Attacking android insecurity
This presentation is aimed at Android app developers looking to deal with the insecurity that surrounds Android apps these days and how to create a secure app.

Attacking android insecurity Presentation Transcript

  • 1. Godfrey Nolan
  • 2. Why are we here?
      • A little bit of Android history
      • Secure coding practices
      • Secure Policy Scanner
      • Sample demo app
      • Other tools
  • 3. Android history
      • Malware
      • Known exploits
      • Fake apps
      • Android versions
  • 4. Top 10
      • Looking for new additions
      • Metrics
  • 5. Secure coding checks
      • Opening files as MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE
      • Opening databases as MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE
      • Unencrypted SQLite database
      • Storing data on the SD card via WRITE_EXTERNAL_STORAGE
      • Check app permissions
      • Check the app is not looking for root permissions
      • Search for hardcoded usernames and passwords
      • Search for API calls
      • Detect unencrypted communications
      • Check for basic obfuscation
      • Check location requests
  • 6. Check app permissions
      • ACCESS_COARSE_LOCATION
      • ACCESS_FINE_LOCATION
      • CALL_PHONE
      • CAMERA
      • INTERNET
      • READ_CALENDAR
      • READ_CONTACTS
      • READ_INPUT_STATE
      • READ_SMS
      • RECORD_AUDIO
      • SEND_SMS
      • WRITE_CALENDAR
      • WRITE_CONTACTS
  • 7. Metrics
      Policy                               Percentage
      World readable/writeable file        11
      World readable/writeable database    0
      Unencrypted database                 47
      Access external storage              32
      Sketchy permissions                  72
      Runtime root access                  8.5
      Username/password                    81
      Access HTTP                          47
      Unencrypted communications           47
      No basic obfuscation                 94
  • 8. Sample demo app
      • Version 1: run SPE
      • Version 2: run SPE
      • Version 3: run SPE
  • 9. Other tools
      • Secure Policy Enforcer (SPE)
      • Aspect Security's Contrast
      • Checkmarx
      • Veracode Mobile
      • Using a CA cert to sign your APK
      • Mobile Device Management tools (MobiControl)
  • 10. References
      • http://jon.oberheide.org/files/summercon12-bouncer.pdf
      • http://www.securelist.com/en/analysis/204792239/IT_Threat_Evolution_Q2_2012
      • http://developer.android.com/reference/android/Manifest.permission.html
      • https://www.pcisecuritystandards.org/security_standards/documents.php?document=mobile_payment_security_guidelines1#mobile_payment_security_guidelines1
  • 11. Contact
      • http://www.decompilingandroid.com
      • @decompiling
      • godfrey@riis.com
      • http://www.riis.com
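The checks on slides 5 and 6, and the "run SPE on each version" loop of slide 8, are the kind of thing a static policy scanner can do over decompiled sources and the manifest. The following Python is an added example of such a scanner, written for this page; it is not the speaker's Secure Policy Enforcer nor any of the commercial tools on slide 9. It scans constructed inputs embedded in the block (a manifest string and a dict mapping source paths to decompiled Java text), and its policy names, regexes and the "no short class names means no obfuscation" heuristic are all assumptions made for illustration.

```python
"""Toy static policy scanner for decompiled Android apps (added example).

Inputs are constructed: a manifest XML string plus a dict of
source path -> decompiled Java text. Findings are "path:line" strings.
"""
import re
from typing import Dict, List

# Permissions slide 6 singles out as worth a second look.
SKETCHY_PERMISSIONS = {
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "CALL_PHONE", "CAMERA",
    "INTERNET", "READ_CALENDAR", "READ_CONTACTS", "READ_INPUT_STATE",
    "READ_SMS", "RECORD_AUDIO", "SEND_SMS", "WRITE_CALENDAR", "WRITE_CONTACTS",
}

# Line-level policies: one regex each, run over every source line.
LINE_POLICIES = {
    "world_readable_writeable_file":
        re.compile(r'openFileOutput\(.*MODE_WORLD_(READABLE|WRITEABLE)'),
    "world_readable_writeable_database":
        re.compile(r'openOrCreateDatabase\(.*MODE_WORLD_(READABLE|WRITEABLE)'),
    "access_external_storage": re.compile(r'getExternalStorage\w*\('),
    "runtime_root_access": re.compile(r'exec\(\s*"su"\s*\)|/system/x?bin/su'),
    "username_password":
        re.compile(r'(?i)\b(password|passwd|pwd|username)\s*=\s*"[^"]+"'),
    "unencrypted_communications": re.compile(r'["\']http://'),
    "location_requests":
        re.compile(r'requestLocationUpdates\(|getLastKnownLocation\('),
}
POLICIES = list(LINE_POLICIES) + [
    "sketchy_permissions", "unencrypted_database", "no_basic_obfuscation"]


def manifest_permissions(manifest: str) -> set:
    """Names of android.permission.* entries declared in the manifest."""
    return set(re.findall(r'android\.permission\.([A-Z_]+)', manifest))


def scan(manifest: str, sources: Dict[str, str]) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {p: [] for p in POLICIES}
    perms = manifest_permissions(manifest)
    findings["sketchy_permissions"] = sorted(perms & SKETCHY_PERMISSIONS)
    if "WRITE_EXTERNAL_STORAGE" in perms:
        findings["access_external_storage"].append(
            "AndroidManifest.xml:WRITE_EXTERNAL_STORAGE")
    if perms & {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}:
        findings["location_requests"].append(
            "AndroidManifest.xml:ACCESS_*_LOCATION")

    uses_sqlite = uses_sqlcipher = False
    for path, text in sources.items():
        uses_sqlcipher |= "net.sqlcipher" in text
        for lineno, line in enumerate(text.splitlines(), 1):
            uses_sqlite |= "SQLiteDatabase" in line or "SQLiteOpenHelper" in line
            for name, pattern in LINE_POLICIES.items():
                if pattern.search(line):
                    findings[name].append(f"{path}:{lineno}")
    # Heuristic: SQLite in use and no SQLCipher import means plaintext storage.
    if uses_sqlite and not uses_sqlcipher:
        findings["unencrypted_database"].append("SQLite used without net.sqlcipher")
    # Heuristic: ProGuard renames classes to one- or two-letter names, so a
    # tree where every class keeps its descriptive name was not obfuscated.
    names = [p.rsplit("/", 1)[-1] for p in sources]
    names = [n[:-5] if n.endswith(".java") else n for n in names]
    if names and all(len(n) > 2 for n in names):
        findings["no_basic_obfuscation"].append("all class names are descriptive")
    return findings


def failed_policies(findings: Dict[str, List[str]]) -> List[str]:
    """Policies with at least one finding, sorted for stable reporting."""
    return sorted(p for p, hits in findings.items() if hits)


# Constructed "version 1" of a demo app: trips every check.
SAMPLE_MANIFEST = """<manifest package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_SOURCES = {
    "com/example/demo/LoginActivity.java": "\n".join([
        'private static final String PASSWORD = "hunter2";',
        'FileOutputStream fos = openFileOutput("token.txt", Context.MODE_WORLD_READABLE);',
        'SQLiteDatabase db = openOrCreateDatabase("users.db", Context.MODE_WORLD_WRITEABLE, null);',
        'URL u = new URL("http://api.example.com/login");',
        'File f = new File(Environment.getExternalStorageDirectory(), "cache.bin");',
    ]),
    "com/example/demo/RootHelper.java": 'Process p = Runtime.getRuntime().exec("su");',
}
# Constructed "version 3": private files, HTTPS, obfuscated names, fewer permissions.
SAMPLE_MANIFEST_FIXED = """<manifest package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_SOURCES_FIXED = {
    "a/b/c.java": "\n".join([
        'FileOutputStream fos = openFileOutput("token.txt", Context.MODE_PRIVATE);',
        'URL u = new URL("https://api.example.com/login");',
    ]),
}

if __name__ == "__main__":
    for label, m, s in (("v1", SAMPLE_MANIFEST, SAMPLE_SOURCES),
                        ("v3", SAMPLE_MANIFEST_FIXED, SAMPLE_SOURCES_FIXED)):
        print(label, failed_policies(scan(m, s)))
```

Running it prints ten failed policies for the constructed v1 sources and only `sketchy_permissions` (INTERNET) for v3, which is the shrinking list slide 8 describes when SPE is rerun on each version. The regexes are deliberately narrow: a real scanner would resolve constants, follow string concatenation and check certificate pinning rather than just grepping for `http://`, so treat a clean run as a baseline, not a proof of security.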