Secure Android Development: Best Practices for Robust Apps

Well! I was on the brink of signing a contract with a reputable publisher for this book. However, I felt it would be more beneficial to publish it as an article, making it freely accessible to anyone interested. This way, you can dive into any chapter that piques your interest without committing to a purchase or letting it gather dust on a shelf. I'm also open to collaboration if anyone wishes to enhance its content. I hope this resource helps us elevate both our products and ourselves. It will have 12 chapters, and most of it is done! Feel free to drop a comment or contact me.

Table of Contents

Chapter 1: Principles & Methodologies

Chapter 2: Securing the Development Lifecycle

Chapter 3: Attack & Defense

  • How an attack will take place (In progress)
  • How to defend (In progress)
  • Most feasible targets in Android (In progress)

Chapter 4: Standards and Guidelines

  • Guideline & Standards (Completed)
  • MITRE (Draft)
  • Some CWE relating to the principles (Draft)
  • CWE (Draft)
  • CVE (Draft)
  • OWASP (Not started)
  • CAPEC (Not started)

Chapter 5: Data Validation

Chapter 6: Common Programming Language Mistakes

  • Design (Not started)
  • C and C++ (Almost done)
  • Mobile applications (Not started)
  • Kotlin (Not started)
  • Java (Not started)

Chapter 7: Compiler and Tools

  • Sanitizers (Completed)
  • Compiler Security Features (Completed)
  • Obfuscation (Completed)
  • Signals, Faults and Handling Them (30%)
  • Static and Dynamic Analysis (Completed)
  • Debugging (Not started)

Chapter 8: Android Security Model

  • Kernel-level security (Draft)
  • Framework-level security (Draft)
  • Application-level security (Draft)
  • System & native level security (Draft)

Chapter 9: Android and Google Security Features

  • Play Integrity API (Completed)
  • Inter-process communications (Draft)
  • Permissions (Draft)
  • Android Manifest File (Draft)
  • Package Visibility (Draft)
  • Securing Android Broadcasts and Intents (Completed)

Chapter 10: Protecting Data

  • Storage and Security (Completed)
  • Shared preferences (Not started)
  • Key Store and Key Chain (Not started)
  • Encryption (Not started)
  • Database (Not started)
  • Files (Not started)
  • Leakage of data (Not started)

Chapter 11: Authentication, Network, and Protocols

  • Android Biometric Authentication (Completed)
  • Implementing SSL-TLS for Android Network Communications (Completed)
  • Certificate Pinning (Completed)
  • OAuth and OpenID Connect for Android Applications (Completed)
  • Android Keychain and KeyStore for Secure Credential Storage (Completed)
  • Open Authorization (Not started)
  • Android Network Security Configuration (Completed)
  • Android AccountManager for Access Control (Not started)
  • Certificate Pinning in Android Applications (Completed)

Chapter 12: Security Testing

  • Using Android Debug Bridge (ADB) for Security Testing (Completed)
  • Android Static and Dynamic Analysis Tools (Completed)
  • Fuzz Testing (Completed)
  • Android Vulnerability Scanning and Penetration Testing (Completed)