This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Mobile Security Project - Android/References"
From OWASP
(added whitepaper on security issues in android custom roms) |
(added book reference) |
||
Line 25: | Line 25: | ||
** [http://anantshri.info/articles/android_cust_rom_security.html Security Issues in android Custom ROMs] at c0c0n Kochi India (Oct 8 2011) | ** [http://anantshri.info/articles/android_cust_rom_security.html Security Issues in android Custom ROMs] at c0c0n Kochi India (Oct 8 2011) | ||
* '''Books''' | * '''Books''' | ||
+ | ** [http://shop.oreilly.com/product/0636920022596.do/ Application Security for the Android Platform] | ||
** [http://www.amazon.com/gp/product/0071633561/ Mobile Application Security] | ** [http://www.amazon.com/gp/product/0071633561/ Mobile Application Security] | ||
*'''Blog posts''' | *'''Blog posts''' |
Revision as of 20:06, 2 December 2011
Here are a number of references related to Android Security
Official documentation
- Main websites: http://www.android.com , http://code.google.com/android , http://developer.android.com/
- Android Security FAQ
- Android Developer's Guide
- Security and Permissions
- Testing and Instrumentation
- AndroidManifest.xml File and Permissions list
- Notepad Tutorial - Recomended starting point to understand Android
Android Security Team
- Report security vulnerabilities in Android: [email protected] (here is the PGP Public key)
- Android Security Mailing list
- Introduction from Android Security Team
Published Research and presentations
- Presentations
- Smart Phones Dumb Apps Presentation about how to unpack, disassemble/decompile, and analyze Android applications. Also has a link to some Perl code to automate parts of this process.
- Coverity SCAN 2010 Open Source Integrity Report which contains information about 88 Kernel bugs in Android
- [https://www.isecpartners.com/files/iSEC_Android_Exploratory_Blackhat_2009.pdf Exploratory Android Security (iSEC Partners, Blackhat_2009)
- Developing Secure Mobile Applications for Android
- Building Android Sandcastles in Android's Sandbox at BlackHat Abu Dhabi (Nov 10 - 11 2010) (NOT PUBLISHED YET)
- Security Issues in android Custom ROMs at c0c0n Kochi India (Oct 8 2011)
- Books
- Blog posts
Tools
- Android Development
- Android Security Review
- Smart Phones Dumb Apps Presentation about how to unpack, disassemble/decompile, and analyze Android applications. Also has a link to some Perl code to automate parts of this process.
- Dex2Jar : "...Android mobile device runs applications which have been converted into a compact Dalvik Executable (.dex) format. Dex2Jar converts .dex files to Java .class files..."
- ApkTool : "...It is a tool for reengineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc..."
- JD-GUI and JD-Eclipse, DJ and JAD (mirror) : Java Decompilers
- AXMLPrinter2 - Utility that decodes the Android XML files, such as Manifest.xml ().
- OWASP O2 Platform can be used to review the Android Java source code (create object model of compiled java code, search source-code files, model config files)
- Commercial tools (like Fortify, IBM AppScan Source) can parse Java files (the question is "Do they have Android Specific rules")
- iSec Partners have a number of Android related tools at https://www.isecpartners.com/mobile_application_tools.html
Media Coverage
- Storing data unencrypted: "Firm finds security holes in mobile bank apps": http://news.cnet.com/8301-27080_3-20021874-245.html
- Paypal has issue with lack of SSL in iPhope app: http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html (more to iPhone page)