Android security
Reference GDGAhmedabad
Slide 1: Android Security
Developing Secure App

Slide 2: Secure Coding Guidelines
• Such guidelines even exist?
• Who cares! No one's gonna hack my app.
• Let's finish this project anyhow!!!

Slide 3: Secure Coding Guidelines
• Computer Emergency Response Team (CERT)
• Expert groups that handle computer/IT security incidents.
• Issued Android Secure Coding Guidelines.
• Mission: "We reduce the number of vulnerabilities to a level that can be fully mitigated in operational environments."

Slide 4: Packaging

Slide 5: Attack Vectors in Android

Slide 6: Attack Vectors

Slide 7: Attack Vectors
• Mounting SD Card in PC
• Malicious App
• Network Attack
• Malicious File Attack
• User’s Unawareness
• USB Debugging
• Root permissions!! (Can do anything)

Slide 8: Security Policy in Android

Slide 9: Unix Security Policy
1. Process Isolation
2. Hardware Isolation
3. User Permission Model
4. R/W/X Permissions to file
5. Secure IPC

Slide 10: Android Security Policy
1. Application Isolation
2. Sandbox of Application
3. Secure Communication
4. Signing the Application
5. Permission model of Application

Slide 11: To Do's To Secure Apps

Slide 12: Avoid Simple Logics

Version 1 (integer flag):

    private void validate() {
        if (mLoginAccess == 1) {
            // TODO: update user.
        }
    }

Version 2 (boolean compared against true):

    private void validate() {
        if (mLogin.hasAccess == true) {
            // TODO: update user.
        }
    }

Version 3 (boolean used directly):

    private void validate() {
        if (mLogin.hasAccess) {
            // TODO: update user.
        }
    }
Slide 13: Test 3rd Party Libraries!
• Caution: Developers rely heavily on third-party libraries. It is important to thoroughly probe and test these as you test your own code. Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested; however, issues can and do exist in their code.

Slide 14: Use Encryption
• Caution: External storage can become unavailable if the user mounts the external storage on a computer or removes the media, and there's no security enforced upon files you save to the external storage. All applications can read and write files placed on the external storage and the user can remove them.
http://developer.android.com/guide/topics/data/data-storage.html

Slide 15: But How to Encrypt? To Secure Apps

Slide 16: How to Encrypt or Encode?
1. Encode Shared Preferences
2. Encrypt SQLite: SQLCipher
3. Encrypt Network: TLS
4. Data Encryption: Facebook’s Conceal Library
5. MD5, SHA Sensitive Data
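As an added example (not from the slides, and not the author's or any library's code), the following Java class shows items 1 and 4 of slide 16 done with plain JCE: a SharedPreferences value is encrypted with AES/GCM before it is stored, so a tampered entry is detected on read. It also shows the practical form of item 5: a sensitive value such as a PIN is stored as a salted PBKDF2 hash rather than a bare MD5 or SHA digest, because an unsalted fast hash of a short input can be reversed by table lookup from a dumped preferences file. The AES key, the token string and the PIN are constructed for the demo; a real app would generate the AES key inside the Android Keystore rather than in memory. PBKDF2WithHmacSHA256 is available on Android 8.0 (API 26) and newer; older versions offer PBKDF2WithHmacSHA1.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;

public class PrefCrypto {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private static final SecureRandom RNG = new SecureRandom();

    // Encrypts one preference value. Output is base64(iv || ciphertext || tag),
    // a single string that fits a normal SharedPreferences entry.
    static String encryptPref(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                                  // fresh random IV per value, never reused
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Decrypts a stored value. GCM throws AEADBadTagException if the entry was modified.
    static String decryptPref(SecretKey key, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, in, 0, GCM_IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] pt = c.doFinal(in, GCM_IV_BYTES, in.length - GCM_IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Salted, slow hash for a sensitive value (PIN, answer to a question). The salt is
    // stored next to the hash; the iteration count makes offline guessing expensive.
    static byte[] hashSensitive(char[] secret, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(secret, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();   // demo only: a real app keeps this key in AndroidKeyStore

        String token = "session-token-123"; // constructed sample value
        String stored = encryptPref(key, token);
        System.out.println("stored value   : " + stored);
        System.out.println("decrypted      : " + decryptPref(key, stored));

        // Tampering detection: flip one ciphertext byte and GCM refuses to decrypt.
        byte[] raw = Base64.getDecoder().decode(stored);
        raw[raw.length - 1] ^= 0x01;
        try {
            decryptPref(key, Base64.getEncoder().encodeToString(raw));
            System.out.println("tampered value decrypted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("tampered value : rejected (" + e.getClass().getSimpleName() + ")");
        }

        // Sensitive value: store salt + hash, never the PIN itself.
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] pinHash = hashSensitive("1234".toCharArray(), salt);   // constructed sample PIN
        System.out.println("pin hash       : " + Base64.getEncoder().encodeToString(pinHash));
        // Later verification recomputes with the stored salt and compares in constant time.
        boolean ok = MessageDigest.isEqual(pinHash, hashSensitive("1234".toCharArray(), salt));
        System.out.println("pin verifies   : " + ok);
    }
}
```

The IV is prepended to the ciphertext so that each stored string is self-describing; the GCM tag covers both, so editing the stored value in a rooted device's shared_prefs directory yields a decryption error rather than a silently altered setting.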
Slide 17: To be Secured
1. Secure Intents
2. Secure WebView
3. Secure Logs
4. Secure Intent Leaks
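The four points of slide 17 in one Android activity, as an added example that is not the slides' or the author's code. It assumes the standard framework classes (android.content.Intent, android.net.Uri, android.webkit.WebView, android.util.Log); SettingsActivity is a hypothetical activity of the same app, the extra name "url" and the host www.example.com are constructed for the demo, and the code is meant to be read alongside an android:exported="false" declaration in the manifest for every component that other apps do not need to reach.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebSettings;
import android.webkit.WebView;

public class HardenedWebActivity extends Activity {
    private static final String TAG = "HardenedWebActivity";
    private static final String TRUSTED_HOST = "www.example.com";  // assumption: the app's own content host
    static final String EXTRA_URL = "url";                         // constructed extra name for the demo

    // 1. Secure Intents: name the target class explicitly, so no other app that declares
    //    the same action can receive the intent (and the extras carried in it).
    void openSettings(String sessionId) {
        Intent i = new Intent(this, SettingsActivity.class);   // SettingsActivity: hypothetical activity of this app
        i.setPackage(getPackageName());                        // refuse delivery outside this package
        i.putExtra("session", sessionId);
        startActivity(i);
    }

    // 4. Secure Intent Leaks, receiving side: an extra from another app is untrusted input.
    //    Only an https URL on the app's own host is accepted.
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && TRUSTED_HOST.equalsIgnoreCase(u.getHost());
    }

    // 2. Secure WebView: switch off what the content does not need before loading anything.
    static void harden(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(false);                 // enable only for pages that truly need it
        s.setAllowFileAccess(false);                   // web content must not read file://
        s.setAllowContentAccess(false);                // nor content:// providers
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
    }

    // 3. Secure Logs: logcat is readable over ADB and, on old Android versions, by other apps
    //    holding READ_LOGS. Log the event, not the data (no URL, no token, no user name).
    static void logRejected(String url) {
        Log.w(TAG, "rejected untrusted url, length=" + (url == null ? 0 : url.length()));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String url = getIntent().getStringExtra(EXTRA_URL);
        if (!isTrustedUrl(url)) {
            logRejected(url);
            finish();                                  // do not render anything from an untrusted intent
            return;
        }
        WebView wv = new WebView(this);
        harden(wv);
        setContentView(wv);
        wv.loadUrl(url);
    }
}
```

The validation in isTrustedUrl is deliberately an allow-list (scheme and host must both match) rather than a block-list of bad prefixes, and the rejected-URL log line carries only the length so that a hostile URL cannot smuggle data into logcat.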
Slide 18: Code Obfuscation
1. ProGuard
2. Don't include unused classes and libraries
3. Difficult to protect from Smali decompilation

Slide 19: To Use
1. Use of Tokens for Authentication
2. Use of HTTPS!
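An added example (not from the slides, and not the author's code) that ties slide 12 ("Avoid Simple Logics") to the two points of slide 19: the authorization decision is taken on the server against an HMAC-signed token, so a client-side flag like mLoginAccess that can be flipped by patching the Smali has nothing to decide; and the client refuses to attach the token to anything but an HTTPS request. The server side is simulated in the same class so the example runs on a plain JVM; the secret, the user name, the expiry and the URL are constructed values, and no network connection is opened (openConnection only prepares the request).

```java
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.HttpsURLConnection;

public class TokenAuth {

    // ---- Server side (simulated here so the example runs offline; this secret never ships in the APK) ----
    private static final byte[] SERVER_SECRET =
            "constructed-demo-secret-not-for-real-use".getBytes(StandardCharsets.UTF_8);

    // Token = payload "." base64url(HMAC-SHA256(payload)), with payload = user "|" expiry-millis.
    static String issueToken(String user, long expiresAtMillis) throws Exception {
        String payload = user + "|" + expiresAtMillis;
        return payload + "." + b64(hmac(payload));
    }

    // The real authorization decision: signature valid and token not expired.
    // Nothing the client patches in its own code changes the outcome of this check.
    static boolean serverAccepts(String token, long nowMillis) {
        try {
            int dot = token.lastIndexOf('.');
            if (dot < 0) return false;
            String payload = token.substring(0, dot);
            byte[] given = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            if (!MessageDigest.isEqual(given, hmac(payload))) return false;  // constant-time compare
            long expiresAt = Long.parseLong(payload.substring(payload.lastIndexOf('|') + 1));
            return nowMillis < expiresAt;
        } catch (Exception e) {   // malformed token, bad base64, null: all mean "no"
            return false;
        }
    }

    private static byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SERVER_SECRET, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // ---- Client side (the app) ----
    // No local "hasAccess" flag: the app keeps the token and lets the server decide.
    // The request is refused unless the URL is HTTPS, so the bearer token never travels in the clear.
    static HttpsURLConnection authorizedRequest(String url, String token) throws Exception {
        URL u = new URL(url);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IllegalArgumentException("refusing to send a token over " + u.getProtocol());
        }
        HttpsURLConnection conn = (HttpsURLConnection) u.openConnection(); // nothing is sent yet
        conn.setRequestProperty("Authorization", "Bearer " + token);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String token = issueToken("alice", now + 60_000);   // constructed user, valid for 60 s
        System.out.println("valid token accepted   : " + serverAccepts(token, now));

        // A rewritten payload (user changed) fails the HMAC check; an old token fails the expiry check.
        String forged = "admin" + token.substring("alice".length());
        System.out.println("forged token accepted  : " + serverAccepts(forged, now));
        System.out.println("expired token accepted : " + serverAccepts(token, now + 120_000));

        HttpsURLConnection conn = authorizedRequest("https://api.example.com/me", token);
        System.out.println("request prepared for   : " + conn.getURL());
        try {
            authorizedRequest("http://api.example.com/me", token);
        } catch (IllegalArgumentException e) {
            System.out.println("plain HTTP refused     : " + e.getMessage());
        }
    }
}
```

MessageDigest.isEqual is used instead of Arrays.equals so that the signature comparison does not leak how many leading bytes matched, and every parsing failure collapses to "not authorized" rather than to an exception the client could distinguish.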
Slide 20: Our Evils
1. ADB
2. Malicious Applications
3. Unprotected Network
4. Sniffers

Slide 21: Our Friends
1. Android Fuzzers
2. Xposed Framework
3. Drozer
4. APKtool or any other Static Analysis Tool
5. Penetration Tools for Android
6. and Many more...

Slide 22: Thank you! @DearDhruv