Android Security Internals: An In-Depth Guide to Android's Security Architecture 1st Edition, Kindle Edition
Top customer reviews
My only gripe (and I admit, this is a small one) is that fully grasping everything this book has to offer requires at least a working knowledge of Android application development. While it's nice to see a security book focusing absolutely on security, a quick review of the main terms and usages would have been nice.
Also, for those of you that may not know, the book's official website contains the table of contents and the index and is located here: http://www.nostarch.com/androidsecurity
As I'm going through the book a second time, I figured it would be useful to take a closer look at each chapter. Hope it helps those of you on the fence about pulling the trigger and buying this book. I'd also like to update what the book contains in general so as to not leave anyone with any false impressions. This is a book regarding, through and through, Android's Security Architecture. You won't be learning about hot-topic Android hacking techniques and you won't learn how to root or jailbreak your device (see Wiley's Android Hacker's Handbook if you're into that stuff). This book goes through the security implementations of the many many features Android has to offer. It should also be noted that this can be read as a reference as chapters don't seem to be organized in any necessary arrangement. That's not to say that the chapters don't flow or that you shouldn't read it from front to cover, just that it is absolutely possible to view each chapter as its own entity. That being said, on with the show! This is where it gets long.
1. Android's Security Model - This chapter serves as an effective introduction to Android's security landscape by walking you through the Android architecture stack and describing the Linux security features that Android takes advantage of. It also takes a nice detour to thoroughly explain Binder, Android's IPC mechanism, which is something I haven't seen in other published material on the subject.
2. Permissions - This chapter explains everything you need to know about Android permissions. Using choice code snippets, the author describes how permissions are created, used, and enforced. From specific Android system services to unique application-level permissions defined by developers, you learn the ins and outs of this important primitive.
3. Package Management - We are then led through an extensive and informative tour of Android's package management features. We start by learning about the specifics of the APK format (and its close relative, Java's JAR format). Code signing, which was first introduced in Chapter 1, is the topic of a lengthy discussion detailing everything from the interesting choices made (no Certificate Authorities?!) to enforcement mechanisms and implementation details. The entire install process is explained next by walking us through exactly what occurs when you press that download button in a marketplace (or sideload through your computer or adb).
4. User Management - Android's user management infrastructure is of particular note because the OS has evolved to encompass a much larger marketplace than originally anticipated. As such, it has had to move from single-user devices to multi-user and everything in between. This chapter details all the interesting ways they use the Linux substrate to accomplish this. It begins by describing the different types of users and their associated rights before moving into user management and the metadata that comes from it. Again, code references help solidify the author's points. Finally, he discusses Android's external storage implementation, since multi-tenancy has necessitated a complete re-think of the way it works.
5. Cryptographic Providers - This chapter begins with an in-depth description of the Java Cryptography Architecture (JCA) since Android's cryptographic provider builds heavily upon it. You learn how to instantiate, use, and understand many of the cryptographic primitives available to the Java runtime. Only then does it move to Android specifics, detailing how the mobile platform utilizes its JCA-provided architecture.
6. Network Security and PKI - Since we now have cryptographic providers under our belt, we can start talking about more complicated security ideals, such as secure communication. The author delves into PKI, server authentication, certificate management, and how to define trust in the modern world.
7. Credential Storage - Well, now that we have server authentication down, it's time to talk about client authentication. Android devices need to have a way to securely store their credentials, and this chapter helps shed some light on the protections implemented to do so. Again, code snippets abound and there are many helpful illustrations to aid understanding. You learn about HSMs, keychain APIs, and the services that run everything below.
8. Online Account Management - This chapter explains Android's account management infrastructure. Building from early Android devices' built-in support for Google accounts and automatic background data synchronization with Google services, new versions supply an API to provide these facilities to third-party sites and applications. This chapter dives into these facilities with the same fervor as any of the others. You learn how to use the user accounts API to add, remove, list, and manage accounts, as well as deal with credentials and authentication tokens. You also hearken back to the user management chapter to discuss how multi-user systems play into this architecture. It finishes with an in-depth look into how Android supports Google Accounts and what happens when you put your passwords into those pop-up boxes.
9. Enterprise Security
10. Device Security
11. NFC and Secure Elements
13. System Updates and Root Access
Instead of showing us how to root the device at the beginning of the book and then showing us exploits and vulnerabilities throughout the rest of it, he covers how root access is achieved in different types of Android builds, and different ways to get Root Access, but late in the book.
The book starts out with an overview of the Android security model, and then each chapter is dedicated to a specific feature of Android's security model. I have listed the chapters below.
Chapter 1: Android's Security Model
Chapter 2: Permissions
Chapter 3: Package Management
Chapter 4: User Management
Chapter 5: Cryptographic Providers
Chapter 6: Network Security and PKI
Chapter 7: Credential Storage
Chapter 8: Online Account Management
Chapter 9: Enterprise Security
Chapter 10: Device Security
Chapter 11: NFC and Secure Elements
Chapter 12: SELinux
Chapter 13: System Updates and Root Access
Although the chapter titles give you a pretty good idea of what is in them, I have listed some of the chapters below along with the topics covered that I liked best.
Chapter 2: Permissions covers The Nature of Permissions, Requesting Permissions, Permission Management, Permission Protection Levels, Permission Assignment, Permission Enforcement, System Permissions, Shared User ID, Custom Permissions, Public and Private Components, Activity and Service Permissions, Broadcast Permissions, Content Provider Permissions, and Pending Intents.
Chapter 3: Package Management covers Android Application Package Format, Code signing, APK Install Process, and Package Verification.
Chapter 4: User Management covers Multi-User Support Overview, Types of Users, User Management, User Metadata, Per-User Application Management, External Storage, and Other Multi-User Features.
Chapter 5: Cryptographic Providers covers JCA Provider Architecture, JCA Engine Classes, Android JCA Providers, and Using a Custom Provider.
Chapter 6: Network Security and PKI covers PKI and SSL Overview, JSSE Introduction, and Android JSSE Implementation.
Chapter 8: Online Account Management covers Android Account Management Overview, Account Management Implementation, and Google Accounts Support.
Chapter 10: Device Security covers Controlling OS Boot-Up and Installation, Verified Boot, Disk Encryption, Screen Security, Secure USB Debugging, and Android Backup.
Chapter 11: NFC and Secure Elements covers NFC Overview, Android NFC Support, Secure Elements, and Software Card Emulation.
There are some books I feel every Android developer should read, and this book is definitely one of them. Every Android developer should have this book on their bookshelf. That said, I do not feel it is a beginner's book. You should have a working knowledge of Android programming before attempting to read it, so don't start here, but make sure you eventually get here.
The author's writing style is great. He does an excellent job of covering complex topics in a way that makes them easy to understand. Diagrams, code snippets, and screenshots are used at just the right spots. This may seem stupid to mention, but after attempting to get value out of a book with 2 screenshots and 3 sentences on a page, you learn to appreciate when the learning tools are used right.
The book is not only a great cover-to-cover read, but it will also make a good reference. Chapter 1, "Android's Security Model", is available on the publisher's site, which is a nice introduction to the book and the author's writing style. There is also a very detailed table of contents and the index available.
Amazon also has a lot of the book available for preview. Their preview includes some material from chapters other than chapter 1. You can also use the search on Amazon to see if a topic you are interested in is included.
Overall I found this book excellent. Admittedly, it was a very long read. I have been toting it around for months, but that is because so many things are covered, and they are covered in depth. I also enjoyed reading it, so it was worth the time and toting.