Unit 6
Unit 6
1. Telephony.Sms.Conversations
2. Telephony.Sms.Draft
3. Telephony.Sms.Inbox
4. Telephony.Sms.Intents
5. Telephony.Sms.Outbox
6. Telephony.Sms.Sent
Android - Sending SMS
• In Android, you can use SmsManager API or devices Built-in SMS application to send
SMS’s.
• SMSManager class manages operations like sending a text message, data message, and
multimedia messages (MMS).
• For sending a text message method sendTextMessage() is used likewise for multimedia
message sendMultimediaMessage() and for data message sendDataMessage() method
is used.
• SmsManager API
• use ACTION_SEND action to launch an email client installed on your Android device.
Syntax to create an intent with ACTION_SEND action.
To send an email you need to specify mailto: as URI using setData() method and data type
will be to text/plain using setType() method as follows −
emailIntent.setData(Uri.parse("mailto:"));
emailIntent.setType("text/plain");
Intent Object - Extra to send Email
Android has built-in support to add TO, SUBJECT, CC, TEXT etc. fields which can be attached
to the intent before sending the intent to a target email client. You can use following extra
fields in your email −
Sr. No. Extra Data & Description
1 EXTRA_BCC-A String[] holding e-mail addresses that should be blind carbon copied.
2 EXTRA_CC-A String[] holding e-mail addresses that should be carbon copied.
3 EXTRA_EMAIL-A String[] holding e-mail addresses that should be delivered to.
4 EXTRA_HTML_TEXT-A constant String that is associated with the Intent, used with ACTION_SEND to
supply an alternative to EXTRA_TEXT as HTML formatted text.
EXTRA_TEXT-A constant CharSequence that is associated with the Intent, used with ACTION_SEND to
6
supply the literal data to be sent.
7 EXTRA_TITLE-A CharSequence dialog title to provide to the user when used with a ACTION_CHOOSER.
Example
• Click the project drop-down and select or create the project for which you want to add an API key.
• Click the menu button and select APIs & Services > Credentials.
• Click Close.
The new API key is listed on the Credentials page under API keys.
(Remember to restrict the API key before using it in production.)
Add the API key to your app
Follow the steps below to include the API key in your application's manifest, contained in the file
AndroidManifest.xml.
1. In AndroidManifest.xml, add the following element as a child of the <application> element, by
inserting it just before the closing </application> tag:
<meta-data
android:name="com.google.android.geo.API_KEY"
android:value="YOUR_API_KEY"/>
In the value attribute, replace YOUR_API_KEY with your API key (the encrypted string). This element
sets the key com.google.android.geo.API_KEY to the value of your API key.
2. Save AndroidManifest.xml and re-build your application.
Android Google Map
Android allows us to integrate google maps in our application. You can show any location on the
map , or can show different routes on the map e.t.c. You can also customize the map according to
your choices.
<meta-data
android:name="com.google.android.maps.v2.API_KEY"
android:value="AIzaSyDKymeBXNeiFWY5jRUejv6zItpmr2MVyQ0" />
Customizing Google Map
You can easily customize google map from its default view , and change it according to your demand.
Adding Marker
You can place a maker with some text over it displaying your location on the map. It can be done by via
addMarker() method. Its syntax is given below −
You can also change the type of the MAP. There are four different types of map and each give a different
view of the map. These types are Normal,Hybrid,Satellite and terrain. You can use them as below
googleMap.setMapType(GoogleMap.MAP_TYPE_NORMAL);
googleMap.setMapType(GoogleMap.MAP_TYPE_HYBRID);
googleMap.setMapType(GoogleMap.MAP_TYPE_SATELLITE);
googleMap.setMapType(GoogleMap.MAP_TYPE_TERRAIN);
1.Normal: This type of map displays typical road map, natural features like river and some features build
by humans.
2.Hybrid: This type of map displays satellite photograph data with typical road maps. It also displays road
and feature labels.
3.Satellite: Satellite type displays satellite photograph data, but doesn't display road and feature labels.
4.Terrain: This type displays photographic data. This includes colors, contour lines and labels and
perspective shading.
