How do you write a secure Android application? How do you protect the code and the data? There are no definitive, unassailable solutions; whatever solution you choose, its robustness and effectiveness must be verified. We write code with a Developer's mindset, but we can verify it only with a Hacker's methods. Let's look at a few of them together.
5. Farmer | Hunter
Inductive | Deductive
Constructive | Deconstructive
Programming skills | Reverse Engineering
Good Practice | Lateral Thinking
Design then code | Laziness
RTFM | Subvert the manual
Frameworks and libs | Shortcut
Conservative | Incautious
High level lang | Low level lang
6. Developer | Hacker
Inductive | Deductive
Constructive | Deconstructive
Programming skills | Reverse Engineering
Good Practice | Lateral Thinking
Design then code | Laziness
RTFM | Subvert the manual
Frameworks and libs | Shortcut
Conservative | Incautious
High level lang | Low level lang
7. Abstract
How to write a secure Android Application
No, I'm kidding
Applications are not secure.
Write code as a Developer
Verify its strength as a Hacker
15. Android Security
Permissions managed during installation
Permissions asked when needed
Installation authorised only by the PlayStore
Linux is OpenSource
28. Defence
Secure by design
Anti reversing
- code obfuscation
- native code
- string encryption
- class encryption
- apk integrity check
- signature check
29. Secure by Design
Execution depends on external check
Secrets are not persisted
Secrets are server side
Secure server access
30. Code obfuscation
proguard: free, low security
dexguard: very expensive, very good security (one licence per package)
allatori: out of the shelf, good security
dexprotect: average price, very good security
32. Binary library
#include <jni.h>
#include <string>

extern "C" JNIEXPORT jstring JNICALL
Java_it_sicurieffetti_codemotion2018_MainActivity_stringFromJNI(
        JNIEnv *env,
        jobject /* this */) {
    // my api key, can be encoded or obfuscated
    std::string hello = "98574632987345";
    return env->NewStringUTF(hello.c_str());
}
33. Binary library
import android.support.v7.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {
    // Used to load the 'native-lib' library on application startup.
    static {
        System.loadLibrary("native-lib");
    }

    /**
     * A native method that is implemented by the 'native-lib' native library,
     * which is packaged with this application.
     */
    public native String stringFromJNI();

    // The key lives in the native library, not as a Java constant in the dex.
    String key = stringFromJNI();
}
From the specific object, it induces the class that generalizes it
From the general problem, it deduces the critical case
Discretional Access Control
Mandatory Access Control
Falsifiability.
However numerous they may be, the experimental observations in favour of a theory can never prove it definitively, and a single experimental refutation is enough to disprove it.
We are all a bit hunter and a bit farmer, depending on the occasion.
This personality must be brought out in the various phases.