Attacking Android insecurity

This presentation is aimed at Android app developers looking to deal with the insecurity that surrounds Android apps these days and how to create a secure app.

  1. Godfrey Nolan
  2. Why are we here?
     • Little bit of Android history
     • Secure coding practices
     • Secure Policy Scanner
     • Sample demo app
     • Other tools
  3. Malware
     • Known exploits
     • Fake apps
     • Android versions
  4. Top 10
     • Looking for new additions
     • Metrics
  5. Opening files as WORLD_READABLE, WORLD_WRITABLE
     • Opening databases as WORLD_READABLE, WORLD_WRITABLE
     • Unencrypted SQLite database
     • Storing data on SD card via WRITE_TO_EXTERNAL_STORAGE
     • Check app permissions
     • Check app is not looking for root permissions
     • Search for hardcoded usernames and passwords
     • Search for API calls
     • Detect unencrypted communications
     • Check for basic obfuscation
     • Check location requests
  6. Check app permissions
     • ACCESS_COARSE_LOCATION
     • ACCESS_FINE_LOCATION
     • CALL_PHONE
     • CAMERA
     • INTERNET
     • READ_CALENDAR
     • READ_CONTACTS
     • READ_INPUT_STATE
     • READ_SMS
     • RECORD_AUDIO
     • SEND_SMS
     • WRITE_CALENDAR
     • WRITE_CONTACTS
  7. Policy                              Percentage
     World readable/writeable file       11
     World readable/writeable database   0
     Unencrypted database                47
     Access external storage             32
     Sketchy permissions                 72
     Runtime root access                 8.5
     Username/password                   81
     Access HTTP                         47
     Unencrypted communications          47
     No basic obfuscation                94
  8. Version 1: run SPE
     • Version 2: run SPE
     • Version 3: run SPE
  9. Secure Policy Enforcer (SPE)
     • Aspect Security's Contrast
     • Checkmarx
     • Veracode Mobile
     • Using a CA cert to sign your APK
     • Mobile Device Management tools: MobiControl
  10. References
     • http://jon.oberheide.org/files/summercon12-bouncer.pdf
     • http://www.securelist.com/en/analysis/204792239/IT_Threat_Evolution_Q2_2012
     • http://developer.android.com/reference/android/Manifest.permission.html
     • https://www.pcisecuritystandards.org/security_standards/documents.php?document=mobile_payment_security_guidelines1#mobile_payment_security_guidelines1
  11. Contact
     • http://www.decompilingandroid.com
     • @decompiling
     • godfrey@riis.com
     • http://www.riis.com
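The policy checks listed on slide 5 and the permission list on slide 6 can be turned into a small static scanner that runs over a decompiled app's manifest and Java source. The following is an added example, not the Secure Policy Enforcer from the deck; the policy names, regexes, and the sample manifest and Java fragment are all constructed for illustration.

```python
# Added example: a toy static policy scanner covering a few of the slide-5 checks.
# It is not the SPE tool; the manifest and Java fragment below are constructed.
import re
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions slide 6 singles out for review
SKETCHY_PERMISSIONS = {
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "CALL_PHONE", "CAMERA",
    "INTERNET", "READ_CALENDAR", "READ_CONTACTS", "READ_INPUT_STATE", "READ_SMS",
    "RECORD_AUDIO", "SEND_SMS", "WRITE_CALENDAR", "WRITE_CONTACTS",
}
# (policy name, regex) pairs matched against decompiled Java text; heuristic only
SOURCE_POLICIES = [
    ("world_readable_writable_file",
     re.compile(r"openFileOutput\([^)]*MODE_WORLD_(READABLE|WRITEABLE)")),
    ("world_readable_writable_database",
     re.compile(r"openOrCreateDatabase\([^)]*MODE_WORLD_(READABLE|WRITEABLE)")),
    ("external_storage", re.compile(r"getExternalStorage(Public)?Directory\(")),
    ("runtime_root_access", re.compile(r'exec\(\s*"su"')),
    ("hardcoded_credentials",
     re.compile(r'(?i)(user(name)?|pass(word|wd)?)\s*=\s*"[^"]+"')),
    ("unencrypted_communications", re.compile(r'"http://[^"]+"')),
]

def check_manifest(manifest_xml):
    """Return the requested permissions that are on the sketchy list."""
    found = set()
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        short = node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
        if short in SKETCHY_PERMISSIONS:
            found.add(short)
    return found

def check_source(java_source):
    """Return the names of every source-level policy the Java text violates."""
    return [name for name, pattern in SOURCE_POLICIES if pattern.search(java_source)]

# Constructed inputs: a manifest asking for two flagged permissions and a Java
# fragment with a hardcoded password, a world-readable file and a plain-http URL
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""
SAMPLE_SOURCE = """String password = "hunter2";
FileOutputStream f = openFileOutput("notes.txt", Context.MODE_WORLD_READABLE);
URL u = new URL("http://example.invalid/api");"""
if __name__ == "__main__":
    print(sorted(check_manifest(SAMPLE_MANIFEST)), check_source(SAMPLE_SOURCE))
```

Regex matching on decompiled source is a coarse first pass; a real scanner would confirm each hit against the call's actual arguments and report a percentage per policy the way slide 7 does.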
