FIT5003 Software Security S1 2020
Assignment 1: Java and Android Security Programming
• Deadline: Assignment 1 Report submission is due on Monday 18th May 2020, 8:00 AM.
• Demonstration Deadline: The demonstration via the Panopto platform or the interview must be shared/conducted before Wednesday 20th May 2020, 23:59.
• Submission Files:
1. A report in PDF format of at most 6 pages. Appendices and references are excluded from the page count.
2. The Android Studio project, compressed as a zip or rar file.
Note: A handwritten document is not acceptable and will not be marked even if converted and submitted electronically.
• Individual Assignment: This is an individual assignment so each student should work on the assignment tasks alone.
• Submission Platform:
– Electronic submission via Moodle for the report.
– Electronic submission via Moodle for the assignment task code and APKs.
– Video or interview recordings shared with your tutor via the Monash Panopto service.
• Filename Format: Name your files for different assignment tasks as follows:
1. Submission via Moodle: report_SID.pdf
2. Sharing via Panopto: A1_interview_SID as title, in case of an interview.
3. Submission via Moodle of assignment task files: use A1_task_number_SID and the appropriate file extension for the relevant task.
• Late Submission Policy: Submit a special consideration form to formally request a late submission. For this semester, special consideration requests should be sent directly to the faculty and not just to the tutor team. However, do inform the teaching team of your request.
• Late Submission Penalty: A late submitted assignment without prior approval will receive a late
penalty of 20% deduction per day (including Saturday and Sunday) or part thereof, after the due
date and time.
• Plagiarism: It is an academic requirement that your submitted work be original. Zero marks will be
awarded for the whole submission if there is any evidence of copying, collaboration, pasting from
websites, or copying from textbooks.
Note: Plagiarism policy applies to all assessments.
• Grading Procedure:
– To receive a grade for the assignment you must demonstrate and explain your work by creating a video recording of at most 20 minutes using the Panopto platform and sharing it with your tutor.
– You must only demonstrate what you have submitted in your report. The different deadline for the recording is to allow you to find a suitable time to record your demonstration.
– If you have any privacy concerns regarding the Panopto platform then you need to raise them with your tutor by Monday 11th May 2020. Requests for interviews after this date will not be
– You can use the report and any other notes you have prepared beforehand to help you explain
and demonstrate your work.
• IT Use Policy: Your submission must comply with Monash University’s IT Use Policy.
• This assignment is worth 30% of the total unit marks.
• The assignment is marked out of 30 nominal marks.
1 Task 1: Android Java-Based application (20 Marks)
In the Android Studio project that is provided there is a sketched Android application that uses the default or a custom Java keystore to digitally sign a text message entered by the user. The user can choose which Java keystore to use, as long as it is already stored in a common Android folder. The application consists of two Activities: a public one called PrivateUserActivity and a private one called PrivateActivity. When the application starts, the public activity (PrivateUserActivity) is loaded. PrivateUserActivity lets the user enter the path of the custom keystore to be used and, in a second text field, the password needed to open that keystore. It also has three buttons whose functionality is shown in Figure 1.
1. Task 1.1 (15 Marks): Implement the functionality of the private activity PrivateActivity so that:
• it collects and processes the information coming from PrivateUserActivity;
• it extracts the key and certificate information from the keystore and shows in the TextView the key aliases, the certificate type and the cipher/signature algorithm used;
• when the user enters one of the key aliases in the text box shown in Figure 1, has entered a text in the other text box (also shown in Figure 1) and presses the "Return Result" button, the provided text is digitally signed with the private key stored under the chosen alias;
• the resulting digital signature is returned to PrivateActivity and displayed on the app screen using the Toast class (see the relevant code inside the provided Android project).
2. Task 1.2 (5 Marks): Based on the design approach and functionality of the provided Android application, as well as the code you developed for Task 1.1, explain possible design issues that can compromise the security of this Android application.
Figure 1: Android Application Expected Functionality
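Added example (not part of the provided Android Studio project): a plain-JDK program that does the keystore part of Task 1.1 with the same java.security API that PrivateActivity would use, so it can be run and checked from the command line before being moved into the activity. The keystore file, password and alias in the keytool comment are assumptions. The keystore type is PKCS12 because the JKS type does not exist on Android (Android's native type is BKS); PKCS12 is available on both.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;

/*
 * Added example, not the assignment's code. Create a test keystore first
 * (file name, password and alias below are assumptions):
 *   keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
 *     -storetype PKCS12 -keystore demo.p12 -storepass changeit -dname "CN=demo"
 * Run:  java KeystoreSigner demo.p12 changeit demo "message to sign"
 */
public class KeystoreSigner {

    /** Loads a PKCS12 keystore from a file path; a wrong password raises IOException. */
    public static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** One line per entry: alias, certificate type, key algorithm, signature algorithm. */
    public static List<String> describeEntries(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) {                       // secret-key entries carry no certificate
                lines.add(alias + ": no certificate (secret-key entry)");
                continue;
            }
            String sigAlg = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSigAlgName() : "n/a";
            lines.add(String.format("%s: certType=%s keyAlg=%s sigAlg=%s privateKey=%b",
                    alias, cert.getType(), cert.getPublicKey().getAlgorithm(), sigAlg,
                    ks.isKeyEntry(alias)));
        }
        return lines;
    }

    /** Picks a signature scheme that matches the key type instead of hard-coding RSA. */
    static String schemeFor(String keyAlg) {
        switch (keyAlg) {
            case "RSA": return "SHA256withRSA";
            case "EC":  return "SHA256withECDSA";
            default:    throw new IllegalArgumentException("unsupported key algorithm " + keyAlg);
        }
    }

    /** Signs text with the private key under alias; returns the signature Base64-encoded. */
    public static String sign(KeyStore ks, String alias, char[] keyPassword, String text) throws Exception {
        if (!ks.isKeyEntry(alias)) throw new IllegalArgumentException("no private key under alias " + alias);
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPassword);
        Signature sig = Signature.getInstance(schemeFor(key.getAlgorithm()));
        sig.initSign(key);
        sig.update(text.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    /** Verifies a Base64 signature against the certificate stored under alias. */
    public static boolean verify(KeyStore ks, String alias, String text, String signatureB64) throws Exception {
        PublicKey pub = ks.getCertificate(alias).getPublicKey();
        Signature sig = Signature.getInstance(schemeFor(pub.getAlgorithm()));
        sig.initVerify(pub);
        sig.update(text.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(signatureB64));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystoreSigner <keystore.p12> <password> <alias> <text>");
            System.exit(2);
        }
        char[] pw = args[1].toCharArray();
        try {
            KeyStore ks = load(args[0], pw);
            describeEntries(ks).forEach(System.out::println);
            String s = sign(ks, args[2], pw, args[3]);
            System.out.println("signature: " + s);
            System.out.println("verifies: " + verify(ks, args[2], args[3], s));
        } finally {
            Arrays.fill(pw, '\0');   // do not keep the password in memory longer than needed
        }
    }
}
```

The Base64 string returned by sign() is what the app would show in the Toast. Inside the activity, keep the password as char[] and wipe it as above rather than as a String; java.util.Base64 needs API level 26, older targets use android.util.Base64; and reading a keystore from shared external storage needs the READ_EXTERNAL_STORAGE permission on releases before scoped storage, which is the permission point the hints refer to.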
Info: Some Notes-Hints:
• There is a class in PrivateUserActivity.java that is used for storing the keystore information. When this information is provided by the user, an object of this class is created, serialized and sent to PrivateActivity.java using the Android intent mechanism.
• Messages between the two Activities are passed using the Android external intent mechanism.
• Keep in mind that each application needs certain permissions to perform actions related to the Android system (for example, reading a file from external storage).
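Added example (not the project's code) for the design point behind these hints, which is also the starting point for Task 1.2: the same serialized keystore object handed to PrivateActivity with an implicit ("external") intent and with an explicit one. Each class goes in its own file; the KeystoreInfo class name, the extra keys, the request code and the action string are assumptions. The manifest entry for PrivateActivity is assumed to carry android:exported="false".

```java
import java.io.Serializable;
import java.util.Arrays;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.widget.Toast;

/** Carrier for the user's input. The password is a char[] so it can be wiped;
 *  it is still copied into the Intent, so that Intent must never leave the app. */
class KeystoreInfo implements Serializable {
    final String path;        // assumption: e.g. a file under the app's external files dir
    final char[] password;
    final String alias;
    KeystoreInfo(String path, char[] password, String alias) {
        this.path = path; this.password = password; this.alias = alias;
    }
    void wipe() { Arrays.fill(password, '\0'); }
}

/* ---- fragments for PrivateUserActivity ---- */
class PrivateUserActivity extends Activity {
    static final String EXTRA_INFO = "ks.info";            // assumption
    static final String EXTRA_SIGNATURE = "ks.signature";  // assumption
    static final int REQ_SIGN = 1;

    void sendInsecure(KeystoreInfo info) {
        // Implicit intent: Android delivers it to ANY installed app whose <intent-filter>
        // matches the action, so the keystore path and password can leave this app.
        Intent i = new Intent("edu.monash.fit5003.OPEN_KEYSTORE");   // action string is an assumption
        i.putExtra(EXTRA_INFO, info);
        startActivity(i);
    }

    void sendExplicit(KeystoreInfo info) {
        // Explicit intent: the target component is fixed, the object stays in this
        // process, and the signature comes back through onActivityResult.
        Intent i = new Intent(this, PrivateActivity.class);
        i.putExtra(EXTRA_INFO, info);
        startActivityForResult(i, REQ_SIGN);
    }

    @Override
    protected void onActivityResult(int req, int result, Intent data) {
        super.onActivityResult(req, result, data);
        if (req == REQ_SIGN && result == RESULT_OK && data != null) {
            Toast.makeText(this, data.getStringExtra(EXTRA_SIGNATURE), Toast.LENGTH_LONG).show();
        }
    }
}

/* ---- fragments for PrivateActivity ---- */
class PrivateActivity extends Activity {
    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        // With exported="false" only this app can start the activity, so the object
        // is our own; still check it, a missing extra means an unexpected caller.
        KeystoreInfo info = (KeystoreInfo) getIntent()
                .getSerializableExtra(PrivateUserActivity.EXTRA_INFO);
        if (info == null) { finish(); return; }
        // ... load the keystore, list entries, sign the user's text (see KeystoreSigner) ...
    }

    /** Called from the "Return Result" button once the signature has been computed. */
    void returnResult(KeystoreInfo info, String signatureB64) {
        info.wipe();                                      // password is no longer needed
        Toast.makeText(this, signatureB64, Toast.LENGTH_LONG).show();
        setResult(RESULT_OK, new Intent().putExtra(PrivateUserActivity.EXTRA_SIGNATURE, signatureB64));
        finish();
    }
}
```

Points a Task 1.2 answer can build on from this: an implicit intent carrying the password is receivable by any app that registers the action; an exported activity accepts arbitrary Serializable objects from other apps, which is an untrusted-deserialization surface; and a keystore kept in a shared external-storage folder can be copied by other apps and brute-forced offline, so the intent design is only one part of the problem.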
2 Task 2: Android Repackaging for Information Disclosure (10 marks)
Steps for this task:
1. Choose an Android app to attack. There are several APK repositories on the internet from which you can download APKs (e.g. https://www.androiddrawer.com/). You can also use https://apkpure.com/
Info: After repackaging, if the app can no longer be installed, you need to choose another app for repackaging. Reporting this and explaining why it cannot be installed can be a plus to this
2. Select the location where the code will be changed. This can be a single place or multiple places.
The complexity of considered places will be taken into account when marking.
3. Do the actual change (attack). Various tools can be used for this step. For simplicity, Apktool can be used to modify the code at the Smali level. For flexibility, Soot can be used to instrument the code inside Android APK files. Whichever tool is selected, the final attack should be done automatically.
Information about Soot can be found on the official website:
Information about Apktool can be found at:
A short tutorial on Soot can be found at:
Several Android application reverse-engineering tools also ship with recent Kali Linux versions.
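Added example (not the assignment's code): an automated information-disclosure repackaging with Soot, of the kind step 3 describes. It rewrites an APK so that every method of a chosen package writes its signature and its reference-typed arguments to logcat; the class name LeakInstrumenter, the log tag "LEAK", the command-line layout and the Soot version (3.x or later, for set_process_multiple_dex) are assumptions.

```java
import java.util.Collections;
import java.util.Map;

import soot.Body;
import soot.BodyTransformer;
import soot.Local;
import soot.PackManager;
import soot.PatchingChain;
import soot.RefType;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.Transform;
import soot.Type;
import soot.Unit;
import soot.jimple.Jimple;
import soot.jimple.JimpleBody;
import soot.jimple.StringConstant;
import soot.options.Options;

/*
 * Added example, not the assignment's code.
 * Run:    java -cp soot.jar:. LeakInstrumenter app.apk $ANDROID_HOME/platforms com.example.target
 * Output: sootOutput/app.apk (unsigned; must be re-signed before it installs).
 */
public class LeakInstrumenter extends BodyTransformer {
    private final String pkgPrefix;

    LeakInstrumenter(String pkgPrefix) { this.pkgPrefix = pkgPrefix; }

    @Override
    protected void internalTransform(Body body, String phase, Map<String, String> opts) {
        SootMethod m = body.getMethod();
        if (!m.getDeclaringClass().getName().startsWith(pkgPrefix)) return;   // leave libraries alone

        JimpleBody b = (JimpleBody) body;
        PatchingChain<Unit> units = b.getUnits();
        Unit at = b.getFirstNonIdentityStmt();   // parameters are bound by the identity stmts before this

        SootMethod logI = Scene.v().getSootClass("android.util.Log")
                .getMethod("int i(java.lang.String,java.lang.String)");
        SootMethod valueOf = Scene.v().getSootClass("java.lang.String")
                .getMethod("java.lang.String valueOf(java.lang.Object)");

        // Log.i("LEAK", "<method signature>")
        units.insertBefore(Jimple.v().newInvokeStmt(Jimple.v().newStaticInvokeExpr(
                logI.makeRef(), StringConstant.v("LEAK"), StringConstant.v(m.getSignature()))), at);

        // For each reference-typed parameter: tmp = String.valueOf(param); Log.i("LEAK", tmp)
        for (int i = 0; i < m.getParameterCount(); i++) {
            Type t = m.getParameterType(i);
            if (!(t instanceof RefType)) continue;   // primitives and arrays are skipped here
            Local tmp = Jimple.v().newLocal("leak" + i, RefType.v("java.lang.String"));
            b.getLocals().add(tmp);
            units.insertBefore(Jimple.v().newAssignStmt(tmp,
                    Jimple.v().newStaticInvokeExpr(valueOf.makeRef(), b.getParameterLocal(i))), at);
            units.insertBefore(Jimple.v().newInvokeStmt(Jimple.v().newStaticInvokeExpr(
                    logI.makeRef(), StringConstant.v("LEAK"), tmp)), at);
        }
        b.validate();   // fail fast if the Jimple we produced is malformed
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: LeakInstrumenter <app.apk> <android-platforms-dir> <package-prefix>");
            System.exit(2);
        }
        Options.v().set_src_prec(Options.src_prec_apk);            // read dex, not .class files
        Options.v().set_output_format(Options.output_format_dex);  // write dex back into an APK
        Options.v().set_process_dir(Collections.singletonList(args[0]));
        Options.v().set_android_jars(args[1]);                     // android.jar chosen by the APK's target SDK
        Options.v().set_allow_phantom_refs(true);                  // unresolved framework classes are tolerated
        Options.v().set_process_multiple_dex(true);                // multidex apps
        Scene.v().addBasicClass("android.util.Log", SootClass.SIGNATURES);
        Scene.v().addBasicClass("java.lang.String", SootClass.SIGNATURES);

        PackManager.v().getPack("jtp").add(new Transform("jtp.leak", new LeakInstrumenter(args[2])));
        Scene.v().loadNecessaryClasses();
        PackManager.v().runPacks();
        PackManager.v().writeOutput();
    }
}
```

Soot strips the original signature, so the output must be aligned and signed with your own key (zipalign -p 4, then apksigner sign --ks your.jks), and the original app must be uninstalled first: Android refuses to update an installed package with an APK signed by a different certificate, which is the usual reason a repackaged app "can no longer be installed". Apps that verify their own signing certificate at runtime, or whose code is protected by a packer, are the other common reason, and both are worth reporting as the Info note above suggests. With the patched app running, adb logcat -s LEAK shows the disclosed method names and arguments.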