The current version will no longer be published. A new version is coming soon!
Well! I was on the brink of signing a contract with a reputable publisher for this book. However, I felt it would be more beneficial to publish it as a series of articles, making it freely accessible to anyone interested. This way, you can dive into any chapter that piques your interest without committing to a purchase or letting it gather dust on a shelf. I’m also open to collaboration if anyone wishes to enhance its content. I hope this resource helps us elevate both our products and ourselves. It will have 12 chapters, and most of it is already done! Feel free to drop a comment or contact me.
Table of Contents
Chapter 1: Principles & Methodologies
- The Fail-Safe Principle, Planning for the Unexpected (Published!)
- Least Common Mechanism (Published!)
- Defensive, Offensive, and Aggressive Programming (Published!)
- Defence in Depth (Published!)
- Separation of Privileges (Published!)
- Zero Trust Security Model (Published!)
- KISS Principle (Published on LinkedIn)
- Principle of Least Privilege (Published!)
Chapter 2: Securing the Development Lifecycle
- Code Review (Published!)
- Regular Security Assessments (Published!)
- Threat Modeling (Published!)
- Security Requirements (Published!)
- Integrating Security Testing (Published!)
Chapter 3: Attack & Defense
- How an attack will take place (In progress)
- How to defend (In progress)
- Most feasible targets in Android (In progress)
Chapter 4: Standards and Guidelines
- Guideline & Standards (Completed)
- MITRE (Draft)
- Some CWE relating to the principles (Draft)
- CWE (Draft)
- CVE (Draft)
- OWASP (Not started)
- CAPEC (Not started)
Chapter 5: Data Validation
- Untrusted Data Sources (Published!)
- Validating Inputs (Published!)
- Encoding Methods (Published!)
- Sanitizing User Inputs (Published!)
Chapter 6: Common Programming Language Mistakes
- Design (Not started)
- C and C++ (Almost done)
- Mobile applications (Not started)
- Kotlin (Not started)
- Java (Not started)
Chapter 7: Compiler and Tools
- GCC Security Features (Published!)
- Proguard and Obfuscating (Published!)
- Static and Dynamic Analysis (Published!)
- Use R8 instead of Proguard
- Sanitizers (Completed)
- Signals, Faults and Handling Them (30%)
- Debug (Not started)
Chapter 8: Android Security Model
- Kernel-level security (Draft)
- Framework-level security (Draft)
- Application-level security (Draft)
- System & native level security (Draft)
Chapter 9: Android and Google Security Features
- Play Integrity API (Completed)
- Inter-process communications (Draft)
- Permissions (Draft)
- Android Manifest File (Draft)
- Package Visibility (Draft)
- Securing Android Broadcasts and Intents (Completed)
Chapter 10: Protecting Data
- Storage and Security (Completed)
- Shared preferences (Not started)
- Key Store and Key Chain (Not started)
- Encryption (Not started)
- Database (Not started)
- Files (Not started)
- Leakage of data (Not started)
Chapter 11: Authentication, Network, and Protocols
- Android Biometric Authentication (Completed)
- Implementing SSL-TLS for Android Network Communications (Completed)
- Certificate Pinning (Completed)
- OAuth and OpenID Connect for Android Applications (Completed)
- Android Keychain and KeyStore for Secure Credential Storage (Completed)
- Open Authorization (Not started)
- Android Network Security Configuration (Completed)
- Android AccountManager for Access Control (Not started)
- Certificate Pinning in Android Applications (Completed)
Chapter 12: Security Testing
- Using Android Debug Bridge (ADB) for Security Testing (Completed)
- Android Static and Dynamic Analysis Tools (Completed)
- Fuzz Testing (Completed)
- Android Vulnerability Scanning and Penetration Testing (Completed)