Secure your Android app- fight the leaks!
Upcoming SlideShare
Loading in...5
×
 

Secure your Android app- fight the leaks!

on

  • 176 views

You can consult the speaker's notes on the Google Drive presentation: http://bit.ly/droidcon-sec ...

You can consult the speaker's notes on the Google Drive presentation: http://bit.ly/droidcon-sec

On the corporate environment, data is often more sensitive and strategic than the equipment. During this talk we will explore together the security issues that can occasionally cause leaks on an Android app and how to prevent them.

Statistics

Views

Total Views
176
Views on SlideShare
176
Embed Views
0

Actions

Likes
0
Downloads
1
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Secure your Android app- fight the leaks! Secure your Android app- fight the leaks! Presentation Transcript

  • SECURE YOUR APP FIGHT THE LEAKS! DROIDCON PARIS 2013
  • EYAL LEZMY ANDROID PRESALES ENGINEER, SAMSUNG B2B TREASURER AT PARIS ANDROID USER GROUP ANDROID GOOGLE DEVELOPER EXPERT Slides http://bit.ly/droidcon-sec http://eyal.fr
  • Company THE USER TRUSTS YOU DON'T LET HIM DOWN
  • APPS HAVE TO RESPECT THE DATA Different ways to unintentionally grant other apps access to the data inside your application : Exporting an unprotected component Storing personal data in a world readable file Logging personal data in logcat logs Copyright © 1995-2012 SAMSUNG All rights reserved
  • CHECK YOUR ANDROIDMANIFEST.XML It declares accessible app components Activity, Service, Receive,... Adding <intent-filter> => your element is exported by default ContentProvider is always exported by default, until android:targetSdkVersion="17" Copyright © 1995-2012 SAMSUNG All rights reserved
  • CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications <application android:label="@string/app_name"> … <service android:name=".ServiceExample“ android:exported="false"> <intent-filter> … </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
  • CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications to <application android:label="@string/app_name"> ity itim … leg a? <service android:name=".ServiceExample“ ur at yo e d android:exported="false"> t is pos <intent-filter> ha ex … W </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
  • PERMISIONS There are different permission protection levels: normal Lower risk permission dangerous Higher risk, access to user private data, potential negative impact signature Needs the same certificate signature Copyright © 1995-2012 SAMSUNG All rights reserved
  • PERMISIONS Lets look at the code: <permission android:name="com.example.EXAMPLE_PERM“ android:label="@string/example_perm_l“ android:description="@string/example_perm_d“ android:icon="@drawable/example_perm_i“ android:protectionLevel="signature" /> ... <service android:name=".ServiceExample“ android:permission="com.example.EXAMPLE_PERM"> <intent-filter>...</intent-filter> </service> Copyright © 1995-2012 SAMSUNG All rights reserved
  • PERMISIONS Don't be the weakest link Always check the permission of a caller if you use your permission private boolean checkPermission(Context context) { String permission = "com.example.EXAMPLE_PERM"; int res = context.checkCallingPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); } Copyright © 1995-2012 SAMSUNG All rights reserved
  • DISABLE USELESS ACTIVITIES Fit your components lifecycle to your application's lifecycle If before configuration (login, account creation, ...) a service or activity is not useful, disable it If your application handles common implicit Intent's actions like ACTION_VIEW or ACTION_SEND consider disabling it by default Copyright © 1995-2012 SAMSUNG All rights reserved
  • DISABLE USELESS ACTIVITIES Disabled: <activity android:name="com.example.Activity" android:label="@string/app_name" android:enabled="false"> </activity> Enabled: PackageManager.setComponentEnabledSetting(componentName, newState, flags); Copyright © 1995-2012 SAMSUNG All rights reserved
  • STORING DATA WISELY Protect personal data using MODE_PRIVATE for data files, shared preferences, and databases: openFileOutput() openSharedPreferences() openOrCreateDatabase() External storage (sdcard) is shared storage Copyright © 1995-2012 SAMSUNG All rights reserved
  • PLEASE... SHUT THE FUCK UP! Don't expose data through logcat on production Detect the build mode with BuildConfig.DEBUG public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Be careful about this subject and test it during QA Copyright © 1995-2012 SAMSUNG All rights reserved
  • PROTECTING APP FROM USERS No more android:debuggable on the manifest Don't leave this enabled in release code! ADT 8.0+ do it for you automatically Copyright © 1995-2012 SAMSUNG All rights reserved
  • PROTECTING APP FROM USERS $ adb shell shell@android:/ $ run-as com.android.example sh shell@android:/data/data/com.android.example $ id uid=10060(app_60) gid=10060(app_60) shell@android:/data/data/com.android.example $ ls files/secret_data.txt shell@android:/data/data/com.android.example $ cat files/secret_data.txt Copyright © 1995-2012 SAMSUNG All rights reserved
  • IT'S NOT JUST ABOUT YOUR APP INSECURE NETWORK LOST OR STOLEN DEVICES
  • USE SAFE NETWORKING HTTPS and SSL can protect against Man in the Middle attacks and prevent casual snooping Server certificate validity must be correctly checked "15% of apps have weak or bad SSL implementation on the Play Store" Free certified SSL: https://www.startssl.com/ Copyright © 1995-2012 SAMSUNG All rights reserved
  • DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS ...but it may help discouraging curious. Use a peer-reviewed library like KeyCzar Take care of the key : Create it at first start, with true random Or grab a user key from your server Or ask the user for a passphrase you won't store Copyright © 1995-2012 SAMSUNG All rights reserved
  • DEVICE ADMINISTRATION On a corporate environment, device administration can be considered Password management Device encryption Disable camera Lock the device Remote wipe Copyright © 1995-2012 SAMSUNG All rights reserved
  • BEHIND THE STAGE The APK's content is always world readable, take care about what you put inside Sensitive files should be kept out of the APK Java is open source, your code too Using Proguard takes a single line of code Or... Dex encryption AAPT modified Logic on server Copyright © 1995-2012 SAMSUNG All rights reserved
  • IT'S NOT JUST ABOUT SECURITY THINK ABOUT POLITICS...
  • THE SECURITY PARADOX Copyright © 1995-2012 SAMSUNG All rights reserved
  • NEVER FORGET THE USER, NEVAAAAA! "The more secure you make something, the less secure it becomes" Level the security following the user acceptance or... Users will find workarounds Users won't use your service Copyright © 1995-2012 SAMSUNG All rights reserved
  • REFERENCES Google I/O 2012 Sessions Android Developpers Live Youtube channel Android Developement Android Developement: Using Cryptography The Commons Blog InformationWeek: Security Paradox ThreatPost: SLL implementation on Android apps StartSSL Free certificates Copyright © 1995-2012 SAMSUNG All rights reserved
  • SAMSUNG SMART APP CHALLENGE 2013 SAMSUNG SMART APP CHALLENGE 2013 A Global app challenge Apps for the Galaxy S4 Use of Samsung Chord SDK Apply June 20 - August 31 $800,000 for 10 winners www.smartappchallenge.com
  • SAMSUNG DEVELOPERS http://developer.samsung.com SDKs and Documentation Samsung Chord SDK Bluetooth Low Energy SDK S Pen & Multi Window SDK AllShare Framework Remote Test Lab Test your applications on real devices through the internet Free 24H 365 Days Real Device, NOT emulator Multiple Devices
  • THANK YOU! Slides http://bit.ly/droidcon-sec http://eyal.fr