256. Securing Android Applications
Version 4.2

Book cover

This course explores the Android mobile operating system from the perspective of user, application, and server security; and shows experienced Android developers how to apply best practices to secure their applications.


  • Java programming experience is required; Course 103, "Java Programming," is excellent preparation.
  • Introductory knowledge of Android programming is required: Course 251, "Introduction to Android Development," or similar
  • We recommend intermediate Android programming in advance of this course -- Course 252, "Intermediate Android Development" would be ideal -- but this is not required.

Learning Objectives

  • Understand the security characteristics of mobile computing, and the Android OS in particular.
  • Manage application data in a secure fashion.
  • Apply appropriate safeguards over entry points to applications, including intent filters, bound services, and broadcast receivers.
  • Use cryptography as appropriate, especially in remote communications.
  • Manage user credentials, including passwords and issued tokens.

Timeline: 1 day.

IDE Support: Eclipse Juno

  • In addition to the primary lab files, an optional overlay is available that adds support for Eclipse Juno. Students can code, build, deploy, and test all exercises from within the IDE. We make full use of the Android SDK and its Eclipse plugin and device emulators. See also our orientation to Using Capstone's Eclipse Overlays.

Chapter 1. Mobile OS Security

  • Vulnerabilities of Mobile Systems
  • Security Overview of Android
  • For Comparison: iOS
  • Analysis and Areas of Concern
  • Digital Signature of Applications
  • Rooted Devices
  • Clickjacking
  • Best Practices
  • The OWASP Mobile Top 10

Chapter 2. Application Security

  • Permissions
  • Custom Permissions
  • Security Configuration
  • Storage Models
  • Internal Storage
  • USB, Bluetooth, WiFi, and External Media
  • File System Security
  • Encrypted File Systems
  • Injection Vulnerabilities
  • Inter-Process Communication
  • Guarding IPC Entrances
  • Services and Broadcast Receivers
  • Logging

Chapter 3. Remote Connectivity

  • Remote Connections from Mobile Devices
  • The INTERNET Permission
  • HTTP and HTTPS Communication
  • Keystores and Cryptography
  • Username/Password Login
  • Managing Credentials
  • HMACs
  • Managing Token Pairs

Appendix A. Learning Resources

System Requirements

Hardware Requirements (Minimum) Core i5, 1.5 GHz, 4 gig RAM, 1 gig disk space.
Hardware Requirements (Recommended) Core i5, 2.5 GHz GHz, 8 gig RAM, 1 gig disk space.
Operating System Tested on Windows 7 and Windows XP Professional. Course software should be viable on all systems which support a Java 6 Developer's Kit.
Network and Security Limited privileges required -- please see our standard security requirements.
Software Requirements All free downloadable tools.