## 08 - Android Security

• Description: Android permissions, cryptographic providers, network security
• Practical part: Permissions, encrypt/decrypt, MAC, Trust Store

### Practical

#### Task 1 - List Permissions (1p)

List all permissions currently known by the system using the pm command. Display more information about each permission using -f (defining package, label, description and protection level).

#### Task 2 - Custom Permissions (3p)

Create an application with 2 activities. In each activity display a specific message using a TextView. Declare a new permission in the manifest file (permission tree, permission group and the actual permission). The permission must have the protection level dangerous. For the second activity, request the new permission (android:permission). Run this application.

Create another application with a single activity. In the activity include a button which will be used to start the second activity of the first application. For this, first we will use an implicit intent and then we will change it to an explicit one. For an implicit intent we will define an intent filter in the manifest file of the first application in the second activity node.

<intent-filter>
<action android:name="com.example.user.application1.startSecondActivity" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>

Then we will define the implicit intent for launching the activity from the first application:

Intent i = new Intent();

// The action string represents the intent filter name defined in the manifest file of the first application
i.setAction("com.example.user.application1.startSecondActivity");

startActivity(i);

If you want to use an explicit intent instead of an implicit one:

Intent i = new Intent();

// Replace the package name and full qualified name of the second activity with the ones from your package
i.setComponent(new ComponentName("com.example.user.application1", "com.example.user.application1.MainActivity2Activity"));

startActivity(i);

Run the application. When pressing the button you should get a SecurityException (Permission Denied). For solving this, use the declared permission in the manifest of the second application.

#### Task 3 - Generate and Verify HMAC (3p)

In the first application (with 2 activities), include an EditText and a Button in the first activity. When the user types a text and presses the button, it will send the text to the second activity through an intent (putExtra). In the second activity, get the message from the Intent and display it in the TextView.

In the first activity generate a symmetric key using KeyGenerator for HmacSha256 algorithm. Save this key in a Singleton (that can be accessed from both activities). Then generate the HMAC of the text introduced by the user (using Hmac with HmacSha256 algorithm) and send the HMAC along with the initial message (through the Intent). In the second activity, obtain the HMAC from the Intent, obtain the Singleton, get the symmetric key and recompute the HMAC.If the HMAC is valid (equal with the recomputed one), Display the message “Data is unmodified”.

Hint: Send data and HMAC as byte arrays in the Intent.
Hint: Use Arrays.equals() for byte arrays comparison.

#### Task 4 - Encrypt and Decrypt Data (3p)

In the first activity generate another symmetric key using KeyGenerator for AES algorithm (or use the same key from Task 2). Save the key in the Singleton. Encrypt the text typed by the user using Cipher with algorithm AES/CBC/PKCS5Padding. Send the ciphertext through the Intent to the second activity (instead of the plain text). Also send the initialization vector (IV). In the second activity, extract the ciphertext and IV from the Intent, decrypt the ciphertext using Cipher and display it in the TextView.

Hint: In the first activity, compute the MAC and then encrypt the data. In the second activity, decrypt the data and then verify the MAC.
Hint: Send ciphertext, IV and HMAC as byte arrays in the Intent.
Hint: Use doFinal to directly encrypt and decrypt (no need for update + doFinal).