'SecureMe - Droid' Android Security Application by Vishal Asthana
Report
OWASP DelhiFollow
Security Researcher at Adobe, Chapter Leader at OWASP & nullDec. 5, 2015•0 likes•533 views
'SecureMe - Droid' Android Security Application by Vishal Asthana
Dec. 5, 2015•0 likes•533 views
Download to read offline
Report
Technology
OWASP Delhi October Meet - 'SecureMe - Droid' Android Security Application by Vishal Asthana
OWASP DelhiFollow
Security Researcher at Adobe, Chapter Leader at OWASP & nullRecommended
From rogue one to rebel alliance by Peter ChestnaDevSecCon
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon
SC conference - Building AppSec TeamsDinis Cruz
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
Application Security within AgileNetlight Consulting
More Related Content
Slideshows for you
Adopsi Open SAMM untuk Pengembangan Tata Kelola Pengamanan Perangkat Lunak Directorate of Information Security | Ditjen Aptika
Devops: Security's big opportunity by Peter ChestnaDevSecCon
Life as an enterprise security geek from underground. (What enterprises want ...LINE Corporation
Shifting left – embedding security into the devops pipeline by Mike d. KailDevSecCon
Simplify Dev with Complicated Security ToolsKevin Fealey
Owasp summit 2017 Dinis Cruz
![[OWASP Poland Day] Security knowledge framework](https://cdn.slidesharecdn.com/ss_thumbnails/skf-preso-171004061039-thumbnail.jpg?width=2048&height=1162&fit=bounds)
Viewers also liked
Security in Android Applications / Александр Смирнов (RedMadRobot)Ontico
Testing Android SecurityJose Manuel Ortega Candel
Permission in Android Security: Threats and solutionTandhy Simanjuntak
Android securityMobile Rtpl
Android SecurityLars Jacobs
Ormiston educationJack740
Similar to 'SecureMe - Droid' Android Security Application by Vishal Asthana
Automating security tests for Continuous IntegrationStephen de Vries
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Advanced monitoring
More from OWASP Delhi
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
Securing dns records from subdomain takeoverOWASP Delhi
Effective Cyber Security Report WritingOWASP Delhi
Data sniffing over Air GapOWASP Delhi
UDP HunterOWASP Delhi
Demystifying Container EscapesOWASP Delhi
Recently uploaded
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogoMonteiro786960
Asterisk UpdateOpenDireito
GDSC INFO.pptxAshishChanchal1
#11 DataWeave Extension Library using Visual Studio CodeAnoopRamachandran13
AI and ML Series - Introduction to Generative AI and LLMs - Session 1DianaGray10
GDSC Final PPT.pptxDishaSharma737984
![[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf](https://cdn.slidesharecdn.com/ss_thumbnails/wc-kcdgt2023demystifyingetcdfailurescenariosforkubernetes-230819210453-e911a262-thumbnail.jpg?width=2048&height=1162&fit=bounds)
'SecureMe - Droid' Android Security Application by Vishal Asthana
- SecureMe - Droid
- About Us Security Consultant at Security Compass Inc. Active in… • Web, Mobile & Infrastructure Security • Research & Development, IoT (new!) • Quick-n-Dirty coder • Proud OSCP
- About Us Director India Ops at Security Compass Inc. • Researching in SDLC and Agile Security • SafeCode TLC representative • Co-leading the Delhi chapters – Null (since March 2014) – OWASP (since June 2014) • Founder member of (ISC)² Delhi Chapter
- Where it started?
- Where it started?
- • SMD: SecureMe – Droid • Android security application • Scan installed/updating apps • NVD CVE database as source SecureMe – Droid Overview
- • No other app providing this feature • Some similar ideas: – Android OS security apps – Privacy apps http://cmuchimps.org/ – Trustable – Belarc Birth of SMD
- SecureMe – Design Consideration
- • Secure by Design – Minimum Android Permissions • Network Access • Boot Completed SecureMe – Design Consideration
- • Secure by Design – Minimum Android Permissions • Network Access • Boot Completed – Not accessing sensitive data SecureMe – Design Consideration
- • Secure by Design – Minimum Android Permissions • Network Access • Boot Completed – Not accessing sensitive data – Post scanning actions • Uninstall unsafe app • Update app using Google Play Store • Keep using app – Why not disable app? SecureMe – Design Consideration
- • Secure by Design – Minimum Android Permissions • Network Access • Boot Completed – Not accessing sensitive data – Post scanning actions • Uninstall unsafe app • Update app using Google Play Store • Keep using app – Why not disable app? – Active over Mobile Data and WiFi SecureMe – Design Consideration
- • App Scanning – Pre/Already installed apps – Just installed app – Updated app • Scan depth – Low, Normal, Medium – High, Intense • Scheduled Scan SecureMe Droid Internals
- • Install SecureMe Droid – Google Play Store – Download from https://secureme.securitycompass.com/ SMD: Internals
- • SecureMe Droid detects – New app installation – Existing app update – Scan any installed app • No sensitive information SMD: Internals (contd.)
- • SecureMe Android Client and Server – HTTPS Communication • Find security issues: – NVD CVE database SMD: Internals (contd.)
- • SecureMe Scan Results – App is safe – App is unsafe • Uninstall App • Keep App • Update app using Play Store SMD: Internals (contd.)
- • Am I Vulnerable (AIV) • Re-branded to SecureMe – Droid (SMD) • AIV + ReBranding = SMD Where is AIV?
- Demo Time
- Conclusion • Fun side project • First ever conference acceptance and rollout • You MUST use it and provide feedback!
- Abhineet Jayaraj Security Consultant Vishal Asthana Regional Director, India Operations THANK YOU! abhineet@securitycompass.com vishal@securitycompass.com W W W. S E C U R I T Y C O M PA S S . C O M
Editor's Notes
- Here we are to present SecureMe Droid
- Abhineet introduction
- Vishal introduction
- Vishal came up with this project so why don’t you share it with all.
- Vishal came up with this project so why don’t you share it with all.
- This is what we will be showing you today and this is what I want to happen in the end of this talk. Have SecureMe on all your Android devices.
- Light description of SMD and its purpose. CVE is a vendor agnostic and trustworthy database of vulnerabilities in products. Used in different domains of InfoSec.
- At the time of development we looked for any other app which might give similar functionality but couldn’t find any. Checked similar apps (from list) but not satisfied our need so SMD born.
- How many of the Android users are familiar with this image Battery app is trying to access my phone calls, send sms, etc
- It is coded in such a manner that the app uses least perms which helps in privacy and reducing attack surface. Secure by design: min perm, no sensitive info, post scanning modules, scan over wifi & mobile data
- Security by design: min perm, no sensitive info, post scanning modules, scan over wifi & mobile data
- 3 options for user to choose from. “Disable app” requires Device Admin permissions which we wanted to avoid asking for from user. Secure by Design.
- Android does not auto update apps over Mobile Data. It will notify user but not auto update. Security by design: min perm, no sensitive info, post scanning modules, scan over wifi & mobile data
- Helping secure the device by giving user option to uninstall the app right from SMD interface Scan depth setting for NVD CVE database. Low scanning depth will miss any past vulnerability. Setting has to be done by the user. Scheduled Scan for auto scanning and notifying user.
- Install SMD from mentioned locations.
- App data gathering and no sensitive information
- Secure client server communication. Check CVE database (already downloaded)
- Send scan results to user for action
- Putting it all together
- AIV and marketing and Nish
- Show SMD demo
- Conclude SMD talk
- Thank you and contact us