This document provides an introduction to Android development and security. It begins with a brief history of Android and overview of its architecture. It then discusses the Android development environment and process, including key tools and frameworks. It also outlines Android security features like application sandboxing, permissions, and encryption. Finally, it introduces a series of Android security labs that demonstrate exploits like parameter manipulation, insecure storage, and memory attacks. The goal is to provide hands-on examples of common Android vulnerabilities.
Introduction to Android Development and Security
1. An Introduction to Android Development and Security
Kun Yang
kelwya@gmail.com
2. Android & Me
• I’m a first-year graduate student.
• I developed my first Android app, BloGeo, two years ago.
• I’ve been an Android user for two years.
• Now I’ve just started to learn Android security.
3. Outline
• Introduction to Android
– Brief history
– Architecture
• Android Development
– Environment
– Programming framework
– Building and running process
– Case Study
• Overview of Android Security Feature
• Android Security Lab (by Security Compass)
• My Future Study
4. Brief History
• Written by Andy Rubin (founder of Android Inc.)
• Acquired by Google in 2005
• Android 1.0 released in 2007
• Android 4.0 released in 2011
• 52.5% of global mobile users
5. Brief Introduction
• First complete, open and free mobile platform
• Operating System
– Mobile device optimized Linux kernel 2.6
• Application framework
– Mainly Java-based
– Running on the Dalvik virtual machine featuring JIT compilation
• Key applications
– Gmail, Maps, Contacts, Market, etc.
13. Activities
• An activity is a single, focused thing that the user can do
• Typically corresponds to one UI screen
• Activities are stacked like a deck of cards
• The active activity is placed on top
14. Activity Lifecycle
• 4 states
– Active
– Paused (visible, not active)
– Stopped (invisible)
– Destroyed
• Callback functions
– onCreate & onDestroy
– onStart & onStop & onRestart
– onResume & onPause
16. Views
• Views are GUI controls (e.g. TextView, EditText, Button)
• Activity windows consist of views and view groups
• Organized as trees to build up GUIs
• Operations we can perform on views
– Set properties: by function call, or defined in the XML layout files and loaded from there
– Set focus
– Set up listeners
– Set visibility
– Draw anything we like
• We can use Layouts to help place views
– E.g. LinearLayout, TableLayout, AbsoluteLayout
– By function call, or defined in the XML layout files
19. Intents
• Intents are used to exchange data between Activities or Applications
• Think of Intents as a verb and object; a description of what you want done
– E.g. VIEW, CALL, PLAY, etc.
• Describes what the application wants
• Provides late runtime binding
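As an added example (not from the slides), the two forms of Intent the slide describes, written out in Android Java: an explicit Intent that names the exact component to start, and an implicit Intent that only states the verb and object and is resolved at runtime. The activity classes, package name and extra key are hypothetical; the receiving activity treats its extras as untrusted input because, if it is exported, any app on the device could have sent them.

```java
package com.example.intents;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

// Hypothetical sender: demonstrates an explicit and an implicit Intent.
public class SenderActivity extends Activity {
    private static final String TAG = "SenderActivity";

    // Explicit Intent: the target class is named, so the system does not
    // match it against other apps' intent filters. Only DetailActivity
    // receives the extras attached here.
    void openDetail(long itemId) {
        Intent intent = new Intent(this, DetailActivity.class);
        intent.putExtra(DetailActivity.EXTRA_ITEM_ID, itemId);
        startActivity(intent);
    }

    // Implicit Intent: "VIEW this URI". Whichever installed app declares a
    // matching intent filter is chosen at runtime (the late binding from
    // the slide), so we do not know in advance which app will get the data.
    void viewWebPage(String url) {
        Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        if (intent.resolveActivity(getPackageManager()) == null) {
            // startActivity would throw ActivityNotFoundException here
            Log.w(TAG, "no installed activity handles ACTION_VIEW for this URI");
            return;
        }
        startActivity(intent);
    }
}

// Hypothetical receiver. In a real project it lives in its own file; it is
// package-private here only so the example is one compilation unit.
class DetailActivity extends Activity {
    static final String EXTRA_ITEM_ID = "com.example.intents.EXTRA_ITEM_ID";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Extras are supplied by whoever sent the Intent. Read them with a
        // default and validate the value before acting on it.
        long itemId = getIntent().getLongExtra(EXTRA_ITEM_ID, -1L);
        if (itemId < 0) {
            finish();   // nothing valid to show
            return;
        }
        setTitle("Item " + itemId);
    }
}
```

The explicit form is the one to use for components inside your own app, since it cannot be intercepted by another app's intent filter; the implicit form is for handing a request (view, call, play) to whatever app the user has for it.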
20. Services
• Services run in the background
• Don’t interact with the user
• Run on the main thread of the process
21. Content Providers
• Content providers store and retrieve data and make it accessible to all applications
• It is the only way to share data across packages
• The backend is SQLite
• They are linked to clients
• Data is exposed as a unique URI
22. Resources
• Resources are images, strings, etc.
• Externalize resources from application code
• The SDK generates code that maps each resource to an id; we use the static class R to get resources
• Layout XML files are also resources
23. Manifest File
• Control file that tells the system what to do and how the top-level components are related
• It’s the “glue” that actually specifies which intents your activities receive
• Specifies permissions
24. Building and Running
• Android package format
– Bundles a few files into one file (.apk)
– Just a zip file
– classes.dex is the core file: the compiled Java classes
– Use the ‘dx’ tool to convert Java *.class files to Dalvik bytecode (*.dex)
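Because an .apk is just a zip file, the JDK alone can open one. The following added example (mine, not from the slides or any project) lists an APK's entries, checks for the classes.dex and AndroidManifest.xml named above, and then reads back the certificates of the v1 (JAR) signature covering classes.dex, which is the "application signing" mechanism listed in the security overview. The class name is hypothetical; it takes the APK path as its only argument.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: inspect an .apk with java.util.jar only (no Android SDK).
public class ApkInspector {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ApkInspector <app.apk>");
            System.exit(2);
        }
        // verify=true: each entry's digest is checked against the signed
        // manifest in META-INF as the entry is read; a modified entry makes
        // the read throw SecurityException.
        try (JarFile apk = new JarFile(args[0], true)) {
            boolean hasDex = false, hasManifest = false;
            for (JarEntry e : Collections.list(apk.entries())) {
                if (e.getName().equals("classes.dex")) hasDex = true;
                if (e.getName().equals("AndroidManifest.xml")) hasManifest = true;
                System.out.printf("%-48s %10d bytes%n", e.getName(), e.getSize());
            }
            System.out.println("classes.dex present:         " + hasDex);
            System.out.println("AndroidManifest.xml present: " + hasManifest);
            if (hasDex) {
                printSigners(apk, apk.getJarEntry("classes.dex"));
            }
        }
    }

    // Certificates become available only after the entry has been read to
    // its end, because that is the point at which JarFile verifies the digest.
    static void printSigners(JarFile apk, JarEntry entry) throws Exception {
        try (InputStream in = apk.getInputStream(entry)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { /* consume to trigger verification */ }
        }
        Certificate[] certs = entry.getCertificates();
        if (certs == null) {
            // Either unsigned, or signed only with APK Signature Scheme v2/v3,
            // whose signing block sits outside the zip entries and is
            // invisible to java.util.jar.
            System.out.println(entry.getName() + ": no v1 (JAR) signature found");
            return;
        }
        for (Certificate c : certs) {
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("signer: " + x.getSubjectX500Principal()
                        + " (valid until " + x.getNotAfter() + ")");
            }
        }
    }
}
```

Run it as `java ApkInspector some.apk`. Android signing certificates are normally self-signed, so the subject printed is the developer's own identity rather than one vouched for by a CA; what the platform actually relies on is that updates to a package carry the same certificate as the installed version.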
30. Android Security Overview
• Goals
– Protect user data
– Protect system resources (including the network)
– Provide application isolation
• Android security features provided
– Robust security at the OS level through the Linux kernel
– Mandatory application sandbox for all applications
– Secure interprocess communication
– Application signing
– Application-defined and user-granted permissions
31. Android Security Overview (cont.)
• Application Sandbox: Kernel Level
– Each application is given its own user ID (UID) to run as
• Interprocess Communication
– Binder
• A lightweight capability-based remote procedure call mechanism designed for high performance when performing in-process and cross-process calls.
– Intents
– ContentProviders
• Application signing
32. Android Security Overview (cont.)
• Application-defined and user-granted permissions
– Camera functions
– Location data (GPS)
– Bluetooth functions
– Telephony functions
– SMS/MMS functions
– Network
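The content-provider slide (data exposed as a URI, SQLite backend) and the permission slides above come together in one place: a provider that is reached over Binder and that checks the caller's permission before touching its table. The following is an added example of mine, not code from the slides or from any project. The authority `com.example.notes.provider`, the permissions `com.example.notes.READ_NOTES` / `WRITE_NOTES`, and the `notes` table are all hypothetical; the permissions would also have to be declared with `<permission>` in the app's manifest.

```java
package com.example.notes;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;

// Added example: one SQLite table exposed at content://<AUTHORITY>/notes,
// gated on hypothetical application-defined permissions.
public class NotesProvider extends ContentProvider {
    public static final String AUTHORITY = "com.example.notes.provider";
    public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/notes");
    // Declared with <permission> in our manifest; a client requests them with
    // <uses-permission> and the user grants them when installing that client.
    static final String READ_PERMISSION = "com.example.notes.READ_NOTES";
    static final String WRITE_PERMISSION = "com.example.notes.WRITE_NOTES";

    private static final int NOTES = 1, NOTE_ID = 2;
    private static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    static {
        MATCHER.addURI(AUTHORITY, "notes", NOTES);
        MATCHER.addURI(AUTHORITY, "notes/#", NOTE_ID);   // '#' matches digits only
    }

    private static class DbHelper extends SQLiteOpenHelper {
        DbHelper(Context c) { super(c, "notes.db", null, 1); }
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {}
    }

    private DbHelper helper;

    @Override public boolean onCreate() {
        helper = new DbHelper(getContext());
        return true;
    }

    @Override public String getType(Uri uri) {
        return MATCHER.match(uri) == NOTE_ID
                ? "vnd.android.cursor.item/vnd.com.example.notes.note"
                : "vnd.android.cursor.dir/vnd.com.example.notes.note";
    }

    // Calls arrive over Binder, so the framework knows the caller's UID and
    // whether that package was granted our permission. Setting
    // android:readPermission / android:writePermission on the <provider>
    // element makes the framework do this same check before our code runs.
    private void requirePermission(String permission) {
        getContext().enforceCallingOrSelfPermission(permission, permission + " required");
    }

    // WHERE clause for a URI. The id comes from the matcher, which only
    // accepts digits, so it cannot carry extra SQL. Returns null for the table.
    private String whereFor(Uri uri, String selection) {
        switch (MATCHER.match(uri)) {
            case NOTES:
                return selection;
            case NOTE_ID:
                String byId = "_id = " + uri.getLastPathSegment();
                return selection == null ? byId : byId + " AND (" + selection + ")";
            default:
                throw new IllegalArgumentException("unknown URI " + uri);
        }
    }

    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        requirePermission(READ_PERMISSION);
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setStrict(true);   // validate the caller-supplied selection before running it
        String byUri = whereFor(uri, null);
        if (byUri != null) qb.appendWhere(byUri);
        Cursor c = qb.query(helper.getReadableDatabase(), projection, selection,
                            selectionArgs, null, null, sortOrder);
        c.setNotificationUri(getContext().getContentResolver(), uri);
        return c;
    }

    @Override public Uri insert(Uri uri, ContentValues values) {
        requirePermission(WRITE_PERMISSION);
        if (MATCHER.match(uri) != NOTES) throw new IllegalArgumentException("unknown URI " + uri);
        long id = helper.getWritableDatabase().insertOrThrow("notes", null, values);
        Uri row = Uri.withAppendedPath(CONTENT_URI, String.valueOf(id));
        getContext().getContentResolver().notifyChange(row, null);
        return row;
    }

    @Override public int update(Uri uri, ContentValues values, String selection, String[] args) {
        requirePermission(WRITE_PERMISSION);
        int n = helper.getWritableDatabase().update("notes", values, whereFor(uri, selection), args);
        if (n > 0) getContext().getContentResolver().notifyChange(uri, null);
        return n;
    }

    @Override public int delete(Uri uri, String selection, String[] args) {
        requirePermission(WRITE_PERMISSION);
        int n = helper.getWritableDatabase().delete("notes", whereFor(uri, selection), args);
        if (n > 0) getContext().getContentResolver().notifyChange(uri, null);
        return n;
    }
}
```

Two points worth noting from a defender's side. `enforceCallingOrSelfPermission` is used rather than `enforceCallingPermission` because the latter always fails when the provider is called from inside its own process, where there is no IPC. And the caller's `selection` string is still raw SQL by the provider contract; `setStrict(true)` makes `SQLiteQueryBuilder` validate it, and anything the caller controls should go through `selectionArgs` placeholders rather than string concatenation.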
33. ExploitMe Mobile Android Labs
• By Security Compass
– an information security consulting firm
– specializing in secure software development and training
• An open source project demonstrating Android mobile hacking
• A bank transfer mobile client
• Server written in Python (HTTP/HTTPS)
• 8 Labs
36. Lab 3 - Insecure file storage
Solution: use the default file creation mode, where the created file can only be accessed by the calling application (or all applications sharing the same user ID).
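The storage mistake Lab 3 is about and its fix, as an added example written for this page (not the lab's own code): the same write done with a world-readable file mode, which lets any other UID on the device read the file, and with the default private mode. The class name, file name and package are hypothetical.

```java
package com.example.storage;

import android.content.Context;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example: insecure versus private file creation in an Android app.
public class AccountStore {
    private static final String FILE_NAME = "account.txt";   // hypothetical
    private final Context context;

    public AccountStore(Context context) {
        this.context = context;
    }

    // INSECURE: MODE_WORLD_READABLE sets file permission bits that let every
    // other app on the device (every other Linux UID) read the file, which
    // defeats the per-UID sandbox. The constant is deprecated since API 17 and
    // openFileOutput rejects it with a SecurityException from API 24 on, but
    // apps targeting older levels still get the world-readable file.
    @SuppressWarnings("deprecation")
    public void saveWorldReadable(String accountNumber) throws IOException {
        try (FileOutputStream out =
                     context.openFileOutput(FILE_NAME, Context.MODE_WORLD_READABLE)) {
            out.write(accountNumber.getBytes(StandardCharsets.UTF_8));
        }
    }

    // SECURE: MODE_PRIVATE (the default) creates the file in the app's own
    // private data directory, readable and writable only by this app's UID
    // (or other apps that share the same UID via a shared user id).
    public void savePrivate(String accountNumber) throws IOException {
        try (FileOutputStream out =
                     context.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(accountNumber.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Read the value back. openFileInput only looks in the app's own private
    // directory and rejects names containing path separators.
    public String load() throws IOException {
        try (FileInputStream in = context.openFileInput(FILE_NAME)) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[1024];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return new String(buf.toByteArray(), StandardCharsets.UTF_8);
        }
    }
}
```

On a device the difference is visible in the permission bits of `/data/data/<package>/files/account.txt`: the first method leaves the file readable by others, the second does not. Either way, data written to external storage (the SD card) is outside this sandbox entirely and needs its own protection.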
37. Lab 4 - Secure Logging
• adb logcat
Solution: Be aware of what you are logging and only log non-sensitive information.
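The logging defect Lab 4 targets next to a version that follows the slide's advice, as an added example of mine rather than the lab's own code. The class, tag and `DEBUG` flag are hypothetical; real projects use the `BuildConfig.DEBUG` constant that the Gradle build generates.

```java
package com.example.logging;

import android.util.Log;

// Added example: logging a login attempt without putting the credential
// into the system log.
public final class LoginLogger {
    private static final String TAG = "BankApp";   // hypothetical tag

    // Stand-in for BuildConfig.DEBUG: true in debug builds, false in release.
    static final boolean DEBUG = false;

    private LoginLogger() {}

    // INSECURE: the password goes into the system log buffer, which
    // "adb logcat" shows to anyone with a USB connection and USB debugging
    // enabled, and which apps holding READ_LOGS could read on Android
    // versions before 4.1.
    static void logLoginInsecure(String user, String password) {
        Log.d(TAG, "login attempt user=" + user + " password=" + password);
    }

    // SAFER: record that the event happened, never the credential itself,
    // and keep even the debug line out of release builds.
    static void logLoginSafe(String user) {
        if (DEBUG) {
            Log.d(TAG, "login attempt user=" + redact(user));
        }
    }

    // Failures get a reason, not the values that were rejected.
    static void logLoginFailed(String reason) {
        Log.w(TAG, "login failed: " + reason);
    }

    // Keep just enough of an identifier to correlate log lines with a
    // support request without exposing the full username.
    static String redact(String s) {
        if (s == null || s.length() <= 2) {
            return "**";
        }
        return s.charAt(0) + "***" + s.charAt(s.length() - 1);
    }
}
```

A useful review habit is to grep the source for `Log.` calls whose arguments include fields named like password, token, PIN or account, and to run `adb logcat` against a debug build while exercising the login flow to confirm nothing sensitive appears.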
40. Lab 6 - Advanced Encryption
• apktool
– A tool for reverse engineering 3rd party, closed, binary Android apps.
– It can decode resources to nearly original form and rebuild them after making some modifications.