Welcome!

Mobile IoT Authors: Elizabeth White, Zakia Bouachraoui, Pat Romanski, Maria C. Horton, Yeshim Deniz

Related Topics: Mobile IoT, Cloud Security, @ThingsExpo

Mobile IoT: Book Review

Book Review: Android Security Internals | @ThingsExpo [#IoT]

An In-Depth Guide to Android's Security Architecture

This is the first security book I have read on Android that was not primarily about hacking the Android platform. This book completely covers all the tools available to the Android software architects and developers.

Instead of showing us how to root the device at the beginning of the book and then showing us exploits and vulnerabilities throughout the rest of it, he covers how root access is achieved in different types of Android builds, and different ways get Root Access, but late in the book.

The book starts out with an overview of the Android security model, and then each chapter is dedicated to a specific feature of Android's security model. I have listed the chapters below.

Chapter 1: Android's Security Model
Chapter 2: Permissions
Chapter 3: Package Management
Chapter 4: User Management
Chapter 5: Cryptographic Providers
Chapter 6: Network Security and PKI
Chapter 7: Credential Storage
Chapter 8: Online Account Management
Chapter 9: Enterprise Security
Chapter 10: Device Security
Chapter 11: NFC and Secure Elements
Chapter 12: SELinux
Chapter 13: System Updates and Root Access

Although the chapter titles give you a pretty good idea of what is in them, I have listed some of the chapters below along with the topics covered that I liked best.

Chapter 2: Permissions covers The Nature of Permissions, Requesting Permissions, Permission Management, Permission Protection Levels, Permission Assignment, Permission Enforcement, System Permissions, Shared User ID, Custom Permissions, Public and Private Components, Activity and Service Permissions, Broadcast Permissions, Content Provider Permissions, and Pending Intents.

Chapter 3: Package Management covers Android Application Package Format, Code signing, APK Install Process, and Package Verification.

Chapter 4: User Management covers, Multi-User Support Overview, Types of Users, User Management, User Metadata, Per-User Application Management, External Storage, and Other Multi-User Features.

Chapter 5: Cryptographic Providers covers JCA Provider Architecture, JCA Engine Classes, Android JCA Providers, and Using a Custom Provider.

Chapter 6: Network Security and PKI covers PKI and SSL Overview, JSSE Introduction, and Android JSSE Implementation.

Chapter 8: Online Account Management covers Android Account Management Overview, Account Management Implementation, and Google Accounts Support.

Chapter 10: Device Security covers Controlling OS Boot-Up and Installation, Verified Boot, Disk Encryption, Screen Security, Secure USB Debugging, and Android Backup.

Chapter 11: NFC and Secure Elements covers NFC Overview, Android NFC Support, Secure Elements, and Software Card Emulation.

There are some books I feel every Android developer should read and this book is definitely one of them. Every Android developer should have this book on their bookshelf. Although, I do not feel it is a beginner's book. You should have a working knowledge of Android programming before attempting to read it, so don't start here, but make sure you eventually get here.

The author's writing style is great. He does an excellent job of covering complex topics in a way that makes them easy to understand. Diagrams, code snippets, and screen shots are used just at the right spots. This may seem stupid to mention, but after attempting to get value out of a book with 2 screenshots and 3 sentences on a page, you learn to appreciate when the learning tools are used right.

The book is not only a great cover to cover read, but it will also make a good reference. Chapter 1: "Android's Security Model" is available on the publisher's site which is a nice introduction to the book and the author's writing style. There is also a very detailed table of contents and the index available.

Amazon also has a lot of the book available for preview. Their preview includes some material from chapters other than chapter 1. You can also use the search on Amazon to see if a topic you are interested in is included.

Overall I found this book excellent. Admittedly, it was a very long read. I have been toting it around for months, but that is because so many things are covered, and they are covered in depth. I also enjoyed reading it, so it was worth the time and toting.


Android Security Internals: An In-Depth Guide to Android's Security Architecture

Android Security Internals: An In-Depth Guide to Android's Security Architecture

More Stories By Tad Anderson

Tad Anderson has been doing Software Architecture for 18 years and Enterprise Architecture for the past few.

IoT & Smart Cities Stories
While the focus and objectives of IoT initiatives are many and diverse, they all share a few common attributes, and one of those is the network. Commonly, that network includes the Internet, over which there isn't any real control for performance and availability. Or is there? The current state of the art for Big Data analytics, as applied to network telemetry, offers new opportunities for improving and assuring operational integrity. In his session at @ThingsExpo, Jim Frey, Vice President of S...
@CloudEXPO and @ExpoDX, two of the most influential technology events in the world, have hosted hundreds of sponsors and exhibitors since our launch 10 years ago. @CloudEXPO and @ExpoDX New York and Silicon Valley provide a full year of face-to-face marketing opportunities for your company. Each sponsorship and exhibit package comes with pre and post-show marketing programs. By sponsoring and exhibiting in New York and Silicon Valley, you reach a full complement of decision makers and buyers in ...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
Two weeks ago (November 3-5), I attended the Cloud Expo Silicon Valley as a speaker, where I presented on the security and privacy due diligence requirements for cloud solutions. Cloud security is a topical issue for every CIO, CISO, and technology buyer. Decision-makers are always looking for insights on how to mitigate the security risks of implementing and using cloud solutions. Based on the presentation topics covered at the conference, as well as the general discussions heard between sessio...
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
Rodrigo Coutinho is part of OutSystems' founders' team and currently the Head of Product Design. He provides a cross-functional role where he supports Product Management in defining the positioning and direction of the Agile Platform, while at the same time promoting model-based development and new techniques to deliver applications in the cloud.
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settl...
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
LogRocket helps product teams develop better experiences for users by recording videos of user sessions with logs and network data. It identifies UX problems and reveals the root cause of every bug. LogRocket presents impactful errors on a website, and how to reproduce it. With LogRocket, users can replay problems.
Data Theorem is a leading provider of modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere. The Data Theorem Analyzer Engine continuously scans APIs and mobile applications in search of security flaws and data privacy gaps. Data Theorem products help organizations build safer applications that maximize data security and brand protection. The company has detected more than 300 million application eavesdropping incidents and currently secu...