5.None: This type displays an empty grid with no tiles loaded.
Methods of Google map
Methods Description
addCircle(CircleOptions options) This method add circle to map.
addPolygon(PolygonOptions options) This method add polygon to map.
addTileOverlay(TileOverlayOptions
options) This method add tile overlay to the map.
animateCamera(CameraUpdate This method moves the map according to the update with an
update) animation.
clear() This method removes everything from the map.
getMyLocation() This method returns the currently displayed user location.
This method reposition the camera according to the instructions
moveCamera(CameraUpdate update) defined in the update.
setTrafficEnabled(boolean enabled) This method set the traffic layer on or off.
snapshot(GoogleMap.SnapshotReadyC
This method takes a snapshot of the map.
allback callback)
stopAnimation() This method stops the camera animation if there is any progress.
Geocoding and reverse geocoding
Geocoding is the process of converting addresses (like a street address) into
geographic coordinates (like latitude and longitude), which you can use to place
markers on a map, or position the map.
Reverse geocoding is the process of converting geographic coordinates into a human-
readable address.
How to Get Current Location in Android
There are two ways to get the current location of any Android device:
1.Android’s Location Manager API
2.Fused Location Provider: Google Play Services Location APIs
• The user expects the other two parties to have taken the necessary measures to ensure
his safety.
• However, when the nature of the action requires his consent, the end-user is the
decisive factor when it comes to the security of the overall system.
Operating System Security
• The kernel is the core operating system software that handles the CPU resources, the
system memory, the system devices, including the file systems and networking, and is
responsible for managing all the processes.
• It serves as a link between the software and the hardware.
• Android’s kernel is based on the Linux kernel’s long-term support (LTS) branches.
• The decades of continuous improvement have established Linux as a stable and reliable
kernel amongst many businesses and security professionals.
• The security of the Android operating system is based around the following key
security features of the Linux kernel:
Process Isolation
User-Based Permission Model
Inter-Process Communication (IPC)
Sandboxing¹
Android platform uses the Linux user-based permissions model to isolate application
resources.
This process in called application sandbox.
The aim of sandboxing is to prevent malicious external programs from interacting with
the protected app.
The internal operating system components are also protected by the sandboxing
mechanism.
Android uses the User ID (UID) concept to manage an application’s access control and not
the system user’s access control. An application is prohibited from accessing other
application’s data or system features without the necessary permissions.
The application is sandboxed at the kernel level, hence it is guaranteed that the
application is isolated from the rest of the system, regardless of specific development
environment, programming languages or APIs used.
By default, applications have limited access to the operating system. This ensures that a
malicious application cannot get access to the external system from the inside.
Rooting
• To overcome the limitations of the sandbox model, the user is able to root the device. On a Linux system,
root is the name of the account that has access to all files and commands. Being based on Linux, Android
has this concept as well.
• Although counterintuitive, the owner of the device is NOT root. This design decision was made for security
reasons. If the owner was able to do anything in the system, it would be easier for malicious applications to
get control over the entire system by tricking the user into granting them the same permissions.
• But as we’ve already seen, Android is designed to be open. Consequently, the user is allowed to root the
phone, i.e. switch to the root user.
• It should be noted that rooting is not recommended to be done by inexperienced users. Rooting a phone
might result in making the warranty null and void. One should always weight the advantages and
disadvantages of rooting before proceeding.
• After rooting, we can no longer rely on the security measures enforced by the operating system. This means
that we are effectively taking the whole system into our own hands, have control over everything, and
dispose the beautifully engineered security systems in favour of a customised experience.
Verified Boot³
• Verified Boot is a process that ensures that the device is booting the original operating system alongside the
afferent system code, and not a malicious replica.
• Similarly to the Blockchain technology, the Verified Boot establishes a chain of trust between the multiple
components that can be altered, starting from the hardware up to the verified partitions. If any of the
components up the chain is altered, the whole chain is invalidated and the user is warned.
