Mobile Application

Development &
Security
Prepared By – Himani Parmar
Gujarat University(Msc)

1
Object-Oriented Programming (OOP) Concepts in Java
• Object-Oriented Programming (OOP) is a programming
paradigm based on the concept of "objects," which can
contain data and code.

• Here are the four main OOP concepts in Java with explanations and
examples:

• Class
• Object
• Encapsulation
• Inheritance
• Polymorphism
• Abstraction

2
Classes and Object

• A class in Java is a set of objects which shares common

characteristics/ behavior and common properties/ attributes.

3
Classes and Object
• An object in Java is a basic unit of Object-Oriented Programming
and represents real-life entities.

4
Object-Oriented Programming (OOP) Concepts in Java
• Encapsulation: Encapsulation is the mechanism of wrapping the data (variables) and code
(methods) together as a single unit. In encapsulation, the variables of a class are hidden from other
classes and can only be accessed through the methods of their current class.

5
Object-Oriented Programming (OOP) Concepts in Java
• Inheritance: Inheritance is a mechanism where one class acquires the properties (fields) and
behaviors (methods) of another class. The class that inherits is called the subclass (or derived class),
and the class being inherited from is called the superclass (or base class).

6
Object-Oriented Programming (OOP) Concepts in Java
• Polymorphism: Polymorphism means "many forms," and it allows one interface to be used for a
general class of actions. The specific action is determined by the exact nature of the situation.
Polymorphism is achieved through method overriding and method overloading.

7
Object-Oriented Programming (OOP) Concepts in Java
• Method Overriding:

8
Object-Oriented Programming (OOP) Concepts in Java
• Method Overloading:

9
Object-Oriented Programming (OOP) Concepts in Java
• Abstraction: Abstraction is the concept of hiding the complex implementation details and showing
only the necessary features of an object. It can be achieved using abstract classes and interfaces.

10
Unit 3: Mobile Application Security Fundamentals

• Android OS

Understanding Mobile Threat Landscape

Secure Coding Practices

Mobile Platform Security Features

Cryptography in Mobile Apps

Secure Network Communication

11
Android OS
• Overview: Android is a mobile operating system developed by
Google, based on the Linux kernel, and designed primarily for
touchscreen mobile devices.

• Key Features: Open-source, customizable UI, multitasking,

extensive app ecosystem.

• Real-life Scenario: Used in various devices including

smartphones, tablets, smart TVs, and wearables.

• Example: Samsung Galaxy, Google Pixel.

12
Android OS
• What Is Android OS?

• Android is an open-source Linux-based operating system for mobile

devices, home appliances, and enterprise handhelds.

• Android OS, short for Android Operating System, is an open-source

operating system based on the Linux kernel, developed primarily for
mobile devices such as smartphones, tablets, smartwatches, and other
wearable devices.

• From its humble beginnings, when it was competing with Nokia’s mobile
OS Symbian, the Windows Phone OS, and Blackberry OS, to its dominant
position in the mobile operating system market, Android has significantly
influenced how we interact with technology.

13
Android OS
• Android, being a versatile operating system, finds applications across
various devices:

• Smart TVs: Android powers smart TVs, enabling users to stream content
from various sources, access apps, browse the internet, and control their
TV experience using voice commands or remote controls.

• Home appliances: Android is being integrated into various home

appliances such as refrigerators, washing machines, and ovens. This
integration allows users to access smart features, control settings
remotely, and receive notifications about the status of their appliances.

• Healthcare devices: Android is used in various healthcare devices,

including wearable fitness trackers, smartwatches, and medical
monitoring devices. These devices can track users’ health metrics,
provide real-time feedback, and sync data with mobile apps for analysis.
14
Android OS
• History of Android

• The history of Android is a fascinating journey that spans several

decades, characterized by innovation, collaboration, and evolution. From
its humble beginnings, when it was competing with Nokia’s mobile OS
Symbian, the Windows Phone OS, and Blackberry OS, to its dominant
position in the mobile operating system market, Android has significantly
influenced how we interact with technology.

• 1. Early origins and development (2003-2007)

• The story of Android began in 2003 when Andy Rubin, Rich Miner, Nick
Sears, and Chris White founded Android Inc. in Palo Alto, California. Their
initial goal was to develop an advanced operating system for digital
cameras. However, recognizing the potential of their project, they shifted
their focus to creating an operating system for mobile devices.
15
Android OS
• 2. Acquisition by Google (2005)

• In 2005, Google, led by then-CEO Eric Schmidt, acquired Android Inc.,

laying the groundwork for what would become one of the most significant
developments in the mobile industry. Google’s acquisition of Android
signaled its entry into the rapidly growing smartphone market and set the
stage for developing a new mobile operating system.

• 3. Open Handset Alliance and the launch of Android (2007)

• On November 5, 2007, the Open Handset Alliance (OHA) was unveiled. It

comprised several prominent technology companies, including Google,
HTC, Samsung, Motorola, and others. The OHA aimed to develop open
standards for mobile devices and promote innovation in the mobile
industry. Shortly after, on November 5, 2007, Google announced the first
beta version of the Android operating system.
16
Android OS
• 4. Android 1.0 and the first Android device (2008)

• The first commercial version of Android, Android 1.0, was released on

September 23, 2008. The HTC Dream, also known as T-Mobile G1, was
the first smartphone to run on the Android operating system. The HTC
Dream featured a touchscreen interface, a physical keyboard, and access
to Google services such as Gmail, Maps, and YouTube.

