Android Open Market Security Issues

Security issues in Android open markets, presented at Global Community Summit 2012.


  1. Android Open Market Place security issues
     SK Planet (SK플래닛), Client SW Dev., 최정필 (Jungpil Choi, jungpil.choi@sk.com)
  2. Good News (1/2)
     • More apps, more downloads
     • More revenue
       – Android Market revenue up 800% (2010 vs. 2009)
  3. Good News (2/2)
     • Tstore
       – 14 million users
       – KRW 10 billion in transactions per month
       – KRW 100 billion in cumulative transactions
       – 1 million downloads per day
       – Games: 75~80% of revenue
     • Samsung/Pantech/Nstore…
  4. Bad News! (1/2)
     • Low purchase rate
       – Fewer paying users than the Apple App Store
         • 29% have ever bought a paid app (Korea, Android)
       – Heavy reliance on freemium / in-app billing (IAB)
  5. Bad News! (2/2)
     • More problems
       – Unauthorized copying (copyright)
       – Rights misappropriation (payment issues)
       – Malicious code
         • Sends SMS
         • Collects IMEI numbers
  6. Why Android? (1/3)
     • Open source / open market
       – Open: ‘mkdir android ; cd android ; repo init -u git://android.git.kernel.org/platform/manifest.git ; repo sync ; make’
       – Rooting: grants every privilege on the system
         • One-click rooting
       – Custom ROMs
         • So mainstream that even online banking supports them -_-;
         • Nothing the phone reports can be trusted – IP/MDN/IMEI/MAC
  7. Why Android? (2/3)
     • Java
       – Bytecode: easy to understand
       – Cost(disassembly) >> Cost(decompile)
       – A long-standing trait of Java
         • Mocha (1996)
       – For Android
         • dex2jar: dex → jar → java (JD-GUI)
         • smali/baksmali: dex → smali → dex
  8. Why Android? (3/3)
     • The Android system itself
       – The Dalvik VM executes dex files
       – Odex file: optimized dex file
       (Diagram labels: dex file, Dalvik Virtual Machine (JIT Compiler), odex file, Storage (reuse), decompile, hijacking)
  9. OMPs ARM
     • Application Rights Management
       – Google: LVL (License Verification Library)
       – Amazon: DRM
  10. OMPs ARM
     • Bypass attack
  11. OMPs ARM
  12. In-app Billing Secure
     • Items could be faked by bytecode modification
       – Apple: IAP Cracker
       (Diagram labels: remove preview, obtain item, level up)
  13. How To Defend?
     • Use an obfuscator
     • Use native code
     • Use your own item server
     • Sorry, find your own solutions!
       – 2011 Google I/O: Evading Pirates and Stopping Vampires using License Verification Library, In-App Billing, and App Engine
       – 2012.4: Code Obfuscation for the Amazon In-App
  14. Conclusion
     • Current Android OMPs are not secure
     • Developers should handle it themselves
     • OMPs will make efforts
       – TStore will be enhanced soon!
       – Google?
         • Business Insider reported that Google is reviewing improvements to the Google Play payment method. … The payment improvements appear to be a strategy for taking responsibility for the whole Android ecosystem. Specific methods have not been disclosed, but…
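Slide 12 shows why a client-side entitlement check is not enough (a patched APK can simply claim the item), and slide 13's "use your own item server" is the answer: the purchase receipt is validated and the item granted on a server the client cannot modify. The following is an added example, not code from the slides or from SK Planet, written in Python because App Engine backends of the period were commonly Python; an HMAC stands in for the store's real RSA receipt signature, the receipt field names only loosely follow Google's in-app billing format, and the key, order ids and product ids are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed demo key. Google Play receipts are really RSA-signed with the
# app's public key; an HMAC stands in for that signature here.
STORE_KEY = b"constructed-demo-signing-key"

# Order ids already redeemed, so a captured receipt cannot grant twice.
_redeemed_orders = set()

def sign_receipt(receipt_json: str) -> str:
    """What the store side would attach to a genuine receipt (test helper)."""
    return hmac.new(STORE_KEY, receipt_json.encode(), hashlib.sha256).hexdigest()

def grant_item(receipt_json: str, signature: str, expected_product: str) -> bool:
    """Server-side entitlement decision for an in-app purchase.

    The client only relays the receipt and its signature; the decision to
    hand out the item is made here, where a modified APK cannot reach.
    """
    # 1. Authenticity first: any byte the client edited (for example flipping
    #    purchaseState in a modified APK) breaks the signature.
    expected = sign_receipt(receipt_json)
    if not hmac.compare_digest(expected, signature):
        return False
    try:
        receipt = json.loads(receipt_json)
    except ValueError:
        return False
    # 2. The receipt must be for the product the client is asking for.
    if receipt.get("productId") != expected_product:
        return False
    # 3. Field names loosely follow Google's receipt; 0 means "purchased".
    if receipt.get("purchaseState") != 0:
        return False
    # 4. Replay: each orderId is consumed exactly once.
    order_id = receipt.get("orderId")
    if not order_id or order_id in _redeemed_orders:
        return False
    _redeemed_orders.add(order_id)
    return True

if __name__ == "__main__":
    # Constructed receipt: a genuine one passes, a re-sent copy is refused.
    genuine = '{"orderId":"ORDER-1","productId":"gold_100","purchaseState":0}'
    sig = sign_receipt(genuine)
    print(grant_item(genuine, sig, "gold_100"), grant_item(genuine, sig, "gold_100"))
```

In production the redeemed-order set lives in the server's datastore rather than in process memory, and the signature check uses the store's public key; the ordering of the checks is the point that carries over.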
