Apps, apis, third party services (Droidcon)

In this talk I talked about my experiences with Android security when it comes to storing secrets in apps on the device. It uses oauth as an example but contained practical hints on how to store any secret securely. Presented at DroidconNL in Amsterdam, November 23 2011.

Published in: Technology, Business

Transcript

  • 1. Apps, APIs and third party services: A Love Triangle. Ivo Jansch - @ijansch. Droidcon, 23 November 2011. http://www.egeniq.com, info@egeniq.com, @egeniq
  • 2. About Me: @ijansch. Developer, Author, Entreprenerd. iOS/Java/PHP
  • 3. About Egeniq: Startup, Mobile, Tech, Knowledge, Geeks, Development
  • 4. Tiqr - Learning about Android Security. http://www.tiqr.org
  • 5. The Use Case (diagram): Android App, API, Third Party Service
  • 6. Timeline
  • 7. OAuth (diagram): Your Android Application, Twitter
  • 8. OAuth (diagram): OAuth Consumer, OAuth Provider
  • 9. Why do you need to protect keys? (diagram: OAuth Provider)
  • 10. The Android Security Model
  • 11. Sandboxing
    ‣ Apps only have access to their own data
    ‣ Access is based on Linux user ID
    ‣ Further protected by application signature
  • 12. Storage + Secure Storage
    ‣ USB Storage
      • External storage, sharable between apps
    ‣ Device Storage
      • Apps have their own location, within sandbox
    ‣ Secure Storage
      • Java KeyStores with strong encryption algorithms
      • Unfortunately no hardware encrypted storage like iPhone
  • 13. The Main Problem
    ‣ How can I securely store secrets?
      • Is sandboxing a solution? -> Not when device is rooted
      • Is device storage a solution? -> Not when device is rooted
      • Is encryption a solution?
        ‣ Yes, but where do you store your encryption keys?
  • 14. It’s a common question. Stackoverflow search for ‘store secrets android’:
  • 15. With common answers:
    - Huh?
    - Don’t store secrets
    - Don’t use OAuth
    - Obfuscate
    - Encrypt
  • 16. Know what? I’ll just use a library
  • 17. Scribe: https://github.com/fernandezpablo85/scribe-java
  • 18. A Couple Of Solutions
  • 19. Option 1 - Obfuscation
  • 20. Option 2 - Encryption
  • 21. Option 2 - Encryption
  • 22. Option 2 - Encryption
  • 23. Option 2 - Encryption
  • 24. Option 3 - Using the KeyStore
  • 25. Option 3 - Using the KeyStore
  • 26. Option 4 - Retrieve key from API (diagram): Android App, Your API, OAuth Provider
  • 27. Option 5 - Transparent Proxy (diagram): Android App, Proxy, OAuth Provider
  • 28. Conclusion: It’s all about awareness
  • 29. Recommended Reading
    ‣ Authors: Himanshu Dwivedi, Chris Clark, David Thiel
    ‣ Covers: Android, Apple, WinMo
  • 30. Thank you! Questions? http://www.egeniq.com, ivo@egeniq.com, @ijansch
  • 31. Credits
    ‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/
    ‣ ‘Locker (KHS up close)’ by Travis Hymas - http://www.flickr.com/travishasphotos/3481640534/
    ‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/
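Slides 13 and 20-23 ask where the encryption key should live once you encrypt a secret; one answer is to never store it at all. The following is an added example, not code from the talk or from Egeniq: the AES key is derived from a user-entered PIN with PBKDF2 and exists only in memory, and the blob written to app-private storage holds only the salt, the IV and the AES-GCM ciphertext. It assumes Java 7+ / Android API 19+ (for AES-GCM) and uses hypothetical class and method names.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
/** Hypothetical helper: the AES key is derived from a user PIN on demand and is never stored. */
public final class PinSealedSecret {
    private static final int SALT_LEN = 16, IV_LEN = 12, HEADER = SALT_LEN + IV_LEN, TAG_BITS = 128;
    private static final int ITERATIONS = 10_000;   // PBKDF2 work factor (assumed value); tune for the device
    private static final SecureRandom RNG = new SecureRandom();
    /** PBKDF2 turns the PIN plus a per-secret salt into a 128-bit AES key that lives only in memory. */
    static SecretKey deriveKey(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, ITERATIONS, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns salt || iv || ciphertext+tag; this blob is all that goes into app-private storage. */
    static byte[] seal(char[] pin, String secret) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[HEADER + ct.length];
        System.arraycopy(salt, 0, blob, 0, SALT_LEN);
        System.arraycopy(iv, 0, blob, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, blob, HEADER, ct.length);
        return blob;
    }

    /** Returns the secret, or null when the PIN is wrong or the blob was tampered with (GCM tag check fails). */
    static String open(char[] pin, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, HEADER);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        try {
            return new String(c.doFinal(blob, HEADER, blob.length - HEADER), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            return null;   // wrong PIN or modified blob: never hand back garbage as if it were the secret
        }
    }
}
```

Call seal() once when the user enters the PIN and keep only the returned blob; on a rooted device an attacker then finds salt, IV and ciphertext in the sandbox, but not the key, which only exists while the user has typed the PIN.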