20-CS-6053 Network Security Spring 2017
Android Security

Secret Key, Public Key, Hash Algorithms, IPSec, Kerberos, Authentication, more

Security of Google Play

Publishing Policy: Google sets a standard that developers are required to meet regarding quality. This concerns the following:
  • sexually explicit material
  • violence and bullying
  • hate speech
  • impersonation
  • deceptive behavior such as pretending to be authorized by someone else
  • infringement of intellectual property
  • unauthorized publishing of someone's personal information
  • illegal activities such as the sale of drugs
  • gambling
  • malicious payloads
  • unpredictable network usage
     See full developer program policy description
     See Agreement required from developers
     Enforcement: legal means

Publishing Procedure: a developer may publish in a trusted app store such as Google Play or publish on an unofficial website, or even send apps by email. Publishing in an app store has the benefit of assistance in promoting the app and a higher level of trust by users.
     See Publishing overview
     Note: section on releasing apps through email
     Note: section on releasing apps through a web site
     See Publishing details
     See Developer guidelines
     Note: section on functionality

ProGuard: a tool that shrinks and obfuscates code, making it harder to reverse engineer. Its use is optional, and it is normally applied just prior to release because it gets in the way of debugging.
     See a description of ProGuard

Request for Removal: someone noticing that an app does not meet developer guidelines may request removal of the app.
     See Page on removing content from Google for more information

Available Apps for Protection: some apps offer detection and/or removal of malware.
     See Malwarebytes for an anti-malware app
     See Lookout for another one

Google Play Bouncer: Google runs each uploaded app to see whether it exhibits any non-compliant behavior.
     See a Description of the Bouncer
     See problems with the bouncer which can be summarized as follows:

  1. An app can know it is being run by Bouncer and withhold its malicious payload
  2. An app can be uploaded with no malicious payload, then weeks later an additional module containing malicious code can be uploaded
     Note the security tips near the end of the article
     See another article on the bouncer

A Malware Development Toolkit: a toolkit that sells for $300 with a guarantee of successful deployment and remote control of the payload.
     See a description of the toolkit
     Look at paragraph beginning with "As Dendroid is a new threat..."
     Look at the advertising for it near the end of the article

Google Play Services:
     See users will be able to verify apps continuously
     But Google Services may have too much power
     See this description of Google Play Services

Malicious Apps can Root a Device:
     See details here

The Apple Store has Security Problems Too:
     See details here