Book Review: Android Security Internals

Android Security Internals – An in depth guide to Android’s Security Architecture by Nikolay Elenkov

Android Security Internals is written by Nikolay Elenkov, an experienced enterprise security expert. His contributions in the field of Android security have led to the discovery and correction of significant Android security flaws. If you are doubtful whether the title "Android Security Internals" is appropriate for this book, don't be: the book dives deep into the security architecture of Android. To use this book effectively, the reader should have programming experience, preferably in C/C++ or Java, and a computer science background, especially in the fundamentals of operating systems.

The purpose of this book is to educate Android application developers about the pitfalls in Android security and to train them in the good practices they have to follow while developing an Android application. The book provides excellent explanations of minute details that are rarely seen in other books, e.g. a demonstration of dm-verity. This book also provides a fantastic explanation of how Android works by describing its security architecture using a bottom-up approach and then probing deep into the implementation of the major Android subsystems and components that relate to Android security.

In the opening chapters of this book the author does an excellent job of explaining what some of the main Androidisms are. The book has excellent explanations of the need for Dalvik, what a Binder object is, capability-based security, permission protection levels, network security, dynamic permission enforcement, package verification, forward locking, Android's OpenSSL, the keystore service, the KeyChain API, online account management, SELinux, system updates and device security. One of the highlights of this book is the "Note" provided at the end of each major topic to explain specifics or to warn the reader about certain practices they should be careful with.

Chapter by chapter: Chapter 1 deals with Android's security model. This chapter has excellent explanations of terms like the low memory killer, wake locks, anonymous shared memory, alarms, paranoid networking and Binder. Chapter 2 deals with permissions; it explains custom permissions and permission protection levels. Chapter 3 deals with package management, with a good explanation of what an APK is, what package verification is, and the details of code signing and the APK install process. Chapter 4 covers user management, with special emphasis on application sharing. Chapter 5 talks about cryptography, Chapter 6 deals with network security and PKI, and Chapter 7 talks about credential storage. In Chapter 8 the author explains what online account management is. Enterprise security is discussed in Chapter 9, while device security is explained in Chapter 10. Chapter 11 is dedicated to NFC and secure elements, SELinux is dealt with in Chapter 12, and system updates and root access are the focus of Chapter 13.

Some suggestions that could improve this book: the author could have provided a checklist of items related to application security so that developers could consult it and tick off those guidelines before releasing an Android app. It would have been nice to have questions at the end of each chapter to test the reader's understanding of the content discussed in that chapter. The author mentions plenty of security-related tools in each chapter as footnotes, but it would have been better had these been collected and presented at the end of the book. Lastly, all source code examples used in the book could have been provided as a single downloadable zip file on the publisher's website.

Overall, this is an excellent book. It is a must-have for Android application developers, security researchers and anybody who is interested in the Android security architecture. If you are an Android developer, or a developer looking to switch to Android development, you will find this book an excellent introduction to help you write highly secure code for Android apps.