Android Security - Common Security Pitfalls in Android Applications

Aditya Gupta from Attify talking about what are the common security pitfalls in android apps

Published in Technology

Transcript

  • 1. Common Security Pitfalls in Android Apps Aditya Gupta Attify
  • 2. Who Am I • Founder, Attify • Mobile Security Researcher • Developing a secure BYOD solution for enterprises • Co-creator of AFE (Android Framework for Exploitation) • Upcoming tool: DroidSE • Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan, etc.
  • 3. Agenda • Security overview of Android apps • Some vulnerabilities in Android apps • Secure coding
  • 4. Android Security Model • Based on Linux • Security features are derived mostly from Linux • Application Isolation • Each app in its own DVM
  • 5. Security Overview of Android Apps • Application Sandboxing • Data stored in /data/data/[package-name]/ • AndroidManifest.xml plays an important role • Permissions while accessing activities, services, content providers
  • 6. Hard Coding Sensitive Info • Have seen some apps hardcode sensitive info • Reversing applications • Encrypting passwords: really common • Use protection to prevent apps from being reversed • Don't ever hardcode sensitive info in an app.
  • 7. Protecting against Reversing
  • 8. Logging Sensitive Information
  • 9. Logging Sensitive Information Log.d("Facebook-authorize", "Login Success! access_token=" + getAccessToken() + " expires=" + getAccessExpires());
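The slide above logs the OAuth access token in clear text. As an added example (not code from the talk), a small logging helper that only writes at debug build time and redacts credential-looking key=value pairs before the line reaches logcat; `SafeLog`, the redaction pattern and the `BuildConfig.DEBUG` check are assumptions for this example (`BuildConfig` is the Gradle-generated class in the app's own package).

```java
import android.util.Log;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not from the slides. BuildConfig.DEBUG is the
// Gradle-generated flag that is false in release builds.
public final class SafeLog {
    private static final String TAG = "Facebook-authorize";

    // Constructed pattern: key=value pairs whose key looks like a credential.
    private static final Pattern SECRET_KV =
            Pattern.compile("(?i)(access_token|token|password|secret|key)=([^\\s&]+)");

    private SafeLog() {}

    // Replaces the secret value with a fixed marker so the line still shows
    // which step of the flow ran without exposing the credential itself.
    static String redact(String message) {
        Matcher m = SECRET_KV.matcher(message);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(sb, m.group(1) + "=<redacted>");
        }
        m.appendTail(sb);
        return sb.toString();
    }

    // Debug logging that is skipped entirely in release builds and never
    // writes the raw message even in debug builds.
    public static void d(String message) {
        if (BuildConfig.DEBUG) {
            Log.d(TAG, redact(message));
        }
    }
}

// Usage: the slide's line becomes
//   SafeLog.d("Login Success! access_token=" + getAccessToken()
//             + " expires=" + getAccessExpires());
// and logcat shows "Login Success! access_token=<redacted> expires=..."
// in debug builds only.
```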
  • 10. Leaking Content Providers • Content Providers • What can one application do to another • Leakage of content providers • By default exported
  • 11. Leaking Content Providers
  • 12. Dropbox
  • 13. Insecure Data Storage
  • 14. Android WebView vuln • What's a Webview?
  • 15. Android WebView vuln • Framing web components into an application • Could be really useful while building applications • Does it also allow JavaScript?
  • 16. JavaScript in WebViews • JavaScript is allowed in WebViews • JavaScript could be used to interact with the app's interface • Malicious functions could be executed
  • 17. Malicious functions with JS • Could be used to send SMS or place calls • Or to install another application • Get a reverse shell to a remote location • Modify file system or steal something from the device
  • 18. Ad Libraries, anyone? • InMobi • List of exposed methods: • makeCall • postToSocial • sendMail • sendSMS • takeCameraPicture • getGalleryImage
  • 19. Ad Libraries, anyone?
  • 20. Fix it: setJavaScriptEnabled(false)
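The slide's fix is the `setJavaScriptEnabled(false)` call. As an added example (not from the talk), a helper that applies that fix together with the other WebView settings a reviewer would expect for a view that only renders trusted content, and that refuses navigation to anything but one HTTPS host; `WebViewHardening` and `ALLOWED_HOST` are assumptions for this example.

```java
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical helper, not from the slides.
public final class WebViewHardening {
    // Constructed value: the only origin this WebView is allowed to load.
    private static final String ALLOWED_HOST = "app.example.com";

    private WebViewHardening() {}

    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();

        // The slide's fix: with no script execution there is no path from page
        // content to bridged methods such as the ad-library makeCall/sendSMS.
        settings.setJavaScriptEnabled(false);

        // Keep the renderer away from the app's private files and content
        // providers (file:// and content:// URLs).
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Block navigation away from the expected origin. Returning true tells
        // the WebView the app handled the URL, i.e. it is not loaded.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri uri = Uri.parse(url);
                boolean allowed = "https".equals(uri.getScheme())
                        && ALLOWED_HOST.equals(uri.getHost());
                return !allowed;
            }
        });
    }
}
```

If a page genuinely needs script, enable it only for that view and expose no `addJavascriptInterface` object that the page content does not strictly require.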
  • 21. SQLite Injection • SQLite databases for storing the application's data • Storing sensitive information in databases • Do you sanitize user input before building SQL queries?
  • 22. Sample Code
      uname = (EditText) findViewById(R.id.username);
      pword = (EditText) findViewById(R.id.password);
      String getSQL = "SELECT * FROM " + tableName + " WHERE " + username + " = '" + uname.getText().toString() + "' AND " + password + " = '" + pword.getText().toString() + "'";
      Cursor cursor = dataBase.rawQuery(getSQL, null);
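The sample above splices the two text fields straight into the SQL string, so a crafted username changes the query's structure. As an added example (not the slide's code), the same login lookup with the user-supplied values passed as bound parameters; the `SafeLogin` class and the table and column names are assumptions for this example.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Hypothetical helper, not from the slides.
public final class SafeLogin {
    // Table and column names are fixed in code and never taken from user
    // input; these particular names are constructed for the example.
    private static final String TABLE = "users";
    private static final String COL_USER = "username";
    private static final String COL_PASS = "password_hash";

    private SafeLogin() {}

    // '?' placeholders: SQLite receives the values as data, so a username of
    // "' OR '1'='1" is compared literally and cannot alter the WHERE clause.
    public static boolean credentialsMatch(SQLiteDatabase db, String user,
                                           String passwordHash) {
        Cursor c = db.query(TABLE,
                new String[] { COL_USER },
                COL_USER + " = ? AND " + COL_PASS + " = ?",
                new String[] { user, passwordHash },
                null, null, null, "1");
        try {
            return c.moveToFirst();
        } finally {
            c.close();
        }
    }

    // rawQuery, as used on the slide, is equally safe once the values go
    // through selectionArgs instead of string concatenation.
    public static Cursor lookupRaw(SQLiteDatabase db, String user) {
        return db.rawQuery(
                "SELECT * FROM " + TABLE + " WHERE " + COL_USER + " = ?",
                new String[] { user });
    }
}
```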
  • 23. Insecure File Permissions • Files storing sensitive data need to have proper permissions • Should be accessible only by the application
  • 24. Android Backup Vulnerability • Allows backup of application's data • No root needed in the device • Attacker could read/modify app's data and restore it back • Default behaviour in AndroidManifest.xml
  • 25. Preventing the backup vulnerability: android:allowBackup="false"
  • 26. Network Traffic
  • 27. Securing Android Applications
  • 28. Activities <activity android:name=".SecureActivity" android:permission="com.example.secure.permission.START_ACTIVITY1"> </activity>
  • 29. Services <service android:name=".SecureService" android:permission="com.example.secure.permission.SecurePerm" android:enabled="true" android:exported="true"> </service>
  • 30. Content Providers <provider android:name="com.example.secure.SecureProvider" android:authorities="com.example.secure.mailprovider" android:readPermission="com.example.testapps.test1.permission.READ_DATE" android:writePermission="com.example.secure.permission.WRITE_DATA" android:grantUriPermissions="true"> </provider>
  • 31. If you don't need it: android:exported="false"
  • 32. Summary • Avoid common mistakes • Store data in encrypted form • Sending data through HTTP/insecure HTTPS
  • 33. Drop a mail at adi@attify.com