The purpose of this wiki page is to gather information which identifies resources which will help us to write secure coding rules/guidelines against vulnerabilities which have been discovered.
Web resources for new Android app secure coding rules and guidelines:
- Specific to the NDK:
- http://community.arm.com/groups/android-community/blog/2013/09/19/10-android-ndk-tips Ten Android NDK tips
- “Android NDK | Android Developers”: http://developer.android.com/tools/sdk/ndk/index.html#Contents (also http://developer.android.com/tools/sdk/ndk/index.html )
- https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/ (secure app development guidelines list on the right column summarizes, and full report downloadable)
- http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues It discusses current security problems (JNI), as well as new ones that will arise with ART (arrays and compacting garbage collectors, error handling).
- https://developer.android.com/training/articles/security-tips.html Secure Android app development tips
- http://source.android.com/devices/tech/security/ very large source of info about Android app security
- http://source.android.com/devices/tech/security/best-practices.html best practices for secure Android coding, within main site above
- https://www.isecpartners.com/media/11991/isec_securing_android_apps.pdf Guidelines for developing secure Android apps
- https://developer.android.com/training/articles/security-ssl.html Android app developers should securely use HTTPS and TLS. Info on how to do so, including using pinning when possible.
- For fleshing out new rule JNI01-J, based on slide 18 from Marc Schoenefeld's Java One presentation: https://www.securecoding.cert.org/confluence/display/java/JNI01-J.+Safely+invoke+standard+APIs+that+perform+tasks+using+the+immediate+caller%27s+class+loader+instance?src=contextnavchildmode
- http://source.android.com/devices/tech/security/index.html Overall Android security overview, but needs searching to find the specific info useful for secure coding of Android apps
- https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy Hardening Android for Security and Privacy
Specific vulnerabilities disclosures
- http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html big list of Google Android CVE security vulns
- http://www.pcworld.com/article/2366040/android-444-fixes-openssl-connection-hijacking-flaw.html Android 4.4.4 fixes OpenSSL hijacking vuln
- http://www.networkworld.com/article/2226770/smartphones/risk-and-the-android-heartbleed-vulnerability.html Android and Heartbleed
- http://www.jpcert.or.jp/english/ JPCERT's English-language Android vulnerabilities site
- http://www.pcworld.com/article/2111100/rogue-apps-could-exploit-android-vulnerability-to-brick-devices-researchers-warn.html memory corruption via string over 387,000 characters.
- https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss Android security group, discussions of a lot of secure Android app coding issues
- Three of the CERT secure coding books:
- Java rules
- Java guidelines
- C rules and recommendations
Online coding forums
I have a lot of papers in PDF, might be easiest to give these to you via USB when you’re in Pittsburgh.