Android secure coding

Published on

Securing Android Apps.

Published in: Software

  1. © Blueinfy Solutions – Secure Coding For Android Applications
  2. Local Storage - Example
     • Remember me option – NOT SECURE WAY
  3. Token stored
     • On local file – NOT SECURE WAY
  4. Shared Preferences
     • SHARED PREFERENCE – NOT SECURE WAY
  5. Writing to file
     • When opening a file for writing, make sure to open it in private mode as shown below –

       import android.content.Context;
       import java.io.FileOutputStream;

       // Inside an Activity (a Context): MODE_PRIVATE makes the file readable by this app only
       String FILENAME = "temp";
       String string = "token";
       FileOutputStream fos = openFileOutput(FILENAME, Context.MODE_PRIVATE);
       fos.write(string.getBytes());
       fos.close();
  6. Local Storage – Secure Method
     • Encrypt the data using strong encryption, possibly AES
     • Do not decrypt the data at client side
     • Send encrypted data to the server
     • Server decrypts the data before validating it
  7. Securing Secrets
     • AES encryption to store secret information and build secure storage.
     • APIs and libs for it.
     • Random cookies and keys.
     • Do not use open or shared storage.
     • Cache and file writing is not enough.
     • Design-level strategy for it.
  8. Secure Method – Sample Code
  9. Sending Encrypted in JSON
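The sample code on slides 8 and 9 is an image that is not in the transcript. The following is an added example (not the slide deck's own code) of the method slides 6 to 9 describe: AES-GCM encryption of a token, the ciphertext written to app-private storage, a JSON envelope for the server, and no decrypt path on the client. The file name, the class name and the origin of the 256-bit SecretKey (Android Keystore or server-provisioned) are assumptions.

```java
import android.content.Context;
import android.util.Base64;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.json.JSONObject;

/** Client-side helper: encrypts a secret, stores only ciphertext, never decrypts locally. */
public final class SecretVault {
    private static final String FILENAME = "token";   // assumed file name
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;           // 96-bit nonce, the GCM default

    private final Context context;
    private final SecretKey key;   // assumed: 256-bit AES key from Keystore or the server

    public SecretVault(Context context, SecretKey key) {
        this.context = context.getApplicationContext();
        this.key = key;
    }

    /** AES-GCM with a fresh random IV per call; returns the JSON envelope sent to the server. */
    public JSONObject seal(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);             // never reuse an IV under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        JSONObject envelope = new JSONObject();
        envelope.put("alg", "AES-256-GCM");
        envelope.put("iv", Base64.encodeToString(iv, Base64.NO_WRAP));
        envelope.put("ct", Base64.encodeToString(ct, Base64.NO_WRAP)); // auth tag is appended by JCE
        return envelope;
    }

    /** Persist the envelope in app-private storage (MODE_PRIVATE); no plaintext touches disk. */
    public void store(JSONObject envelope) throws Exception {
        try (FileOutputStream fos = context.openFileOutput(FILENAME, Context.MODE_PRIVATE)) {
            fos.write(envelope.toString().getBytes(StandardCharsets.UTF_8));
        }
    }
    // Deliberately no unseal(): the server, not the client, decrypts (slide 6).
}
```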
  10. Secure
  11. Cache with WebView
     • By default, the WebView control caches all requests and responses
     • Some of the file names are –
       – webviewCache.db
       – webview.db-shm
       – webview.db-wal
       – webviewCookiesChromium.db
       – webviewCookiesChromiumPrivate.db
       – imagecache.db
  12. Sample code to clear the cache
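The cache-clearing code on slide 12 is an image not carried in the transcript. As an added example (not the deck's own code), this clears what a WebView has persisted, including the database files named on slide 11, and turns caching off before sensitive pages load. The class name is assumed; the APIs are standard android.webkit ones (removeAllCookies and flush need API 21+).

```java
import android.content.Context;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebStorage;
import android.webkit.WebView;

/** Wipes everything a WebView may have written to disk and stops further caching. */
public final class WebViewCleaner {
    // On-disk names from slide 11; deleteDatabase() also removes the -shm/-wal journal files
    // and is a no-op when a file does not exist on this Android version.
    private static final String[] WEBVIEW_DBS = {
        "webview.db", "webviewCache.db", "webviewCookiesChromium.db",
        "webviewCookiesChromiumPrivate.db", "imagecache.db"
    };

    public static void clear(Context context, WebView webView) {
        webView.clearCache(true);                           // in-memory and disk cache
        webView.clearHistory();
        webView.clearFormData();
        CookieManager.getInstance().removeAllCookies(null); // API 21+
        CookieManager.getInstance().flush();                // persist the removal now
        WebStorage.getInstance().deleteAllData();           // HTML5 localStorage / Web SQL
        for (String db : WEBVIEW_DBS) {
            context.deleteDatabase(db);
        }
    }

    /** Apply before loading sensitive content so responses never land on disk. */
    public static void disableCaching(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setCacheMode(WebSettings.LOAD_NO_CACHE);
        s.setSaveFormData(false);
        s.setDomStorageEnabled(false);
        s.setDatabaseEnabled(false);
    }
}
```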
  13. SSL Implementation
     • Application sends requests to the server over SSL (Secure Way)
     • Most applications fail to handle SSL certificate validation errors on the client side
     • Only certificates from the OWNER server and its sub-domains should be allowed
  14. Verify SSL Server – Sample Code
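Slide 14's verification code is an image not carried in the transcript. This added example (not the deck's own code) implements the rule on slide 13 with plain javax.net.ssl: a trust store holding only the owner's CA, so certificate errors are never swallowed, plus a hostname verifier that accepts the owner domain and its sub-domains only. OwnerTls, example.com and the CA being shipped as a resource stream are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

/** SSLContext trusting only the owner's CA, and a verifier limited to the owner's hosts. */
public final class OwnerTls {
    private static final String OWNER_DOMAIN = "example.com";   // assumed

    /** caPem: the owner's CA certificate (e.g. from res/raw); no system CA is trusted. */
    public static SSLContext ownerOnlyContext(InputStream caPem) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(caPem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                        // empty store: system CAs are NOT included
        ks.setCertificateEntry("owner-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Owner domain or one of its sub-domains only. */
    static boolean isOwnerHost(String host) {
        String h = host.toLowerCase(Locale.ROOT);
        return h.equals(OWNER_DOMAIN) || h.endsWith("." + OWNER_DOMAIN);
    }

    /** Platform name check still runs; the domain check is added on top of it, not instead. */
    public static final HostnameVerifier OWNER_HOSTS = new HostnameVerifier() {
        @Override public boolean verify(String host, SSLSession session) {
            return isOwnerHost(host)
                && HttpsURLConnection.getDefaultHostnameVerifier().verify(host, session);
        }
    };

    public static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(OWNER_HOSTS); // a failed handshake or name check throws; do not catch and continue
        return conn;
    }
}
```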
  15. Copy/Paste in the text fields
     • Services are shared between all the applications
     • An attacker can write a malicious program that monitors the clipboard to get access to sensitive data if copy/paste is not disabled
     • Copy/Paste must be disabled on the sensitive fields
  16. Screenshot in temporary files
     • Pressing the HOME button takes a screenshot of the last screen and saves it in local storage
     • To disable this, the manifest file needs to be updated under the Activity tag
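Slides 15 and 16 give no code, and the manifest change slide 16 refers to is not in the transcript. As an added example (not the deck's own code), one Activity applies both mitigations in code: FLAG_SECURE on the window keeps the screen out of screenshots and the recents thumbnail, and a no-op ActionMode callback on the sensitive EditText removes Copy/Cut/Paste. The class, layout and view id are assumptions.

```java
import android.app.Activity;
import android.os.Bundle;
import android.text.InputType;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.view.WindowManager;
import android.widget.EditText;

/** Activity holding sensitive fields: no screenshots/recents snapshot, no clipboard actions. */
public class SensitiveFormActivity extends Activity {

    /** Rejects every selection/insertion action mode, so Copy/Cut/Paste never appear. */
    private static final ActionMode.Callback NO_ACTION_MODE = new ActionMode.Callback() {
        @Override public boolean onCreateActionMode(ActionMode mode, Menu menu) { return false; }
        @Override public boolean onPrepareActionMode(ActionMode mode, Menu menu) { return false; }
        @Override public boolean onActionItemClicked(ActionMode mode, MenuItem item) { return false; }
        @Override public void onDestroyActionMode(ActionMode mode) { }
    };

    static void disableCopyPaste(EditText field) {
        field.setLongClickable(false);               // no long-press selection handles
        field.setTextIsSelectable(false);
        field.setCustomSelectionActionModeCallback(NO_ACTION_MODE);
        field.setCustomInsertionActionModeCallback(NO_ACTION_MODE); // API 23+: blocks "Paste" on tap
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE: the window is excluded from screenshots and from the recent-apps snapshot
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_sensitive_form);  // assumed layout with EditText 'secret'
        EditText secret = (EditText) findViewById(R.id.secret);
        // Password variation also keeps the IME from suggesting/learning the value
        secret.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_VARIATION_PASSWORD);
        disableCopyPaste(secret);
    }
}
```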
  17. Protecting IP
     • Unlike iOS, there is no encryption supported by the Android platform
     • Possible to decompile the binary and get access to the source code
     • "ProGuard" can be leveraged to protect against decompilation
  18. Code Analysis with AppCodeScan
     • Semi-automated tool
     • Ability to expand with custom rules
     • Simple tracing utility to verify and track vulnerabilities
     • Simple HTML reporting which can be converted to PDF
  19. Sample Rules - Android
  20. Conclusion
