Apress.Android.Apps.Security.Sep.2012.pdf

Uploaded by: macware, 2014-02-14. Rating 1, comments 0, downloads 1, favourites 0, views 539. No description provided.

Summary: This document is Apress.Android.Apps.Security.Sep.2012.pdf, applicable to the software engineering field. It contains the opening chapter of Android Apps Security by Sheran A. Gunasekera ("Create apps that are safe from hacking, attacks, and security breaches").

Android Apps Security
Sheran A. Gunasekera
Create apps that are safe from hacking, attacks, and security breaches

For your convenience Apress has placed some of the front matter material after the index. Please use the Bookmarks and Contents at a Glance links to access them.

Contents at a Glance
About the Author xiii
About the Technical Reviewer xv
Acknowledgments xvii
Chapter: Android Architecture
Chapter: Information: The Foundation of an App
Chapter: Android Security Architecture
Chapter: Concepts in Action – Part
Chapter: Data Storage and Cryptography
Chapter: Talking to Web Apps
Chapter: Security in the Enterprise
Chapter: Concepts in Action: Part
Chapter: Publishing and Selling Your Apps
Chapter: Malware and Spyware
Appendix A: Android Permission Constants
Index

Chapter: Android Architecture

Google entered the mobile phone market in a style that only multibillion-dollar companies can afford: it bought a company. In , Google, Inc. purchased Android, Inc. At the time, Android was relatively unknown, despite having four very successful people as its creators. Founded by Andy Rubin, Rich Miner, Chris White, and Nick Sears in , Android flew under the radar, developing an operating system for mobile phones. With a quest to develop a smarter mobile phone that was more aware of its owner's preferences, the team behind the Android operating system toiled away in secrecy. Admitting only that they were developing software for mobile phones, the team remained quiet about the true nature of the Android operating system until the acquisition in . With the full might of Google's resources behind it, Android development increased at a rapid pace. By the second quarter of , Android had already captured nearly a  market share in mobile phone operating systems shipped to end users. The four founders stayed on after the acquisition, with Rubin taking the lead as Senior Vice President of Mobile. The official launch of version  of Android took place on September , , and the first device to run it was the HTC Dream (see Figure ).

One of the unique features of the Android operating system that has allowed it to grow rapidly has been that the binaries and source code are released as open source software. You can download the entire source code of the Android operating system, and it takes up approximately  GB of disk space. In theory, this allows anyone to design and build a phone that runs Android. The idea of keeping the software open source was followed until version . Versions of Android including and higher than  are still closed source. In an interview given to Bloomberg Businessweek, Rubin said that the version .x code base took many shortcuts to ensure it was released to market quickly and worked with very specific hardware. If other hardware vendors adopted this version of Android, then the chances for a negative user experience would be a possibility, and Google wished to avoid this.

Figure . An HTC Dream (Courtesy Michael Oryl)

Footnote: Bloomberg Businessweek, "Google Holds Honeycomb Tight," Ashlee Vance and Brad Stone, www.businessweek.com/technology/content/mar/tc.htm, March , .

Components of the Android Architecture

The Android architecture is divided into the following four main components (see Figure ):
  • The kernel
  • The libraries and Dalvik virtual machine
  • The application framework
  • The applications

The Kernel

Android runs on top of a Linux kernel. The kernel is the first layer of software that interacts with the device hardware. Similar to a desktop computer running Linux, the Android kernel will take care of power and memory management, device drivers, process management, networking, and security. The Android kernel is available at http://android.git.kernel.org. Modifying and building a new kernel is not something you will want to consider as an application developer. Generally, only hardware or device manufacturers will want to modify the kernel to ensure that the operating system works with their particular type of hardware.

[Figure . The Android architecture. The diagram stacks four layers: the Linux kernel (display, mouse, Ethernet, USB, keyboard, WiFi, audio and flash memory drivers, the Binder (IPC) driver, and power management); the libraries (Surface Manager, Media Framework, SQLite, OpenGL ES, FreeType, WebKit, SGL, SSL, libc) beside the Android runtime (core libraries and the Dalvik Virtual Machine); the Android frameworks (Activity Manager, Window Manager, Package Manager, Resource Manager, XMPP Service, Content Providers, View System, Notification Manager); and the applications. The kernel and libraries are C/C++ native code; the frameworks and applications are Java.]

The Libraries

The libraries component also shares its space with the runtime component. The libraries component acts as a translation layer between the kernel and the application framework. The libraries are written in C/C++ but are exposed to developers through a Java API. Developers can use the Java application framework to access the underlying core C/C++ libraries. Some of the core libraries include the following:
  • LibWebCore: Allows access to the web browser
  • Media libraries: Allows access to popular audio and video recording and playback functions
  • Graphics libraries: Allows access to 2D and 3D graphics drawing engines

The runtime component consists of the Dalvik virtual machine that will interact with and run applications. The virtual machine is an important part of the Android operating system and executes system and third-party applications.

The Dalvik Virtual Machine

Dan Bornstein originally wrote the Dalvik virtual machine. He named it after a small fishing village in Iceland where he believed one of his ancestors once originated. The Dalvik VM was written primarily to allow application execution on devices with very limited resources. Typically, mobile phones will fall into this category because they are limited by processing power, the amount of memory available, and a short battery life.

WHAT IS A VIRTUAL MACHINE?
A virtual machine is an isolated, guest operating system running within another host operating system. A virtual machine will execute applications as if they were running on a physical machine. One of the main advantages of a virtual machine is portability. Regardless of the underlying hardware, the code that you write will work on the VM. To you as a developer, this means that you write your code only once and can execute it on any hardware platform that runs a compatible VM.

The Dalvik VM executes .dex files. A .dex file is made by taking the compiled Java .class or .jar files and consolidating all the constants and data within each .class file into a shared constant pool (see Figure ). The dx tool, included in the Android SDK, performs this conversion. After conversion, .dex files have a significantly smaller file size, as shown in Table .

The Application Framework

The application framework is one of the building blocks for the final system or end-user applications. The framework provides a suite of services or systems that a developer will find useful when writing applications. Commonly referred to as the API (application programming interface) component, this framework will provide a developer with access to user interface components such as buttons and text boxes, common content providers so that apps may share data between them, a notification manager so that device owners can be alerted of events, and an activity manager for managing the lifecycle of applications. As a developer, you will write code and use the APIs in the Java programming language. Listing , taken from Google's sample API demos (http://developer.android.com/resources/samples/ApiDemos/index.html), demonstrates how to use the application framework to play a video file. The import statements in bold allow access to the core C/C++ libraries through a Java API.

[Figure . Conversion of a .jar file to a .dex file. Each .class file inside the .jar carries its own heterogeneous constant pool plus other data; the .dex file merges them into shared string_ids, type_ids, proto_ids, field_ids and method_ids constant pools plus other data.]

Table . A File Size Comparison (in Bytes) of .jar and .dex Files (the byte counts did not survive extraction)

| Application             | Uncompressed .jar | Compressed .jar | Uncompressed .dex |
|-------------------------|-------------------|-----------------|-------------------|
| Common system libraries |                   |                 |                   |
| Web browser app         |                   |                 |                   |
| Alarm clock app         |                   |                 |                   |

Listing . A Video Player Demo (Courtesy Google, Inc.)

```java
/*
 * Copyright (C) The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.android.apis.media;

import com.example.android.apis.R;

import android.app.Activity;
import android.os.Bundle;
import android.widget.MediaController;
import android.widget.Toast;
import android.widget.VideoView;

public class VideoViewDemo extends Activity {

    /**
     * TODO: Set the path variable to a streaming video URL or a local media
     * file path.
     */
    private String path = "";
    private VideoView mVideoView;

    @Override
    public void onCreate(Bundle icicle) {
        super.onCreate(icicle);
        setContentView(R.layout.videoview);
        mVideoView = (VideoView) findViewById(R.id.surface_view);

        // Compare by content rather than by reference (the original used path == "").
        if (path.isEmpty()) {
            // Tell the user to provide a media file URL/path.
            Toast.makeText(
                    VideoViewDemo.this,
                    "Please edit VideoViewDemo Activity, and set path"
                            + " variable to your media file URL/path",
                    Toast.LENGTH_LONG).show();
        } else {
            /*
             * Alternatively, for streaming media you can use
             * mVideoView.setVideoURI(Uri.parse(URLstring));
             */
            mVideoView.setVideoPath(path);
            mVideoView.setMediaController(new MediaController(this));
            mVideoView.requestFocus();
        }
    }
}
```

The Applications

The application component of the Android operating system is the closest to the end user. This is where the Contacts, Phone, Messaging, and Angry Birds apps live. As a developer, your finished product will execute in this space by using the API libraries and the Dalvik VM. In this book, we will extensively look at this component of the Android operating system. Even though every component of the Android operating system can be modified, you will only have direct control over your own application's security. This does not, however, give you free rein to ignore what happens if the device is compromised with a kernel or VM exploit. Ensuring your application does not fall victim to an attack because of an unrelated exploit is also your responsibility.

What This Book Is About

Now that you've got an overall understanding of the Android architecture, let's turn to what you will not learn in this book. First, you are not going to learn how to develop Android apps from scratch in this book. You will see many examples and source code listings, and while I will explain each section of code, you might have additional questions that you might not find answered in this book. You are required to have a certain degree of experience and skill at writing Java applications for the Android platform. I also assume that you have already set up your Android development environment using the Eclipse IDE.

In this book, I will focus on how you can develop more secure applications for the Android operating system. Android has had its fair share of security setbacks and a burgeoning list of malware that is worth examining and learning from. Being armed with where to look and how to tackle the security aspects of developing for Android will not necessarily make you a better coder, but it will start you on your way to becoming more responsible with your end users' privacy and security. I've tried to write this book in a manner that will help you understand the concepts of security in relation to the applications you develop. In most cases, the best way I find I can achieve this is by teaching through example. Therefore, you will usually find me asking you to write and execute source code listings first. I will then follow up with an explanation of the specific concept that we are covering. With this in mind, let's take a look at some of the security controls available on the Android operating system.

Security

"Security isn't a dirty word, Blackadder!"
General Melchett, Blackadder IV

Security is a vast subject and is applicable to many areas depending on what context it is taken in. I wrote this book to cover a small component of a small component of security. It is written to give you a good understanding of Android application security. However, what does that really mean? What are we trying to secure? Who will benefit from this? Why is it important? Let's try to answer those questions and possibly come up with a few new ones.

First, let's identify who you really are. Are you a developer? Maybe you're a security practitioner conducting research. Alternatively, maybe you're an end user interested in safeguarding yourself from an attack. I'd like to think that I fit into each of these categories. No doubt, you will fit into one or more of them. The vast majority, however, will fit into one category: an end user who wants to use the features of a well-written application in a manner that does not compromise her privacy and security. If you're a developer, and I'm guessing you are if you've picked this book up, this is your target audience: the end user. You write applications to distribute to your users. You may choose to sell them or give them away for free. Either way, you are writing applications that will end up installed on someone else's device, possibly thousands of miles away.

Protect Your User

Your application should strive to provide the best functionality possible while taking care to protect your users' data. This means thinking about security before you begin development. Your user might not always know about the security practices you employ "under the hood" of your application, but one breach in your application is all it will take to ensure that all his Twitter and Facebook followers find out. Planning and thinking about security prior to the development phase of your application can save you the embarrassment of bad reviews and the loss of paying customers. The end user is almost never quick to forgive or forget. As we go along, you will learn principles and techniques to identify sensitive user data and create a plan to protect this data. The goal is to eliminate or vastly reduce any unintentional harm your application could cause. So, what are you really protecting the end user from?

Security Risks

Mobile device users face some unique risks when compared with desktop computer users. Aside from the higher possibility of losing or having their device stolen, mobile device users risk losing sensitive data or having their privacy compromised. Why would this be different from desktop users? First, the quality of data stored on a user's mobile device tends to be more personal. Apart from email, there are instant messages, SMS/MMS, contacts, photos, and voicemail. "So what?" you say. "Some of these things exist on a desktop computer." True, but consider this: the data on your mobile device is most likely going to be of higher value than that on your desktop because you carry it around with you all the time. It is a converged platform of both your computer and mobile phone that contains a richer collection of personal data. Because the level of user interaction is higher on the smartphone, the data is always newer than on your desktop computer. Even if you have configured real-time sync to a remote location, that still only protects you from a loss of data and not a loss of privacy.

Consider also that the format of data stored on mobile devices is fixed. Every phone will have SMS/MMS, contacts, and voicemail. Phones that are more powerful will have photos, videos, GPS locations, and email, but all of it is common regardless of the operating system. Now consider how important all of this information is to an end user. To a user who has no backups, losing data of this nature can be unthinkable. Losing important phone numbers, precious moments of her daughter's first steps caught on video, or important SMS messages can be catastrophic to the everyday phone user. What about the user who combines both business and personal activities on his phone? What would you do if someone copied an entire file of passwords for your office server farm from your phone? Or if an email containing trade secrets and confidential pricing for proposals leaked out onto the Internet? What if you lost the address of your child's school? Consider a stalker gaining access to this information and more, such as your home address and phone number. It is clear when you think about it that the data stored on the phone is, in most cases, far more valuable than that of the device itself.

The most dangerous type of attack is the one that takes place silently and remotely; an attacker does not need physical access to your phone. These types of attacks can happen at any time and can often happen because of weak security elsewhere on the device. These lapses in security might not be because your application is insecure. They could be due to a bug in the kernel or web browser. The question is this: can your application protect its
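The Dalvik Virtual Machine section above describes a .dex file as the .class constant pools consolidated into shared string_ids, type_ids, proto_ids, field_ids and method_ids pools. The following Python example is added here and is not code from the book or from the Android project: it builds a minimal, constructed .dex header and body (two strings, one type id, no classes), checks the header the way a defensive loader would (magic, header size, endian tag, file_size, the adler32 checksum that covers everything after the first 12 bytes, and that every pool's offset and size stay inside the file), and resolves the shared string pool. The two tampering helpers are also constructed for the demonstration: one flips a data byte, which the checksum catches, and one rewrites string_ids_off and re-signs the checksum, which only the bounds check catches.

```python
import struct
import zlib

# Layout of the 112-byte header of a .dex file (format version 035), after
# the public dex file format description: 8-byte magic, adler32 checksum,
# SHA-1 signature, then twenty little-endian uint32 fields.
HEADER_SIZE = 0x70
HEADER_FMT = "<8sI20s20I"
ENDIAN_CONSTANT = 0x12345678
U32_FIELDS = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
]
# Bytes per entry of each pool, so that off + size * entry can be bounded.
ENTRY_SIZE = {"string_ids": 4, "type_ids": 4, "proto_ids": 12,
              "field_ids": 8, "method_ids": 8, "class_defs": 32, "data": 1}


def read_uleb128(buf, pos):
    """Decode one unsigned LEB128 value; returns (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def parse_header(blob):
    """Unpack the fixed header into a dict keyed by field name."""
    fields = struct.unpack_from(HEADER_FMT, blob, 0)
    hdr = {"magic": fields[0], "checksum": fields[1], "signature": fields[2]}
    hdr.update(zip(U32_FIELDS, fields[3:]))
    return hdr


def verify_dex(blob):
    """Return the list of header problems found; an empty list means the header is sane."""
    if len(blob) < HEADER_SIZE:
        return ["file shorter than a dex header"]
    hdr = parse_header(blob)
    problems = []
    if not (hdr["magic"].startswith(b"dex\n") and hdr["magic"].endswith(b"\x00")):
        problems.append("bad magic")
    if hdr["header_size"] != HEADER_SIZE:
        problems.append("unexpected header_size")
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("unexpected endian_tag")
    if hdr["file_size"] != len(blob):
        problems.append("file_size does not match the actual length")
    # The adler32 checksum covers everything after the magic and checksum fields.
    if hdr["checksum"] != zlib.adler32(blob[12:]) & 0xFFFFFFFF:
        problems.append("adler32 checksum mismatch")
    for name, entry in ENTRY_SIZE.items():
        size, off = hdr[name + "_size"], hdr[name + "_off"]
        if size and (off < HEADER_SIZE or off + size * entry > len(blob)):
            problems.append(f"{name} section lies outside the file")
    return problems


def dex_strings(blob):
    """Resolve the shared string pool: string_ids[i] -> string_data_item."""
    problems = verify_dex(blob)
    if problems:
        raise ValueError("; ".join(problems))
    hdr = parse_header(blob)
    strings = []
    for i in range(hdr["string_ids_size"]):
        data_off = struct.unpack_from("<I", blob, hdr["string_ids_off"] + 4 * i)[0]
        if data_off >= len(blob):
            raise ValueError(f"string_data_off of string {i} lies outside the file")
        utf16_len, pos = read_uleb128(blob, data_off)     # uleb128 length prefix
        end = blob.index(b"\x00", pos)                    # NUL-terminated MUTF-8
        text = blob[pos:end].decode("utf-8")              # sample is plain ASCII
        if len(text) != utf16_len:
            raise ValueError(f"length mismatch in string {i}")
        strings.append(text)
    return strings


def build_sample_dex():
    """Constructed sample: two strings, one type_id, no classes (not a real app)."""
    string_data = b"\x05Hello\x00" + b"\x02Lo\x00"            # two string_data_items
    data = string_data + b"\x00" * (16 - len(string_data))    # pad the data section
    string_ids_off = HEADER_SIZE
    type_ids_off = string_ids_off + 2 * 4
    data_off = type_ids_off + 1 * 4
    string_ids = struct.pack("<II", data_off, data_off + 7)   # string_data_off values
    type_ids = struct.pack("<I", 0)                           # descriptor = string 0
    body = string_ids + type_ids + data
    u32 = [HEADER_SIZE + len(body), HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, data_off,
           2, string_ids_off, 1, type_ids_off, 0, 0, 0, 0, 0, 0, 0, 0,
           len(data), data_off]
    tail = struct.pack("<20s20I", b"\x00" * 20, *u32) + body  # SHA-1 left zero here
    return b"dex\n035\x00" + struct.pack("<I", zlib.adler32(tail) & 0xFFFFFFFF) + tail


def flip_byte(blob, index):
    """Corrupt one byte of the file without touching the header (constructed tampering)."""
    out = bytearray(blob)
    out[index] ^= 0xFF
    return bytes(out)


def forge_string_ids_off(blob, new_off):
    """Rewrite string_ids_off and re-sign the checksum, so only the bounds check can catch it."""
    out = bytearray(blob)
    struct.pack_into("<I", out, 32 + 4 * U32_FIELDS.index("string_ids_off"), new_off)
    struct.pack_into("<I", out, 8, zlib.adler32(bytes(out[12:])) & 0xFFFFFFFF)
    return bytes(out)


if __name__ == "__main__":
    dex = build_sample_dex()
    print(verify_dex(dex), dex_strings(dex))                   # [] ['Hello', 'Lo']
    print(verify_dex(flip_byte(dex, 125)))                     # checksum mismatch
    print(verify_dex(forge_string_ids_off(dex, 0xFFFF)))       # section out of bounds
```

The checksum and the bounds checks answer different questions: adler32 detects accidental corruption or a naive edit, while the per-pool bounds check is what stops a header that has been carefully re-signed from steering a loader outside the file. A real verifier would additionally check the SHA-1 signature, the map list, and the internal consistency of each pool, which this sample omits.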