• The device state can be one of the following:
• LOCKED: no custom software can be flashed on the device and boot verification is active
• UNLOCKED: custom software can be flashed on the device and boot verification is inactive
• Root of trust is a cryptographic key used to sign the Android copy that runs on the device. This key is part of the
boot verification. We are able to replace this key in order to run custom Android versions. By doing so, we can
keep the verified boot mechanism even if we use a different OS version.
• Android is continuously delivering minor security updates alongside the major ones that come with every new
Android version.
• The minor updates usually patch discovered vulnerabilities.
• An attacker might try to downgrade the Android version running on the device in order to exploit vulnerabilities
that were patched. This class of attacks is mitigated by Rollback Protection. Rollback Protection is part of the
Verified Boot process.
2. Application Security
• The security aspect of an application is often overlooked. The lack of concern can determine the
application to transform into an attack vector, leveraged by malicious actors.
• Permissions⁴
• In Android, the user’s privacy is protected by the means of permissions. Android applications
requires the user’s consent to perform actions that might impact other applications, the operating
system or the user himself.
•Install-time permissions (for Android 5.1.1 and below): When an application is installed, the user is
presented with the list of all permissions that the app requires.
•Runtime permissions (for Android 6.0 and higher): When an application requests a permission, the user is
prompted with a dialog. Unlike install-time permissions, runtime permissions are usually requested when
the respective functionality is needed. For example, a camera permission should be requested before the
user tries to take a capture.
Data Storage⁵
Data storage is, allegedly, the most sensitive field of Android security. Data is the ultimate goal of an attacker. We
have to make sure that every option of data storage is properly secured according to the sensitivity of the data
saved.
Internal storage: Data stored here is visible only to the corresponding application. Other applications do not
have access to the files stored in the respective application’s directory. When the application is uninstalled, all the
data stored here is erased as well.
External storage: Data stored in external storage is globally readable and writable. This means that any
application can read or write the files stored here. Therefore, it is necessary for the application’s sensitive
information to be stored in the internal storage. However, in case the information can be safely saved publicly, we
should make the necessary validations when we try to read it back. Since the data can be altered by other
applications or attackers, we can’t be certain that the data we previously wrote didn’t transform into a dynamically-
loaded malware.
Content providers: They provide an abstraction over the data stored. With the use of content providers, we have
more control over the read and write permissions. If we develop multiple applications under the same signature,
we can share data between them with the use of a content provider, so that the data is visible only between our
applications.
A common developer habit is that of storing user’s credentials in the SharedPreferences.
However, we should design our data storage by thinking that everything stored can end up in the hands of an
attacker. All the permissions and protections can be nulled if the device is rooted.
To add an extra layer of security we can encrypt the data stored. To encrypt the data, Android provides the
Security⁷ library that includes, inter alia, two classes for data encryption:
Android provides the following classes that facilitate the interprocess communication:
Intent
Binder
Messenger
Intents are the go-to mechanism of passing data when working with activities or broadcast listeners.
Intents can be either explicit or implicit.
Explicit intents are designed to be received by an explicit component, hence the name. This way, we
can be sure that the data sent from application A is received only by the application B. Moreover,
explicit intents can be used to send data between activities inside our applications.
implicit intents specify an action that should be performed. Depending on the action, the intent might
include some data needed for the respective action.
Implicit intents are usually used when our application cannot do an action and we want to delegate
the task to a third-party application.
Binder and Messenger are used to implement remote procedure call (RPC) IPC in Android. They
provide an interface that facilitates secure communication between an application and a service.
Application Signing
• Code signing provides developers with the ability to identify the author of an application and
seamlessly update it, without the need of cumbersome processes. Applications that are not signed
by a developer cannot be uploaded to Google Play.
• Even if an unsigned application package ended up on the device, the application cannot be installed
because the package manager checks whether the package is signed or not before installing any
application.
• If multiple applications are signed using the same certificate, they can specify the
android:sharedUserId key in their manifest so that they share the same UID. However, the key was
deprecated in API 29 because it could cause non-deterministic behaviour when assigning the UID,
hence it is strongly discouraged to be used and may be removed in future versions.
• Applications have the ability to create security permissions protected by the signature. Thus,
applications signed under the same certificate, under different UIDs and application sandboxes, can
access restricted functionalities exposed by one or the other.