Why and how you should approach Android security in the architecture phase, the implementation phase, and the operation phase.
This covers what kind of security planning should be considered in terms of the business domain and what kind of universally applicable secure coding should be done. It also explains how to store keystores and their passwords safely.
42. Introduction to Build Security In
• A hot topic in the security industry recently
• Build Security In is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.
• By US-CERT (the information security organization under the US Department of Homeland Security (DHS))
[Source] http://www.softic.or.jp/semi/2014/5_141113/op.pdf
61. Input validation for header names and values
[Source: Square] https://github.com/square/okhttp/blob/master/okhttp/src/main/java/
// Rejects header names/values containing control characters (0x00..0x1f) or
// anything at or above DEL (0x7f). In particular this blocks CR/LF, so a value
// cannot start a new header line when the request is written to the wire.
private void checkNameAndValue(String name, String value) {
  if (name == null) throw new NullPointerException("name == null");
  if (name.isEmpty()) throw new IllegalArgumentException("name is empty");
  for (int i = 0, length = name.length(); i < length; i++) {
    char c = name.charAt(i);
    if (c <= '\u001f' || c >= '\u007f') {
      throw new IllegalArgumentException(String.format(
          "Unexpected char %#04x at %d in header name: %s", (int) c, i, name));
    }
  }
  if (value == null) throw new NullPointerException("value == null");
  for (int i = 0, length = value.length(); i < length; i++) {
    char c = value.charAt(i);
    if (c <= '\u001f' || c >= '\u007f') {
      throw new IllegalArgumentException(String.format(
          "Unexpected char %#04x at %d in %s value: %s", (int) c, i, name, value));
    }
  }
}
• Copied verbatim from the patched version of okhttp
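To make the purpose of that check concrete, here is an added example (not okhttp's code and not from the slide deck) that serializes a header map into an HTTP/1.1 request text twice: once with no validation, and once applying the same printable-US-ASCII rule as above. The header names, the `/api` path and the sample value containing a CR/LF are constructed for the demonstration; the class and method names are mine.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public final class HeaderInjectionDemo {

    /** The okhttp rule: every char must lie in the printable US-ASCII range 0x20..0x7e. */
    static boolean isPrintableAscii(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= '\u001f' || c >= '\u007f') return false;
        }
        return true;
    }

    /** Unchecked serialization: whatever is in the map is written to the wire verbatim. */
    static String serializeUnchecked(Map<String, String> headers) {
        StringBuilder sb = new StringBuilder("GET /api HTTP/1.1\r\n");
        for (Map.Entry<String, String> e : headers.entrySet()) {
            sb.append(e.getKey()).append(": ").append(e.getValue()).append("\r\n");
        }
        return sb.append("\r\n").toString();
    }

    /** Checked serialization: refuses any name/value that could break the line structure. */
    static String serializeChecked(Map<String, String> headers) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            String name = e.getKey();
            String value = e.getValue();
            if (name == null || value == null) throw new NullPointerException("header name/value == null");
            if (name.isEmpty() || !isPrintableAscii(name)) {
                throw new IllegalArgumentException("invalid header name: " + escape(name));
            }
            if (!isPrintableAscii(value)) {
                throw new IllegalArgumentException("invalid value for " + name + ": " + escape(value));
            }
        }
        return serializeUnchecked(headers);
    }

    /** Counts the header lines between the request line and the blank line that ends the block. */
    static int countHeaderLines(String request) {
        String[] lines = request.split("\r\n", -1);
        int n = 0;
        for (int i = 1; i < lines.length && !lines[i].isEmpty(); i++) n++;
        return n;
    }

    /** Makes CR/LF visible when printing diagnostics. */
    static String escape(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n");
    }

    public static void main(String[] args) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Host", "example.com");
        // Constructed sample: a request id copied from untrusted input that carries a CR/LF.
        headers.put("X-Request-Id", "abc123\r\nX-Injected: yes");

        String unchecked = serializeUnchecked(headers);
        // Two entries were put in the map, but three header lines reach the wire.
        System.out.println("unchecked request has " + countHeaderLines(unchecked) + " header lines (2 expected):");
        System.out.print(unchecked);

        try {
            serializeChecked(headers);
        } catch (IllegalArgumentException ex) {
            System.out.println("checked serializer rejected it: " + ex.getMessage());
        }
    }
}
```

The unchecked path shows why a per-character check is needed rather than, say, trimming whitespace: the parser on the other side only sees CR/LF-delimited lines, so any CR/LF smuggled inside a value becomes a header the application never intended to send. Rejecting the whole value, as okhttp does, is safer than trying to strip or encode the offending characters, because it surfaces the bad input at the call site instead of silently altering it.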