• Since its initial release, Android has undergone significant evolution with
regular updates and new versions introduced to the market, as we will
discuss later. The developer preview of Android 15 has been launched in
2024.

• 5. Growth and dominance in the mobile market

• Over the years, Android has experienced tremendous growth, rapidly

becoming the world’s most popular mobile operating system. According 17
Android OS
• Key Features of Android

• Android offers a wide array of functionalities catering to both users and

developers. Some of the key features of Android include:

• Open-source platform: Android is built on an open-source Linux kernel,

allowing developers to access the source code, modify it, and contribute
to its development. This openness fosters innovation and collaboration
within the Android ecosystem.

• Customization user interface: Android provides users with the ability

to customize their device’s user interface, including wallpapers, themes,
widgets, and launchers. Users can personalize their devices to suit their
preferences and style. This feature sets it apart from its closest
competitor, iOS.

18
Android OS
• Multitasking: Android supports multitasking, allowing users to run
multiple apps simultaneously, switch between them seamlessly, and
perform various tasks simultaneously. Users can also use split-screen
mode to view two apps side by side.

• Google Play Store: Android users can access the Google Play Store,
which offers a vast catalog of apps, games, movies, music, books, and
more. The Play Store provides users a centralized platform to discover,
download, and install content for their devices.

• Google Assistant: Android devices come with Google Assistant, a virtual

assistant powered by artificial intelligence. Google Assistant can perform
various tasks, answer questions, provide recommendations, and control
smart home devices using voice commands.

19
Android OS
• Android Architecture

• The Android architecture is a layered structure that defines the components and
interactions within the Android operating system.

20
Android OS
• Android Architecture

• The Android architecture is a layered structure that defines the

components and interactions within the Android operating system.

• 1. Linux kernel layer

• At the core of the Android architecture lies the Linux kernel, which
provides essential hardware abstraction, memory management, process
management, security, and device driver.

• Key features of the Linux kernel layer in the Android architecture include:

• Hardware abstraction: The Linux kernel abstracts hardware

functionalities, allowing the upper layers of the Android stack to interact
with hardware components through standardized interfaces.
21
Android OS
• Memory management: The Linux kernel handles memory allocation,
virtual memory management, and memory protection to ensure efficient
utilization of system resources.

• Security mechanisms: The Linux kernel enforces security policies through

access control mechanisms, permissions, and secure execution
environments.

• Device drivers: The Linux kernel provides device drivers to facilitate

communication between the operating system and hardware
peripherals, such as display drivers, camera drivers, input/output drivers,
and network drivers.

22
Android OS
• 2. Hardware abstraction layer (HAL)

• Above the Linux kernel layer resides the HAL, which abstracts hardware-
specific functionalities and provides standardized interfaces for device
drivers and hardware components. The HAL enables device
manufacturers to develop drivers for specific hardware configurations
while ensuring compatibility with the Android framework.

• Key components of the hardware abstraction layer include:

• HAL modules: HAL modules encapsulate hardware-specific functionalities,

such as camera, audio, display, sensors, and input devices, into
standardized interfaces accessible to higher-level software layers

• Interface definitions: The HAL defines standardized interfaces, known as

Hardware Abstraction Interfaces (HAIs), which specify the methods and
parameters for interacting with hardware components. 23
Android OS
• 3. Native libraries layer

• The native libraries layer consists of libraries written in C and C++

programming languges that provide core system functionalities and
support for native code execution within Android applications. These
libraries augment the capabilities of the Java-based Android framework
and enable developers to access low-level system resources and
hardware features.

• Key native libraries in the Android architecture include:

• libc: The C standard library provides fundamental programming utilities

and functions for memory management, string manipulation,
input/output operations, and system calls.

• libm: The Math library contains mathematical functions and operations,

including arithmetic, trigonometric, exponential, and logarithmic 24
Android OS
• libz: The Zlib library implements data compression and decompression
algorithms, facilitating file compression and decompression operations
within Android applications.

• libjpeg/libpng: These libraries provide support for image processing and

manipulation, including JPEG and PNG image format decoding and
encoding.

25
Android OS
• 4. Android runtime layer

• The Android runtime (ART) layer is responsible for executing and

managing Android applications bytecode compiled from Java or Kotlin
source code. ART employs ahead-of-time (AOT) compilation to convert
bytecode into native machine code, enhancing runtime performance and
reducing memory overheads.

• Key components of the Android Runtime layer include:

• ART compiler: The ART compiler translates bytecode into native machine
code during the installation or upgrade of Android applications, improving
runtime performance and efficiency.

• Dalvik virtual machine (legacy): In earlier versions of Android, the

Dalvik virtual machine executed bytecode in the form of Dalvik
Executable (DEX) files. Dalvik employed just-in-time (JIT) compilation to 26
Android OS
• 5. Java API framework layer

• The Java application programming interface(API) framework layer

comprises a comprehensive set of libraries, APIs, and runtime
environments that facilitate the development of Android applications
using Java or Kotlin programming languages.

