Security in Android Application, Александр Смирнов, RedMadRobot, Москва
•
0 likes•502 views
Выступление на конференции DUMP-2016.
Recommended
More Related Content
Viewers also liked
Viewers also liked (20)
Similar to Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Similar to Security in Android Application, Александр Смирнов, RedMadRobot, Москва (20)
More from it-people
More from it-people (20)
Recently uploaded
Recently uploaded (9)
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
- 1. SECURITY IN ANDROID APPLICATION 08/04/2016 ALEXANDER SMIRNOV v1.0
- 2. - 3+ years Android dev - 6+ years commercial dev - 1 year bank app dev - BlackHat friends since 2007 - DC7499 member WhoAmI 2
- 3. Why? 3
- 4. - Android Security Model - Reality - Vulnerabilities - One more sentence - Appendix Agenda 4
- 5. Security • I • Android Security Model 5
- 6. 6
- 8. - Is the parent of all App processes - COW(Copy On Write) strategy - /dev/socket/zygote Zygote 8 App 1 App 2 App 3 Zygote fork() fork() fork() start new App
- 9. - Before M - After M - Custom permissions - Protection level Permissions 9
- 10. - Protect user data - Protect system resources - Provide application isolation Android Security Overview 10
- 11. • II • Android Security Model Reality Security 11
- 12. 12 Root
- 13. 13 TRIADA
- 15. - Memory Cache - DB + SQLCipher - SharedPreference + MODE_PRIVATE + Cipher - 21+ setStorageEncryption for local files - KeyStore Data Storage 15
- 16. - MITM has you - Check network – why? - Diffie–Hellman key exchange - Certificate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2) Transport 16
- 17. - Use explicit intents - Validate Input - Manifest: intent-filter = exported=«yes» Intent 17
- 18. - Secure PUSH - Mobile application - SIMApplets - DCV (Dynamic Code Verification) 2FA: SMS 18
- 19. - Custom keyboard - Secure persistent datastore - No EditText - No immutable (Strings -> char[]) - Notify if root Insecure Device 19
- 20. - Check debug - Verify sign - Emulator check - Obfuscation - JNI Reverse Protection 20
- 21. Security 21 • IV • One more sentence
- 22. - Convenience vs Security - Socialization & Tools - Layered Security - Better than others - OWASP TOP 10 Mobile Risks One more sentence 22
- 24. - Cyber Risk Report: bit.ly/1MuoIDS - OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv - DefCon Groups List: bit.ly/1JQlNgC - Triada Malware: bit.ly/1qvyFqY - Obfuscation tools list: bit.ly/1XiHf6Z - Security Official Docs: bit.ly/1qvw1BK - Diffie–Hellman Video: bit.ly/23jV7Se - Tools for SA and Hacking: bit.ly/1qvxpUM Additional Information 24
- 25. - Android Security Model - Reality - Vulnerabilities - One more sentence Result 25