OWASP Mobile Security Project - Android/References

Here are a number of references related to Android Security

Official documentation

 * Main websites: http://www.android.com, http://code.google.com/android , http://developer.android.com/
 * Android Security FAQ
 * Android Developer's Guide
 * Security and Permissions
 * Testing and Instrumentation
 * AndroidManifest.xml File and Permissions list
 * Notepad Tutorial - Recommended starting point to understand Android

Android Security Team

 * Report security vulnerabilities in Android: security@android.com (here is the PGP Public key)
 * Android Security Mailing list
 * Introduction from Android Security Team

Published Research and presentations

 * Presentations
 * Smart Phones Dumb Apps Presentation about how to unpack, disassemble/decompile, and analyze Android applications. Also has a link to some Perl code to automate parts of this process.
 * Coverity SCAN 2010 Open Source Integrity Report which contains information about 88 Kernel bugs in Android
 * Exploratory Android Security (iSEC Partners, Blackhat 2009): https://www.isecpartners.com/files/iSEC_Android_Exploratory_Blackhat_2009.pdf
 * Developing Secure Mobile Applications for Android
 * Building Android Sandcastles in Android's Sandbox at BlackHat Abu Dhabi (Nov 10 - 11 2010) (NOT PUBLISHED YET)
 * Books
 * Mobile Application Security
 * Blog posts
 * Reversing Android Apps 101 and Storing Data On Mobile Devices The Wrong Way  - Jack Mannino
 * Android Emulators with Android Market and Android Market on Emulator

Tools

 * Android Development
 * Android SDK
 * Android Security Review
 * Smart Phones Dumb Apps Presentation about how to unpack, disassemble/decompile, and analyze Android applications. Also has a link to some Perl code to automate parts of this process.
 * Dex2Jar : "...Android mobile device runs applications which have been converted into a compact Dalvik Executable (.dex) format. Dex2Jar converts .dex files to Java .class files..." 
 * ApkTool : "...It is a tool for reengineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc..." 
 * JD : Java Decompiler
 * OWASP O2 Platform can be used to review the Android Java source code (create object model of compiled java code, search source-code files, model config files)
 * Commercial tools (like Fortify, IBM AppScan Source) can parse Java files (the question is "Do they have Android Specific rules")
 * iSec Partners have a number of Android related tools at https://www.isecpartners.com/mobile_application_tools.html

Media Coverage

 * Storing data unencrypted: "Firm finds security holes in mobile bank apps": http://news.cnet.com/8301-27080_3-20021874-245.html
 * PayPal has an issue with lack of SSL in its iPhone app: http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html (more on the iPhone page)