• The Java API Framework exposes high-level functionalities and system

services to developers, enabling them to create rich, interactive, and
feature-rich applications. Key components of the Java API Framework
layer include:

• Android software development kit (SDK): The Android SDK provides a

collection of development tools, libraries, sample code, and
documentation for building Android applications. It includes the Android
Debug Bridge (ADB), Android Studio IDE, Android Emulator, and various
command-line utilities. 27
Android OS
• Core libraries: The core libraries contain essential classes and packages
for application development, including data structures, utilities, I/O
operations, networking, graphics, and user interface components.

• Android framework APIs: The Android framework APIs expose system-

level functionalities and services, such as activity management, resource
handling, content providers, intents, services, and user interface
components (views, layouts, widgets).

28
Android OS
• 6. Application layer

• At the topmost layer of the Android architecture is the application

layer, which consists of user-installed applications, system applications,
and system services running on the Android platform. This layer
encompasses a diverse range of applications, including productivity tools,
multimedia players, games, social networking apps, communication apps,
and more.

• The key components of the application layer include:

• User applications: User-installed applications downloaded from the

Google Play Store or third-party sources provide various functionalities
and services tailored to users’ preferences and needs.

29
Android OS
• System applications: Pre-installed system applications provided by device
manufacturers or the Android Open Source Project (AOSP) offer core
functionalities such as phone dialer, contacts, messaging, browser,
camera, calendar, and settings.

• System services: Background services and daemons running on the

Android platform provide essential system-level functionalities, including
telephony services, network connectivity, location services, media
playback, notification handling, and power management.

30
Android OS
• Android Versions

• Android has evolved through various versions since its inception. Each
version brings new features, enhancements, and optimizations to the
platform. Here is a list of the major Android versions released to date:

• Android 1.0 (Astro): The initial version of Android was released on

September 23, 2008. It introduced basic functionalities such as web
browsing, camera support, and access to Google services like Gmail and
Google Maps.

• Android 1.1 (Bender): Released on February 9, 2009, Android 1.1 included

minor updates and bug fixes to improve system stability and
performance.

• Android 1.5 (Cupcake): Introduced on April 27, 2009, Android 1.5 brought
significant improvements, such as an on-screen keyboard, support for 31
Android OS
• Android 1.6 (Donut): Released on September 15, 2009, Android 1.6
featured updates to the user interface, improved search functionality,
and support for CDMA networks.

• Android 2.0/2.1 (Eclair): Android 2.0 and 2.1, known collectively as Eclair,
were released on October 26, 2009. Eclair introduced features such as
multiple account support, Bluetooth 2.1, and an updated web browser.

• Android 2.2 (Froyo): Released on May 20, 2010, Android 2.2 (Froyo)
introduced significant performance improvements, support for Adobe
Flash Player, and the ability to install apps on external storage.

• Android 2.3 (Gingerbread): Introduced on December 6, 2010, Android 2.3

(Gingerbread) focused on refining the user interface, improving gaming
performance,

32
Android OS
• Android 3.0/3.1/3.2 (Honeycomb): Android 3.0 (Honeycomb) was released
on February 22, 2011, and was specifically designed for tablets. It
featured a redesigned user interface, support for multicore processors,
and improved multitasking capabilities.

• Android 4.0 (Ice Cream Sandwich): Released on October 18, 2011,

Android 4.0 (Ice Cream Sandwich) merged the tablet and smartphone
versions of Android. It introduced features such as a new user interface,
enhanced multitasking, and support for facial recognition.

• Android 4.1/4.2/4.3 (Jelly Bean): Android 4.1 (Jelly Bean) was released on
July 9, 2012, followed by subsequent updates 4.2 and 4.3. Jelly Bean
introduced features such as improved performance, enhanced
notifications, and support for multiple user accounts on tablets.

• Android 4.4 (KitKat): Released on October 31, 2013, Android 4.4 (KitKat)
focused on optimizing the operating system for low-end devices. It 33
Android OS
• Android 5.0/5.1 (Lollipop): Android 5.0 (Lollipop) was released on
November 12, 2014, followed by updates to 5.1. Lollipop introduced the
Material Design language, improved performance, enhanced security
features, and support for 64-bit processors.

• Android 6.0 (Marshmallow): Released on October 5, 2015, Android 6.0

(Marshmallow) introduced features such as app permissions, Google Now
on Tap, and a new battery-saving feature called Doze.

• Android 7.0/7.1 (Nougat): Android 7.0 (Nougat) was released on August

22, 2016, followed by updates to 7.1. Nougat introduced features such as
split-screen multitasking, enhanced notifications, and support for
Daydream VR.

• Android 8.0/8.1 (Oreo): Android 8.0 (Oreo) was released on August 21,
2017, followed by updates to 8.1. Oreo introduced features, such as
picture-in-picture mode, notification dots, and improved battery life, 34
Android OS
• Android 9 (Pie): Released on August 6, 2018, Android 9 (Pie) introduced
features such as gesture-based navigation, adaptive battery, and digital
wellbeing tools to help users monitor their smartphone usage.

• Android 10: Released on September 3, 2019, Android 10 introduced

features such as a system-wide dark mode, improved privacy controls,
and support for foldable smartphones.

• Android 11: Released on September 8, 2020, Android 11 focused on

enhancing communication, privacy, and control with features like chat
bubbles, one-time permissions, and improved media controls.

