Droidcon Eastern Europe 2013 - How secure is an Android app

Insight into how safe the Romanian banking apps you use daily really are. Even though this is meant to be a presentation, Marius shows you how you can secure your apps from curious eyes. The short presentation was given at IMworld 2013, and at Droidcon 2013 it was backed up with a workshop.

Published in: Technology
  1. How secure is an Android app? by Marius Mailat
  2. Who is Marius?
  3. Who is Marius?
     1. Founder of the dev community Androider
     2. Android trainer - Marakana, Androider
     3. Partner and CTO - Appseleration
     4. Partner and co-founder - AppsRise.com
  4. Agenda
  5. Agenda
     1. Last year's message vs this year's approach
     2. How safe are your daily apps?
     3. Dissect the most popular RO banking apps
     4. Security guidelines for Android?
     5. How to secure your Android apps?
  6. Last year's message vs this year's approach
  7. Last year's message vs this year's approach
     Last year's message: You are a code artist! Programming as an intellectual activity allows you to create interactive art.
     This year's approach: You are a code artist, but your art is stolen! My code art was decompiled, repacked/altered with new code and was sold as genuine art! I love my art, I hate thieves!
  8. How safe are your daily apps?
  9. How safe are your daily apps?
  10. Mobile threats on Android
     1. Advertising over malware
     2. Direct payoff SMS
     3. Destructive attacks on sensitive data
     4. Information scavengers
     5. Premeditated spying on location and info
  11. BU HU HU
  12. Dissect the most popular Android banking apps
  13. How to scoop inside of an Android app?
     1. $ apktool d BANK.apk
     2. $ jar xvf BANK.apk classes.dex
     3. $ dex2jar.sh classes.dex
     4. > Open JD-GUI
     5. Try alternatives: Dare, DED, dexdump etc.
  14. Do we have Romanian banking apps?
  15. Facts: Android banking apps?
     Downloads        Comments  Rating  URL
     50,000-100,000   429       3,7     http://goo.gl/oV7Pl0
     10,000-50,000    749       3,8     http://goo.gl/8AVwS
     10,000-50,000    210       3,6     http://goo.gl/p8BRwK
     10,000-50,000    270       4,0     http://goo.gl/FDN0ox
     1,000-5,000      41        3,8     http://goo.gl/8FRN5q
     1,000-5,000      39        3,1     http://goo.gl/oQWbsM
     1,000-5,000      22        3,6     http://goo.gl/TLuHBk
     500-1,000        27        4,1     http://goo.gl/zpWLkP
  16. How I calculate the BU HU HU score?
     Criteria: DB, SSL, persistence, permissions, server, weird code.
     Per-app notes (the +/- marks are the per-criterion verdicts as they appeared on the slide):
     - - - + +-  no fragments, old style code; almost weird - hybrid app, WebView with pre-Java code; totally weird - insecure server, PHP, kind of mix of weird & complex
     +  own weird cache mechanism, no logging class, readable XML parsing done on table dance, ugly but nice
     - + - - - - - - - -  many libs, Bump lib :), hybrid again
     - -  again PhoneGap, load HTML?!
     - -  a bad OTP bank, Cordova stuff - hybrid pseudo native
     BU HU HU score: 0 - bad, 10 - excellent
  17. Security guidelines for Android?
  18. Security guidelines for Android apps?
     1. Encrypt everything - DB, preferences ...
     2. Password - salt
     3. Secure server communication
     4. Do not trust the server and the app!
     5. Do not allow backup
  19. How to secure your Android apps?
  20. How to secure your Android apps
     Your safer code art: security & code guidelines. Do guidelines protect you?
     Your code art: serious painting skills with sensitive data.
     Protect the app: protect the resources, protect the database, protect the preferences, encrypt your binary.
     Bu huhu magic via DEXJAR and co.
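Slide 18 says "encrypt everything - DB, preferences" and slide 20 says "protect the preferences"; the added example below (mine, not code from the talk or from any of the reviewed apps) shows the shape of that protection for a single preference value: AES-256-GCM with a fresh IV per write and the preference name bound as associated data, so a value copied from one key to another fails authentication. Assumption: the key is generated in-process here so the example runs on a plain JVM; in a real app it should be created in and used through the `AndroidKeyStore` provider so the raw key bytes never reach the app's storage. The class name `EncryptedPref` and the `iv || ciphertext || tag` layout are my own choices.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example: authenticated encryption of a preference value before it is written to disk.
// GCM gives confidentiality plus integrity; the preference name as AAD ties the blob to its slot.
public final class EncryptedPref {
    private static final int IV_BYTES = 12;      // 96-bit IV is the recommended GCM size
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Demo key. Assumption: a real app obtains this from AndroidKeyStore instead. */
    public static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** Returns base64(iv || ciphertext || tag) for storage under prefName. */
    public static String seal(SecretKey key, String prefName, String value) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                       // never reuse an IV with the same key under GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(prefName.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        ByteBuffer out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct);
        return Base64.getEncoder().encodeToString(out.array());
    }

    /** Decrypts and verifies; throws on a truncated, tampered, or mis-slotted blob. */
    public static String open(SecretKey key, String prefName, String stored) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(stored);
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("stored value is truncated");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        c.updateAAD(prefName.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES); // AEADBadTagException if tag fails
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        String stored = seal(key, "session_token", "tok-1234-constructed"); // constructed sample value
        System.out.println("on disk: " + stored);
        System.out.println("decrypted: " + open(key, "session_token", stored));
        try {
            open(key, "other_pref", stored);     // same blob read under a different name
        } catch (GeneralSecurityException e) {
            System.out.println("rejected under wrong name: " + e.getClass().getSimpleName());
        }
    }
}
```

This covers the on-device copy; the slide's "do not allow backup" point is the complementary manifest setting, `android:allowBackup="false"` on the `<application>` element, which stops the encrypted file (and anything else in the app's private storage) from being pulled out through the platform backup path.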
  21. Thank you. Questions? Marius Mailat, marius.mailat@gmail.com