Android Security - Common Security Pitfalls in Android Applications

Aditya Gupta from Attify talks about the common security pitfalls in Android apps.


  1. Common Security Pitfalls in Android Apps
     Aditya Gupta, Attify
  2. Who Am I
     • Founder, Attify
     • Mobile Security Researcher
     • Developing a secure BYOD solution for enterprises
     • Co-creator of AFE (Android Framework for Exploitation)
     • Upcoming tool: DroidSE
     • Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan, etc.
  3. Agenda
     • Security Overview of Android Apps
     • Some vulnerabilities in Android Apps
     • Secure Coding
  4. Android Security Model
     • Based on Linux
     • Security features are derived mostly from Linux
     • Application Isolation
     • Each app runs in its own DVM
  5. Security Overview of Android Apps
     • Application Sandboxing
     • Data stored in /data/data/[package-name]/
     • AndroidManifest.xml plays an important role
     • Permissions while accessing activities, services, content providers
  6. Hard Coding Sensitive Info
     • Have seen some apps hardcode sensitive info
     • Reversing applications
     • Encrypting passwords: really common
     • Use protection to prevent apps from being reversed
     • Never hardcode sensitive info in an app.
  7. Protecting against Reversing
  8. Logging Sensitive Information
  9. Logging Sensitive Information
     // The OAuth access token and its expiry are written to logcat, where other
     // apps or anyone with a debug connection can read them
     Log.d("Facebook-authorize", "Login Success! access_token=" + getAccessToken()
             + " expires=" + getAccessExpires());
  10. Leaking Content Providers
      • Content Providers
      • What can one application do to another?
      • Leakage of content providers
      • Exported by default
  11. Leaking Content Providers
  12. Dropbox
  13. Insecure Data Storage
  14. Android WebView vuln
      • What's a WebView?
  15. Android WebView vuln
      • Framing web components into an application
      • Could be really useful while building applications
      • Does it also allow JavaScript?
  16. JavaScript in WebViews
      • JavaScript is allowed in WebViews
      • JavaScript could be used to interact with the app's interface
      • Malicious functions could be executed
  17. Malicious functions with JS
      • Could be used to send SMS or place calls
      • Or to install another application
      • Get a reverse shell to a remote location
      • Modify the file system or steal something from the device
  18. Ad Libraries, anyone?
      • InMobi
      • List of exposed methods:
        • makeCall
        • postToSocial
        • sendMail
        • sendSMS
        • takeCameraPicture
        • getGalleryImage
  19. Ad Libraries, anyone?
  20. Fix it
      setJavaScriptEnabled(false)
  21. SQLite Injection
      • SQLite databases for storing the application's data
      • Storing sensitive information in databases
      • Do you sanitize user input before applying SQL queries?
  22. Sample Code
      uname = (EditText) findViewById(R.id.username);
      pword = (EditText) findViewById(R.id.password);

      // User input is spliced straight into the SQL text: this is the injection point
      String getSQL = "SELECT * FROM " + tableName + " WHERE " + username + " = '"
              + uname.getText().toString() + "' AND " + password + " = '"
              + pword.getText().toString() + "'";

      Cursor cursor = dataBase.rawQuery(getSQL, null);
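As an added example (not from the slides), the login query above is reproduced against an in-memory SQLite database, with Python's sqlite3 standing in for Android's SQLiteDatabase.rawQuery, beside its parameterized form; on Android the same fix is using ? placeholders and passing the values as rawQuery's selectionArgs array. The users table, its rows and the test inputs are constructed.

```python
import sqlite3

# Constructed stand-in for the app's SQLite store: a users table with two rows.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_concat(db, uname, pword):
    # The slide's pattern: user-controlled strings are spliced into the SQL text,
    # so a quote in the input changes the query's structure instead of its data.
    sql = ("SELECT * FROM users WHERE username = '" + uname
           + "' AND password = '" + pword + "'")
    return db.execute(sql).fetchall()

def login_param(db, uname, pword):
    # Parameterized query: values are bound after the SQL is parsed and can never
    # be interpreted as SQL. Android equivalent:
    #   db.rawQuery("SELECT * FROM users WHERE username = ? AND password = ?",
    #               new String[]{uname, pword});
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (uname, pword)).fetchall()

def login_concat_safe(db, uname, pword):
    # Returns None instead of raising when the concatenated query no longer
    # parses (a perfectly legitimate name like o'brien is enough to break it).
    try:
        return login_concat(db, uname, pword)
    except sqlite3.OperationalError:
        return None

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: valid credentials, then a password containing quotes.
    print(login_param(db, "alice", "s3cret"))        # [('alice', 's3cret')]
    print(login_concat(db, "alice", "' OR '1'='1"))  # both rows: check bypassed
    print(login_param(db, "alice", "' OR '1'='1"))   # []: input stays a literal
    print(login_concat_safe(db, "o'brien", "x"))     # None: query failed to parse
```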
  23. Insecure File Permissions
      • Files storing sensitive data need to have proper permissions
      • Should be accessible only by the application
  24. Android Backup Vulnerability
      • Allows backup of the application's data
      • No root needed on the device
      • Attacker could read/modify the app's data and restore it back
      • Default behaviour in AndroidManifest.xml
  25. Preventing the Backup vulnerability
      android:allowBackup="false"
  26. Network Traffic
  27. Securing Android Applications
  28. Activities
      <activity android:name=".SecureActivity"
          android:permission="com.example.secure.permission.START_ACTIVITY1">
      </activity>
  29. Services
      <service android:name=".SecureService"
          android:permission="com.example.secure.permission.SecurePerm"
          android:enabled="true"
          android:exported="true">
      </service>
  30. Content Providers
      <provider android:name="com.example.secure.SecureProvider"
          android:authorities="com.example.secure.mailprovider"
          android:readPermission="com.example.testapps.test1.permission.READ_DATE"
          android:writePermission="com.example.secure.permission.WRITE_DATA"
          android:grantUriPermissions="true">
      </provider>
  31. If you don't need the component exported: android:exported="false"
  32. Summary
      • Avoid common mistakes
      • Store data in encrypted form
      • Don't send data over HTTP or insecure HTTPS
  33. Drop a mail at adi@attify.com