• Android 12: Released on October 4, 2021, Android 12 introduced a major

visual overhaul with Material You design language, enhanced privacy
features, and performance improvements.

35
Android OS
• Android 13: Android 13 focused on user privacy with features like a photo
picker and notification permission settings. Building on Android 12’s
tablet optimizations, Android 13 enhances system UI, multitasking, and
compatibility modes.

• Android 14: Released on October 4, 2023, Android 14 enhances

accessibility with features like 200% font scaling and customization lock
screens. Additionally, it introduces support for lossless audio formats and
an improved magnifier for low-vision users.

• Android 15: It is the upcoming iteration of the Android operating system,

slated for release in early 2025. It introduces advanced encryption
features for secure data storage and transmission, among other features.

36
Android OS
• Pros of Android

• Open source: Android is built on an open-source platform, allowing

developers to customize and modify the operating system according to
their needs. This fosters innovation and flexibility within the Android
ecosystem.

• Customization: Android offers extensive customization options for users,

including personalized home screens, themes, widgets, and third-party
launchers. Users can tailor their Android devices to match their
preferences and style.

• Diverse hardware options: Android is available on a wide range of devices

manufactured by various companies, offering users a diverse selection of
smartphones, tablets, and other devices with different specifications,
features, and price points.
37
Android OS
• App ecosystem: The Google Play Store, Android’s official app
marketplace, offers a vast catalog of apps, games, utilities, and
entertainment content. With millions of apps available for download,
users can find applications for almost any purpose or interest.

• Affordability: Android devices are available at a wide range of price

points, including budget-friendly options, making them accessible to
users with different budgets and preferences.

38
Android OS
• Cons of Android

• Fragmentation: Android fragmentation refers to the diversity of devices

running different Android operating system versions and customized user
interfaces (UIs) by manufacturers. This can lead to compatibility issues,
inconsistent user experiences, and delays in software updates.

• Bloatware and pre-installed apps: Some Android devices come pre-

installed with bloatware, unnecessary apps, and manufacturer-specific
software that cannot be easily removed. This can consume storage
space, affect performance, and clutter the user interface.

• Lack of timely updates: Android devices may not receive timely software
updates, especially for older or lower-end devices. This can leave devices
vulnerable to security threats and limit access to new features and
improvements introduced in newer Android versions.
39
Understanding Mobile Threat Landscape
• Mobile Security Threats:

• Mobile Application Security Threats: Application-based threats

happen when people download apps that look legitimate but
actually skim data from their device. Examples are spyware and
malware that steal personal and business information without
people realizing it’s happening.

• Web-Based Mobile Security Threats: Web-based threats are

subtle and tend to go unnoticed. They happen when people visit
affected sites that seem fine on the front-end but, in reality,
automatically download malicious content onto devices.

40
Introduction to Development Framework

Mobile Network Security Threats: Network-based threats are
especially common and risky because cyber criminals can steal un-
encrypted data while people use public WiFi networks.
• Mobile Device Security Threats: Physical threats to mobile
devices most commonly refer to the loss or theft of a device.
Because hackers have direct access to the hardware where private
data is stored, this threat is especially dangerous to enterprises.

41
Examples of these Threats
• 1. Social Engineering

• Social engineering attacks are when bad actors send fake emails
(phishing attacks) or text messages to your employees in an effort
to trick them into handing over private information like their
passwords or downloading malware onto their devices.

• Reports by cyber security firm Lookout and Verizon show a 37%

increase in enterprise mobile phishing attacks and that phishing
attacks were the top cause of data breaches globally in 2020.

42
Examples of these Threats

43
Examples of these Threats
• Phishing Attack Countermeasures

• The best defense for phishing and other social engineering attacks
is to teach employees how to spot phishing emails and SMS
messages that look suspicious and avoid falling prey to them
altogether. Reducing the number of people who have access to
sensitive data or systems can also help protect your organization
against social engineering attacks because it reduces the number
of access points attackers have to gain access to critical systems
or information.

44
Examples of these Threats
• 2. Data Leakage via Malicious Apps

• As Dave Jevans, CEO and CTO of Marble Security explains,

“Enterprises face a far greater threat from the millions of generally
available apps on their employees’ devices than from mobile
malware.”

• That’s because 85% of mobile apps today are largely unsecured.

Tom Tovar, CEO of Appdome says, “Today, hackers can easily find
an unprotected mobile app and use that unprotected app to design
larger attacks or steal data, digital wallets, backend details, and
other juicy bits directly from the app.”

45
Examples of these Threats
• For example, when your employees visit Google Play or the App
Store to download apps that look innocent enough, the apps ask
for a list of permissions before people are allowed to download
them. These permissions generally require some kind of access to
files or folders on the mobile device, and most people just glance
at the list of permissions and agree without reviewing them in
great detail.

• this lack of scrutiny can leave devices and enterprises vulnerable.

Even if the app works the way it’s supposed to, it still has the
potential to mine corporate data and send it to a third party, like a
competitor, and expose sensitive product or business information.

46
Examples of these Threats

• How to Protect Against Data Leakage

• The best way to protect your organization against data leakage

through malicious or unsecured applications is by using mobile
application management (MAM) tools. These tools allow IT admins
to manage corporate apps (wipe or control access permissions) on
their employees’ devices without disrupting employees’ personal
apps or data.

