Sunday, May 26, 2013

Review: Android Security

I recently picked up a new book on Android security.  Looks to be the only (so far) book on the topic, so they have kind of set the bar for subsequent works.  The book is Android Security: Attacks and Defenses by Anmol Misra and Abhishek Dubey (CRC Press, ISBN 978-1-4398-9659-4).  They have an accompanying website and blog, where there is also resources from the book.  (but there's not much traffic on the blog, hope this changes.)

Having read over it, I have to give it an overall grade of B+.  (or if you prefer, 4 out of 5 stars).

While I thought the overall book was good, I was annoyed that they didn't make sure to be as up-to-date as possible.  I know there is a delay in book production, but I wish they had made sure to be up to date as of 2012.  I saw very little mention of Android 4.1/4.2 (Jelly Bean), which was released last year.  I was also disappointed that there was no citations for any of their information or sources for further reading (either books or on-line).  This may be because the authors assumed a level of knowledge for their readers, and didn't feel they needed to include that.  Also, this is not a book to just read random chapters.  The first few chapters have a progression, and should be read in order.

So, a more chapter by chapter breakdown.

We start off with a good introductory chapter.  For most avid Android users, much of this will be a review of things, but there is some information here that some may not be aware of.  This chapter, sadly, was a good example of the need for updating, as the charts are undated (and probably outdated), no mention was made of the latest Android version, and the Android Market is now Google Play Store (renamed in early 2012).  Nothing was said about Bouncer, the new feature of the Play Store to get rid of malicious apps.

Chapter 2, Android Architecture, gets into the internals of Android, showing how the OS is organized, and since its based on Linux, how the kernel has been modified for Android.  It then gets into how Android apps are developed, with info on the SDK and related tools.  Overall, a good chapter, tho it may be a bit much for some readers who may not understand OS architecture.  I would have liked more pointers for those wanting more on app development.

The next chapter, Chapter 3, Android Application Architecture, builds off of chapter 2.  It gets into the components that makeup Android apps.  Since applications are one of the main vectors of security issues, this is important.  Not being very knowledgeable about Android apps, I can't comment on how well things are explained.

Then we have Chapter 4, Android (in)Security, which builds on the prior 2 chapters.  Here we get into the built-in security of the platform and application layers.  We learn about the virtual machines or sandboxes that applications are run in, as well as the permissions that applications are given.  Next up is a coverage of basic mobile security issues, and then some "recent" (as of 2011) Android application attacks are looked at.  Again, I would have like to have seen pointers to further information on these, and which this area had been updated to atleast 2012.

From the foundation of those chapters, we then move into Chapter 5, Pen Testing Android, which gets into penetration testing, but also into some other recent security issues for Android.  Not being a pen tester, I thought the information on some of the tools a bit scant.  I would have liked more detail.  I did see a few problems in the chapter.  In one area, there is a table (table 5.1) which covers security flaws in Android apps.  But the accompanying summary doesn't quite match the table.  Also, the other security issues should have had more space devoted to them, and I think their own chapter.

The next chapter, Chapter 6, Reverse Engineering Android Applications, gets into malware.  This is an area in Android security that has gotten the most press.  The authors use a custom app they created to show the concepts of malware.  I would have liked to have seen some discussion about Google's Bouncer app to show if it is effective in getting rid of malware apps in the Google Play Store or not.

Moving on to Chapter 7, Modifying the Behavior of Android Applications without Source Code, we build off chapter 6 looking at recompiling & modifying apps to make them malicious.  Some real world examples are given.  I would like to know where things stand today with those apps.  Have the issues been fixed, are there more recent examples?  And the authors conclude with some methods to thwart such modifications.

Android forensics is the subject of Chapter 8, Hacking Android.  Information is also given about rooting Android devices. I would have liked to seen some information on the dangers of rooting the device, as it affects the security of the system.

Then we have Chapter 9, Securing Android for the Enterprise Environment, which is probably a concern for a lot of potential readers.  There the whole "mobile device management" concept is looked at, along with the issues of mobile device security within the enterprise.  They used a list from the NIST 800-124 report as their model, which I thought good.  However, the issue of patching apps & OS is less often caused by users as by manufacturers and carriers.  The main reason there are so many Android devices with older version is less the user's fault then the manufacturers & carriers not updating them.  Most older devices will just not be getting official updates.  Some recommendations on how to secure devices is also given.

Finally, with Chapter 10, Browser Security and Future Threat Landscape, we get into the area of HTML & Browser security.  This is important, as this is probably a large vector for attacks on Android, as users use them to browse the web, thinking themselves more secure then on a PC.  Then we get a brief (maybe too brief) discussion on future threats.

The book also has 3 appendixes.  A gives the manifest permissions list references in Chapter 4, B gives info on the JEB disassembler & decompiler used in Chapters 6 & 7, and C gives info on the SecureApp.apk used in Chapter 7.  Well, not really.  Its really at the book's website, the appendix tells you how to access it.

There is also a glossary, but the authors broke it up by chapter.  I would have preferred a unified glossary.

As I said, overall I thought it a good work.  I wish it was more up to date throughout the work.  I think it sets the bar for future works to be assessed against.  I hope the authors use their book website for updates.

1 comment: