1. Android Application Security
   Artem Chaykin, Lead Specialist, Web Application Security Team, Positive Technologies
   Positive Hack Days 2013
2. What am I?
   ― As the previous slide said, a ptsecurity guy
   ― Mostly web and mobile application security assessment
   ― SCADAStrangelove Team
3–4. Intro
5–12. Application (component overview)
   ― Resources
   ― Manifest
   ― Intents: Activity, Service, Broadcast
   ― Permissions
   ― Content providers
   ― Native libs
   ― Classes
13–14. Hardcoded and forgotten
   ― Default/test credentials
   ― Test servers / local IPs
   ― Some cool info
15–16. File system
   ― One app – one UID
   ― 0600 mask for new files
   ― 0666 mask for new files created with system tools (touch, echo, etc.)
17. File system
   ― World-readable files
   ― Even world-writable ones..
   ― SD storage
18. Ok, it could be worse..
19. File system. How to secure:
   ― Use MODE_PRIVATE for files
   ― Do not use system tools
   ― Do not save sensitive data on SD storage
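The "how to secure" list above is what the developer should do; the review-side check that goes with slides 16–17 is to look at what is actually sitting in the app's data directory. The following is an added example, not code from the slides: it parses the long-format output of `ls -l` taken inside an app's private directory and reports every regular file whose mode grants "other" read or write access, i.e. the 0666 files left behind by shell tools instead of the 0600 the Android API gives. Python is used here because this is assessment tooling rather than app code. The listing, package, file names and UID are constructed sample data.

```python
"""Flag files in an app's data directory that other UIDs can read or write.

Added example, not from the original slides. Parses `ls -l` output from an
app's private directory and reports files readable or writable by 'other'.
"""
import re
from typing import Dict, List

# Constructed sample listing; not captured from any real device.
SAMPLE_LISTING = """\
-rw------- u0_a71 u0_a71 4096 2013-05-23 10:11 prefs.xml
-rw-rw-rw- u0_a71 u0_a71  512 2013-05-23 10:12 session.txt
-rw-r--r-- u0_a71 u0_a71 2048 2013-05-23 10:13 cache.db
drwx------ u0_a71 u0_a71 4096 2013-05-23 10:14 databases
"""

# type + 9 permission chars, owner, group, size, date, time, name
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def mode_to_octal(mode: str) -> int:
    """Turn "-rw-rw-rw-" into 0o666; uppercase S/T mean the x bit is clear."""
    bits = 0
    for ch in mode[1:]:          # skip the file-type character
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits


def audit_listing(listing: str) -> List[Dict[str, object]]:
    """Return one finding per regular file readable or writable by 'other'."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m or m.group("mode")[0] != "-":
            continue             # directories, symlinks, unparsable lines
        mode = mode_to_octal(m.group("mode"))
        issues = []
        if mode & 0o004:
            issues.append("world-readable")
        if mode & 0o002:
            issues.append("world-writable")
        if issues:
            findings.append({"name": m.group("name"),
                             "mode": f"{mode:04o}", "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f['mode']} {f['name']}: {', '.join(f['issues'])}")
```

Run it against a listing captured from the device under test; prefs.xml (0600, as MODE_PRIVATE produces) is silent, while session.txt (0666) and cache.db (0644) are reported. Files on SD storage are world-readable by construction, so the same check does not apply there; anything sensitive found under /sdcard is a finding on its own.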
20. logcat
       // Delete before production release
       Log.d("Bank", login + "::" + password);
   ^^ aye, of course
21. logcat
   android.permission.READ_LOGS
   E/HttpUtil( 9509): >>Response: <?xml version=1.0encoding=UTF-8?><result resultCode="200001033"desc="[OSE(551)]httperror:http://10.10.10.10:7711/GET_BALANCE?LOGIN=833477&amp;PASSWORD=222222" /><<
22. logcat. How to secure:
   Do not use it at all
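Slides 20–21 show two ways credentials end up in logcat: a debug `Log.d()` that concatenates the password, and an HTTP helper that logs a full response including the request URL. The following is an added example, not code from the slides: it parses lines in the logcat "brief" format (`PRIORITY/TAG( PID): message`), flags messages that carry credential-like `key=value` pairs or a known test secret, and redacts the values so the triage report does not become a second copy of the leak. The sample lines are constructed; the HttpUtil line is modelled on the one on slide 21, and the "Bank" line on the `Log.d()` call from slide 20.

```python
"""Detect credentials leaking through logcat.

Added example, not from the original slides. Scans logcat 'brief' lines for
sensitive key=value pairs and known secrets, and redacts them in the output.
"""
import re
from typing import Dict, List, Sequence

# Constructed sample log; the HttpUtil line is modelled on slide 21.
SAMPLE_LOGCAT = """\
D/dalvikvm( 9509): GC_CONCURRENT freed 402K, 7% free 8000K/8583K
D/Bank    ( 9509): john.doe::s3cret!
E/HttpUtil( 9509): >>Response: <result resultCode="200001033" desc="httperror:http://10.10.10.10:7711/GET_BALANCE?LOGIN=833477&amp;PASSWORD=222222" /><<
I/ActivityManager(  312): Displayed com.example.bank/.MainActivity: +512ms
"""

# PRIORITY/TAG( PID): message
BRIEF_LINE = re.compile(
    r"^(?P<prio>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$"
)

# Parameter names that should never appear together with a value in a log.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "pin", "secret", "token", "session", "login")
KEY_VALUE = re.compile(
    r"(?P<key>" + "|".join(SENSITIVE_KEYS) + r")\s*=\s*(?P<val>[^&\s\"'<>;]+)",
    re.IGNORECASE,
)


def redact(msg: str, known_secrets: Sequence[str]) -> str:
    """Replace sensitive values and known secrets so the report is safe to store."""
    msg = KEY_VALUE.sub(lambda m: f"{m.group('key')}=<redacted>", msg)
    for secret in known_secrets:
        msg = msg.replace(secret, "<redacted>")
    return msg


def scan_logcat(text: str, known_secrets: Sequence[str] = ()) -> List[Dict[str, object]]:
    """Return one finding per log line that exposes a credential.

    known_secrets: the test-account values the reviewer typed into the app,
    so they can be searched for literally (catches the slide-20 style leak).
    """
    findings = []
    for line in text.splitlines():
        m = BRIEF_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        reasons = [f"parameter '{k.group('key')}'" for k in KEY_VALUE.finditer(msg)]
        reasons += ["known secret" for s in known_secrets if s in msg]
        if reasons:
            findings.append({
                "tag": m.group("tag").strip(),
                "pid": m.group("pid"),
                "reasons": reasons,
                "redacted": redact(msg, known_secrets),
            })
    return findings


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT, known_secrets=("s3cret!",)):
        print(f"{f['tag']}({f['pid']}): {', '.join(f['reasons'])} -> {f['redacted']}")
```

Feed it `adb logcat -v brief -d` output from a device running the build under review. Any hit is a finding regardless of log level, because on the API levels the slide targets any app holding `android.permission.READ_LOGS` can read the whole buffer.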
23–24. SQLite & content providers
   SQLite3
   ― /data/data/app.name/databases/
   ― load_extension() disabled :(
   ― SQL injection… will talk later
   ― Private database
25. SQLite & content providers
   Content provider:
   ― API to make your database public/semi-public
   ― Exported and public by default
   ― File access API
   ― Examples: content://sms
26. SQLite & content providers. How to secure:
   android:exported="false"
   android:protectionLevel="signature"
   android:grantUriPermissions="true"
27–28. Intents
   Intent -> Activity, Service, Broadcast
29. Activity
   This is a Facebook activity -> This is what you can interact with
30–32. Service
   This is a Facebook service -> Really, here it is.
   Background work: sync, upload, download, etc.
33. Broadcast
   Battery low. The system sends the broadcast ACTION_BATTERY_LOW:
   ― Application 1: alerts "Battery low"
   ― Application 2: stops sync
34. Manifest
   ― Look for android:debuggable="true"
   ― Intents: "exported" = (true|false)
   ― Intents with <intent-filter> are exported by default
35. Intents
   Exported intents can be called from third-party apps:
   ― Activity: startActivity(), startActivityForResult()
   ― Service: startService()
   ― Broadcast: sendBroadcast()
36. Intents
   Third-party apps can send "extra" and "data://" to intents
   ― extra: string, integer, long, float, boolean, uri, componentname
   ― data: wrapper://host/path?query
37. Intents. How to secure:
   ― Set "exported" to false for all intents
   ― Set permissions for broadcast receiving/delivering
   ― Validate extra data sent to intents
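Slides 25–26 and 34–37 together give the manifest checklist: `android:debuggable`, components that are exported explicitly or implicitly through an `<intent-filter>`, providers exported by default, and permissions that should carry `protectionLevel="signature"`. The following is an added example, not code from the slides: it reads an AndroidManifest.xml and applies those rules, resolving each exported component's `android:permission` against the `<permission>` declarations in the same manifest. The launcher activity (MAIN/LAUNCHER) is skipped because it is exported on purpose. The manifest, package name and component names are constructed; the provider default follows the slide's statement that providers are exported unless told otherwise, which is the behaviour on the API levels the talk covers.

```python
"""Audit an AndroidManifest.xml for the exposure points listed on the slides.

Added example, not from the original slides. Reports debuggable builds,
exported components without a permission, and permissions whose
protectionLevel is weaker than 'signature'.
"""
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest; package and component names are made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <permission android:name="com.example.bank.PROVIDER" android:protectionLevel="signature"/>
  <permission android:name="com.example.bank.WEAK" android:protectionLevel="normal"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter><action android:name="com.example.bank.TRANSFER"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".SmsReceiver" android:permission="com.example.bank.WEAK">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <provider android:name=".AccountsProvider" android:authorities="com.example.bank.accounts"/>
    <provider android:name=".SafeProvider" android:authorities="com.example.bank.safe"
              android:exported="true" android:permission="com.example.bank.PROVIDER"
              android:grantUriPermissions="true"/>
  </application>
</manifest>
"""


def attr(el: ET.Element, name: str):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(el: ET.Element) -> bool:
    """Effective exported state: explicit attribute wins, otherwise the defaults."""
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if el.tag == "provider":
        return True   # slide 25: providers are exported by default (older API levels)
    return el.find("intent-filter") is not None   # slide 34: intent-filter => exported


def is_launcher(el: ET.Element) -> bool:
    """True for the MAIN/LAUNCHER activity, which is meant to be exported."""
    for f in el.findall("intent-filter"):
        actions = {attr(a, "name") for a in f.findall("action")}
        cats = {attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def audit_manifest(xml_text: str) -> List[str]:
    """Return human-readable findings in document order."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    app = root.find("application")
    if app is None:
        return findings
    if (attr(app, "debuggable") or "").lower() == "true":
        findings.append('application: android:debuggable="true"')
    # protectionLevel defaults to "normal" when the <permission> omits it
    levels = {attr(p, "name"): attr(p, "protectionLevel") or "normal"
              for p in root.findall("permission")}
    for el in app.iter():
        if el.tag not in COMPONENTS or not is_exported(el):
            continue
        if el.tag == "activity" and is_launcher(el):
            continue
        name = attr(el, "name")
        perm = attr(el, "permission")   # read/writePermission on providers not handled here
        if perm is None:
            findings.append(f"{el.tag} {name}: exported without android:permission")
        elif perm not in levels:
            findings.append(f"{el.tag} {name}: permission {perm} is not declared in this manifest")
        elif levels[perm] not in ("signature", "signatureOrSystem"):
            findings.append(f"{el.tag} {name}: permission {perm} has protectionLevel={levels[perm]}, not signature")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

SafeProvider is exported but guarded by a signature-level permission, so it produces no finding; AccountsProvider is reported because it has no `android:exported` attribute at all and therefore falls under the slide-25 default. A manifest pulled from an APK has to be decoded from binary XML first (for example with apktool) before this script can read it.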
38. Client-server, SSL, MiTM, intercepting, sniffing, spoofing, cats, and more client vulns.
39. Client-server
   ― JSON
   ― XML (SOAP)
   ― Simple POST
   ― Even query string
40. Client-server
41. End of the talk. Thank you for your attention.
   Artem Chaykin
   achaykin@ptsecurity.com
   @a_chaykin