Google Explains Security Enhancements in Android 4.2; Android Camp Registration Open

Google Android Camp is a week-long educational summer program at Mountain View, open to thirty current freshmen and sophomores. Google also highlights the security enhancements in Android 4.2, Jelly Bean, for users and devs.

Google's third annual Android Camp, a week-long educational summer program, runs from June 9 to June 15, 2013 at Google's headquarters in Mountain View, California. Sign-up is open now, and the deadline to apply is March 17th.

Google Android Camp 2013

Android Camp is open to current freshmen and sophomores studying computer science or a related major at a four-year university in the U.S. and Canada.

Additionally, it includes an interactive and collaborative curriculum focused on providing a practical introduction to developing applications for the Android operating system.

In addition, "students will explore the concepts behind Android, the framework for constructing an application, and the tools for developing, testing, and publishing software for the platform," Google said, adding, "Students will also get the opportunity to enjoy technical talks by Googlers, network with talented students and attend social activities around Silicon Valley."

For more information and to submit your application, please visit google.com/students/androidcamp

In another blog post, the Android Developers team highlights the new security features in Android 4.2 Jelly Bean that are especially important for developers to be aware of and understand.

Android 4.2, Jelly Bean, introduces a number of security enhancements to ensure a more secure environment for users and developers. "Regardless whether you are targeting your app to devices running Jelly Bean or to earlier versions of Android, it's a good idea to validate these areas in order to make your app more secure and robust," Google writes.

Here is a quick run-down of some of the new security features:

Content Provider default access has changed. "Devs can control access to your content providers through a combination of the exported attribute in the provider declaration and app-specific permissions for reading/writing data in the provider," informs Google.

New implementation of SecureRandom based on OpenSSL.

In general, the switch to the new SecureRandom implementation should be transparent to apps. "A recommended approach is to generate a truly random AES key upon first launch and store that key in internal storage," the team explains.

JavascriptInterface methods in WebViews must now be annotated with @JavascriptInterface in order to make them accessible from hosted JavaScript.

Secure USB debugging in 4.2.2, when enabled on a device, ensures that only host computers authorized by the user can access the internals of a USB-connected device using the ADB tool included in the Android SDK.

Secure USB debugging is enabled in the Android 4.2.2 update that is now rolling out to Nexus devices across the world.

"For developers, the change to USB debugging should be largely transparent. If you've updated your SDK environment to include ADB version 1.0.31 (available with SDK Platform-tools r16.0.1 and higher), all you need to do is connect and authorize your device(s). If your development device appears in 'offline' state, you may need to update ADB. To do so, download the latest Platform Tools release through the SDK Manager," explains the Android dev team.

For a full list of security best practices for Android apps, make sure to take a look at the Security Tips document.

Update 02/20: The Android dev team today explains how developers can use cryptography to safely store user credentials, such as passwords and auth tokens, on local storage.

Google describes an anti-pattern that, rather than storing an encryption key directly as a string inside an APK, "uses a proxy string to generate the key instead -- similar to a passphrase."

This essentially obfuscates the key so that it's not readily visible to attackers.

Google further notes that if an app needs additional encryption, a recommended approach is to require a passphrase or PIN to access your application. "This passphrase could be fed into PBKDF2 to generate the encryption key.

"PBKDF2 is a commonly used algorithm for deriving key material from a passphrase, using a technique known as 'key stretching'. Android provides an implementation of this algorithm inside SecretKeyFactory as PBKDF2WithHmacSHA1," explains the team.

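The passphrase-to-key derivation quoted above, as an added example (not code from Google's post or from this article): it stretches a passphrase with PBKDF2WithHmacSHA1 and a random salt, then uses the derived key to encrypt a constructed sample token. The class and method names, iteration count, blob layout and the choice of AES-GCM are this example's assumptions, and it needs a JVM or Android release that provides GCMParameterSpec.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class CredentialVault {
    static final int ITERATIONS = 10000; // assumed work factor, tune per device
    static final int KEY_BITS = 256, SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    // Key stretching: passphrase + random per-blob salt -> 256-bit AES key.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] raw = f.generateSecret(spec).getEncoded();
        spec.clearPassword(); // drop the spec's copy of the passphrase
        return new SecretKeySpec(raw, "AES");
    }

    // Blob layout (this example's own): salt || iv || ciphertext+tag.
    static byte[] seal(char[] passphrase, byte[] secret) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + secret.length + TAG_BITS / 8)
                .put(salt).put(iv).put(c.doFinal(secret)).array();
    }

    // Throws on a wrong passphrase or a modified blob (the GCM tag check fails).
    static byte[] open(char[] passphrase, byte[] blob) throws GeneralSecurityException {
        SecretKey key = deriveKey(passphrase, Arrays.copyOfRange(blob, 0, SALT_LEN));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, SALT_LEN, IV_LEN));
        return c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] token = "constructed-sample-token".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] blob = seal("correct horse".toCharArray(), token);
        System.out.println(Arrays.equals(token, open("correct horse".toCharArray(), blob)));
        try { open("wrong pin".toCharArray(), blob); }
        catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getClass().getSimpleName()); }
    }
}
```
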
About The Author

Deepak Gupta is an IT & Web Consultant. He is the founder and CEO of diTii.com & DIT Technologies, where he's engaged in providing Technology Consultancy, Design and Development of Desktop, Web and Mobile applications using various tools and software.