47
Examples of these Threats
3. Unsecured Public WiFi

Public WiFi networks are generally less secure than private

networks because there’s no way to know who set the network up,
how (or if) it’s secured with encryption, or who is currently
accessing it or monitoring it. And as more companies offer remote
work options, the public WiFi networks your employees use to
access your servers (e.g., from coffee shops or cafes) could present
a risk to your organization.

For example, cybercriminals often set up WiFi networks that look

authentic but are actually a front to capture data that passes
through their system (a “man in the middle” attack).

48
Examples of these Threats

49
Examples of these Threats
How to Reduce Risks Posed By Unsecured Public WiFi
The best way for you to protect your organization against threats
over public WiFi networks is by requiring employees to use a VPN to
access company systems or files. This will ensure that their session
stays private and secure, even if they use a public network to
access your systems.

50
Examples of these Threats

51
Examples of these Threats
4. End-to-End Encryption Gaps
An encryption gap is like a water pipe with a hole in it. While the
point where the water enters (your users’ mobile devices) and the
point where the water exits the pipe (your systems) might be
secure, the hole in the middle lets bad actors access the water flow
in between.
Unencrypted public WiFi networks are one of the most common
examples of an encryption gap (and it’s why they’re a huge risk to
organizations). Since the network isn’t secured, it leaves an
opening in the connection for cybercriminals to access the
information your employees are sharing between their devices and
your systems.
52
Examples of these Threats
Solution: Ensure Everything is Encrypted
For any sensitive work information, end-to-end encryption is a
must. This includes ensuring any service providers you work with
encrypt their services to prevent unauthorized access, as well as
ensuring your users’ devices and your systems are encrypted as
well.

53
Examples of these Threats
5. Spyware
Spyware is used to survey or collect data and is most commonly
installed on a mobile device when users click on a malicious
advertisement or through scams that trick users into downloading it
unintentionally.
How to Protect Against Spyware

Dedicated mobile security apps (like Google’s play protected) can

help your employees detect and eliminate spyware that might be
installed on their devices and be used to access company data.
Ensuring your employees keep their device operating systems (and
applications) up to date also helps ensure that their devices and
your data are protected against the latest spyware threats.
54
Examples of these Threats
7. Poor Password Habits
A 2020 study by Balbix found that 99% of the people surveyed
reused their passwords between work accounts or between work
and personal accounts. Unfortunately, the passwords that
employees are reusing are often weak as well.
For example, a 2019 study by Google found that 59% of the people
they surveyed used a name or a birthday in their password, and
24% admitted to using a password like one of these below:

55
Examples of these Threats

56
Examples of these Threats
How to Reduce or Eliminate Mobile Password Threats
The NIST password guideline are widely regarded as the
international standard for password best practices. Following these
guidelines—and insisting your employees do the same—will help
protect you against threats from weak or stolen passwords.
Password managers can simplify the work required for your
employees to follow these guidelines
Case Study Analysis: Analyze a recent data breach incident
involving a mobile app. Discuss the vulnerabilities exploited and
the impact on users.

57
Secure Coding Practices
Secure Coding Practices

To mitigate these threats, developers should follow secure coding

practices:
Input validation :

Input validation is a fundamental aspect of secure coding

practices. It involves verifying that all user inputs conform to
expected formats and values before processing them. This helps
prevent various types of injection attacks, such as SQL injection,
cross-site scripting (XSS), and command injection.
For example, if an application expects a numeric input, it should
ensure that the input contains only digits and falls within an
acceptable range. 58
Secure Coding Practices

Input validation :

A common approach is to use whitelisting, where only known good

inputs are accepted, rather than blacklisting, which tries to block
known bad inputs.
 By rigorously validating inputs, developers can significantly
reduce the risk of malicious data being processed by the
application.

59
Secure Coding Practices
Authentication and Authorization

Strong authentication and authorization mechanisms are crucial for

ensuring that only legitimate users can access the application and
its resources.
Authentication verifies the identity of a user, while authorization
determines what actions the authenticated user is allowed to
perform.
Implementing multi-factor authentication (MFA) adds an extra layer
of security by requiring users to provide two or more verification
factors.
For example, a banking app might require a password and a one-
time code sent to the user’s phone. 60
Secure Coding Practices
Authentication and Authorization

 Additionally, role-based access control (RBAC) can be used to

restrict access to sensitive functions based on the user’s role within
the organization.
Properly implemented authentication and authorization
mechanisms help prevent unauthorized access and protect
sensitive data.

61
Secure Coding Practices
Error Handling:

Effective error handling is essential for maintaining the security

and stability of an application. When errors occur, they should be
handled gracefully without exposing sensitive information to the
user or potential attackers.
For instance, instead of displaying a detailed error message that
reveals the structure of the database or the server’s file system,
the application should show a generic error message and log the
detailed information for internal review.
This practice helps prevent attackers from gaining insights into the
application’s inner workings, which could be exploited in future
attacks.
62
Secure Coding Practices
Secure APIs

Using secure APIs is another critical aspect of secure coding

practices. APIs (Application Programming Interfaces) are used to
enable communication between different software components.
To ensure security, developers should use APIs that provide built-in
security features, such as encryption and authentication.
For example, when integrating with a payment gateway,
developers should use APIs that support secure communication
protocols like HTTPS and require API keys or tokens for
authentication.
Additionally, developers should avoid hardcoding credentials within
the application code, as this can lead to credential leakage. 63
Secure Coding Practices
Example: Secure Coding in a Web Application

Consider a web application that allows users to register and log in.

