Updating Android Security Provider

Android relies on a security provider to provide secure network communications. However, from time to time, vulnerabilities are found in the default security provider. To protect against these vulnerabilities, the security provider needs to be updated.

Google Play Services provides a quick way[1] to update the security provider from within your application with just a few lines of code. However, there are still lots of devices without Google Play Services, and you may want to update the security provider for those too. You also may not want to include Google Play Services just for the security provider. Here are simple steps to build the latest security provider from source.

  1. Download the AOSP source as mentioned on AOSP site[2].
  2. Run envsetup.sh
    $ . build/envsetup.sh
  3. Run lunch and specify the desired architecture, e.g. for arm:
    $ lunch aosp_arm-user
  4. Change directory to external/conscrypt
    $ cd external/conscrypt
  5. Run mma. This builds the conscrypt library, the OpenSSL provider used by Android, along with all its dependencies. You can specify the number of jobs according to your CPU:
    $ mma -j8
  6. Get the Java library and the native shared library.
    Path for Java library : out/target/common/obj/JAVA_LIBRARIES/conscrypt_unbundled_intermediates/javalib.jar
    Path for Native library : out/target/product/generic/obj/lib/libconscrypt_jni.so
  7. You can change the name of javalib.jar and add it to your build path. To use the native library, you have to put it under the lib/armeabi directory at the root of your project.

You can easily add this security provider on top of the default one with the following code:
Security.insertProviderAt(new OpenSSLProvider("Any name"), 1);
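
As an added example (not part of the original post and not Conscrypt's own code), the class below installs the provider at application start-up and checks that TLS contexts are actually served by it, instead of assuming the insert succeeded. It assumes the unbundled jar exposes the class as org.conscrypt.OpenSSLProvider; the class name SecureApp and the provider name ConscryptUnbundled are hypothetical.

```java
import android.app.Application;
import android.util.Log;

import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

import javax.net.ssl.SSLContext;

import org.conscrypt.OpenSSLProvider; // assumption: package name inside the unbundled javalib.jar

public class SecureApp extends Application {
    private static final String TAG = "SecureApp";
    // Hypothetical provider name; it must differ from the names already registered.
    private static final String PROVIDER_NAME = "ConscryptUnbundled";

    @Override
    public void onCreate() {
        super.onCreate();
        if (!installProvider()) {
            // Make the fallback visible instead of silently assuming the update applied.
            Log.w(TAG, "Bundled provider not active; platform default TLS provider in use");
        }
    }

    /** Returns true only if a default TLS lookup now resolves to the bundled provider. */
    static boolean installProvider() {
        try {
            Provider bundled = new OpenSSLProvider(PROVIDER_NAME);
            // insertProviderAt returns -1 if a provider with this name is already installed.
            int position = Security.insertProviderAt(bundled, 1);
            if (position == -1) {
                Log.i(TAG, PROVIDER_NAME + " was already registered");
            }
            // Position 1 is the highest preference, so this lookup should hit the new provider.
            Provider active = SSLContext.getInstance("TLS").getProvider();
            return PROVIDER_NAME.equals(active.getName());
        } catch (LinkageError e) {
            // Likely cause: libconscrypt_jni.so is missing or was built for another ABI.
            Log.e(TAG, "Could not load the bundled provider", e);
            return false;
        } catch (NoSuchAlgorithmException e) {
            Log.e(TAG, "No TLS implementation available", e);
            return false;
        }
    }
}
```

Register the class through the android:name attribute of the application element in the manifest so that it runs before any network code.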

[1] https://developer.android.com/training/articles/security-gms-provider.html
[2] https://source.android.com/source/downloading.html


GSOC update: Unit tests for KDE Connect Android

Test-driven development is considered one of the best approaches to developing good-quality, efficient and maintainable software. While refactoring the Android version and adding support for SSL, I realized that it was becoming more and more difficult to test it on an emulator. So while my new phone arrives :D, I tried my hand at the Android Testing Framework.

While there are some tests for the desktop version of KDE Connect, the Android version had no tests at all. Also, I had never realized how UI applications can be tested or how unit tests are going to work if all classes are linked with each other. I had no idea how to isolate a class for a unit test.

The Android Testing Framework, which is built on top of JUnit, provides excellent functionality for writing unit tests for an Android application. It provides the context for the application needed to access shared preferences etc., annotations for categorizing tests like small test, medium test and large test, an annotation to specify that a test should run on the UI thread for UI testing, ways of controlling the UI programmatically, like pressing a button, and a lot of other functionality.

Unit tests are meant to run in isolation, that is, with minimal dependency on any other class or module, and I still had no idea how it could be done. While I was using real classes for unit tests, my mentor recommended mocking some objects using Mockito. Then I came to know about Mockito, an excellent framework to mock any Java class, where we can control the behavior of methods when called, based on the types or values of the arguments, and also perform other tasks on some conditions. Mockito makes writing stubs for objects very easy.

I just studied Software Testing this semester, but all I learned was theoretical, which is good for analyzing what tests to write and what test cases to use, but implementing unit tests was completely different.

After discovering this wonderful and exciting stuff, I am looking forward to a full summer like this 🙂

GSOC 2015 with KDE

GSOC 2015

Though late in posting due to my exams, I would love to tell everyone about finally getting selected for GSOC 2015 to work with KDE to improve the encryption scheme for KDE Connect.

For those who don’t know about GSOC, KDE or KDE Connect, here is a quick introduction:

What is Google Summer of Code?
The Google Summer of Code (GSoC) is an international annual program, held from May to August since 2005, in which Google awards stipends to all students who successfully complete a requested free and open-source software coding project during the summer.

What is KDE?
KDE is an international free software community producing an integrated set of cross-platform applications designed to run on Linux, FreeBSD, Solaris, Microsoft Windows, and OS X systems.

What is KDE Connect?
KDE Connect is a project that aims to enable communication between all your devices. It currently runs on KDE (compilable on other platforms also) and the Android platform.
It was started during GSOC 2013 by Albert Vaca and is continuously being enhanced by adding more and more features and improving functionality.

It currently supports 9 plugins:
1. Battery – shows phone battery status on the desktop
2. Clipboard – a bi-directional clipboard sync between desktop and phone
3. Touchpad – allows your phone to be used as a touchpad for the desktop
4. Media player control – you can access your media players running on the desktop through the phone
5. Notification sync – shows Android notifications on the desktop (currently works for Android versions greater than KitKat)
6. Ping – just to ping one of your devices from another
7. Sftp – allows you to browse the phone’s filesystem through your desktop
8. Share – an easy share of files from desktop to phone or vice versa
9. Telephony Plugin – shows notifications about incoming calls and messages on the desktop, and also pauses media players while you are talking on the phone and resumes them as soon as you hang up

How does it work?
It runs as a background service on the devices. It also has a UI through which the user can interact. As soon as a new device is in the network, it is shown as an available device. You may send a pairing request to the other device, and if the other device accepts it, both devices share their 2048-bit public keys. After pairing, the devices can communicate with each other based on the above-mentioned plugins. All communication between the devices (except file sharing) is encrypted by RSA encryption using the public key shared during pairing.

What is my project?
Since plain RSA is susceptible to many attacks, e.g. Man in the Middle attack and Bleichenbacher attack (as the padding scheme used is PKCS#1 v1.5), my task is to implement the SSL protocol to be used for communication. As the SSL protocol is the most secure protocol currently being used in a wide number of places, it will make the communication much more secure. Also, earlier the full packet was not encrypted; only the main part (the data that is sent) was encrypted. Now the whole network package will be encrypted by SSL itself. File transfers will also be over SSL, so no eavesdropper can see the contents of a file or tamper with it.

Looking forward to a wonderful summer with lots of new things to learn and a stipend to earn 😀

My journey till now …

An entrance into college leads to an entrance into a new world, so I would consider it the start of my journey. I was admitted to DTU in August 2013, where I was first exposed to programming. Although at that point I knew what programming was, I was completely unaware of how to do it. So I started by learning C first from some online resources. From then, it became a hobby for me to write various programs in C and run them on my PC. Being completely unaware of what real software is like, I continued it, learned C++ and started doing some competitive programming. During this time I learned about various data structures and algorithms. This wave continued for nearly 1 year, in which I learned about C, C++, data structures and algorithms, and solved nearly 150+ programming questions on websites like spoj and codechef.
Later my interest in competitive programming started diminishing and I started learning to make Android applications (I always wanted to make some applications that other people can use), where I made some simple Android applications like a basic calculator, a GCM-based application for information sharing etc. Since Java was in many ways similar to C++, there was not much of a problem in shifting to Java from C++, but yeah, null pointer exceptions were a real pain and it was very hard for me to debug them at that time.
I always had an itch to make a game, so after making some Android apps I decided to make a game. So after thinking a lot, I came up with an idea and started implementing it using the libGDX framework. Making a game was a whole new experience for me. Now I was working with some real graphics and it changed my whole perspective towards games. So after some real hard work for nearly 15 days I managed to complete my game. Since I was not good at art from childhood, making graphics for my game was a real challenge for me. Also, I needed some free graphics which I had to modify according to my needs, which was also quite difficult. But after facing all the challenges I finally managed to finish my game and published it on the Play Store with the title Ball Blast.
Later, for some months I just scrolled through the internet to contribute to some open source project (still wanna work with some real projects and learn about how the community works) and found out about KDE Connect, an awesome project started by Albert Vaca which enables different devices to communicate with each other. It has many plugins like file sharing, mpris, touchpad etc. I started contributing to it by submitting some patches and am still working to implement the SSL protocol for communication between the devices. The world of open source taught me how to write flexible and readable code, and also how to make changes in existing code without breaking it while making minimal changes. Due to open source I came to know about Git and the real meaning of GitHub (not just a code sharing website); I wish I had known about it earlier. I also came to know about various other utilities like make, cmake and the Qt framework (an awesome framework for making cross-platform GUI desktop applications in C++).
So at last here I am writing this blog, which I had been trying to do for a long time. I realised that I have missed some part of my life and writing a blog can help me to recover it any time I want. It may also help some fellow developers, as I will be sharing some programming tutorials also.
After all this I still don’t know what I like the most, but I came to know that I like learning new things and working with them. I want to change the world, just haven’t figured out how I am gonna do that, but I will.