user applications using the SDK to building and customizing the Android source code for embedded devices. Prior to that, he was an embedded applications developer and hardware systems integrator for the M2M industry, working mostly with 8- and 16-bit microprocessors. His favorite mobile projects are those that integrate custom accessory hardware with consumer devices or involve building Android for embedded platforms. Today he specializes primarily in integrating custom device interfaces, such as USB and UART, with application layer services on embedded Android hardware.
Dave is also passionate about providing resources that developers can make use of long term. He is the author of the popular book Android Recipes: A Problem-Solution Approach, published by Apress, a cookbook-style text dedicated to getting Android developers up and running quickly by providing real-world examples of how to use the Android SDK and NDK to build applications quickly and well. Dave is a regular speaker at Android conferences, where he usually speaks on topics related to hardware integration and framework internals. He frequently shares ideas via the NewCircle Stream, his personal development blog, Twitter (@devunwired), and Google+.
Dave received his degrees in Electrical Engineering and Computer Science from the Colorado School of Mines, and is a licensed Professional Engineer.
Gil Zhaiek joined the NewCircle team from Vancouver, Canada and provides his expertise in the Android framework and the Linux kernel. He has 13 years of software and hardware experience, which is critical for the field of board bring-ups. He started as a C++ coder of an online financial calculator, switched to FPGA and digital board design for a couple of years, and later applied his knowledge in designing C++ testbenches as a consultant to various hardware teams in more than 20 companies.
Having experience in nearly all the hardware and software components, he was able to transition smoothly to real-time OS and embedded Linux work, where he wrote drivers and was able to debug the hardware independently. A few years ago, Gil and his wife moved to Vancouver, where he joined Recon Instruments as the Senior Embedded Android Engineer and later the Embedded Software Manager responsible for board bring-ups and Android framework customization.
Notable products Gil has worked on include the MOD Live, the first Ski Smart Head-Mounted Display, and the Recon Jet, a light sports HMD.
Gil earned his B.Sc in Mathematics and Computer Science from the University of Arizona. He also holds an MBA from Heriot-Watt University.
Ron is an entrepreneur and software development consultant. He has a long history of developing for performance and safety critical software, leading development groups, training application and platform developers, and helping companies in the process of board bring-ups. He also has experience with the design and execution of embedded systems products, security best practices and product start-up.
He specializes in all aspects of distributed systems and Android internals. As the Founder and CTO of Nubo, the first Remote Android Workspace for the Enterprise, he is the designer and original developer of the first Android Remote Display Protocol.
Additionally, Ron is a lecturer at Afeka College of Engineering, where he developed and taught the first ever academic Android Internals course. Ron holds a Master's degree in Computer Science from Bar-Ilan University.
Ron has also presented at a number of conferences, including: Embedded Linux Conference, Android Builders Summit, AnDevCon, WearableDevCon, DroidCon, mdevcon, Mobile World Congress, and CommunicAsia.