 To implement secure coding practices, the developers would

validate all user inputs, such as email addresses and passwords, to
ensure they meet the required format and length.
They would implement strong authentication mechanisms, such as
requiring users to verify their email addresses and enabling MFA.
Error handling would be designed to show generic error messages
to users while logging detailed information for internal use.

64
Secure Coding Practices
Example: Secure Coding in a Web Application

Consider a web application that allows users to register and log in.

The application would use secure APIs for tasks like sending
verification emails and processing payments, ensuring that all
communication is encrypted and authenticated.
 By following these secure coding practices, the developers can
create a robust and secure web application that protects user data
and resists common attacks.
Refer : OWASP Top10

65
Mobile Platform Security Features
What is Mobile Platform Security? Mobile platform security refers to
the measures and protocols implemented to protect mobile devices
and their data from unauthorized access, malware, and other cyber
threats. With the increasing reliance on mobile devices for personal
and professional tasks, ensuring their security has become
paramount.
Importance of Mobile Security: Mobile devices often store sensitive
information such as personal photos, financial data, and business
communications. A breach in mobile security can lead to significant
personal and financial losses. Therefore, understanding and
implementing robust security measures is crucial.
Real-Life Example: In 2020, a major security breach occurred when
a popular mobile app was found to be leaking user data due to
66
inadequate security measures. This incident highlighted the
Mobile Platform Security Features
Mobile Operating Systems

Android Security Features: Android, being an open-source platform,

is more susceptible to security threats. However, it has several
built-in security features such as Google Play Protect, which scans
apps for malware, and app sandboxing, which isolates apps to
prevent them from accessing unauthorized data.
Google Play Protect: Google Play Protect is a comprehensive
security service that continuously scans and verifies apps on the
Google Play Store. In 2019, it detected and removed a malicious
app that had been downloaded by millions of users, preventing
potential data breaches.

67
Mobile Platform Security Features
App Sandboxing: App sandboxing ensures that each app operates
in its own environment, preventing it from accessing data from
other apps. This isolation helps in containing any potential security
breaches within a single app.
iOS Security Features: iOS, known for its stringent security
measures, includes features like the App Store review process,
which ensures that only secure and verified apps are available for
download, and data encryption, which protects user data from
unauthorized access.
Real-Life Example: In 2021, Apple quickly responded to a security
flaw in iMessage that could have allowed hackers to access user
data. The company released a patch within days, demonstrating
the effectiveness of its security protocols.
68
Mobile Platform Security Features
Common Mobile Threats

Malware: Malware is a significant threat to mobile devices, with

various types such as Trojans, spyware, and ransomware. These
malicious programs can steal data, monitor user activity, and even
lock devices until a ransom is paid.
Real-Life Example: The Pegasus spyware attack in 2019 targeted
high-profile individuals by exploiting vulnerabilities in mobile
operating systems. This spyware could access messages, emails,
and even activate the device’s camera and microphone without the
user’s knowledge.

69
Mobile Platform Security Features
Common Mobile Threats

Phishing: Phishing attacks trick users into providing sensitive

information by masquerading as legitimate entities. These attacks
are often carried out through emails, messages, or fake websites.
Real-Life Example: In 2020, a phishing attack targeted mobile
banking users by sending fake SMS messages that appeared to be
from their banks. Many users unknowingly provided their login
credentials, leading to significant financial losses.
Mitigation Strategies: To protect against these threats, users
should be cautious about downloading apps from untrusted
sources, regularly update their devices, and use security software
to detect and remove malware.
70
Mobile Platform Security Features
Application Security

Secure Coding Practices: Developers must follow secure coding

practices to prevent vulnerabilities in mobile applications. This
includes input validation, using secure APIs, and regularly updating
the app to fix security flaws.
Real-Life Example: In 2021, a popular social media app was found
to have a vulnerability due to poor coding practices. This flaw
allowed hackers to access user data, emphasizing the need for
secure coding.

71
Mobile Platform Security Features
App Permissions: Limiting app permissions is crucial for protecting
user data. Apps should only request permissions that are necessary
for their functionality.
Real-Life Example: A fitness app was found to be misusing
permissions to access users’ location data and contacts, which it
then sold to third parties. This incident highlighted the importance
of scrutinizing app permissions.
User Education: Educating users about the importance of app
permissions and encouraging them to review permissions regularly
can help prevent unauthorized access to their data.

72
Mobile Platform Security Features
Network Security

Wi-Fi Security: Public Wi-Fi networks are often unsecured, making

them a prime target for cyber attacks. Users should avoid
accessing sensitive information over public Wi-Fi and use VPNs to
encrypt their data.
Real-Life Example: In 2018, a man-in-the-middle attack on a public
Wi-Fi network in a coffee shop allowed hackers to intercept and
steal users’ personal information, including passwords and credit
card details.

73
Mobile Platform Security Features
Network Security

Mobile Network Security: Mobile networks also need robust security

measures, including encryption and secure communication
protocols, to protect data transmitted over the network.
Real-Life Example: In 2019, a breach in a mobile network’s security
affected millions of users, exposing their personal information and
call records. This incident underscored the need for strong network
security.
Best Practices: Users should enable encryption on their devices,
use secure communication apps, and be cautious about connecting
to unknown networks to protect their data.

