Explore
For Enterprise
Join for Free
Log In

Explorar
Buscar
For Enterprise
Inicia Sesión
Únete de forma gratuita

Privilege Escalation I

Loading...

Engineering Maintainable Android Apps

Universidad Vanderbilt

4.5 (152 calificaciones) | 11K estudiantes inscritos

Curso 4 de 5 en Android App Development Programa Especializado

Engineering Maintainable Android Apps, which is a 4 week MOOC that shows by example various methods for engineering maintainable Android apps, including test-driven development methods and how to develop/run unit tests using JUnit and Robotium (or equivalent automated testing frameworks for Android), as well as how to successfully apply common Java/Android software patterns to improve the extensibility and clarity of Android apps. Students will work on the appropriate automated unit quizzes, based on the material covered in the lecture videos. These lessons will demonstrate the benefits of good software engineering practices that are targeted at creating maintainable code for mobile apps. There will be roughly 3-4 hours of student engagement time per week, including video lectures, and quizzes. The ordering of the modules within the course is designed to be flexible. In particular, students can watch the videos in whatever order suits their experience and needs, e.g., they may want to watch the unit testing videos prior to the software pattern videos if they prefer to learn about unit testing first.

Destrezas que aprenderás

Software Testing, Unit Testing, Android Software Development, Junit

Revisiones

4.5 (152 calificaciones)

5 stars
101 ratings
4 stars
37 ratings
3 stars
6 ratings
2 stars
5 ratings
1 star
3 ratings

GN

Aug 03, 2017

An Excellent course. I will say it is an online course that made me study as if I were in a classroom

ME

Sep 20, 2017

gave me a very good overview on security as a whole and on security specifically for android.

De la lección

Security & Sustainability II

This module provides an introduction to Unit Testing using the Junit 4.0 Framework in Android, as well as an introduction to Testing Frameworks using the Robotium open-source test framework for writing graybox testing cases to automate the testing of multi-Activity Android apps.

Traditional App Accounts3:15

Traditional vs. Mobile App Accounts5:28

App Account Mapping to Linux Users4:45

Apps Lie & Steal4:23

How Android Protects Apps13:52

What Android Does Not Protect14:20

The Challenges of Secure Coding2:48

Security Vulnerability Walkthrough7:30

The iRemember App Example3:38

Privilege Escalation I5:40

Privilege Escalation II4:07

Privilege Escalation III6:22

Course Wrap-up13:59

Impartido por:

Dr. Douglas C. Schmidt
Professor of Computer Science and Associate Chair of the Computer Science and Engineering Program
Michael Walker
Instructor - Graduate Student pursuing PhD in Computer Science
Dr. Jules White
Associate Professor of Computer Science

Transcripción

[MUSIC] Let's talk about some new stories that have been out on the internet about different security issues that we've seen with some production apps. These are some pretty big name apps that have had security issues, and we don't write apps that have these same flaws. Now the specific type of flaw we're going to look at in this case, is called a privilege escalation. Now you may say, well I would never write an app that would accidentally have this flaw. But, the reality is, these are very subtle mistakes that developers make, where they don't realize the ramifications of the decisions they're making, particularly when they let other apps talk to their app in order to access services within their app. It's very easy to make mistakes to accidentally break things like the permissions model on Android. Now, you may say I'll never do that. Let's show you how you could accidentally and inadvertently do something like this with the iRemember app. Let's talk about two services that we could extend the iRemember app with. That might seem benign and very helpful to other apps on the device, but that we can actually show we'll create a security issue on the device. So let's talk about these two services that we're going to extend the iRemember app with, and then use as an example of poor security. So the first one is we decide that we'd like to be able to share stories via an intent. So that other apps that allow you to compose a story, and maybe attach a photo to a story can simply send an intent to this service. So they'll send an intent, and that intent will have a story, plus a photo, and then the service will go off and share that story and that photo that the other app sent to us. Now, let's further assume that, you know, to be really flexible, we decide that we want to create a version of the iRemember app that can share stories and photos to different servers on the Internet. So, we don't want to control all of the iRemember servers, we want to have, maybe, iRemember servers that are for Vanderbilt University, or a set of iRemember servers that are for the University of Maryland. Because we want to be able to have different sets of stories and photographs depending on the location. And we decide we don't want to centrally manage all that information. So one of the things that we could do on this intent is we could allow it to also include the URL of the server that we want to share that story in that photo with. And then what we would do is actually when this intent gets sent to this service to share the story and photo, it would go off and would access the internet. And do the actual share force by sending it to that server. Now this seems like a very benign thing, but as we'll show in a second here this actually opens up a security hole in Android's permissions model. Now let's look at our second service that we're going to add. So let's say for example that we decided that we want to be able to attach photos to the stories in iRemember. But attach photos that aren't necessarily locally stored on the device. So we want the user to be able to type in a URL of a photo to share. Maybe it's a photo that's stored on Facebook's servers or Google+'s servers or somewhere else. So we want to give the ability for a user to specify an arbitrary URL. And then we want to create a service that will automatically go and fetch that photo from the Internet and download it to the local disk. And then return a file descriptor, or URI, specifying where that photo was downloaded to. But, since we're already going in and creating a capability to allow other apps to share stories and photos, why don't we go ahead and just expose this service to download arbitrary photos from the internet as an intent service, as well. Similarly we'll allow apps to send to this service and intent, and in that intent we will have the URL of the photo that we want to go and collect from the internet. The service will go an access the internet, it'll download that file And then it will return to this original service, the file that was downloaded, a location of that file that was downloaded. Again this seems like a helpful service, to that we could have our app, the iRemember app exposed to other apps on the device. So that it makes it easier for them to share photos and stories. But in both cases, we'll actually see that we're doing something inadvertently that's breaking Android's permissions model. One of the things to remember is that for both of these to work we're going to have to add the uses permission to iRemember for internet. Now we've already probably got it there for the capabilities that we were exposing iRemember but we have to remember that we have internet permissions in order for all of this to work.

Explora nuestro catálogo

Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.

Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.

© 2019 Coursera Inc. Todos los derechos reservados.

Consíguelo en Google Play

Coursera
Acerca de
Liderazgo
Empleo
Catálogo
Certificados
Certificados MasterTrack™
Grados
For Enterprise
For Government
Para el campus

Comunidad
Learners
Partners
Developers
Beta Testers
Translators

Conectar
Blog
Facebook
LinkedIn
Twitter
Instagram
Youtube
Blog de Tecnología

Más
Términos
Privacidad
Ayuda
Accesibilidad
Prensa
Contacto
Directorio
Afiliados