Author: Nikolay Elenkov
Publisher: No Starch Press
Audience: Competent Android developers
Reviewer: Mike James
Reviewed: February 2015
Over the festive season IProgrammer gives its reviewers a well-deserved break. For our readers we pick out a selection of our best books of the year in case you missed them. Over 100 books were reviewed in 2015 and so we start at the top with an A.
We all need to know about Android security - but a whole book dedicated to it? Can this be a good idea? The simple answer is yes but not for every programmer.
The subtitle gives you a clue as to why - An In-Depth Guide to Android's Security Architecture. This isn't a quick look at how things work at the top level, and it isn't a collection of does and don'ts. It contains lots of interesting information, but not everyone will want to know all of it and the average Android programmer is going to have to work very hard to keep up.
Chapter 1 provides an overview of the security model and in part this is an overview of Android's basic design and its differences from standard Linux and Java. The next two chapters discuss the core of Android security - permissions, package and user management. This is where you stand a good chance of getting lost. It is also difficult to see how this information could be of practical value unless you were trying to work out an attack on Android. It covers things like how permissions are created and enforced, including custom app permissions, and how the APK format differs from a JAR. It details how an app gets installed including how to sideload an adb.
You could probably get all of the tasks described completed without understanding the fine detail. Don't let you put this off, however, and read on even if you only get the general gist of how things are working. The way users are handled in Android will come as a surprise to anyone who thinks that it is the same as Linux.
From here the rest of the book becomes much more practical. In Chapter 5 we take a look at the wonderful world of crypto providers and the JCA. Then on to network security and the PKI, credential storage, including setting up VPNs and WiFi, and online account management. In this group of chapters we learn about certificates, the JSSE and Android's implementation of the JSSE.
Chapter 9 introduces enterprise security. As this is a recent introduction to Android you may not even be aware that these facilities exist. Topics include adding a device admin plus more on VPNs and WiFi.
Next Chapter 10 looks at device security including controlling the boot procedure, disk encryption, screen security, usb security and backup. Chapter 11 moves on to NFC and secure elements. Then Chapter 12 discusses SELinux and the Android implementation.
The final chapter is on the system update mechanism and root access. It discusses recovery and how to get root access on a production system This is good background for anyone thinking about experimenting with their own OS images.
This is not a book that you are going to get everything from on a first reading. You also need to be a competent Android developer. While there isn't a lot of Java code in the book, you need to understand the way an app works to understand how the security measures work. On the other hand, you don't really need to understand how security measures work to be able to write Android apps.
This is an excellent book, but it is for readers who want to know more than they strictly need to know - unless you want to become an Android security expert, when this would be your one and only starting point.