Posted on

Android – keep secrets right

research of android security [https://tproger.ru/digest/android-security-resources/]

SSL pinning защита мобильного банкинга на android с помощью ssl сертификата [https://www.emaro-ssl.ru/blog/ssl-pinning-for-android/] [pdf]

Android AES crypto encryption [https://habrahabr.ru/company/rambler-co/blog/279835/] AES/CBC/PKCS5Padding [pdf]

Tampering detection Android [https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app]

Authentication Android SSL client cert [https://habrahabr.ru/post/194530/] [pdf]

Tips for Developing Secure Android Applications [https://medium.com/@saranyaan2710/tips-for-developing-secure-android-applications-984a89ae3190]

Using a Custom Certificate Trust Store on Android [https://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html]


Secure data in Android — Encryption

This article is a part of “Secure data in Android” series:

Encryption
Encryption in Android (Part 1)
Encryption in Android (Part 2)
Encrypting Large Data
Initialization Vector
Key Invalidation
Fingerprint
Confirm Credentials


pdf

Posted on

Android IPC

Inter-process communication

pdf

AIDL (Android Interface Definition Language) и коммуникация между процессами (IPC) [https://habrahabr.ru/post/139432/]


Основы безопасности операционной системы Android. Безопасность на уровне Application Framework. Binder IPC [https://habr.com/post/176093/]


Android IPC Mechanism [pdf]


Communication between apps in Android

Problems to solve by communication

  • apps can start each other and can receive a result
  • apps can send notification about events
  • providing data
  • providing methods (RPC)
  • providing UI

Android API to communicate

  • startActivity, startActivityForResult
  • sendBroadcast
  • ContentProvider
  • AIDL, Messenger
  • system services: Notification listener, Mediasession etc.

How does it work under the hood

Features of startActivityForResult

  • transaction has 1 Mb limit
  • user leave your app
  • hence OS can kill your app or user might don’t come back to the app
  • you can pass primitive types, String, Parcelable, Serializable and list of them
  • the main goal – start other activities and receive their result

Features of sendBroadcast

  • at the moment there are 2 queues: for foreground and for background priority
    /**
     * BROADCASTS
     *
     * We keep two broadcast queues and associated bookkeeping, one for those at
     * foreground priority, and one for normal (background-priority) broadcasts.
     */
    
  • transaction has 1 Mb limit
  • delivery time is not guaranteed
  • asynchronously
  • you don’t know when receiver receive Intent
  • you can pass primitive types, String, Parcelable, Serializable and list of them
  • the main goals:
    • notify about events if delivery time is not important
    • if delivery time is important and receiver is in foreground
    • you can receiver system events

AIDL

[https://developer.android.com/guide/components/aidl]

  • you can pass primitive types, String, Parcelable, Interface and list of them
  • AIDL can do everything
  • you can invoke another app methods synchronously and asynchronously
  • receive data by your own callback or by Messenger
  • 1 Mb limit [https://developer.android.com/reference/android/os/TransactionTooLargeException]
    The Binder transaction failed because it was too large.
    During a remote procedure call, the arguments and the return value of the call are transferred as Parcel objects stored in the Binder transaction buffer. If the arguments or the return value are too large to fit in the transaction buffer, then the call will fail and TransactionTooLargeException will be thrown.
    The Binder transaction buffer has a limited fixed size, currently 1Mb, which is shared by all transactions in progress for the process. Consequently this exception can be thrown when there are many transactions in progress even when most of the individual transactions are of moderate size.
    
  • the main goal is RPC

ContentProvider

  • a row in cursor has 2 Mb limit
  • a number of rows is not limited
  • synchronously
  • you can pass primitive types, String, byte[], other data types use toString
  • the main goal is data transfer

System services

  • AccountManager – a way to store and share account info
  • App widgets
  • NotificationListenerService – a way to get all notification
  • Mediasession