Android Security - Common Security Pitfalls in Android Applications
Aditya Gupta from Attify talking about what are the common security pitfalls in android apps

Published in: Technology
Transcript

  • 1. Common Security Pitfalls in Android Apps (Aditya Gupta, Attify)
  • 2. Who Am I • Founder, Attify • Mobile Security Researcher • Developing a secure BYOD solution for enterprises • Co-creator of AFE (Android Framework for Exploitation) • Upcoming tool: DroidSE • Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan etc.
  • 3. Agenda • Security Overview of Android Apps • Some vulnerabilities in Android Apps • Secure Coding
  • 4. Android Security Model • Based on Linux • Security features are derived mostly from Linux • Application Isolation • Each app in its own DVM
  • 5. Security Overview of Android Apps • Application Sandboxing • Data stored in /data/data/[package-name]/ • AndroidManifest.xml plays an important role • Permissions while accessing activities, services, content providers
  • 6. Hard Coding Sensitive Info • Have seen some apps hardcode sensitive info • Reversing applications • Encrypting passwords: really common • Use protection to prevent apps from being reversed • Don't ever hardcode sensitive info in an app.
  • 7. Protecting against Reversing
  • 8. Logging Sensitive Information
  • 9. Logging Sensitive Information Log.d("Facebook-authorize", "Login Success! access_token=" + getAccessToken() + " expires=" + getAccessExpires());
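The slide 9 line ships an OAuth token to logcat, where anyone with adb access to the device (or, on old Android versions, any app holding READ_LOGS) can read it. The wrapper below is an added example, not code from the slides: it only logs in debug builds and strips credential-looking values before they are written. It assumes the class lives in the app's root package so that the Gradle-generated BuildConfig resolves; the key list in the regex is a hypothetical starting point and the token value in demo() is constructed.

```java
import android.util.Log;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not from the slides). BuildConfig is generated by the Gradle build
// in the app's own package; this class is assumed to live in that package.
public final class SafeLog {
    private static final boolean DEBUG = BuildConfig.DEBUG;

    // Keys whose values must never reach logcat (hypothetical list; extend for your app).
    private static final Pattern SENSITIVE =
            Pattern.compile("(?i)\\b(access_token|token|password|secret|api_key)=([^&\\s]+)");

    private SafeLog() {}

    // Replaces the value after any sensitive key with "[redacted]".
    static String redact(String msg) {
        Matcher m = SENSITIVE.matcher(msg);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(sb, Matcher.quoteReplacement(m.group(1) + "=[redacted]"));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    // Debug-only logging: release builds emit nothing, debug builds emit redacted text.
    public static void d(String tag, String msg) {
        if (!DEBUG) return;
        Log.d(tag, redact(msg));
    }

    // Constructed token value for illustration only.
    public static void demo() {
        String token = "CAAB...constructed";
        // Slide 9 logged the raw token; this call writes
        // "Login Success! access_token=[redacted] expires=3600" (debug builds only).
        d("Facebook-authorize", "Login Success! access_token=" + token + " expires=3600");
    }
}
```

The redaction is a safety net for the debug build, not a reason to keep logging secrets; the first line of defence is the BuildConfig.DEBUG gate, which removes the statement's effect from the APK that ships.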
  • 10. Leaking Content Providers • Content Providers • What can one application do to another • Leakage of content providers • By default exported
  • 11. Leaking Content Providers
  • 12. Dropbox
  • 13. Insecure Data Storage
  • 14. Android WebView vuln • What's a Webview?
  • 15. Android WebView vuln • Framing Web components into application • Could be really useful while building applications • Does it also allow JavaScript?
  • 16. Javascript in Webviews • Javascript is allowed in Webviews • Javascript could be used to interact with the app's interface • Malicious functions could be executed
  • 17. Malicious functions with JS • Could be used to send SMS or place calls • Or to install another application • Get a reverse shell to a remote location • Modify file system or steal something from the device
  • 18. Ad Libraries, anyone? • InMobi • List of Exposed methods : • makeCall • postToSocial • sendMail • sendSMS • takeCameraPicture • getGalleryImage
  • 19. Ad Libraries, anyone?
  • 20. Fix it getSettings().setJavaScriptEnabled(false)
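Slide 20 gives the one-line fix for apps that do not need script. The helper below is an added example, not code from the slides, for the harder case where the page does need JavaScript: script stays off by default, file and content URL access is disabled, navigation is pinned to an https allowlist, and the only bridge object exposes a single harmless method instead of the makeCall/sendSMS style methods listed on slide 18. The host allowlist and the AppBridge name are assumptions for the example; for apps with targetSdkVersion 17 or higher only methods annotated @JavascriptInterface are callable from page script.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example (not from the slides).
public final class HardenedWebView {
    // Hypothetical allowlist: the only origin this screen is meant to render.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    private HardenedWebView() {}

    // Only https URLs on allowlisted hosts may be loaded or navigated to.
    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme())
                && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
    }

    // The bridge exposes exactly one method. Nothing here can reach telephony,
    // the file system or the package manager, so page script cannot either.
    public static final class Bridge {
        private final WebView owner;
        Bridge(WebView owner) { this.owner = owner; }

        @JavascriptInterface
        public void showMessage(final String text) {
            // Bridge calls arrive on a background thread; hop to the UI thread for the Toast.
            owner.post(new Runnable() {
                @Override public void run() {
                    Toast.makeText(owner.getContext(), text, Toast.LENGTH_SHORT).show();
                }
            });
        }
    }

    public static void configure(WebView wv, boolean pageNeedsJavaScript) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(pageNeedsJavaScript);   // slide 20's fix, unless script is required
        s.setAllowFileAccess(false);                    // no file:// reads from the page
        s.setAllowContentAccess(false);                 // no content:// reads either
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        if (pageNeedsJavaScript) {
            wv.addJavascriptInterface(new Bridge(wv), "AppBridge");
        }

        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation: anything off the allowlist is dropped.
                return !isAllowed(url);
            }
        });
    }

    public static void load(WebView wv, String url) {
        if (!isAllowed(url)) {
            throw new IllegalArgumentException("refusing to load URL outside the allowlist");
        }
        wv.loadUrl(url);
    }
}
```

Call configure(webView, false) for content that is purely static and configure(webView, true) only for the screens that genuinely run script; third-party ad SDKs that register their own bridges are not covered by this class and need to be reviewed separately.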
  • 21. SQLite Injection • SQLite databases for storing application's data • Storing sensitive information in databases • Do you sanitize user input before applying SQL queries?
  • 22. Sample Code
    uname = (EditText) findViewById(R.id.username);
    pword = (EditText) findViewById(R.id.password);

    // User-controlled text is concatenated straight into the statement (deliberately vulnerable)
    String getSQL = "SELECT * FROM " + tableName + " WHERE " + username + " = '"
        + uname.getText() + "' AND " + password + " = '" + pword.getText() + "'";
    Cursor cursor = dataBase.rawQuery(getSQL, null);
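The slide 22 query treats whatever the user typed as part of the SQL text, so a quote character in the username changes the statement instead of being compared against the column. The class below is an added example, not code from the slides, showing the same lookup written with bound parameters: the statement is fixed at compile time and the values travel separately, so SQLite never parses them as SQL. The users table and its column names are assumptions for the example.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Added example (not from the slides). Assumes a table "users" with columns
// "id", "username" and "password".
public final class LoginDao {
    private final SQLiteDatabase db;

    public LoginDao(SQLiteDatabase db) { this.db = db; }

    // The slide's shape: user text becomes part of the SQL program. Kept only for comparison.
    public boolean loginUnsafe(String uname, String pword) {
        String sql = "SELECT * FROM users WHERE username = '" + uname
                + "' AND password = '" + pword + "'";
        try (Cursor c = db.rawQuery(sql, null)) {   // Cursor is Closeable since API 16
            return c.moveToFirst();
        }
    }

    // Hardened form: "?" placeholders, values passed as selectionArgs. Quotes, comment
    // sequences or boolean tricks in the input are compared as data, never executed.
    public boolean loginSafe(String uname, String pword) {
        try (Cursor c = db.query(
                "users",                              // table
                new String[] {"id"},                  // columns
                "username = ? AND password = ?",      // selection with placeholders
                new String[] {uname, pword},          // bound values
                null, null, null,                     // groupBy, having, orderBy
                "1")) {                               // limit
            return c.moveToFirst();
        }
    }

    // Same idea when rawQuery is genuinely needed (e.g. joins): still bind, never concatenate.
    public boolean loginSafeRaw(String uname, String pword) {
        try (Cursor c = db.rawQuery(
                "SELECT id FROM users WHERE username = ? AND password = ?",
                new String[] {uname, pword})) {
            return c.moveToFirst();
        }
    }
}
```

Binding fixes the injection only; keeping the password itself in the table is a separate pitfall (the slides' summary asks for data to be stored in encrypted form), and table or column names can never be bound, so those must come from the code, not from the user.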
  • 23. Insecure File Permissions • Files storing sensitive data need to have proper permissions • Should be accessible only by the application
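Slides 13 and 23 say that app files should be readable by the app alone. The helper below is an added example, not code from the slides: writePrivate() uses openFileOutput with MODE_PRIVATE, which creates the file owned by the app's uid with no group or world bits (the old MODE_WORLD_READABLE/MODE_WORLD_WRITEABLE modes were the pitfall; they are deprecated since API 17 and throw SecurityException from API 24), and worldAccessible() walks /data/data/<package> with android.system.Os (API 21+) and reports anything that has ended up world-readable or world-writable, for use in a debug build or an instrumented test.

```java
import android.content.Context;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the slides). Requires API 21+ for android.system.Os.
public final class PrivateFiles {
    private PrivateFiles() {}

    // MODE_PRIVATE: file is created 0600 under the app's own uid. Never use the
    // world-readable/writeable modes; they are what slide 23 warns about.
    public static void writePrivate(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }

    // Lists every file or directory under the app's private data directory that
    // carries an "other" read or write bit. An empty list is the expected result.
    public static List<String> worldAccessible(Context ctx) {
        List<String> bad = new ArrayList<>();
        File dataDir = ctx.getFilesDir().getParentFile();   // /data/data/<package>
        walk(dataDir, bad);
        return bad;
    }

    private static void walk(File dir, List<String> bad) {
        File[] children = dir.listFiles();
        if (children == null) return;
        for (File f : children) {
            try {
                StructStat st = Os.lstat(f.getPath());       // lstat: do not follow symlinks
                int otherBits = OsConstants.S_IROTH | OsConstants.S_IWOTH;
                if ((st.st_mode & otherBits) != 0) {
                    bad.add(f.getPath());
                }
            } catch (ErrnoException e) {
                continue;                                    // unreadable entry: skip it
            }
            if (f.isDirectory()) walk(f, bad);
        }
    }
}
```

Files written by native code, third-party SDKs or an explicit chmod are the usual sources of stray world bits, which is why the audit inspects the whole directory rather than only the files this class wrote.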
  • 24. Android Backup Vulnerability • Allows backup of application's data • No root needed in the device • Attacker could read/modify app's data and restore it back • Default behaviour in AndroidManifest.xml
  • 25. Preventing Backup vulnerability android:allowBackup="false"
  • 26. Network Traffic
  • 27. Securing Android Applications
  • 28. Activities <activity android:name=".SecureActivity" android:permission="com.example.secure.permission.START_ACTIVITY1"> </activity>
  • 29. Services <service android:name=".SecureService" android:permission="com.example.secure.permission.SecurePerm" android:enabled="true" android:exported="true"> </service>
  • 30. Content Providers <provider android:name="com.example.secure.SecureProvider" android:authorities="com.example.secure.mailprovider" android:readPermission="com.example.testapps.test1.permission.READ_DATE" android:writePermission="com.example.secure.permission.WRITE_DATA" android:grantUriPermissions="true"> </provider>
  • 31. If you don't need a component exported: android:exported="false"
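Slides 10, 24/25 and 28 to 31 all come down to manifest attributes that are easy to get wrong and easy to forget when a component is added later. The class below is an added example, not code from the slides: it asks PackageManager for the app's own manifest data at runtime and lists every activity, receiver, service or provider that is exported without a permission, plus the allowBackup flag from slide 24, so the result can be asserted on in an instrumented test. Providers default to exported when targetSdkVersion is below 17, which is the "by default exported" behaviour slide 10 refers to.

```java
import android.content.Context;
import android.content.pm.ActivityInfo;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ProviderInfo;
import android.content.pm.ServiceInfo;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the slides): self-audit of the app's own manifest.
public final class ExposureAudit {
    private ExposureAudit() {}

    // One line per finding. An empty list means nothing is reachable by other apps
    // without holding a permission, and backups are disabled.
    public static List<String> run(Context ctx) throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                PackageManager.GET_ACTIVITIES | PackageManager.GET_SERVICES
                | PackageManager.GET_RECEIVERS | PackageManager.GET_PROVIDERS);
        List<String> out = new ArrayList<>();

        // Slide 24/25: android:allowBackup defaults to true.
        if ((pi.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0) {
            out.add("application: android:allowBackup is true (adb backup can copy app data)");
        }

        // Slide 28: activities (receivers are described by ActivityInfo as well).
        if (pi.activities != null) {
            for (ActivityInfo a : pi.activities) {
                if (a.exported && a.permission == null) {
                    out.add("activity " + a.name + ": exported without android:permission");
                }
            }
        }
        if (pi.receivers != null) {
            for (ActivityInfo r : pi.receivers) {
                if (r.exported && r.permission == null) {
                    out.add("receiver " + r.name + ": exported without android:permission");
                }
            }
        }
        // Slide 29: services.
        if (pi.services != null) {
            for (ServiceInfo s : pi.services) {
                if (s.exported && s.permission == null) {
                    out.add("service " + s.name + ": exported without android:permission");
                }
            }
        }
        // Slides 10 and 30: providers need both a read and a write permission.
        if (pi.providers != null) {
            for (ProviderInfo p : pi.providers) {
                if (!p.exported) continue;
                if (p.readPermission == null) {
                    out.add("provider " + p.authority + ": exported and readable without a permission");
                }
                if (p.writePermission == null) {
                    out.add("provider " + p.authority + ": exported and writable without a permission");
                }
            }
        }
        return out;
    }
}
```

The launcher activity will always appear in the list, since it must be exported and carries no permission; everything else that shows up should either get android:exported="false" (slide 31) or a permission as on slides 28 to 30.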
  • 32. Summary • Avoid common mistakes • Store data in encrypted form • Don't send data over HTTP or insecurely configured HTTPS
  • 33. Drop a mail at adi@attify.com
