
Android app security


Transcript

  • 1. Android Application Security ― Artem Chaykin, Lead Specialist, Web Application Security Team, Positive Technologies ― Positive Hack Days 2013
  • 2. Who am I? ― As the previous slide said, a ptsecurity guy ― Mostly web and mobile application security assessment ― SCADAStrangelove team
  • 3.–4. Intro
  • 5.–12. Application (the same diagram on slides 5–12): Resources, Manifest, Intents (Activity, Service, Broadcast), Permissions, Content providers, Native libs, Classes
  • 13. Hardcoded and forgotten
  • 14. Hardcoded and forgotten
    ― Default/test credentials
    ― Test servers / local IPs
    ― Some cool info
  • 15. File system
  • 16. File system
    ― One app, one UID
    ― 0600 mode for files the app creates through the framework API
    ― 0666 mode for files created with system tools (touch, echo redirection, etc.), because of the shell's default umask
  • 17. File system
    ― World-readable files
    ― Even world-writable ones
    ― SD storage (readable by any app with external storage access, whatever the mode bits say)
  • 18. Ok, it could be worse..
  • 19. File system. How to secure:
    ― Use MODE_PRIVATE for files
    ― Do not create files with system tools (shell commands)
    ― Do not save sensitive data on SD storage
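The check an assessor runs for slides 16–19 is a directory listing of the app's private data and of anything it writes to the SD card, looking at the "other" permission bits. The script below is an added example and not part of the talk: it parses the toolbox-style `ls -l` output an Android 4.x device prints over `adb shell`, turns the symbolic mode into the octal value the slides quote (0600 vs 0666), and flags every world-readable or world-writable file. The package name com.example.bank and both listings are constructed for the example. Files on external storage are reported regardless of their bits, since any app holding external storage access can read them.

```python
import re
from typing import List, Tuple

# Constructed sample of `adb shell ls -l /data/data/com.example.bank/files` (toolbox ls format,
# Android 4.x) for a hypothetical app; session.bin was written with openFileOutput(MODE_PRIVATE),
# creds.txt with `echo ... >` from a shell, accounts.db with MODE_WORLD_READABLE.
LS_DATA_DIR = """\
-rw------- u0_a57   u0_a57      1312 2013-05-20 10:41 session.bin
-rw-rw-rw- u0_a57   u0_a57       884 2013-05-20 10:41 creds.txt
-rw-r--r-- u0_a57   u0_a57     16384 2013-05-20 10:42 accounts.db
drwxrwx--x u0_a57   u0_a57           2013-05-20 10:42 cache
"""

# Constructed sample of the same app's folder on a FAT-formatted SD card: the bits look
# restrictive, but every app with external storage permission is in the sdcard_rw group.
LS_SDCARD = "-rwxrwx--- root     sdcard_rw     512 2013-05-20 10:43 statement.pdf\n"

# toolbox `ls -l`: mode owner group [size] date time name (directories print no size)
LS_LINE = re.compile(
    r"^([-dlcb][rwxstST-]{9})\s+(\S+)\s+(\S+)\s+(?:(\d+)\s+)?"
    r"(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(.+)$")


def symbolic_to_octal(mode: str) -> int:
    """Numeric permission bits of an ls mode string such as '-rw-rw-rw-' (setuid/sticky ignored)."""
    bits = 0
    for i, ch in enumerate(mode[1:10]):
        if ch in "rwxst":          # lowercase s/t mean the x bit is set as well
            bits |= 1 << (8 - i)
    return bits


Finding = Tuple[str, int, str]   # (file name, octal mode, problem)


def audit_app_dir(ls_output: str, path: str) -> List[Finding]:
    """Flag files other apps can reach; `path` is the directory that was listed."""
    on_sdcard = path.startswith(("/sdcard", "/mnt/sdcard", "/storage"))
    findings: List[Finding] = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        mode, name = m.group(1), m.group(6)
        if mode[0] != "-":         # only regular files, directories are out of scope here
            continue
        octal = symbolic_to_octal(mode)
        if on_sdcard:
            findings.append((name, octal, "stored on external storage: readable by any app with external storage access"))
        elif octal & 0o002:
            findings.append((name, octal, "world-writable: any app can tamper with it"))
        elif octal & 0o004:
            findings.append((name, octal, "world-readable: any app can read it"))
    return findings


if __name__ == "__main__":
    for listing, path in ((LS_DATA_DIR, "/data/data/com.example.bank/files"), (LS_SDCARD, "/sdcard/Bank")):
        for name, octal, problem in audit_app_dir(listing, path):
            print("%s/%s (%04o): %s" % (path, name, octal, problem))
```

On a real device, capture the listing with `adb shell ls -l /data/data/<package>/files` (and `databases`, `shared_prefs`) and pass it in; only the "other" bits matter here, because the app's own UID is expected to have access.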
  • 20. logcat
    // Delete before production release
    Log.d("Bank", login + "::" + password);
    ^^ aye, of course
  • 21. logcat ― any app holding android.permission.READ_LOGS could read this (Android versions before 4.1 granted it to third-party apps):
    E/HttpUtil( 9509): >>Response: <?xml version="1.0" encoding="UTF-8"?><result resultCode="200001033" desc="[OSE(551)]httperror:http://10.10.10.10:7711/GET_BALANCE?LOGIN=833477&amp;PASSWORD=222222" /><<
  • 22. logcat. How to secure: do not use it at all
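Slides 13–14 (credentials, test servers and local IPs left in the build) and slides 20–22 (credentials leaking through logcat) are found with the same kind of pass: run a few patterns over the strings of the decompiled app and over a logcat capture. The scanner below is an added example, not tooling from the talk. It understands the `LEVEL/Tag( pid): message` logcat format so that findings name the leaking component, and it reports private (RFC 1918) addresses, credentials in query strings, hardcoded `password=`/`secret=`/`api_key=` assignments and test/dev/staging hostnames. Both inputs are constructed: the strings dump imitates `strings classes.dex` output for a hypothetical com.example.bank app, and the logcat sample reuses the shape of the HttpUtil line from slide 21 with two invented context lines.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed: a few lines as `strings classes.dex` or a decompiler would show them.
STRINGS_DUMP = """\
Lcom/example/bank/net/HttpUtil;
http://10.10.10.10:7711/GET_BALANCE
https://test-api.example-bank.test/api/v2/
password=Qwerty123
Bank
"""

# Constructed: an `adb logcat` capture; the HttpUtil line follows slide 21.
LOGCAT_CAPTURE = """\
I/ActivityManager(  512): Start proc com.example.bank for activity com.example.bank/.LoginActivity: pid=9509
D/Bank    ( 9509): onLogin() ok
E/HttpUtil( 9509): >>Response: <?xml version="1.0" encoding="UTF-8"?><result resultCode="200001033" desc="[OSE(551)]httperror:http://10.10.10.10:7711/GET_BALANCE?LOGIN=833477&amp;PASSWORD=222222" /><<
"""

# RFC 1918 ranges, optionally with a port: test servers and office networks left in the build
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})(?::\d{1,5})?\b")
# credential-looking parameters in a query string (';' covers HTML-escaped '&amp;')
URL_CRED = re.compile(r"(?i)[?&;](login|user(?:name)?|pass(?:word)?|pwd|pin|token)=([^&\s\"'<]+)")
# `password=...` style assignments outside a query string
ASSIGNED_SECRET = re.compile(r"(?i)(?<![?&;])\b(password|passwd|pwd|secret|api_?key)\s*[=:]\s*[\"']?([^\s\"']{3,})")
# URLs pointing at test/dev/staging hosts
TEST_HOST = re.compile(r"(?i)\bhttps?://[\w.-]*(?:test|dev|staging|qa)[\w.-]*\.[a-z]{2,}")
# logcat "brief" format: LEVEL/Tag( pid): message
LOGCAT_LINE = re.compile(r"^([VDIWEF])/([^(]+?)\s*\(\s*(\d+)\):\s*(.*)$")

DETECTORS = [
    ("private-ip", PRIVATE_IP),
    ("url-credential", URL_CRED),
    ("hardcoded-secret", ASSIGNED_SECRET),
    ("test-host", TEST_HOST),
]

Finding = Tuple[str, str, str]   # (where, kind, evidence)


def scan_text(text: str, source: str) -> List[Finding]:
    """Run every detector over each line; logcat lines are attributed to their tag and pid."""
    findings: List[Finding] = []
    for line in text.splitlines():
        body, where = line, source
        m = LOGCAT_LINE.match(line)
        if m:
            level, tag, pid, body = m.groups()
            where = "%s %s/%s(%s)" % (source, level, tag.strip(), pid)
        for kind, rx in DETECTORS:
            for hit in rx.finditer(body):
                findings.append((where, kind, hit.group(0)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Number of hits per finding kind, for a quick triage view."""
    return dict(Counter(kind for _, kind, _ in findings))


if __name__ == "__main__":
    for src, text in (("strings", STRINGS_DUMP), ("logcat", LOGCAT_CAPTURE)):
        for where, kind, evidence in scan_text(text, src):
            print("%-32s %-16s %s" % (where, kind, evidence))
```

For a real assessment, feed it `strings classes.dex` (or the output of a decompiler over the whole source tree) and `adb logcat -d`; the logcat findings carry the tag and pid, which is what you need to locate the offending Log call in the decompiled code.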
  • 23. SQLite & contentproviders
  • 24. SQLite & content providers
    ― SQLite3 databases live under /data/data/app.name/databases/
    ― load_extension() is disabled :(
    ― SQL injection… will talk later
    ― Private database
  • 25. SQLite & content providers
    ― Content provider: an API to make your database public or semi-public
    ― Exported and public by default (for apps targeting API level 16 or lower; from API 17 the default is not exported)
    ― File access API
    ― Example: content://sms
  • 26. SQLite & content providers. How to secure:
    ― android:exported="false" unless other apps really need the provider
    ― if it must stay reachable, require a custom permission declared with android:protectionLevel="signature"
    ― android:grantUriPermissions="true" with <grant-uri-permission> entries, to hand out access to individual URIs instead of exporting the whole provider
  • 27. Intents
  • 28. Intents ― Intent → Activity, Service, Broadcast
  • 29. Activity ― This is a Facebook activity -> This is what you interact with
  • 30.–32. Service ― This is a Facebook service -> Really, here it is. ― Background work: sync, upload, download, etc.
  • 33. Broadcast ― Battery low: the system sends the broadcast ACTION_BATTERY_LOW ― Application 1: alerts "Battery low" ― Application 2: stops sync
  • 34. Manifest
    ― Look for android:debuggable="true"
    ― Components carry android:exported="true|false"
    ― Components with an <intent-filter> are exported by default
  • 35. Intents ― Exported components can be called from third-party apps
    ― Activity: startActivity(), startActivityForResult()
    ― Service: startService()
    ― Broadcast: sendBroadcast()
  • 36. Intents ― Third-party apps can send "extras" and a "data" URI to your components
    ― extras: string, integer, long, float, boolean, uri, ComponentName, ...
    ― data: wrapper://host/path?query
  • 37. Intents. How to secure:
    ― Set android:exported="false" on every component that does not have to be public
    ― Set permissions for sending and receiving broadcasts
    ― Validate the extras and data sent to your components; treat them as untrusted input
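Slides 26, 34 and 37 all come down to reading AndroidManifest.xml: is the app debuggable, which components are exported (explicitly, or implicitly through an <intent-filter>, or because a provider predates API 17), and does an exported component at least require a signature-level permission. The auditor below is an added example, not code from the talk; it applies those rules to a manifest extracted from an APK. Both manifests are constructed for a hypothetical com.example.bank app: the first shows the weak settings the slides warn about, the second the same app after the advice is applied. The launcher activity is skipped on purpose, since it has to be exported.

```python
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
SIGNATURE_LEVELS = ("signature", "signatureOrSystem")


def attr(name: str) -> str:
    """ElementTree key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def audit_manifest(manifest_xml: str) -> List[str]:
    """Findings for the debuggable flag, exported components and weak component permissions."""
    root = ET.fromstring(manifest_xml)
    findings: List[str] = []
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(uses_sdk.get(attr("targetSdkVersion"), "1")) if uses_sdk is not None else 1
    # protectionLevel of each permission the manifest declares itself (the default level is "normal")
    declared = {p.get(attr("name")): p.get(attr("protectionLevel"), "normal") for p in root.findall("permission")}
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    if app.get(attr("debuggable")) == "true":
        findings.append("application is debuggable: anyone with adb access can attach a debugger and read its data")
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(attr("name"))
        filters = comp.findall("intent-filter")
        exported_attr = comp.get(attr("exported"))
        if exported_attr is not None:
            exported = exported_attr == "true"
        elif comp.tag == "provider":
            exported = target_sdk < 17        # providers were exported by default before API 17
        else:
            exported = bool(filters)           # an intent-filter exports the component by default
        if not exported:
            continue
        if any(c.get(attr("name")) == "android.intent.category.LAUNCHER"
               for f in filters for c in f.findall("category")):
            continue                           # the launcher activity must be exported
        guards = [g for g in (comp.get(attr(k)) for k in ("permission", "readPermission", "writePermission")) if g]
        how = "explicitly" if exported_attr is not None else "by default"
        if not guards:
            findings.append("%s %s is exported %s and requires no permission" % (comp.tag, name, how))
            continue
        for perm in guards:
            level = declared.get(perm)
            if level is None:
                findings.append("%s %s requires %s, not declared here: verify it is a platform permission" % (comp.tag, name, perm))
            elif level not in SIGNATURE_LEVELS:
                findings.append("%s %s requires %s with protectionLevel=%s: any app can request it" % (comp.tag, name, perm, level))
    return findings


# Constructed manifest with the problems the slides describe (hypothetical app).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <permission android:name="com.example.bank.permission.BALANCE" android:protectionLevel="normal"/>
  <application android:debuggable="true">
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/><data android:scheme="bank"/></intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <receiver android:name=".BalanceReceiver" android:permission="com.example.bank.permission.BALANCE">
      <intent-filter><action android:name="com.example.bank.BALANCE_UPDATED"/></intent-filter>
    </receiver>
    <provider android:name=".AccountsProvider" android:authorities="com.example.bank.accounts"/>
  </application>
</manifest>"""

# The same manifest after applying the advice from slides 26 and 37.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="17"/>
  <permission android:name="com.example.bank.permission.BALANCE" android:protectionLevel="signature"/>
  <application android:debuggable="false">
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BalanceReceiver" android:exported="true" android:permission="com.example.bank.permission.BALANCE">
      <intent-filter><action android:name="com.example.bank.BALANCE_UPDATED"/></intent-filter>
    </receiver>
    <provider android:name=".AccountsProvider" android:authorities="com.example.bank.accounts" android:exported="false" android:grantUriPermissions="true">
      <grant-uri-permission android:pathPrefix="/statements/"/>
    </provider>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest) or ["no findings"])
```

The manifest inside an APK is binary XML; decode it first (apktool, or aapt dump xmltree) and feed the text form to audit_manifest(). Anything the auditor reports as exported is a component you can then drive from a third-party app with the extras and data URIs from slide 36, which is where the input validation from slide 37 has to hold.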
  • 38. Client-server: SSL, MitM, intercepting, sniffing, spoofing, cats, and more client vulns.
  • 39. Client-server ― JSON ― XML (SOAP) ― Simple POST ― Even query strings
  • 40. Client-server
  • 41. End of the talk. Thank you for your attention. Artem Chaykin ― achaykin@ptsecurity.com ― @a_chaykin