• 30 September 2011
  • Prepared By: Signed
  • Executive Summary
  • Table of Contents
  • List of Figures
    		•

    Mitre technical report




    Download 0.77 Mb.
    bet1/6
    Sana21.03.2020
    Hajmi0.77 Mb.
    #8283
    TuriReport
      1   2   3   4   5   6


    Android Secure Application Development Guidance for DoD


    Michael Peck, Shawn Valle

    30 September 2011

    MTR120076

    MITRE TECHNICAL REPORT






    Sponsor: ESE Capstone
    Dept. No.: G021 / E54A
    Contract No.: W15P7T-12-C-F600
    Project No.: 031280SE-D2

    The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision, unless designated by other documentation.

    This document was prepared for authorized distribution only. Approved for Public Release: 12-3459. Distribution Unlimited
    ©2011 The MITRE Corporation.
    All rights reserved.






    Prepared By:

    Signed

    Robert “Pat” Benito, JC2 Pilot Task Lead 2/19/12



    Approved By:

    Signed

    Josiah R. Collens, Jr. 2/20/12


    Director of Integration for Joint C2
    NSEC

    This page intentionally left blank.



    Executive Summary

    Android applications developed for US Department of Defense (DoD), are required to go through a workflow process to evaluate and test for meeting expected Cyber Security and Information Assurance guidelines. Applications that meet the evaluation guidelines can be permitted into the enterprise application market, known as CAPStore, for user distribution. The following documentation identifies the technical requirements and guidance Android application developers should adhere to when developing applications for DoD.

    The details within are technical and security focused, and should be made available to software engineers and IA engineers. The material is organized with a logical flow in mind, initially focusing on application permissions, then into securing code and data, and finally focusing on multiple application interaction.

    Table of Contents


    1Introduction 1

    2Application Permissions 1

    1.1Leverage Android Permissions Model 1

    1.2Creating New Manifest Permissions 1

    3General Application Authentication 2

    1.3Password Guidance 3

    4Data Protection 4

    1.4Database Encryption 5

    1.5SD Card Storage 5

    1.6Android Application Package 6

    1.7File Permissions 6

    5Follow Secure Programming Practices 1

    1.8Input Validation 1

    2Avoiding SQL injection attacks 1

    3Avoiding command injection attacks 2

    1.9Sign Application Packages 2

    1.10Avoid Android NDK or Java JNI Use, Unless Necessary 3

    1.11Third-Party Libraries 3

    6Secure Data Communication 1

    1.12Leverage TLS/SSL 1

    1.13Parameter Content 4

    7Secure Inter-App Communication 1

    1.14Securing Android Intents 1

    1.15Securing Content Providers 4

    8Application Update Process 1

    9Non-Android SDK Applications 1

    1.16Browser-based Apps 1

    1.17Adobe Air Apps 1




    List of Figures

    Figure 3‑1 Potential Sample Authentication 2

    Figure 3‑2 Standard DoD PED Banner 4


    This page intentionally left blank.





    1. Download 0.77 Mb.
      1   2   3   4   5   6




    Download 0.77 Mb.