Android App Security: What (not) to do!

  • Thanks for the feedback, glad you liked it! The tool looks pretty interesting, will check it out. Otherwise I would recommend Drozer (https://www.mwrinfosecurity.com/products/drozer/) for analyzing APKs.
  • Very informative, thanks for sharing this. I work in mobile security of Android applications. There is a free Android tool available to check vulnerable components of Android applications. Found it very useful. We have been doing the same job by reverse engineering APK files and extracting the manifest... a tough job. This tool makes life pretty easy. I'm sure people reading this post will find it very useful.

    https://play.google.com/store/apps/details?id=com.trident.appscanner&hl=en

  1. Android App Security: What (not) to do!
  2. About me
     ● Thomas Methlie
     ● Consultant @ Capgemini, Bergen
     ● Member of Vestenfjeldske SikkerhetsCompagnie
     ● CISSP (Associate) certification
  3. Background
     http://android-developers.blogspot.com
  4. Background
     http://android-developers.blogspot.com
  5. The not so good news
     (Chart: % of applications affected by each weakness; bars not recoverable from the slide text)
     ● Overprivileged applications
     ● Information exposure through sent data
     ● Intent spoofing
     ● Use of hardcoded cryptographic keys
     ● Unauthorized intent receipt
     ● Insufficient entropy
  6. Intent spoofing
     ● Public components and senders with weak permissions
     ● A malicious app sends an Intent resulting in data injection or a state change

     Vulnerable manifest declaration: the receiver has an intent-filter, so it is exported by default and any app can send it the action

     <receiver android:name="one.special.receiver">
         <intent-filter>
             <action android:name="one.intent.action" />
         </intent-filter>
     </receiver>
  7. Intent spoofing

     Fix 1: keep the receiver private to the app

     <receiver android:name="one.special.receiver"
               android:exported="false">
         <intent-filter>
             <action android:name="one.intent.action" />
         </intent-filter>
     </receiver>

     Fix 2: export it, but require a permission from the sender

     <receiver android:name="one.special.receiver"
               android:exported="true"
               android:permission="one.permission">
         <intent-filter>
             <action android:name="one.intent.action" />
         </intent-filter>
     </receiver>
  8. Unauthorized Intent Receipt
     ● Given a public (implicit) Intent which doesn't require a strong permission in the receiving component
     ● Intercepted by a malicious app
     ● May leak sensitive data and/or change the control flow

     // Implicit Intent: any app with a matching intent-filter can receive it
     Intent intent = new Intent();
     intent.setAction("a.special.action");
     startActivity(intent);
  9. Unauthorized Intent Receipt

     // Explicit Intent: name the destination component, so no other app is a candidate
     Intent fixedIntent = new Intent();
     fixedIntent.setClassName("pkg.name", "pkg.name.DestinationName");
     startActivity(fixedIntent);

     // Broadcast that is only delivered to receivers holding the named permission
     Intent fixedIntent2 = new Intent();
     fixedIntent2.setAction("a.special.action");
     sendBroadcast(fixedIntent2, "a.special.permission");
  10. Persistent Messages: Sticky broadcasts
     ● Received by all components registered to receive them
     ● Persist in the system even after delivery
       ● Can be removed by anyone with the BROADCAST_STICKY permission
     ● Cannot set permission requirements on the receiver
     ● Can compromise sensitive program data
  11. Persistent Messages: Sticky broadcasts
     ● Use regular broadcasts protected by a receiver permission
     ● Examine the data in broadcast messages
     ● Don't send sensitive data in sticky broadcast messages
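The two patterns from slides 10 and 11 side by side, as an added example that is not part of the slide deck: the sticky broadcast the slide warns against, and the replacement it recommends, a regular broadcast that is permission-protected on the sending side and the receiving side and whose payload is checked before use. The package, permission, action and extra names are assumptions chosen for illustration.

```java
// Added example, not from the slides: the sticky-broadcast pattern the slide
// warns against beside a regular broadcast that is protected on both the
// sending and the receiving side. Package, permission, action and extra names
// are assumptions chosen for illustration.
package com.example.broadcasts;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

public final class SessionBroadcasts {

    // Assumed to be declared in AndroidManifest.xml with signature protection,
    // so only apps signed with the same key can hold it:
    //   <permission android:name="com.example.permission.SESSION"
    //               android:protectionLevel="signature" />
    //   <uses-permission android:name="com.example.permission.SESSION" />
    public static final String PERMISSION_SESSION = "com.example.permission.SESSION";
    public static final String ACTION_SESSION_CHANGED = "com.example.action.SESSION_CHANGED";
    public static final String EXTRA_USER_ID = "user_id";

    public interface SessionListener {
        void onSessionChanged(String userId);
    }

    private SessionBroadcasts() {}

    // What the slide warns against: the Intent stays cached by the system after
    // delivery and is handed to any app that registers for the action later,
    // and sendStickyBroadcast() takes no permission argument at all.
    @SuppressWarnings("deprecation")
    public static void sendStickyInsecure(Context ctx, String userId) {
        Intent intent = new Intent(ACTION_SESSION_CHANGED);
        intent.putExtra(EXTRA_USER_ID, userId);
        ctx.sendStickyBroadcast(intent); // needs BROADCAST_STICKY; avoid
    }

    // Recommended: a regular broadcast delivered only to receivers that hold
    // PERMISSION_SESSION. setPackage() additionally limits delivery to this
    // app's own receivers, so no foreign receiver is considered at all.
    public static void sendProtected(Context ctx, String userId) {
        Intent intent = new Intent(ACTION_SESSION_CHANGED);
        intent.setPackage(ctx.getPackageName());
        intent.putExtra(EXTRA_USER_ID, userId);
        ctx.sendBroadcast(intent, PERMISSION_SESSION);
    }

    // Receiving side: the third argument of this registerReceiver() overload is
    // the permission a *sender* must hold, so a spoofed broadcast from an app
    // without it is never delivered. The payload is still validated before use,
    // as the slide advises.
    public static BroadcastReceiver registerProtected(Context ctx, final SessionListener listener) {
        BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context context, Intent intent) {
                if (!ACTION_SESSION_CHANGED.equals(intent.getAction())) {
                    return;
                }
                String userId = intent.getStringExtra(EXTRA_USER_ID);
                if (userId == null || !userId.matches("[0-9]{1,18}")) {
                    return; // missing or malformed payload: ignore it
                }
                listener.onSessionChanged(userId);
            }
        };
        IntentFilter filter = new IntentFilter(ACTION_SESSION_CHANGED);
        ctx.registerReceiver(receiver, filter, PERMISSION_SESSION, null);
        return receiver;
    }
}
```

Call sendProtected() wherever the app previously called sendStickyBroadcast(); because the message is no longer cached, a component that starts later must ask for the current state through an explicit call rather than relying on a stale sticky Intent. Using a signature-level permission means an attacker's app cannot simply request the permission in its own manifest to get on the delivery list.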
  12. SQL & Query String Injection
     ● delete, execSQL, rawQuery, update, ...
     ● Query String Injection: allows a malicious app to view unauthorized data
       ● But cannot alter data
     ● Data from an untrusted source
     ● Dynamically constructed SQLite query strings
  13. SQL & Query String Injection
     ● Use parametrised queries
     ● Always validate untrusted input

     // MY_COLUMN is a String[] of column names; userid is bound to the '?' placeholder
     Cursor query = userDB.query(MY_TABLE, MY_COLUMN, "userid = ?",
             new String[] {userid}, null, null, null, null);
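Slides 12 and 13 describe both plain SQL injection into a concatenated statement and query string injection, where a ContentProvider forwards a caller's selection text unchanged. The following added example, which is not from the slide deck, shows each weak form beside its parametrised and validated counterpart. The table name, column names and the numeric-id validation rule are assumptions chosen for illustration.

```java
// Added example, not from the slides: a concatenated SQLite query and a
// ContentProvider-style query that passes caller-controlled selection text
// straight through, each beside a parametrised, validated version. Table,
// column and constant names are assumptions chosen for illustration.
package com.example.provider;

import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;

public final class UserQueries {

    static final String TABLE_USERS = "users";
    // Only these columns may ever be returned to a caller (assumed schema).
    static final String[] PUBLIC_COLUMNS = {"userid", "display_name"};

    private UserQueries() {}

    // SQL injection: untrusted input becomes part of the statement text. A value
    // such as  x' OR '1'='1  makes the WHERE clause true for every row.
    public static Cursor lookupInsecure(SQLiteDatabase db, String userId) {
        String sql = "SELECT userid, display_name FROM " + TABLE_USERS
                + " WHERE userid = '" + userId + "'";
        return db.rawQuery(sql, null);
    }

    // Parametrised: the value is bound to the '?' placeholder and is never
    // interpreted as SQL, whatever characters it contains.
    public static Cursor lookupParametrised(SQLiteDatabase db, String userId) {
        return db.query(TABLE_USERS, PUBLIC_COLUMNS, "userid = ?",
                new String[] {userId}, null, null, null, null);
    }

    // Query string injection: in ContentProvider.query() the calling app
    // controls 'projection' and 'selection'. Forwarding them unchanged lets it
    // read rows and columns the provider never meant to expose, for example a
    // projection of {"password_hash"} or a selection of "1=1". As the slide
    // notes, this reads data but cannot alter it.
    public static Cursor providerQueryInsecure(SQLiteDatabase db, String[] projection,
                                               String selection, String[] selectionArgs) {
        return db.query(TABLE_USERS, projection, selection, selectionArgs,
                null, null, null, null);
    }

    // Hardened: the caller's id is validated, the provider's own WHERE clause is
    // always applied first (so any well-formed caller selection only narrows the
    // caller's own rows), caller values only enter as bound arguments, the
    // column list is fixed, and setStrict() makes SQLiteQueryBuilder verify that
    // the selection parses as one well-formed expression, rejecting text that
    // tries to break out of the parentheses (trailing comment, unbalanced quote,
    // nested query).
    public static Cursor providerQueryHardened(SQLiteDatabase db, String callerUserId,
                                               String selection, String[] selectionArgs) {
        if (callerUserId == null || !callerUserId.matches("[0-9]{1,18}")) {
            throw new IllegalArgumentException("userid must be a numeric id");
        }
        String where = "userid = ?";
        String[] args;
        if (selection == null || selection.trim().isEmpty()) {
            args = new String[] {callerUserId};
        } else {
            where += " AND (" + selection + ")";
            int n = selectionArgs == null ? 0 : selectionArgs.length;
            args = new String[n + 1];
            args[0] = callerUserId; // bound to the first '?' in 'where'
            if (n > 0) {
                System.arraycopy(selectionArgs, 0, args, 1, n);
            }
        }
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE_USERS);
        qb.setStrict(true);
        return qb.query(db, PUBLIC_COLUMNS, where, args, null, null, null);
    }
}
```

In a real provider, callerUserId would come from the provider's own notion of who is asking (for example a session lookup keyed on Binder.getCallingUid()), never from the caller's selection text, since the point of the mandatory clause is that the caller cannot widen it. Strict mode catches syntactic tampering; the fixed column list and the mandatory clause are what bound the data a syntactically valid selection can reach.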
  14. More vulnerabilities
     ● Insecure communication
     ● Overprivileged applications
     ● Insecure storage
     ● Insufficient cryptographic entropy
     ● Use of hard-coded cryptographic keys
  15. Sources
     1. Seven ways to hang yourself with Google Android. Y. O'Neil and E. Chin
     2. Veracode State of Software Security v04
     3. http://android-developers.blogspot.com
  16. Thank you for listening!
     @tsmethlie
     no.linkedin.com/in/thomasmethlie
     thomas.methlie@gmail.com
     thomas.methlie@capgemini.com
