Apps, apis, third party services (Droidcon)

In this talk I talked about my experiences with Android security when it comes to storing secrets in apps on the device. It uses oauth as an example but contained practical hints on how to store any secret securely. Presented at DroidconNL in Amsterdam, November 23 2011.

Apps, apis, third party services (Droidcon) Presentation Transcript

  • 1. http://www.egeniq.com info@egeniq.com @egeniq
    Apps, APIs and third party services: A Love Triangle
    Ivo Jansch - @ijansch
    Droidcon, 23 November 2011
  • 2. About Me
    @ijansch
    Developer, Author, Entreprenerd, iOS/Java/PHP
  • 3. About Egeniq
    Startup, Mobile, Tech, Knowledge, Geeks, Development
  • 4. Tiqr - Learning about Android Security
    http://www.tiqr.org
  • 5. The Use Case
    Android App - API - Third Party Service
  • 6. Timeline
  • 7. OAuth
    Your Android Application - Twitter
  • 8. OAuth
    OAuth Consumer - OAuth Provider
  • 9. Why do you need to protect keys?
    OAuth Provider
  • 10. The Android Security Model
  • 11. Sandboxing
    ‣ Apps only have access to their own data
    ‣ Access is based on Linux user ID
    ‣ Further protected by application signature
  • 12. Storage + Secure Storage
    ‣ USB Storage
      • External storage, sharable between apps
    ‣ Device Storage
      • Apps have their own location, within sandbox
    ‣ Secure Storage
      • Java KeyStores with strong encryption algorithms
      • Unfortunately no hardware encrypted storage like iPhone
  • 13. The Main Problem
    ‣ How can I securely store secrets?
      • Is sandboxing a solution? -> Not when device is rooted
      • Is device storage a solution? -> Not when device is rooted
      • Is encryption a solution?
        ‣ Yes, but where do you store your encryption keys?
  • 14. It’s a common question
    Stackoverflow search for ‘store secrets android’:
  • 15. With common answers
    - Huh?
    - Don’t store secrets
    - Don’t use OAuth
    - Obfuscate
    - Encrypt
  • 16. Know what? I’ll just use a library
  • 17. Scribe
    https://github.com/fernandezpablo85/scribe-java
  • 18. A Couple Of Solutions
  • 19. Option 1 - Obfuscation
  • 20. Option 2 - Encryption
  • 21. Option 2 - Encryption
  • 22. Option 2 - Encryption
  • 23. Option 2 - Encryption
  • 24. Option 3 - Using the KeyStore
  • 25. Option 3 - Using the KeyStore
  • 26. Option 4 - Retrieve key from API
    Android App - Your API - OAuth Provider
  • 27. Option 5 - Transparent Proxy
    Android App - Proxy - OAuth Provider
  • 28. Conclusion
    It’s all about awareness
  • 29. Recommended Reading
    ‣ ISBN: 2147483647
    ‣ Authors:
      • Himanshu Dwivedi
      • Chris Clark
      • David Thiel
    ‣ Covers:
      • Android
      • Apple
      • WinMo
  • 30. http://www.egeniq.com info@egeniq.com @egeniq
    Thank you! Questions?
    http://www.egeniq.com ivo@egeniq.com @ijansch
  • 31. Credits
    ‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/
    ‣ ‘Locker (KHS up close)’ by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/
    ‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/
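The slides on Option 2 (encryption) and Option 3 (the KeyStore) only carry screenshots in this transcript, so here is a worked example of the combination slide 13 points at: an AES key kept in a password-protected Java KeyStore, used to encrypt the OAuth consumer secret at rest. This is an added example, not code from the talk or from Egeniq; it is written against plain Java SE 8 or later (not the Android KeyStore API), and the PKCS12 keystore type, the entry alias, the in-memory byte arrays standing in for files in the app's private storage, and the origin of the password are all assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (not from the talk): an AES key lives in a password-protected
// PKCS12 keystore; the OAuth consumer secret is stored only as AES-GCM ciphertext.
public class SecretStore {
    private static final String ALIAS = "oauth-consumer-secret-key"; // assumed alias
    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, as recommended for GCM
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag

    /** Generates a fresh AES key and serialises it into a keystore blob protected by pw. */
    public static byte[] createKeyStore(char[] pw) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256); // needs a JDK where 256-bit AES is permitted (8u161+ by default)
        SecretKey key = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(pw));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw); // on a device this would be a file inside the app sandbox
        return out.toByteArray();
    }

    /** Reopens the keystore; a wrong password fails here with an IOException. */
    private static SecretKey loadKey(byte[] ksBlob, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(ksBlob), pw);
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry)
                ks.getEntry(ALIAS, new KeyStore.PasswordProtection(pw));
        return entry.getSecretKey();
    }

    /** Returns iv || ciphertext+tag for the given secret. */
    public static byte[] encrypt(byte[] ksBlob, char[] pw, String secret) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv); // never reuse a nonce under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadKey(ksBlob, pw), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));

        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Splits iv || ciphertext and decrypts; a tampered blob fails with AEADBadTagException. */
    public static String decrypt(byte[] ksBlob, char[] pw, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, loadKey(ksBlob, pw), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: the password would come from the user or from your own API.
        char[] pw = "password-from-user-or-api".toCharArray();
        byte[] ksBlob = createKeyStore(pw);
        byte[] stored = encrypt(ksBlob, pw, "constructed-consumer-secret");

        System.out.println("recovered: " + decrypt(ksBlob, pw, stored));
        try {
            decrypt(ksBlob, "wrong-password".toCharArray(), stored);
        } catch (IOException e) {
            System.out.println("wrong keystore password rejected");
        }
    }
}
```

The point slide 13 makes survives the code: the ciphertext and the keystore can both sit in the sandbox, but the keystore password still has to come from somewhere. Hard-coding it in the APK puts you back at Option 1 (obfuscation) on a rooted device; prompting the user for it, or fetching it from your own API after the user authenticates (Option 4), keeps the secret off the device at rest.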