Resources for new Android app secure coding rules and guidelines

The purpose of this wiki page is to gather information which identifies resources which will help us to write secure coding rules/guidelines against vulnerabilities which have been discovered.

Web resources for new Android app secure coding rules and guidelines:

• Specific to the NDK:
  • https://intrepidusgroup.com/insight/2012/05/ndk-file-permissions-gotcha-and-fix/
  • http://community.arm.com/groups/android-community/blog/2013/09/19/10-android-ndk-tips Ten Android NDK tips
  • “Android NDK | Android Developers”: http://developer.android.com/tools/sdk/ndk/index.html#Contents (also http://developer.android.com/tools/sdk/ndk/index.html )
• https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/ (secure app development guidelines list on the right column summarizes, and full report downloadable)
• http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues It discusses current security problems (JNI), as well as new ones that will arise with ART (arrays and compacting garbage collectors, error handling).
• https://developer.android.com/training/articles/security-tips.html Secure Android app development tips
• http://source.android.com/devices/tech/security/ very large source of info about Android app security
  • http://source.android.com/devices/tech/security/best-practices.html best practices for secure Android coding, within main site above
• https://www.isecpartners.com/media/11991/isec_securing_android_apps.pdf Guidelines for developing secure Android apps
• https://developer.android.com/training/articles/security-ssl.html Android app developers should securely use HTTPS and TLS. Info on how to do so, including using pinning when possible.
• For fleshing out new rule JNI01-J, based on slide 18 from Marc Schoenefeld's Java One presentation: https://www.securecoding.cert.org/confluence/display/java/JNI01-J.+Safely+invoke+standard+APIs+that+perform+tasks+using+the+immediate+caller%27s+class+loader+instance?src=contextnavchildmode
• http://source.android.com/devices/tech/security/index.html Overall Android security overview, but needs searching to find the specific info useful for secure coding of Android apps
• https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy Hardening Android for Security and Privacy

Specific vulnerabilities disclosures

• http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html big list of Google Android CVE security vulns
• http://androidvulnerabilities.org/
• http://www.pcworld.com/article/2366040/android-444-fixes-openssl-connection-hijacking-flaw.html Android 4.4.4 fixes OpenSSL hijacking vuln
• http://www.networkworld.com/article/2226770/smartphones/risk-and-the-android-heartbleed-vulnerability.html Android and Heartbleed
• http://www.jpcert.or.jp/english/ JPCERT's English-language Android vulnerabilities site
• http://threatpost.com/android-root-access-vulnerability-affecting-most-devices
• http://www.pcworld.com/article/2111100/rogue-apps-could-exploit-android-vulnerability-to-brick-devices-researchers-warn.html memory corruption via string over 387,000 characters.
• https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss Android security group, discussions of a lot of secure Android app coding issues
• Three of the CERT secure coding books:
  • Java rules
  • Java guidelines
  • C rules and recommendations

Online coding forums

Books

Conference/workshop proceedings

I have a lot of papers in PDF, might be easiest to give these to you via USB when you’re in Pittsburgh.