Mobile application security and privacy Flashcards
(18 cards)
What is the focus of the Mobile Application Security & Privacy course?
The course focuses on security and privacy aspects of mobile applications.
Who are the instructors of the course?
Volker Stolz and Keila Lima.
What are some core Android security features?
Default system and file permissions, cryptography, autofill framework, secure IPC, and techniques to avoid memory management errors.
What is the purpose of the app’s sandbox in Android?
Apps are not supposed to access other apps’ data or code, except when using intents.
What types of permissions exist in Android?
User-granted permissions and application-defined permissions.
How does authentication work in Android?
Access to protected assets is controlled via Credential Manager and supports various authentication methods, including biometric authentication.
What is the preferred mechanism for asynchronous IPC on Android?
Intents.
What are the risks associated with implicit intents?
Implicit intents can lead to security hazards, such as implicit intent hijacking, allowing malicious apps to act as the intended application.
What are some mitigations for implicit intents?
Perform input validation, make intents explicit, specify non-null permissions, show an app chooser, and disallow access to content providers.
What does Google Play Services provide for Safe Browsing?
An API to check URLs for known threats.
What are potential vulnerabilities in WebViews?
Cross-site scripting and unsafe URI loading.
What are the three fundamental ways to save data on an Android device?
Internal storage, external storage, and content providers.
What is the purpose of data access audit in Android?
To help developers detect unexpected private data access within the app.
What are key privacy guidelines for Android applications?
Minimize permissions requests, use location data responsibly, and support user-facing privacy features.
How should sensitive data be handled in Android apps?
Data should be stored safely, passed securely to other apps, and access should be restricted.
What are resettable identifiers in Android?
Identifiers that respect user preferences on advertisement tracking and do not access IMEI or device serial number.
Where can you find information about the latest Android security vulnerabilities?
Android App Security Improvement Program, Security Vulnerabilities, and OWASP Reports.
What are some paths towards mitigation of vulnerabilities?
Vulnerability scanning and updating all app dependencies.