Android Security - Common Security Pitfalls in Android Applications
Aditya Gupta from Attify talking about the common security pitfalls in Android apps.
  1. Common Security Pitfalls in Android Apps
     Aditya Gupta, Attify
  2. Who Am I
     • Founder, Attify
     • Mobile Security Researcher
     • Developing a secure BYOD solution for enterprises
     • Co-creator of AFE (Android Framework for Exploitation)
     • Upcoming tool: DroidSE
     • Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan etc.
  3. Agenda
     • Security Overview of Android Apps
     • Some vulnerabilities in Android Apps
     • Secure Coding
  4. Android Security Model
     • Based on Linux
     • Security features are derived mostly from Linux
     • Application Isolation
     • Each app in its own DVM
  5. Security Overview of Android Apps
     • Application Sandboxing
     • Data stored in /data/data/[package-name]/
     • AndroidManifest.xml plays an important role
     • Permissions while accessing activities, services, content providers
  6. Hard Coding Sensitive Info
     • Have seen some apps hardcode sensitive info
     • Reversing applications
     • Encrypting passwords: really common
     • Use protection to prevent apps from being reversed
     • Never hardcode sensitive info in an app.
  7. Protecting against Reversing
  8. Logging Sensitive Information
  9. Logging Sensitive Information
     Log.d("Facebook-authorize", "Login Success! access_token=" + getAccessToken()
             + " expires=" + getAccessExpires());
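The log line on slide 9 writes a live OAuth token to logcat. The following is an added example, not code from the slides: it places that line beside a version that logs only in debug builds and only a one-way fingerprint of the token. BuildConfig is assumed to be the app's own generated class; the token and expiry values are whatever the app's getAccessToken()/getAccessExpires() return.

```java
import android.util.Log;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class AuthLogging {
    private static final String TAG = "Facebook-authorize";

    // Before (the slide's line): the whole access token lands in logcat, which a USB-attached
    // host, a bug report, and on older releases any app holding READ_LOGS can read.
    static void logLoginLeaky(String accessToken, long expires) {
        Log.d(TAG, "Login Success! access_token=" + accessToken + " expires=" + expires);
    }

    // After: debug builds only, and only a short hash of the token, enough to tell two
    // sessions apart in a log but useless for reusing the session.
    static void logLoginSafe(String accessToken, long expires) {
        if (!BuildConfig.DEBUG) {   // BuildConfig: the app's generated class (assumed name)
            return;                 // release builds say nothing about the session at all
        }
        Log.d(TAG, "Login Success! token=" + fingerprint(accessToken) + " expires=" + expires);
    }

    /** First 4 bytes of SHA-256(token) as hex; one-way, so the log cannot give the token back. */
    static String fingerprint(String secret) {
        if (secret == null) {
            return "null";
        }
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(secret.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 4; i++) {
                hex.append(String.format("%02x", d[i]));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            return "n/a"; // SHA-256 is always present on Android; this branch is not expected
        }
    }
}
```

Pair this with a ProGuard/R8 rule that strips android.util.Log calls from release builds, so a log line that slips past review still never ships.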
  10. Leaking Content Providers
      • Content Providers
      • What can one application do to another
      • Leakage of content providers
      • Exported by default
  11. Leaking Content Providers
  12. Dropbox
  13. Insecure Data Storage
  14. Android WebView vuln
      • What's a WebView?
  15. Android WebView vuln
      • Framing web components into an application
      • Could be really useful while building applications
      • Does it also allow JavaScript?
  16. JavaScript in WebViews
      • JavaScript is allowed in WebViews
      • JavaScript could be used to interact with the app's interface
      • Malicious functions could be executed
  17. Malicious functions with JS
      • Could be used to send SMS or place calls
      • Or to install another application
      • Get a reverse shell to a remote location
      • Modify the file system or steal something from the device
  18. Ad Libraries, anyone?
      • InMobi
      • List of exposed methods:
        • makeCall
        • postToSocial
        • sendMail
        • sendSMS
        • takeCameraPicture
        • getGalleryImage
  19. Ad Libraries, anyone?
  20. Fix it
      setJavaScriptEnabled(false)
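Slides 14 to 20 describe how a WebView with script enabled and a Java object attached becomes a way for web content to call app methods such as the ad library's sendSMS or makeCall. The added example below (not code from the slides or from InMobi) shows the risky configuration, the slide's fix of turning script off, and, for apps that genuinely need script, a bridge that exposes only @JavascriptInterface-annotated methods and a client that refuses to leave one https host. allowedHost and SafeBridge are placeholders.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class WebViewHardening {

    // Before: script on and a Java object handed to every page the WebView loads. Below
    // API 17 every public method of that object is callable from page script, which is
    // how the ad-library methods listed on the earlier slide became reachable from the web.
    static void configureLeaky(WebView view, Object bridge) {
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(bridge, "Android");
    }

    // After, the slide's fix: no script, no bridge, and no file:// or content:// access.
    static void configureNoScript(WebView view) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(false);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
    }

    // If page script is genuinely needed: expose only annotated methods (API 17+) and refuse
    // to navigate anywhere except the app's own https host (allowedHost is a placeholder).
    static void configureRestricted(WebView view, final String allowedHost) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);
        view.addJavascriptInterface(new SafeBridge(), "App");
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                Uri u = Uri.parse(url);
                boolean ok = "https".equals(u.getScheme()) && allowedHost.equals(u.getHost());
                return !ok; // true tells the WebView not to load the URL
            }
        });
    }

    static final class SafeBridge {
        // Only methods with this annotation are visible to script; the bridge holds one
        // read-only method and nothing resembling sendSMS, makeCall or sendMail.
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed value
        }
    }
}
```

On devices below API 17 the annotation is not enforced, so an app that must support them should follow slide 20 and keep script off rather than rely on the bridge.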
  21. SQLite Injection
      • SQLite databases for storing application's data
      • Storing sensitive information in databases
      • Do you sanitize user input before applying SQL queries?
  22. Sample Code
      EditText uname = (EditText) findViewById(R.id.username);
      EditText pword = (EditText) findViewById(R.id.password);
      // Whatever the user typed is spliced straight into the SQL text
      String getSQL = "SELECT * FROM " + tableName + " WHERE " + username + " = '"
              + uname.getText() + "' AND " + password + " = '" + pword.getText() + "'";
      Cursor cursor = dataBase.rawQuery(getSQL, null);
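The query on slide 22 lets the user's input change the shape of the SQL statement. The added example below (not from the slides) keeps that pattern for contrast and shows the fix: a constant SQL string with the values passed as bound parameters, both through SQLiteDatabase.query and through rawQuery for code that already uses it. Table and column names are constructed for the example.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

public final class LoginQuery {
    // Constructed schema for the example
    private static final String TABLE = "users";
    private static final String COL_USER = "username";
    private static final String COL_PASS = "password";

    // Before (the slide's pattern): the raw EditText strings become part of the SQL text,
    // so a quote or comment sequence in the input changes what the statement means.
    static Cursor findUserLeaky(SQLiteDatabase db, String uname, String pword) {
        String getSQL = "SELECT * FROM " + TABLE + " WHERE " + COL_USER + " = '" + uname
                + "' AND " + COL_PASS + " = '" + pword + "'";
        return db.rawQuery(getSQL, null);
    }

    // After: the SQL text is fixed at compile time; the values travel as selectionArgs and are
    // bound by SQLite itself, so no character in them can alter the statement's structure.
    static Cursor findUserSafe(SQLiteDatabase db, String uname, String pword) {
        return db.query(TABLE, new String[] {COL_USER},
                COL_USER + " = ? AND " + COL_PASS + " = ?",
                new String[] {uname, pword},
                null, null, null);
    }

    // The same binding works with rawQuery, which is the call the slide uses.
    static Cursor findUserSafeRaw(SQLiteDatabase db, String uname, String pword) {
        String sql = "SELECT " + COL_USER + " FROM " + TABLE
                + " WHERE " + COL_USER + " = ? AND " + COL_PASS + " = ?";
        return db.rawQuery(sql, new String[] {uname, pword});
    }
}
```

Binding fixes the injection only; per slide 21's point about sensitive data in databases, the password column itself should hold a salted hash rather than the cleartext the example compares.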
  23. Insecure File Permissions
      • Files storing sensitive data need to have proper permissions
      • Should be accessible only by the application
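Slide 23 asks that a file holding sensitive data be readable by the application alone. The added example below (not from the slides) writes the same file with the world-readable mode beside the private one, and notes how to confirm the resulting permission bits on a debuggable build. The package name and file name are placeholders.

```java
import android.content.Context;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public final class PrivateStorage {

    // Before: MODE_WORLD_READABLE creates /data/data/<pkg>/files/<name> with o+r, so any other
    // app, which runs as a different Linux uid, can read it. The constant is deprecated since
    // API 17 and throws SecurityException when targetSdkVersion >= 24, but older targets still get the bit.
    @SuppressWarnings("deprecation")
    static void saveLeaky(Context ctx, String name, String secret) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_WORLD_READABLE)) {
            out.write(secret.getBytes(StandardCharsets.UTF_8));
        }
    }

    // After: MODE_PRIVATE leaves the file readable and writable by the app's own uid only,
    // which is what the sandbox on slide 5 is built around.
    static void savePrivate(Context ctx, String name, String secret) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(secret.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Check on a debuggable build (constructed command; com.example.app is a placeholder):
    //   adb shell run-as com.example.app ls -l files
    // expected: -rw------- for the private file versus -rw-r--r-- for the world-readable one.
}
```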
  24. Android Backup Vulnerability
      • Allows backup of application's data
      • No root needed on the device
      • Attacker could read/modify the app's data and restore it back
      • Default behaviour in AndroidManifest.xml
  25. Preventing Backup vulnerability
      android:allowBackup="false"
  26. Network Traffic
  27. Securing Android Applications
  28. Activities
      <activity android:name=".SecureActivity"
                android:permission="com.example.secure.permission.START_ACTIVITY1">
      </activity>
  29. Services
      <service android:name=".SecureService"
               android:permission="com.example.secure.permission.SecurePerm"
               android:enabled="true"
               android:exported="true">
      </service>
  30. Content Providers
      <provider android:name="com.example.secure.SecureProvider"
                android:authorities="com.example.secure.mailprovider"
                android:readPermission="com.example.testapps.test1.permission.READ_DATE"
                android:writePermission="com.example.secure.permission.WRITE_DATA"
                android:grantUriPermissions="true">
      </provider>
  31. If you don't need a component exported
      android:exported="false"
  32. Summary
      • Avoid common mistakes
      • Store data in encrypted form
      • Sending data through HTTP/insecure HTTPS
  33. Drop a mail at adi@attify.com