The purpose of this wiki page is to gather information which identifies resources which will help us to write secure coding rules/guidelines against vulnerabilities which have been discovered.

Web resources for new Android app secure coding rules and guidelines:

• Specific to the NDK:
  • https://intrepidusgroup.com/insight/2012/05/ndk-file-permissions-gotcha-and-fix/
  • http://community.arm.com/groups/android-community/blog/2013/09/19/10-android-ndk-tips  Ten Android NDK tips
  • “Android NDK | Android Developers”: http://developer.android.com/tools/sdk/ndk/index.html#Contents (also http://developer.android.com/tools/sdk/ndk/index.html )
• https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/  (secure app development guidelines list on the right column summarizes, and full report downloadable)
• http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues It discusses current security problems (JNI), as well as new ones that will arise with ART (arrays and compacting garbage collectors, error handling).
• https://developer.android.com/training/articles/security-tips.html Secure Android app development tips
• http://source.android.com/devices/tech/security/  very large source of info about Android app security
  • http://source.android.com/devices/tech/security/best-practices.html best practices for secure Android coding, within main site above
• https://www.isecpartners.com/media/11991/isec_securing_android_apps.pdf Guidelines for developing secure Android apps
• https://developer.android.com/training/articles/security-ssl.html Android app developers should securely use HTTPS and TLS. Info on how to do so, including using pinning when possible.
• For fleshing out new rule JNI01-J, based on slide 18 from Marc Schoenefeld's Java One presentation: https://www.securecoding.cert.org/confluence/display/java/JNI01-J.+Safely+invoke+standard+APIs+that+perform+tasks+using+the+immediate+caller%27s+class+loader+instance?src=contextnavchildmode
• http://source.android.com/devices/tech/security/index.html Overall Android security overview, but needs searching to find the specific info useful for secure coding of Android apps
• https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy Hardening Android for Security and Privacy

Specific vulnerabilities disclosures

• http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html big list of Google Android CVE security vulns
• http://androidvulnerabilities.org/
• http://www.pcworld.com/article/2366040/android-444-fixes-openssl-connection-hijacking-flaw.html  Android 4.4.4 fixes OpenSSL hijacking vuln
• http://www.networkworld.com/article/2226770/smartphones/risk-and-the-android-heartbleed-vulnerability.html Android and Heartbleed  
• http://www.jpcert.or.jp/english/ JPCERT's English-language Android vulnerabilities site
• http://threatpost.com/android-root-access-vulnerability-affecting-most-devices
• http://www.pcworld.com/article/2111100/rogue-apps-could-exploit-android-vulnerability-to-brick-devices-researchers-warn.html memory corruption via string over 387,000 characters.
• https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss   Android security group, discussions of a lot of secure Android app coding issues
• Three of the CERT secure coding books:
  • Java rules
  • Java guidelines
  • C rules and recommendations

Online coding forums

Books

Conference/workshop proceedings

I have a lot of papers in PDF, might be easiest to give these to you via USB when you’re in Pittsburgh.