This document provides an introduction to Android development and security. It begins with a brief history of Android and overview of its architecture. It then discusses the Android development environment and process, including key tools and frameworks. It also outlines Android security features like application sandboxing, permissions, and encryption. Finally, it introduces a series of Android security labs that demonstrate exploits like parameter manipulation, insecure storage, and memory attacks. The goal is to provide hands-on examples of common Android vulnerabilities.

1. An Introduction to Android
Development and Security
Kun Yang
kelwya@gmail.com

2. Android & Me
• I’m a first-year graduate student.
• I developed my first Android APP——BloGeo
two years ago.
• I’ve been an Android user for two years.
• Now I’ve just started to learn Android security.

3. Outline
• Introduction to Android
– Brief history
– Architecture
• Android Development
– Environment
– Programming framework
– Building and running process
– Case Study
• Overview of Android Security Feature
• Android Security Lab (by Security Compass)
• My Future Study

4. Brief History
• Written by Andy Rubin(founder of Android Inc.)
• Acquired by Google in 2005
• Android 1.0 released in 2007
• Android 4.0 released in 2011
• 52.5% of global mobile users

5. Brief Introduction
• First complete, open and free mobile
platform
• Operating System
– Mobile device optimized Linux kernel 2.6
• Application framework
– Mainly Java-based
– Running on Dalvik virtual machine featuring JIT
compilation
• Key applications
– Gmail, Maps, Contacts, Market and etc.

6. Architecture

7. Developing Environment
• Totally free-of-charge
– Open source
– Eclipse with ADT plugin
– SDK tools with an emulator
– Android market
• Dev guide
– http://developer.android.com

8. Android SDK Updater & AVD

9. Android emulator

10. Dalvik Debug Monitor

12. Application Framework Overview
• Components
– Activities
– Views
– Intents
– Services
– Content providers
– Broadcast receivers
• Resources
• Manifest File

13. Activities
• An activity is a single, focused thing that the
user can do
• Typically correspond to one UI screen
• Activities are stacked like a deck of cards
• Active activity is placed on top

14. Activity
Lifecycle
• 4 states
– Active
– Paused(visible, not active)
– Stopped(invisible)
– Destroyed
• Call back functions
– onCreate & onDestroy
– onStart & onStop & onRestart
– onResume & onPause

15. Hello World Activity

16. Views
• Views are GUI controls(E.g. TextView, EditText, Button)
• Activity windows consist of views and viewgroups
• Organized as trees to build up GUIs
• Operations we can perform on views
– Set properties: Use function or define in the XML layout files to load.
– Set focus
– Set up listener
– Set visibility
– Draw anything we like
• We can use Layout to help place views
– E.g. LinearLayout, TableLayout, AbsoluteLayout
– Use function or define in the XML layout files

17. Hello World using Layout XML Files

18. Example Views

19. Intents
• Intents are used to exchange data between
Activities or Applications
• Think of Intents as a verb and object; a
description of what you want done
– E.g. VIEW, CALL, PLAY etc..
• Describes what the application wants
• Provides late runtime binding

20. Services
• Services run in the background
• Don’t interact with the user
• Run on the main thread of the process

21. Content Providers
• Content providers store and retrieve data and make
it accessible to all applications
• It is the only way to share data across packages
• The backend is SQLite
• They are linked to clients
• Data exposed as a unique URI

22. Resources
• Resources are images , strings and etc.
• Externalize resources from application code
• SDK will generate codes to map a resource to
an id, we can use static class R to get
resources
• Layout xml files are also resources

23. Manifest File
• Control file that tells the system what to do
and how the top-level components are related
• It’s the “glue” that actually specifies which
intents your activities receive
• Specifies permissions

24. Building and Running
• Android package format
– Bundle a few files into a file(.apk)
– Just a zip file
– Classes.dex is core file – compiled java classes
– Use ‘DX’ tool to convert Java *.class to Dalvik
bytecode *.dex

25. Building and Running

26. Building and Running
• DEX process flow

27. Building and Running
• Simplified Process Diagram

28. Developing Process
• Create your own android project
• Design the UI
• Externalize resources
• React to events
• Run the application

29. BloGeo

30. Android Security Overview
• Goals
– Protect user data
– Protect system resources (including the network)
– Provide application isolation
• Android security features provided
– Robust security at the OS level through the Linux
kernel
– Mandatory application sandbox for all applications
– Secure interprocess communication
– Application signing
– Application-defined and user-granted permissions

31. Android Security Overview(cont.)
• Application Sandbox: Kernel Level
– Each Application has a user ID(UID) to run
• Interprocess Communication
– Binder
• A lightweight capability-based remote procedure call mechanism
designed for high performance when performing in-process and
cross-process calls.
– Intents
– ContentProviders
• Application signing

32. Android Security Overview(cont.)
• Application-defined and user-granted permissions
– Camera functions
– Location data (GPS)
– Bluetooth functions
– Telephony functions
– SMS/MMS functions
– Network

33. ExploitMe Mobile Android Labs
• By Security Compass
– information security consulting firm
– specializing in secure software development and
training
• An open source project demonstrating
Android mobile hacking
• A bank transfer mobile client
• Server written in python(http/https)
• 8 Labs

34. Lab 1: Secure connections
• python app.py
• emulator.exe -avd emu -tcpdump
test.cap
• Solution: python app.py --ssl --port 8443

35. Lab 2 - Parameter Manipulation
• emulator @YOUR_AVD_NAME --http-proxy
localhost:8008
• http post
Solution:

36. Lab 3 - Insecure file storage
File creation mode: the default mode, where the created file can only be
Solution: accessed by the calling application (or all applications sharing the same
user ID).

37. Lab 4 - Secure Logging
Solution:
• adb logcat
Be aware of what you
are logging and only log
non-sensitive
information.

38. Lab 5 - Basic Encryption

39. Lab 5 - Basic Encryption(cont.)

40. Lab 6 - Advanced Encryption
• apktool
– It is a tool for reengineering 3rd party, closed,
binary Android apps.
– It can decode resources to nearly original form
and rebuild them after making some
modifications.

41. Lab 6 - Advanced Encryption(cont.)
• apktool d BasicEncryptionSolution.apk export

42. Lab 6 - Advanced Encryption(cont.)

43. Lab 6 - Advanced Encryption(cont.)
• Smali
– Smali is an assembler for the dex format used by
dalvik

44. Lab 6 - Advanced Encryption(cont.)

45. Lab 7 - Memory Protection

46. Lab 7 - Memory Protection
• hprof-conv source dest
– Convert dex memory dump format to Java format
• Use MAT(memory analyzer tool) to browse it

47. Lab 7 - Memory Protection(cont.)

48. Lab 7 - Memory Protection(cont.)

49. Lab 8 - Client-side Password
complexity

50. Future Study
Android Reverse Engineering!
I hope I can show you some more hacking examples next time.

51. Thanks!
Q&A