Sorry, not available in this language yet

English
日本語
简体中文

AI-generated code | Harness the power of AI coding assistants while managing the risks.
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Program Consolidation | Simplify your application security program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage Enterprise AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud.
Open Source License Compliance | Effective solutions for ensuring open source license compliance.
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality and Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators.

Static Analysis (SAST) | Analyzing code for security vulnerabilities without executing it.
Software Composition Analysis (SCA) | Analyzing software components for security and license compliance.
Dynamic Analysis (DAST) | Testing running applications for security vulnerabilities.
Interactive Analysis (IAST) | Real-time security testing during application execution.
Penetration Testing | Simulated cyberattacks to identify vulnerabilities.
Mobile Application Security Testing (MAST) | Ensuring the security of mobile applications.
Application Security Posture Management (ASPM) | Managing and improving application security posture.
Fuzz Testing Solutions | Identifying vulnerabilities by inputting random data to applications.

Automotive | Security solutions for automotive industry applications.
Financial Services | Security solutions tailored for financial services.
IoT & Embedded | Security for Internet of Things and embedded systems.
Medical Devices | Security solutions for medical devices.
Public Sector | Security solutions for government and public sector organizations.

Dev and DevOps Teams | Security tools and practices for development and DevOps teams.
Security Teams | Solutions and support for dedicated security teams.
Legal Teams | Resources and compliance tools for legal teams.

Android Security

Course Description

The Android operating system has several built-in security features to protect application users from attackers (e.g., network sniffers, malicious app writers, device thieves, and more). It is important for Android application developers to understand what protections these features provide but also where they can fall short in protecting users. It is the responsibility of the Android application developer to practice defensive programming to protect the users of their application from the common attacks which attackers use to compromise applications and their data. This course teaches important information about the Android platform but also focuses on these defensive programming techniques which developers must know in order to write secure apps.

Learning Objectives

Appreciate the risks to Android applications.
Understand the structure of Android package files.
Understand the Android security model and the protections provided by the Android OS.
Apply defensive programming techniques for common Android vulnerabilities.

Details

Delivery Format: eLearning

Duration: 1 hour 15 minutes

Level: Intermediate

Intended Audience:

Mobile Developers

Competencies: Familiarity with Java and web technologies

Prerequisites:

Course Outline

Introduction: The Risks to Android Apps

Man-in-the-Middle Attacks
Reverse Engineering
Malicious User with a Proxy
Malicious App Installed on the Device
Rooted Device
Rooted Device: Stolen!

Android APK Structure

Getting into the APK
Keep Secrets Out of the Packages
Android Security Model
Full-Disk Encryption
File-Based Encryption
Sandboxing
Permissions Model: Protection and Consent

Permissions Issues

Permission Redelegation
Overly Permissioned Apps
Consequences of Overly Permissioned Apps
Augmented Gaming and Permissions

Intent Issues

Unauthorized Intent Recipient
Unauthorized Intent Recipient: An Example
Intent Forging
Sticky Broadcasts
How Easily Can Attackers Find and Exploit Vulnerable Apps?

Insecure Storage

Insecure Storage
Saving Files Without Using MODE_PRIVATE
Saving Files to the SD Card
Saving Sensitive Data to SQLite Databases
Logging Sensitive Data
WebViews
How Likely Is It That a Device Will Be Lost or Stolen?

Use of Client-Side Controls

RSA Conference Mobile App
Overreliance on Device Interrogation
Client-Side Controls to Prevent Access to Functionality
Reliance on Root Detection
Reliance on Root Detection: Biometrics

Secure Communications

Secure Communications
Insecure Certificate Validation
SSL/TLS Best Practices
Certificate Pinning
Scanning for SSL/TLS Best Practices

Compromised Certificate Authorities

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster

Learn more about developer security training