2. About Us
Security Consultant at Security Compass Inc.
Active in…
• Web, Mobile & Infrastructure Security
• Research & Development, IoT (new!)
• Quick-n-Dirty coder
• Proud OSCP
3. About Us
Director India Ops at Security Compass Inc.
• Researching in SDLC and Agile Security
• SafeCode TLC representative
• Co-leading the Delhi chapters
– Null (since March 2014)
– OWASP (since June 2014)
• Founder member of (ISC)² Delhi Chapter
8. • No other app providing this feature
• Some similar ideas:
– Android OS security apps
– Privacy apps
http://cmuchimps.org/
– Trustable
– Belarc
Birth of SMD
11. • Secure by Design
– Minimum Android Permissions
• Network Access
• Boot Completed
– Not accessing sensitive data
SecureMe – Design Consideration
12. • Secure by Design
– Minimum Android Permissions
• Network Access
• Boot Completed
– Not accessing sensitive data
– Post scanning actions
• Uninstall unsafe app
• Update app using Google Play Store
• Keep using app
– Why not disable app?
SecureMe – Design Consideration
13. • Secure by Design
– Minimum Android Permissions
• Network Access
• Boot Completed
– Not accessing sensitive data
– Post scanning actions
• Uninstall unsafe app
• Update app using Google Play Store
• Keep using app
– Why not disable app?
– Active over Mobile Data and WiFi
SecureMe – Design Consideration
22. Conclusion
• Fun side project
• First ever conference acceptance and rollout
• You MUST use it and provide feedback!
23. Abhineet Jayaraj
Security Consultant
Vishal Asthana
Regional Director, India Operations
THANK YOU!
abhineet@securitycompass.com vishal@securitycompass.com
www.securitycompass.com
Editor's Notes
Here we are to present SecureMe Droid
Abhineet introduction
Vishal introduction
Vishal came up with this project so why don’t you share it with all.
This is what we will be showing you today and this is what I want to happen in the end of this talk. Have SecureMe on all your Android devices.
Light description of SMD and its purpose.
CVE is a vendor agnostic and trustworthy database of vulnerabilities in products. Used in different domains of InfoSec.
At the time of development we looked for any other app which might give similar functionality but couldn’t find any.
Checked similar apps (from the list), but they did not satisfy our need, so SMD was born.
How many of the Android users are familiar with this image?
Battery app is trying to access my phone calls, send SMS, etc.
It is coded in such a manner that the app uses the least permissions, which helps privacy and reduces the attack surface.
Secure by design: min perm, no sensitive info, post scanning modules, scan over wifi & mobile data
Security by design: min perm, no sensitive info, post scanning modules, scan over wifi & mobile data
3 options for user to choose from.
“Disable app” requires Device Admin permissions, which we wanted to avoid asking the user for. Secure by Design.
Android does not auto update apps over Mobile Data. It will notify user but not auto update.
Helping secure the device by giving user option to uninstall the app right from SMD interface
Scan depth setting for NVD CVE database. Low scanning depth will miss any past vulnerability. Setting has to be done by the user.
Scheduled Scan for auto scanning and notifying user.
Install SMD from mentioned locations.
App data gathering and no sensitive information
Secure client server communication.
Check CVE database (already downloaded)