• Description: Android permissions, cryptographic providers, network security
• Practical part: Permissions, encrypt/decrypt, MAC, Trust Store

• Lecture Slides

List all permissions currently known by the system using the pm command. Display more information about each permission using -f (defining package, label, description and protection level).

Create an application with 2 activities. In each activity display a specific message using a TextView. Declare a new permission in the manifest file (permission tree, permission group and the actual permission). The permission must have the protection level dangerous. For the second activity, request the new permission (android:permission). Run this application.

Create another application with a single activity. In the activity include a button. When the button is pressed, an intent should be sent to start the second activity of the first application. The intent for launching an activity from another application should look like this:

Intent i = new Intent();
// Replace the package name and full qualified name of the second activity with the ones from your package
i.setComponent(new ComponentName("com.example.user.application1", "com.example.user.application1.MainActivity2Activity"));
i.setAction("com.example.user.application1.startSecondActivity");
startActivity(i);

Run the application. When pressing the button you should get a SecurityException (Permission Denied). For solving this, use the declared permission in the manifest of the second application.

In the first application (with 2 activities), include an EditText and a button in the first activity. When the user types a text and presses the button, it will send the text to the second activity through an intent (putExtra). In the second activity, get the message from the Intent and display it in the TextView.

In the first activity generate a symmetric key using KeyGenerator for HmacSha256 algorithm. Save this key in a Singleton (that can be accessed from both activities). Then generate the HMAC of the text introduced by the user (using Hmac with HmacSha256 algorithm) and send the HMAC along with the initial message (through the Intent). In the second activity, obtain the HMAC from the Intent, obtain the Singleton, get the symmetric key and recompute the HMAC.If the HMAC is valid (equal with the recomputed one), Display the message “Data is unmodified”.

Hint: Send data and HMAC as byte arrays in the Intent.

In the first activity generate another symmetric key using KeyGenerator for AES algorithm (or use the same key from Task 2). Save the key in the Singleton. Encrypt the text typed by the user using Cipher with algorithm AES/CBC/PKCS5Padding. Send the ciphertext through the Intent to the second activity (instead of the plain text). Also send the initialization vector (IV). In the second activity, extract the ciphertext and IV from the Intent, decrypt the ciphertext using Cipher and display it in the TextView.

Hint: In the first activity, compute the MAC and then encrypt the data. In the second activity, decrypt the data and then verify the MAC. Hint: Send ciphertext, IV and HMAC as byte arrays in the Intent. Hint: Use doFinal to directly encrypt and decrypt (no need for update + doFinal).

Create an application and display the system (default) trust store using the TrustManager.