
This is the secure droid you are looking for



Presentation made on Pixels Camp on the 7th of November in 2016.


This is the secure droid you are looking for

  // Slide 1: the baseline request. No custom SSLContext, TrustManager or HostnameVerifier
  // is installed here, so the platform's default certificate and hostname validation
  // applies. (openConnection() builds the connection object only; the TLS handshake
  // happens on first use, e.g. getInputStream().)
  String endpoint = "https://pixels.camp";
  URL url = new URL(endpoint);
  URLConnection urlConnection = url.openConnection();
  // Slide 2: the same plain request against a ".local" host — presumably a development
  // box whose certificate the platform does not trust, so this fails with the defaults.
  // The slides that follow show the WRONG way to make it work (a trust-all TrustManager);
  // the right way is the certificate pinning shown later in the deck.
  String devEndpoint = "https://devpixels.local";
  URL url = new URL(devEndpoint);
  URLConnection urlConnection = url.openConnection();
  // Slide 3: obtain an SSLContext for the "TLS" protocol. It is not usable yet —
  // getSocketFactory() throws IllegalStateException until init(...) has been called,
  // and what is passed to init() decides which server certificates will be accepted.
  final SSLContext mySSLContext = SSLContext.getInstance("TLS");
  // Slide 4: initialise the context with a single caller-supplied TrustManager.
  // SECURITY: this REPLACES the platform trust store — the TrustManager array passed
  // here is the only thing deciding whether a server certificate is accepted. With the
  // accept-everything X509TrustManager shown later in the deck, certificate validation
  // is gone entirely. Only ever put a pinning TrustManager in this slot.
  // Key managers are null (no client certificate); SecureRandom is the platform default.
  TrustManager[] onlyThisTrustManager = { mySuperCustomTrustManager };
  SSLContext mySSLContext = SSLContext.getInstance("TLS");
  mySSLContext.init(null, onlyThisTrustManager, new SecureRandom());
  // Slide 5: same as the previous slide plus the dev URL the context is meant for.
  // SECURITY: the TrustManager array replaces the platform trust store for any socket
  // built from this context; if mySuperCustomTrustManager accepts every chain (as the
  // one shown later in the deck does), TLS no longer authenticates the server.
  TrustManager[] onlyThisTrustManager = { mySuperCustomTrustManager };
  SSLContext mySSLContext = SSLContext.getInstance("TLS");
  mySSLContext.init(null, onlyThisTrustManager, new SecureRandom());
  URL url = new URL("https://devpixels.local");
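  // Slide 6: wire the custom SSLContext into one HttpsURLConnection.
  // Fix: the original slide was missing the opening parenthesis of the cast
  // ("HttpsURLConnection)url.openConnection()"), which does not compile.
  SSLContext mySSLContext = SSLContext.getInstance("TLS");
  // SECURITY: this array replaces the platform trust store for this context; with the
  // accept-everything TrustManager shown later in the deck it disables certificate
  // validation. Only a pinning TrustManager belongs here.
  mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager }, new SecureRandom());
  URL url = new URL("https://devpixels.local");
  HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
  // Scope: setSSLSocketFactory affects only this connection's certificate checks;
  // hostname verification is separate and still runs through the connection's
  // HostnameVerifier (default, or the process-wide one if the app replaced it).
  urlConnection.setSSLSocketFactory(mySSLContext.getSocketFactory());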
  // Slide 7: ANTI-PATTERN — an X509TrustManager that accepts every certificate.
  // checkServerTrusted() never throws, so any chain (self-signed, expired, revoked, or
  // minted on the fly by an on-path attacker) is accepted; checkClientTrusted() does the
  // same for client certificates. getAcceptedIssuers() returning null also breaks the
  // interface contract (a non-null, possibly empty, array is required) and can NPE in
  // code that iterates it. Never ship this. For a dev host with its own certificate,
  // pin that certificate instead (CertificateFactory/KeyStore slides later in the deck).
  TrustManager mySuperCustomTrustManager = new X509TrustManager() {
      public X509Certificate[] getAcceptedIssuers() {
          return null;  // contract says non-null array; null is wrong and a crash risk
      }
      public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
          // intentionally empty: no server chain is ever rejected — this IS the vulnerability
      }
      public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
          // intentionally empty: same problem for client chains
      }
  };
  // Slide 8: a plain request against devpixels.camp with all platform defaults in
  // place — the default HostnameVerifier checks the certificate against the host name.
  // This is the correct baseline; the next slide shows the wrong way to silence it.
  String endpoint = "https://devpixels.camp";
  URL url = new URL(endpoint);
  URLConnection urlConnection = url.openConnection();
  // Slide 9: ANTI-PATTERN — a HostnameVerifier that always returns true.
  // Hostname verification is what binds a (validly signed) certificate to the host that
  // was requested. Skipping it means any certificate the trust store accepts — including
  // one an attacker legitimately holds for a different domain — can impersonate
  // devpixels.camp. Note this is setDefaultHostnameVerifier: it is process-wide and
  // applies to every HttpsURLConnection the app opens from now on, not just this URL.
  HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
      @Override
      public boolean verify(String s, SSLSession sslSession) {
          return true;  // never compares s with the presented certificate — the vulnerability
      }
  });
  URL url = new URL("https://devpixels.camp");
  URLConnection urlConnection = url.openConnection();
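  // Slide 10: load a page into a WebView with default settings.
  // Fix: the original slide used typographic quotes (“…”) around the URL, which are not
  // valid Java string delimiters; replaced with plain double quotes.
  // With a default WebViewClient a TLS error cancels the load, which is the behaviour
  // to keep — the next slide shows the wrong way to override it.
  WebView myWebView = (WebView) findViewById(R.id.webview);
  myWebView.loadUrl("https://devpixels.local");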
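  // Slide 11: ANTI-PATTERN — a WebViewClient whose onReceivedSslError() calls
  // handler.proceed() unconditionally. The platform has just reported that the server
  // certificate failed validation; proceeding anyway lets an on-path attacker serve
  // arbitrary content into the WebView (and, if a JavaScript bridge is registered, reach
  // app code from it). The default behaviour — cancelling the load — is the correct one;
  // if a dev host truly needs an exception, gate proceed() on a debug build AND on the
  // specific expected certificate, never on nothing.
  // Fix: the typographic quotes around the URL on the original slide replaced with plain
  // double quotes so the snippet compiles.
  WebView myWebView = (WebView) findViewById(R.id.webview);
  myWebView.setWebViewClient(new WebViewClient() {
      @Override
      public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
          handler.proceed();  // `error` is never inspected — this IS the vulnerability
      }
  });
  myWebView.loadUrl("https://devpixels.local");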
  // Slide 12: expose a Java object to the page's JavaScript as window.jsinterface.
  // SECURITY: @JavascriptInterface restricts what the page may call to the annotated
  // methods on API 17+; below API 17 every public method of the object (and anything
  // reachable from it via reflection) is callable from page script. Either way, the
  // bridge must never be combined with content loaded over cleartext or from hosts
  // that are not fully trusted, and must never be paired with an onReceivedSslError()
  // override that calls proceed().
  final class JavaScriptInterface {
      @JavascriptInterface
      public String getSomeString() {
          return "string";
      }
  }
  Object bridge = new JavaScriptInterface();
  WebView myWebView = (WebView) findViewById(R.id.webview);
  myWebView.getSettings().setJavaScriptEnabled(true);
  myWebView.addJavascriptInterface(bridge, "jsinterface");
  // Slide 13: parse the certificate to pin, shipped as the raw resource res/raw/pixels.
  // The stream is closed in finally so a parse failure does not leak the resource fd.
  // (Whether this is the leaf or its issuer is not visible here — the next slide's
  // alias suggests the leaf; see the caveat there.)
  CertificateFactory cf = CertificateFactory.getInstance("X.509");
  Certificate ca;
  InputStream pinStream = getResources().openRawResource(R.raw.pixels);
  try {
      ca = cf.generateCertificate(pinStream);
  } finally {
      pinStream.close();
  }
  // Slide 14: parse the pinned certificate and put it — alone — into an in-memory KeyStore.
  // keyStore.load(null, null) creates an EMPTY store, so the single entry added below is
  // the only certificate a TrustManager derived from it will accept: that is the pin.
  // SECURITY/OPS caveat: the alias says "Leaf". Pinning the leaf means the app stops
  // working the moment the server certificate is rotated. Pin the issuing CA instead, or
  // ship a backup pin plus a way to update it, before relying on this in production.
  CertificateFactory cf = CertificateFactory.getInstance("X.509");
  Certificate ca;
  InputStream pinStream = getResources().openRawResource(R.raw.pixels);
  try {
      ca = cf.generateCertificate(pinStream);
  } finally {
      pinStream.close();
  }
  KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
  keyStore.load(null, null);  // fresh, empty store (no file, no password)
  keyStore.setCertificateEntry("PixelsCampLeaf", ca);
  // Slide 15: derive TrustManagers from the pin KeyStore (built on the previous slide)
  // using the platform's default TrustManagerFactory algorithm. Because the store holds
  // only the pinned certificate, these managers reject every other chain — which is the
  // intended behaviour of pinning, and also why the pin must be kept up to date.
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  tmf.init(keyStore);
  // Slide 16: TrustManagers from the pin KeyStore, then an SSLContext that uses them.
  // This is the SAME SSLContext.init() slot the trust-all example abused earlier in the
  // deck — the difference is that these managers accept only the pinned certificate.
  // Key managers null (no client cert); SecureRandom null selects the platform default.
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  tmf.init(keyStore);
  SSLContext context = SSLContext.getInstance("TLS");
  context.init(null, tmf.getTrustManagers(), null);
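  // Slide 17: the full pinning flow — TrustManagers from the pin KeyStore, an SSLContext
  // over them, and a connection that uses that context's socket factory.
  // Fix: the slide opened the response InputStream and never closed it; the stream is
  // now released in finally so the connection is not leaked on any exit path.
  String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
  tmf.init(keyStore);
  SSLContext context = SSLContext.getInstance("TLS");
  context.init(null, tmf.getTrustManagers(), null);  // null SecureRandom = platform default
  URL url = new URL("https://pixels.camp");
  HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
  // Only this connection is pinned; hostname verification still runs through the
  // connection's HostnameVerifier (default, or the process-wide one if replaced).
  urlConnection.setSSLSocketFactory(context.getSocketFactory());
  // The TLS handshake — and therefore the pin check — happens here, not at openConnection().
  InputStream in = urlConnection.getInputStream();
  try {
      // consume the response from `in` here
  } finally {
      in.close();
  }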
  18. 18. public class accessfile extends ContentProvider {
  19. 19. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); }
  20. 20. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); } … public ParcelFileDescriptor openFile(Uri uri, String mode){
  21. 21. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); } … public ParcelFileDescriptor openFile(Uri uri, String mode){ … File f = new File(getContext().getString(R.string._sdcard), uri.getPath());
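  // Slide 22: the attacker's URI against the accessfile ContentProvider shown on the
  // preceding slides. Its openFile() builds `new File(<sdcard base>, uri.getPath())`, so
  // the "../" segments walk out of the sdcard base into the app's private files directory
  // and the provider presumably returns a descriptor for mysecretfile.txt — classic path
  // traversal through a content:// URI. Defence in openFile(): resolve the File, take
  // getCanonicalPath(), and reject it unless it starts with the base directory's
  // canonical path; additionally protect the provider with a permission or
  // android:exported="false" if other apps have no business calling it.
  // Fix: the original slide had a stray space inside the path ("p t.claudio"), a
  // transcription artifact that broke the package name; removed.
  Uri targURI = Uri.parse("content://pt.claudio.security/../../../../../data/data/pt.claudio.security.pixelscamp_content/files/mysecretfile.txt");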
  23. 23. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) {
  24. 24. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { // Example of what the parameters become: SELECT _id, description FROM notes WHERE _id = 1 — "_id, description" is the projection, "_id = 1" the selection. All of them arrive from the caller.
  25. 25. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder(); queryBuilder.setTables(Table.TABLE_NOTE) SQLiteDatabase db = database.getWritableDatabase();
  26. 26. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder(); queryBuilder.setTables(Table.TABLE_NOTE) SQLiteDatabase db = database.getWritableDatabase(); Cursor cursor = queryBuilder.query(db, projection, selection,selectionArgs, null, null, sortOrder);
  // Slide 27: the safe way to build a WHERE clause. The "?" placeholders are bound from
  // selectionArgs by SQLite, so "second@string.com" — or whatever an attacker puts in its
  // place — is always data, never SQL. Only values can be bound this way: the table
  // name, the column list (projection) and ORDER BY cannot, so those still have to be
  // checked against an allow-list. For the provider's query() shown earlier in the deck,
  // which forwards caller-supplied projection/selection/sortOrder straight to
  // SQLiteQueryBuilder, that means setProjectionMap() and setStrict(true).
  String selection = "name=? AND email=?";
  String[] selectionArgs = new String[] { "first string", "second@string.com" };
  Cursor cursor = db.query("TABLE_NAME", null, selection, selectionArgs, null);
  28. 28. /res/xml/excludes.xml
  29. 29. /res/xml/excludes.xml <application> android:fullBackupContent="@xml/excludes" </application>
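  <!-- Slide 30: opt specific data out of Android auto-backup. -->
  <!-- AndroidManifest.xml. Fix: the slide printed the attribute as text inside the
       element; it belongs on the <application> tag itself. -->
  <application android:fullBackupContent="@xml/excludes">
  </application>
  <!-- res/xml/excludes.xml -->
  <?xml version="1.0" encoding="utf-8"?>
  <full-backup-content>
      <!-- SECURITY: this excludes exactly ONE shared-preferences file. Every other file,
           database and preference file of the app is still included in backups unless it
           is listed here too, or backups are switched off with android:allowBackup="false".
           Anything that holds tokens, keys or session state needs an explicit exclude
           (or must be encrypted at rest before it is allowed into a backup). -->
      <exclude domain="sharedpref" path="MyPrefsFile.xml"/>
  </full-backup-content>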
  31. 31. <full-backup-content> <include domain=["file" | "database" | "sharedpref" | "external" | "root"] path="string" /> <exclude domain=["file" | "database" | "sharedpref" | "external" | "root"] path="string" /> </full-backup-content>
  32. 32. /res/xml/network_security_config.xml
  33. 33. /res/xml/network_security_config.xml <application> android:networkSecurityConfig="@xml/network_security_config" </application>
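  <!-- Slide 34: Network Security Configuration. -->
  <!-- AndroidManifest.xml. Fix: the slide printed the attribute as text inside the
       element; it belongs on the <application> tag itself. -->
  <application android:networkSecurityConfig="@xml/network_security_config">
  </application>
  <!-- res/xml/network_security_config.xml -->
  <?xml version="1.0" encoding="utf-8"?>
  <network-security-config>
      <!-- SECURITY: this rule covers http.badssl.com and its subdomains only. Every other
           host falls through to <base-config> / the platform default, so to refuse
           cleartext for the whole app add <base-config cleartextTrafficPermitted="false"/>
           as well. The configuration is honoured from API 24 (Android 7.0) upward;
           older devices ignore the file entirely, so it is not a substitute for
           using https:// URLs in code. -->
      <domain-config cleartextTrafficPermitted="false">
          <domain includeSubdomains="true">http.badssl.com</domain>
      </domain-config>
  </network-security-config>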
  35. 35. security.claudio.pt @clviper github.com/clviper Q&A
