Tutorial: Building Secure Android Applications

An abridged version of this tutorial is available here.

Instructors: William Enck and Patrick McDaniel

Intended Audience

The tutorial is intended for developers and security professionals wishing to learn about the Android mobile phone platform and application security. Participants should have some familiarity with Java, but not necessarily experience building Android applications. Having a laptop pre-installed with Eclipse and the Android SDK is recommended for greatest take-away. Instructions on how to prepare for the tutorial can be found at: http://siis.cse.psu.edu/android-tutorial.html


The Google Android mobile phone platform is one of the most anticipated smartphone operating systems. Android builds on a component-based framework for developing mobile applications, where each application is composed of different numbers and types of components. The application framework encourages component interaction between applications, allowing developers to build upon each other's functionality. However, if not properly controlled, these interactions may lead to vulnerabilities in both applications and the phone.

This tutorial describes the mechanisms available to develop secure applications within Android's development framework. We begin with the basics of building Android applications and describe how subtle design decisions impact an application's security. This knowledge will be applied towards building a small suite of applications whose interaction achieves a larger goal. After completing this tutorial, participants will be ready to start developing their own Android applications with an acute understanding of the potential dangers encountered during the process.

About the Instructors

William Enck is a doctoral candidate researching network and systems security in the SIIS Lab in the Computer Science and Engineering Department at Penn State University. William's research efforts have included telecommunications security, specifically modeling and characterizing SMS vulnerabilities, systems and hardware security, and large-scale network configuration. His work has appeared in many major conferences and journals and has received national and international press coverage.

Patrick McDaniel is an Associate Professor in the Computer Science and Engineering Department at the Pennsylvania State University and co-director of the Systems and Internet Infrastructure Security Laboratory. Patrick's research efforts centrally focus on network, telecommunications, and systems security, language-based security, and technical and public policy issues in digital media. Patrick was awarded the National Science Foundation CAREER Award and has chaired several top conferences in security including, among others, the 2007 and 2008 IEEE Symposium on Security and Privacy and the 2005 USENIX Security Symposium. Patrick is the editor-in-chief of the ACM Journal Transactions on Internet Technology (TOIT), and serves as associate editor of the journals ACM Transactions on Information and System Security and IEEE Transactions on Software Engineering. Prior to pursuing his Ph.D. in 1996 at the University of Michigan, Patrick was a software architect and program manager in the telecommunications industry.

Tutorial Materials

Pre-Tutorial Setup

To avoid delays and complications during the tutorial, we advise participants to set up the Android development environment in advance. We will be using the Android 1.5 SDK, Release 1 running in Eclipse 3.4 (Ganymede; download and install "Eclipse IDE for Java Developers"). Participants should follow the installation or upgrading instructions for their development platform as described on Android's SDK developer website. This includes:

  1. Installing Eclipse
  2. Downloading and extracting the Android SDK archive
  3. Installing the Android Eclipse plugin
  4. Setting up the Android Eclipse plugin

Finally, participants may wish to browse the Android developer's guide, but this is not necessary.