    MITRE Technical Report


    Android Secure Application Development Guidance for DoD

    Michael Peck, Shawn Valle

    30 September 2011



    Sponsor: ESE Capstone
    Dept. No.: G021 / E54A
    Contract No.: W15P7T-12-C-F600
    Project No.: 031280SE-D2

    The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision, unless designated by other documentation.

    This document was prepared for authorized distribution only. Approved for Public Release: 12-3459. Distribution Unlimited.
    ©2011 The MITRE Corporation.
    All rights reserved.

    Prepared By:


    Robert “Pat” Benito, JC2 Pilot Task Lead 2/19/12

    Approved By:


    Josiah R. Collens, Jr. 2/20/12

    Director of Integration for Joint C2


    Executive Summary

    Android applications developed for the US Department of Defense (DoD) are required to go through a workflow process that evaluates and tests them against expected Cyber Security and Information Assurance guidelines. Applications that meet the evaluation guidelines can be permitted into the enterprise application market, known as CAPStore, for user distribution. This document identifies the technical requirements and guidance that Android application developers should adhere to when developing applications for DoD.

    The details within are technical and security focused and should be made available to software engineers and IA engineers. The material follows a logical flow: it begins with application permissions, moves on to securing code and data, and ends with interaction between multiple applications.

    Table of Contents

    1 Introduction

    2 Application Permissions

    1.1 Leverage Android Permissions Model

    1.2 Creating New Manifest Permissions

    3 General Application Authentication

    1.3 Password Guidance

    4 Data Protection

    1.4 Database Encryption

    1.5 SD Card Storage

    1.6 Android Application Package

    1.7 File Permissions

    5 Follow Secure Programming Practices

    1.8 Input Validation

    2 Avoiding SQL injection attacks

    3 Avoiding command injection attacks

    1.9 Sign Application Packages

    1.10 Avoid Android NDK or Java JNI Use, Unless Necessary

    1.11 Third-Party Libraries

    6 Secure Data Communication

    1.12 Leverage TLS/SSL

    1.13 Parameter Content

    7 Secure Inter-App Communication

    1.14 Securing Android Intents

    1.15 Securing Content Providers

    8 Application Update Process

    9 Non-Android SDK Applications

    1.16 Browser-based Apps

    1.17 Adobe Air Apps

    List of Figures

    Figure 3-1 Potential Sample Authentication

    Figure 3-2 Standard DoD PED Banner
