Friday, October 23, 2015

Penetration Testing in Android Security

Penetration testing is done by security professionals to evaluate the security of a system by simulating an attack from malicious insiders or external attackers. The goal is to discover issues before an attacker does.

Steps to Penetration Test Android OS and Devices

  1. Obtain the IP address of the Android device(s).
  2. Run an NMAP scan to see the services that are running on those devices.
  3. For suspicious devices (e.g., rooted devices), capture and analyze packets through Wireshark.
  4. If device is deemed compromised, use utilities like busybox to explore device internals (which processes are running, etc.) and for forensics.
  5. Perform a static analysis of the source code of the libraries and OS, looking specifically at code contributed by vendors such as HTC. Review the code for the following types of issues: resource leaks, null pointer dereferences, illegal access operations, and control-flow issues that can potentially bypass security checks.
  6. Review configuration files and code for plain-text passwords and other sensitive data stored without appropriate security considerations.

Things to consider while pen testing an Android application include attack surface, interactions with other components (internally and externally), communications, and storage.

Pen Testing should provide an application benchmark against the following best practices:

  1. Libraries and applications are patched promptly as vulnerabilities are identified.
  2. Sensitive information (e.g., an SSN) is not passed as a parameter in a URL. Information in a URL is sent through a GET request and can be logged in multiple places. A POST request avoids this; however, although information sent through a POST request is not visible in the URL, a POST request can still reveal this information in the request header. For truly sensitive information, always use an HTTPS connection.
  3. Brute-force attacks are not possible because the number of authentication attempts is limited.
  4. Secure Sockets Layer (SSL) is used pervasively when requesting resources.
  5. Session identifiers are not sent in URLs.
  6. Tokens are not easily guessable.
  7. Password complexity is enforced.
  8. Log files do not contain sensitive information and are protected appropriately.
  9. Files are encrypted on local and external storage.
  10. Proper data validation is performed to prevent XSS, SQLi, command injection, etc.

Wednesday, December 19, 2012

Google I/O 2011: HTML5 versus Android: Apps or Web for Mobile Development?

There are already a lot of articles about HTML5 vs. Android (or which one you should use in your mobile project). Just watch this video and take a look at the article Multi-platform Frameworks Destroy Android UX by Juhani Lehtimäki.

Tuesday, July 3, 2012

Android Design Session Videos - Google I/O 2012

These are the Android design session videos from Google I/O 2012. They are worth watching!

Google I/O 2012 - Android Design for Success

Google I/O 2012 - So You've Read the Design Guide; Now What?

Google I/O 2012 - Navigation in Android

Google I/O 2012 - Advanced Design for Engineers

Tuesday, June 26, 2012

Beginning Android Part 4 - Apache Cordova Persistence Support

Revision History
Latest: Revision 0.5 - Aug. 15, 2012
  • Created
  • First draft
  • 2nd draft
  • Added "Running The Demo Application" video
  • 3rd draft
  • Added "Running The Demo Application as Dolphin Garage Web-App"
  • 4th draft
  • Enhancement
  • 5th draft
  • Final

Persistence is a means of saving application state, and it is one of the most important qualities an application needs to be reusable. Imagine what it would be like if a word processor such as Microsoft Office or OpenOffice could not save your documents, or an image manipulation program such as GIMP could not save your images! An application saves its state into a datastore. The datastore can be a relational database (RDBMS) such as MySQL, a flat file, or an XML file.

Android Storage Quickview

Android supports many storage options for you to save your persistent application data. It is important for you to carefully read the official Android Storage Options documentation.
Android data storage options are the following:
  1. Shared Preferences - Store private primitive data in key-value pairs.
  2. Internal Storage - Store private data on the device memory.
  3. External Storage - Store public data on the shared external storage.
  4. SQLite Databases - Store structured data in a private database.
  5. Network Connection - Store data on the web with your own network server.

Persistence Strategy: What kind of data storage should I use?

The decision about which of the Android storage options you choose is usually determined by the following:
  1. Application Properties - You can use SharedPreferences here.
  2. Database - You should use SQLite if you need to store structured data.
  3. Filesystem - You can use the Internal/External storage options.
This tutorial will focus on storage options provided by Apache Cordova to store structured data in a database.

Apache Cordova - Android

Apache Cordova is an HTML5 app platform that allows you to author native applications with web technologies and get access to APIs and app stores.
In this article, we will:
  1. Briefly cover the two feasible options Cordova offers for offline storage on mobile devices.
First, please carefully read the Cordova Storage documentation along with the W3C spec for Web SQL Database support. The W3C docs helped fill in some things that the Cordova documentation didn't cover, such as the error codes and labels for SQLError.

Working Offline: Caching

Cordova provides two feasible options for persisting your application's data: LocalStorage and Web SQL.
Web SQL is a thin, asynchronous wrapper around an SQLite database which is currently well implemented on first-class mobile devices (iOS, Android, and BlackBerry OS 6.0). Note that Web SQL is not supported on Firefox and IE, and the Web SQL spec was deprecated on Nov. 18, 2010.
Web SQL offers a useful interface for storing structured data; it works well if you have a remote server that uses a SQL database and you want to mirror the structure of your data between platforms. I will use the Web SQL standard in my demo application because it is fast and heavy-duty, because the storage limit of SQLite is much larger than that of local storage, and because it is well implemented on first-class mobile devices such as Android.

Time for Action: A Simple To-Do Application

Ok, so let's talk about the application. My demo application is called TodoListPhoneGap. It only lets you add a task (adding the other functionality is your assignment). You can check out the source code by issuing the following command in a terminal:
Once you’ve checked out the TodoListPhoneGap project, open it with Eclipse.
1. The first thing we need to do when using Cordova is to get a reference to our database, using the openDatabase function:
function createTaskDB() {
        // open (or create) the database and keep the handle in the global variable db
        db = window.openDatabase("TaskDB", "1.0", "Simple Tasks", 1000000);
}
The openDatabase function requires four parameters: the name of the database, the version of the database, the display name of the database, and the size of the database in bytes.
2. The next step is to create a table to store our records. To do this, we will start a transaction on our db and execute the SQL query asynchronously:
// start a transaction on our db
db.transaction(createTable, sqlErrH, getTaskList);
The transaction function accepts three parameters: the function that executes the SQL query, the function that handles errors (if any), and the function to call when the transaction succeeds.
function createTable(tx) {
        // DDL: create the task table on first run; a no-op on later runs
        tx.executeSql("CREATE TABLE IF NOT EXISTS task (id unique, taskname)");
}
3. Finally, we need to populate and query the table in our db. To do this, we will start a transaction again on our db, but this time we will pass a DML (Data Manipulation Language such as INSERT, UPDATE, SELECT, DELETE) instead of DDL (Data Definition Language such as CREATE, DROP, ALTER).
db.transaction(function(tx) {
        tx.executeSql("INSERT INTO task (taskname) VALUES (?)",[ task.taskname ]);
}, sqlErrH, cb);
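As an added example that is not part of the original post, here is the three-step flow above (and the parameterised query that best practice 10 in the pen-testing post asks for) run end to end against a small in-memory stand-in for the Web SQL API, so that it executes offline in Node. The stand-in, the addTask and getTaskNames helpers, and the sample task names are assumptions, not Cordova's code.

```javascript
// Added example, not from the original post: the TodoListPhoneGap flow run
// against an in-memory stand-in for Web SQL (an assumption; it accepts only
// the tutorial's statements and runs callbacks synchronously, unlike SQLite).
function openDatabase(name, version, displayName, size) {
  const rows = [];                         // constructed in-memory "task" table
  const tx = {
    executeSql(sql, args = [], onSuccess) {
      const s = sql.trim();
      let rs = { rows: { length: 0, item: () => undefined } };
      if (/^INSERT INTO task \(taskname\) VALUES \(\?\)$/i.test(s)) {
        // The value arrives as a bound argument, never spliced into the SQL
        // text, so a taskname like "x'); DROP TABLE task; --" is only data.
        if (args.length !== 1) throw new Error("expected one bound value");
        rows.push({ id: rows.length + 1, taskname: String(args[0]) });
      } else if (/^SELECT \* FROM task$/i.test(s)) {
        rs = { rows: { length: rows.length, item: (i) => rows[i] } };
      } else if (!/^CREATE TABLE IF NOT EXISTS task/i.test(s)) {
        throw new Error("stand-in does not understand: " + s);   // CREATE is a no-op
      }
      if (onSuccess) onSuccess(tx, rs);
    },
  };
  return {
    transaction(body, onError, onDone) {     // same three callbacks as Cordova
      try { body(tx); if (onDone) onDone(); }
      catch (e) { if (onError) onError({ code: 0, message: e.message }); }
    },
  };
}
let db;
function sqlErrH(err) { console.error("SQL error " + err.code + ": " + err.message); }
function createTable(tx) { tx.executeSql("CREATE TABLE IF NOT EXISTS task (id unique, taskname)"); }
function createTaskDB() {
  db = openDatabase("TaskDB", "1.0", "Simple Tasks", 1000000);
  db.transaction(createTable, sqlErrH);
}
function addTask(task, cb) {                 // DML with a bound parameter, as in the tutorial
  db.transaction(function (tx) {
    tx.executeSql("INSERT INTO task (taskname) VALUES (?)", [task.taskname]);
  }, sqlErrH, cb);
}
function getTaskNames() {                    // returns synchronously only because of the stand-in
  const names = [];
  db.transaction(function (tx) {
    tx.executeSql("SELECT * FROM task", [], function (_tx, rs) {
      for (let i = 0; i < rs.rows.length; i++) names.push(rs.rows.item(i).taskname);
    });
  }, sqlErrH);
  return names;
}
```

With real Cordova the SELECT result only arrives in the success callback, so getTaskList there must render from inside that callback rather than return a value.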

Running The Demo Application

Running The Demo Application as Dolphin Garage Web-App

Dolphin announced its Garage Open API at Google I/O 2012. PhoneGap and the Dolphin browser recently teamed up.
Steps to run my demo application as a thin-client web app for Dolphin users:
1. Check out my demo application using SVN.
2. Copy the files located in <your project's name>/assets/www to your web server (e.g., Tomcat).

3. Place cordova.dolphin.js on your web server.

4. Make changes to index.html: just replace js/cordova-1.5.0.js with js/cordova.dolphin.js.

5. Run your web server.

6. Test the demo application:
  1. Download Dolphin Browser HD and the PhoneGap add-on.
  2. Access <your webserver>/TodoListPhoneGap using the Dolphin Browser HD.
The first approach showed you how to run my demo application as an Android Application Package (APK). APKs are usually released through a marketplace such as Google Play.
The second approach showed you how to deploy my demo application to your web server.

And that's pretty much it. There's a lot more you can do with PhoneGap. In this article you learned how to:
1. Persist application state by using the Web SQL standard.
2. Use the Dolphin Garage API.

Further Reading:



Sunday, April 8, 2012

Kick-starting Android Projects with Maven 3 and Android Connector for M2E

This screencast shows how to create an Android project from the command line with Maven 3 and the Android Connector for M2E. You need to install Maven and the Android Connector for M2E from the Eclipse Marketplace for this purpose.

Thank You!

Sunday, March 4, 2012

Beginning Android (Part 3) - Monetizing Android Apps

Revision History
Latest: Revision 0.6 - July 31, 2012
  • Created
  • First draft
  • Enhancements
  • Added a note to why use compiler level 13 and above
  • Creating The Banner In Pure Java
  • Added PayPal as AdMob Payment Method
  • Retrieving Ad Unit ID
0.4 - 0.5
  • Minor enhancements
  • Added "How To Open PayPal Account"

Catch Up!
If you haven't seen the first and second parts of this Beginning Android tutorial series, please take some time to read them before reading this article. Just click on the following links.

Get started Creating Your First Android Project


Google AdMob Ads provides application developers with tools to promote, measure and monetize mobile apps. I created this screencast for you to learn how to add banner ads to your Android apps.

Creating The AdMob Ads Android Project

To display banners in your Android app, simply add the AdMob SDK into your project and add a com.google.ads.AdView to your UI.

Dependencies and prerequisites

  • Android 3.2 compiler or higher

  • Note: According to the official AdMob documentation you should make sure you have the latest copy of the Android SDK and that you're compiling against at least Android v3.2. Compiling against newer versions of Android doesn't mean your apps will not run on older versions of Android. You just have to make your apps backward compatible in terms of binary and functionality.

    See What API Level Should I Target? If you are still compiling against significantly older versions of the SDK you are doing it wrong.

    Error when compiling against API level older than 13

  • Android SDK
  • Google AdMob Ads SDK for Android

Setting Up The Banner

Incorporating the Google AdMob Ads into an Android project is easy. Simply follow these steps:
  1. Sign up with AdMob and download the latest AdMob SDK.

  2. AdMob Payment Details
    When AdMob asks about your Payment Details you can tell AdMob to use your PayPal account as the payment method. Sign up for a PayPal account if you don't have one.

    See How To Open PayPal Account

    Ad Unit ID
    You can retrieve this ID after you've finished setting up your Site/App in AdMob. Just go to your Site/App › Manage Settings.

  3. Add the AdMob SDK to your project build path.
  4. Set up the required network permissions and com.google.ads.AdActivity in AndroidManifest.xml.
  5. Set up the AdView instance.

Add The AdMob SDK To Project Build Path

Create a new folder named "libs" in your project root directory and paste GoogleAdMobAdsSdk-x.x.x.jar there. Then simply right-click on GoogleAdMobAdsSdk-x.x.x.jar and click Build Path › Add To Build Path in your Eclipse IDE.

Set Up The Required Network Permissions and AdActivity in AndroidManifest.xml

Making an ad request requires the INTERNET and ACCESS_NETWORK_STATE permissions. Open AndroidManifest.xml (located in your project's root directory) and add the following permissions:

The AdMob SDK also requires that AdActivity be declared in AndroidManifest.xml:

The project should be able to build without any errors.

Set up the AdView instance

The AdView is simply a view that displays HTML5 ads and responds to user touch. An AdView (like any View in Android) may be created either purely in Java code or in XML. The following example uses XML.

Open main.xml (located in <your project's name>/res/layout) and replace its contents with the code below:

The project will build with an error because it cannot find "@string/adMobId". Simply open strings.xml (located in /res/values/) and add the following code to resolve the error:

Replace MY_AD_UNIT_ID with your actual Ad Unit ID and save the project. The project should be able to build without any errors.

All Done!

When you run the project you should see a banner at the top of the screen:

The complete source code for this application is hosted at Kenai.com. You must have a Subversion client installed on your machine to check out the project repository.

If you have the command line Subversion client, you can checkout the repository by running:
svn co https://svn.kenai.com/svn/ron-os-sample-code~project-code-repository/BeginningAndroidProjects/AdMobAds

Creating The Banner In Pure Java

You now know how to create a banner from XML. I created a new project called AdMobAds2, a modified version of the AdMobAds project, to show you how to create a banner in pure Java.

svn co https://svn.kenai.com/svn/ron-os-sample-code~project-code-repository/BeginningAndroidProjects/AdMobAds
svn co https://svn.kenai.com/svn/ron-os-sample-code~project-code-repository/BeginningAndroidProjects/AdMobAds2

Now check out the AdMobAds and AdMobAds2 projects using any Subversion client and use a file comparison tool such as Meld to see the difference between the projects.

We can see the diff between AdMobAds and AdMobAds2 project using Meld

Once you've checked out the AdMobAds2 project, open it with Eclipse and take a look at the implementation of the onStart() method of AdMobAdsActivity.java.

I instantiated a new AdRequest object at line 62. Then at lines 65 to 71 I set the devices that will receive test ads only. I will not explain the Java code in detail here because I assume you already know how to read and understand Java. But there's one thing I would like to note: PLEASE DO NOT FORGET TO ADD YOUR ANDROID TEST DEVICE HASH ID IN strings.xml (located in /res/values/) as shown in the screenshot below:

Replace PLEASE_INSERT_YOUR_HASH_ID_HERE with your actual Android test device hash ID

This is important because you do not want to generate invalid impressions and violate AdMob's terms and conditions. The easiest way to find your Android device ID is to look at LogCat and search for a message similar to this one:

I/Ads(5899): To get test ads on this device, call adRequest.addTestDevice("73CC3A21D...");

The quoted string is your device hash ID.

Thank You!