74
Mobile Platform Security Features
Device Security

Physical Security: Physical security measures such as lock screens and

biometric authentication (fingerprint, facial recognition) are essential for
preventing unauthorized access to mobile devices.

Real-Life Example: A stolen smartphone was recovered by the police, but

the thief was unable to access the data due to the device’s biometric
security features, protecting the owner’s sensitive information.

Remote Wipe and Find My Device: Features like remote wipe and Find My
Device allow users to locate their lost devices and erase data remotely to
prevent unauthorized access.

75
Cryptography in Mobile Apps
What is Cryptography? Cryptography is the practice of securing
information by transforming it into an unreadable format, only
accessible to those possessing the decryption key. It is a
cornerstone of data security in mobile applications.
Importance of Cryptography in Mobile Apps: With the increasing
use of mobile apps for sensitive transactions, such as banking and
communication, cryptography ensures that data remains
confidential and intact during transmission and storage.
Overview of Cryptographic Techniques: Various cryptographic
techniques, including symmetric and asymmetric encryption,
hashing, and digital signatures, are employed to protect data in
mobile apps.
Real-Life Example: In 2020, a major financial app implemented 76
Cryptography in Mobile Apps
Symmetric Encryption

Definition and Mechanism: Symmetric encryption uses a single key

for both encryption and decryption. The Advanced Encryption
Standard (AES) is a widely used symmetric encryption algorithm.
Advantages: Symmetric encryption is fast and efficient, making it
suitable for encrypting large amounts of data.
Challenges: The main challenge is secure key distribution, as both
the sender and receiver must have access to the same key.
Real-Life Example: Many messaging apps use AES to encrypt
messages, ensuring that only the intended recipient can read them.

77
Cryptography in Mobile Apps
Asymmetric Encryption

Definition and Mechanism: Asymmetric encryption uses a pair of

keys – a public key for encryption and a private key for decryption.
The RSA algorithm is a common example.
Advantages: Asymmetric encryption provides a higher level of
security, as the private key is never shared.
Challenges: It is computationally intensive and slower than
symmetric encryption, making it less suitable for encrypting large
amounts of data.
Real-Life Example: Secure email services use RSA to encrypt
emails, ensuring that only the intended recipient can decrypt and
read the message. 78
Cryptography in Mobile Apps

79
Cryptography in Mobile Apps
Hashing

Definition and Mechanism: Hashing converts data into a fixed-size

string of characters, which is unique to the original data. Common
hashing algorithms include SHA-256 and MD5.
Advantages: Hashing is useful for verifying data integrity, as any
change in the original data results in a different hash value.
Challenges: Hashing is a one-way process, meaning it cannot be
reversed to retrieve the original data.
Real-Life Example: Password storage in mobile apps often uses
hashing to ensure that even if the database is compromised, the
actual passwords remain secure.
80
Cryptography in Mobile Apps
Digital Signatures

Definition and Mechanism: Digital signatures use asymmetric

encryption to verify the authenticity and integrity of a message or
document. The sender signs the data with their private key, and the
recipient verifies it with the sender’s public key.
Advantages: Digital signatures provide non-repudiation, ensuring
that the sender cannot deny having sent the message.
Challenges: The security of digital signatures depends on the
protection of the private key.
Real-Life Example: Many mobile banking apps use digital
signatures to verify transactions, ensuring that they are authorized
by the account holder. 81
Cryptography in Mobile Apps
End-to-End Encryption

Definition and Mechanism: End-to-end encryption ensures that

data is encrypted on the sender’s device and only decrypted on the
recipient’s device, preventing intermediaries from accessing the
data.
Advantages: It provides the highest level of security for data
transmission, as only the communicating parties can access the
data.
Challenges: Implementing end-to-end encryption can be complex
and requires careful key management.
Real-Life Example: Messaging apps like WhatsApp and Signal use
end-to-end encryption to secure user communications. 82
Cryptography in Mobile Apps
Best Practices for Cryptography in Mobile Apps

Use Strong Algorithms: Always use well-established and strong

cryptographic algorithms, such as AES for symmetric encryption
and RSA for asymmetric encryption.
Secure Key Management: Ensure that cryptographic keys are
stored securely and never hard-coded in the app. Use secure key
storage solutions provided by the mobile platform.
Regular Updates: Keep cryptographic libraries and algorithms up to
date to protect against newly discovered vulnerabilities.
User Education: Educate users about the importance of security
features and encourage them to use strong passwords and enable
security settings. 83
Secure Network Communication in Mobile Applications
What is Secure Network Communication? Secure network communication
involves protecting data transmitted between mobile applications and
servers from unauthorized access and tampering. This is crucial for
maintaining the confidentiality, integrity, and authenticity of the data.

Importance in Mobile Applications: Mobile applications often handle

sensitive information such as personal data, financial transactions, and
confidential communications. Ensuring secure network communication is
essential to protect this data from cyber threats.

Common Threats: Mobile applications are vulnerable to various network-

based attacks, including man-in-the-middle (MITM) attacks, packet
sniffing, and data interception. These threats can compromise the
security of the transmitted data.

