Programming Cloud Services for Android Handheld Systems: Security

A key challenge of mobile platforms is that the apps installed on a device increase the number of potential security vulnerabilities. Mistakes in app development or cloud services can lead to vulnerabilities that cause users data to be stolen, charges to user accounts, and spread of malware to a user’s friends. Ensuring that mobile cloud application developers are aware of potential vulnerabilities and avoid introducing them into their code is an essential part of building a more secure app ecosystem.

The course is designed to help students understand how to write more secure mobile cloud applications for Android. Students will be introduced to specific vulnerabilities that have affected well-known apps and be given a wide view of app threats on Android. Developers will also be introduced to the secure coding techniques that can be used to help prevent the introduction of app and cloud service vulnerabilities.

The Mobile Cloud Computing with Android (MoCCA) Specialization

This is the 6th course of the six-course Mobile Cloud Computing with Android (MoCCA) Specialization. It has been designed as part of a Coursera Specialization designed to help learners create complex, cloud-based Android Applications, and includes a final “capstone” project for those who earn Verified Certificates across all six courses.

Note: We are proud to announce that the MoCCA specialization has already reached hundreds of thousands of learners around the globe. In its last iteration, we worked with Google to provide Nexus tablets, feedback from the Google App team, and the potential to be featured in the Google Play store to top course completers.

This time around, we are providing more flexibility for all of you busy learners. We are running the Programming Mobile Applications courses in more digestible one-month-long sections, each with a meaningful mini-project at the end. Additionally, we will be re-offering the courses more frequently. For example, new sessions of my two introductory courses will be launched on a monthly basis, so that you can find a convenient time to join us or pick up where you left off if you didn’t quite finish before.

For previous MoCCA students: If you have already earned a Verified Certificate in the previous version of this course, "Pattern-Oriented Software Architectures: Programming Mobile Services for Android Handheld Systems” offered in May 2014, you do not need to retake this course to continue towards the Specialization certificate and final project in 2015. Please consult the Specializations Help Center or contact the Coursera support team if you are not sure whether you qualify.

This MOOC and five others, taught by Dr. Adam Porter from the University of Maryland and Dr. Jules White from Vanderbilt University, have been designed to complement each other as part of the first trans-institution sequence of MOOCs taught on the Coursera platform, structured as follows:

• The first two courses by Dr. Adam Porter, of the University of Maryland, are Programming Mobile Applications for Android Handheld Systems Part 1 and Part 2. They focus on the design and programming of user-facing applications.  

• The third and fourth courses by Dr. Douglas Schmidt, of Vanderbilt University, are Programming Mobile Services for Android Handheld Systems: Concurrency and Communication. They focus on middleware systems programming topics, such as synchronous and asynchronous concurrency models, background service processing, structured data management, local inter-process communication and networking, and integration with cloud-based services.  

• The fifth and sixth courses by Dr. Jules White, of Vanderbilt University, are Programming Cloud Services for Android Handheld Systems: Spring and Security.  They focus on how to connect Android mobile devices to cloud computing and data storage resources, essentially turning a device into an extension of powerful cloud-based services on popular cloud computing platforms, such as Google App Engine and Amazon EC2.

• The final “capstone” project will require students to develop a complex mobile cloud computing application from the ground up.

Some of the programming assignments and the iRemember integrative project for these MOOCs will be coordinated.  

If you just want to take some of the MOOCs in this sequence or take them all in different order you’re certainly welcome to do so, and you’ll still learn a lot. However, if you take all the MOOCs in this sequence in the order presented you’ll gain a deeper, end-to-end understanding of handheld systems, their applications and services, as well as their integration into the cloud.

This MOOC describes, by example, the basics of securing mobile applications and back-end cloud services. The class is taught in the context of Java, Android, and the Java Spring Framework. Although the cloud service topics in this course will be taught in the context of connecting mobile devices to the cloud, the concepts are broader and will give students the ability to create the cloud services to support large-scale web applications, such as social networking applications; cloud services for embedded systems, such as the Internet of Things and Industrial Internet; and wearable computing devices.

The course is organized into the sections outlined below (additional lectures may be provided live once the MOOC has begun):

Module 1: Android App Security and Risks

• Part 1: Traditional App Accounts
• Part 2: Mobile vs. Traditional App Accounts
• Part 3: App Account Mapping to Linux Users
• Part 4: Apps Lie & Steal
• Part 5: How Android Protects Apps
• Part 6: What Android Doesn't Protect
• Part 7: Avoid Storing Sensitive Data in Public Locations
• Part 8: Risks of Insecure File Permissions

Module 2: Building More Secure Android Apps

• Part 0: The Challenge of Secure Coding
• Part 1: Security Vulnerability Walkthrough
• Part 2: Principles of Secure Abstractions
• Part 3: Avoid Coupling Data & Security State
• Part 4: Build Abstractions that are Hard to Use Insecurely
• Part 5: Bound & Strongly Type Security State
• Part 6: Avoid Conditional Logic in Secure Pathways
• Part 7: Prevent Secure Pathways from Being Broken at Runtime
• Part 8: Privilege Escalation Concepts
• Part 9: Privilege Escalation Scenario
• Part 10: Privilege Escalation Code Walkthrough
• Part 11: Privilege Escalation Fixes
• Part 12: User Interface Attacks
• Part 13: Cross-platform User Interface Attacks

Module 3: Secure HTTP Communication

• Part 1: Man in the Middle Attacks Public Key Infrastructure
• Part 2: HTTPS
• Part 3: Challenges of Storing Secrets on Mobile
• Part 4: WebView Security Issues & Best Practices

Module 4: What was I Saying: Keeping Track of Sessions

• Part 1: Sessions
• Part 2: Spring Security Overview
• Part 3: Spring Security Configuration in Java
• Part 4: Building a Custom UserDetailsService
• Part 5: Setting up a custom UserDetailsService
• Part 6: The Principal
• Part 7: Spring Security Role Annotations
• Part 8: More Complex Expression-based Pre Post Authorize Annotations
• Part 9: Spring Security Controller Code Walkthrough
• Part 10: Spring Security Controller Test Code Walkthrough

Module 5: Authenticating Mobile Clients with OAuth

• Part 1: Stateful Sessions with Cookies Why They Aren't Ideal for Mobile
• Part 2: Stateless Sessions with Tokens
• Part 3: OAuth 2.0
• Part 4: Spring Security OAuth 2.0
• Part 5: A Spring OAuth 2.0 Secured Service
• Part 6: A Retrofit Oauth 2.0 Client for Password Grants