Real-Life Example: In 2019, a major data breach occurred when attackers

intercepted unencrypted data transmitted by a popular mobile app, 84
Secure Network Communication in Mobile Applications
HTTPS and TLS

HTTPS Overview: HTTPS (Hypertext Transfer Protocol Secure) is an extension

of HTTP that uses TLS (Transport Layer Security) to encrypt data transmitted
between a mobile app and a server. This ensures that the data cannot be
read or tampered with by unauthorized parties.

TLS Mechanism: TLS performs a handshake using public key cryptography to

establish a secure connection. It provides confidentiality, integrity, and
authentication for the data transmitted over the network.

Advantages of HTTPS: HTTPS protects against MITM attacks and ensures that
the data remains confidential and unaltered during transmission. It also helps
in authenticating the server, ensuring that the app is communicating with the
intended server.

Real-Life Example: Many banking apps use HTTPS to secure financial

85
transactions, ensuring that sensitive information such as account details and
Secure Network Communication in Mobile Applications
Certificate Pinning

Definition and Mechanism: Certificate pinning involves associating a specific

server’s certificate with the mobile app, ensuring that the app only trusts
that certificate for secure communication. This prevents attackers from using
fraudulent certificates to intercept data.

Advantages: Certificate pinning provides an additional layer of security by

ensuring that the app only communicates with trusted servers. It helps in
preventing MITM attacks even if a Certificate Authority (CA) is compromised.

Challenges: Implementing certificate pinning requires careful management

of certificates, including updating the app when the server’s certificate
changes.

Real-Life Example: A popular messaging app implemented certificate pinning

to prevent attackers from intercepting user messages, ensuring secure
86
communication between users.
Secure Network Communication in Mobile Applications
Secure Sockets Layer (SSL)

Definition and Mechanism: SSL (Secure Sockets Layer) is a predecessor to

TLS and provides encryption for data transmitted over the network. Although
SSL is now considered outdated, it laid the foundation for modern secure
communication protocols.

Advantages: SSL provided the initial framework for secure communication,

ensuring that data transmitted over the network was encrypted and
protected from interception.

Challenges: SSL has several known vulnerabilities and is no longer

considered secure. Modern applications should use TLS instead of SSL for
secure communication.

Real-Life Example: Early versions of secure websites used SSL to protect user
data during online transactions. However, these sites have since migrated to
87
TLS for enhanced security.
Secure Network Communication in Mobile Applications
VPNs and Secure Tunnels

Definition and Mechanism: Virtual Private Networks (VPNs) create secure

tunnels for data transmission over public networks. VPNs encrypt data before
it leaves the device, ensuring that it remains secure during transmission.

Advantages: VPNs provide a secure communication channel, protecting data

from interception and eavesdropping. They are particularly useful for
securing data transmitted over public Wi-Fi networks.

Challenges: VPNs can introduce latency and may require additional

configuration on the user’s device. Users must also trust the VPN provider to
handle their data securely.

Real-Life Example: Many corporate mobile apps use VPNs to secure remote
access to internal networks, ensuring that sensitive business data is
protected during transmission.
88
Secure Network Communication in Mobile Applications
Best Practices for Secure Network Communication

Use Strong Encryption: Always use strong encryption algorithms such as

AES-256 for encrypting data transmitted over the network. Avoid using
outdated or weak encryption methods.

Regularly Update Certificates: Ensure that certificates used for secure

communication are regularly updated and replaced before they expire. This
helps in maintaining the integrity of the secure communication channel.

Implement Certificate Pinning: Use certificate pinning to prevent MITM

attacks and ensure that the app only communicates with trusted servers.

Educate Users: Educate users about the importance of secure network

communication and encourage them to use secure networks and VPNs when
accessing sensitive information.
89
Assignment - 3
 Explain the architecture of the Android operating system.

 Describe the most common types of mobile threats and provide real-life examples of each.

 Explain how malware can affect mobile devices and suggest methods to detect and prevent it.

 Discuss the impact of phishing attacks on mobile users and how they can be mitigated.

 Analyze the role of social engineering in mobile security breaches and provide strategies to counteract it.

 Evaluate the effectiveness of mobile security solutions in protecting against network-based attacks.

 What are the key principles of secure coding practices for mobile applications? Provide examples.

 Explain the importance of input validation in mobile app development and how it can prevent security vulnerabilities.

 Discuss the role of secure APIs in mobile app security and provide best practices for their implementation.

 Analyze the risks associated with hardcoding credentials in mobile apps and suggest secure alternatives.

 Evaluate the importance of regular code reviews and security testing in maintaining secure mobile applications.

90
Assignment - 3

 Explain the concept of app sandboxing and its significance in mobile security.

 Discuss the role of biometric authentication in enhancing mobile device security.

 Analyze the effectiveness of remote wipe and device tracking features in protecting lost or stolen mobile devices.

 Evaluate the impact of app permissions on user privacy and security. Provide examples of best practices for managing
app permissions.

 Describe the differences between symmetric and asymmetric encryption and their applications in mobile apps.

 Explain the importance of hashing in mobile app security and provide examples of its use.

 Discuss the role of digital signatures in ensuring the authenticity and integrity of mobile app data.

 Analyze the challenges and benefits of implementing end-to-end encryption in mobile messaging apps.

 Evaluate the best practices for key management in mobile applications and their importance in maintaining secure
cryptographic operations.

91