// Baseline: an HTTPS connection with nothing customised. The platform's
// default TrustManager validates the chain against the device trust store
// and the default HostnameVerifier checks that the certificate matches
// "pixels.camp". This is the behaviour the later snippets end up removing.
URL url = new URL("https://pixels.camp");
URLConnection urlConnection = url.openConnection();
// Same code against a development host. If devpixels.local presents a
// self-signed or otherwise untrusted certificate, the default validation
// fails the handshake (typically javax.net.ssl.SSLHandshakeException) - the
// snippets that follow show the tempting but wrong ways to make it "work".
URL url = new URL("https://devpixels.local");
URLConnection urlConnection = url.openConnection();
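// Step 1: a custom SSLContext. "TLS" is the generic protocol name; the
// platform decides which TLS versions are actually negotiated.
SSLContext mySSLContext = SSLContext.getInstance("TLS");

// Step 2: initialise it with a caller-supplied TrustManager. Once a
// TrustManager array is passed here, whatever mySuperCustomTrustManager
// decides about the server chain is the ONLY check that runs for this
// context; the device trust store is no longer consulted. The null key
// manager array means "no client certificate".
SSLContext mySSLContext = SSLContext.getInstance("TLS");
mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager }, new SecureRandom());

// Step 3: the development host whose certificate the default trust store rejects.
SSLContext mySSLContext = SSLContext.getInstance("TLS");
mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager }, new SecureRandom());
URL url = new URL("https://devpixels.local");

// Step 4: install the socket factory on this one connection. This is per
// connection; HttpsURLConnection.setDefaultSSLSocketFactory(...) would make
// the custom trust decision process-wide. Hostname verification is NOT
// affected by this call - the default HostnameVerifier still runs.
SSLContext mySSLContext = SSLContext.getInstance("TLS");
mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager }, new SecureRandom());
URL url = new URL("https://devpixels.local");
// Fix: the original line was missing the opening parenthesis of the cast.
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(mySSLContext.getSocketFactory());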
// DO NOT SHIP THIS. An X509TrustManager whose check methods return without
// throwing accepts every certificate chain: self-signed, expired, issued
// for another host, or minted by an on-path attacker. TLS then encrypts the
// traffic to whoever answered - confidentiality without authentication,
// which against an active attacker is no confidentiality at all.
TrustManager mySuperCustomTrustManager = new X509TrustManager() {
// The contract calls for a non-null (possibly empty) array of trusted
// issuers; returning null is itself a bug and can crash callers that
// iterate the result.
public X509Certificate[] getAcceptedIssuers() {
return null;
}
// Server authentication happens here. An empty body means "trust anything".
// A real implementation validates `chain` (e.g. by delegating to a
// TrustManagerFactory-backed manager, as the pinning example later in this
// deck does) and throws CertificateException on any failure.
public void checkServerTrusted(X509Certificate[] chain,String
authType) throws CertificateException {
}
// Only exercised when this code acts as the TLS server side; it still must
// not be a no-op.
public void checkClientTrusted(X509Certificate[] chain,String
authType) throws CertificateException {
}
};
// Presumably the hostname-mismatch case: if the certificate chains to a
// trusted CA but was issued for a different name than devpixels.camp, the
// default HostnameVerifier rejects it. The correct fix is a certificate
// whose SAN covers this host - not the verifier shown next.
URL url = new URL("https://devpixels.camp");
URLConnection urlConnection = url.openConnection();
// DO NOT SHIP THIS. setDefaultHostnameVerifier is process-wide: every
// HttpsURLConnection in the app, not just this one, stops checking that the
// presented certificate belongs to the host being contacted. An attacker
// holding any CA-issued certificate for any domain can then impersonate any
// server to this app while chain validation still "passes".
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
// Returning true unconditionally == no hostname verification at all. If a
// custom verifier is genuinely needed, compare `s` against an allow-list of
// expected hosts and delegate everything else to the default verifier.
@Override
public boolean verify(String s, SSLSession sslSession) {
return true;
}
});
URL url = new URL("https://devpixels.camp");
URLConnection urlConnection = url.openConnection();
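// WebView loading the development host. Fix: the URL literal used
// typographic quotes (“ ”), which do not compile; replaced with ASCII
// double quotes. With no WebViewClient installed, a TLS error stops the
// load (the default onReceivedSslError cancels) - that is the safe behaviour.
WebView myWebView = (WebView) findViewById(R.id.webview);
myWebView.loadUrl("https://devpixels.local");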
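WebView myWebView = (WebView) findViewById(R.id.webview);
myWebView.setWebViewClient(new WebViewClient() {
    // DO NOT SHIP THIS. handler.proceed() on every SslError is the WebView
    // equivalent of the empty TrustManager: untrusted, expired and
    // hostname-mismatched certificates are all accepted, so whatever page an
    // on-path attacker serves is rendered - and, if a JavaScript interface is
    // exposed, its script runs against the app. The secure handling is
    // handler.cancel(). If one specific dev certificate must be allowed,
    // compare error.getCertificate() against a bundled copy instead of
    // proceeding blindly, and keep that code out of release builds.
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }
});
// Fix: ASCII quotes (the original used typographic quotes and did not compile).
myWebView.loadUrl("https://devpixels.local");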
/**
 * Object handed to page JavaScript through WebView.addJavascriptInterface.
 * Anything reachable from here is callable by every page the WebView loads,
 * so it deliberately exposes a single harmless method.
 */
final class JavaScriptInterface {
    /** Constant returned to page scripts; nothing sensitive. */
    private static final String RESULT = "string";

    // Only methods carrying this annotation are reachable from JavaScript on API 17+.
    @JavascriptInterface
    public String getSomeString() {
        return RESULT;
    }
}
WebView myWebView = (WebView) findViewById(R.id.webview);
// JavaScript is off by default in WebView; enabling it is what makes the
// bridge below reachable (and makes XSS in any loaded page relevant).
myWebView.getSettings().setJavaScriptEnabled(true);
// Every page this WebView ever renders - including one substituted by an
// attacker when TLS errors are ignored or http:// content is loaded - can
// call window.jsinterface.getSomeString(). Expose only what is safe for a
// hostile caller. On devices below API 17 (or with targetSdkVersion < 17)
// every public method of the object, not just annotated ones, was reachable
// via reflection, so keep minSdkVersion >= 17 and annotate only the methods
// you intend to expose.
myWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
// Certificate pinning - the right way to trust a certificate the system
// store does not know. Step 1: load the expected certificate from a raw
// resource (the try/finally guarantees the stream is closed).
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = getResources().openRawResource(R.raw.pixels);
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
} finally {
caInput.close();
}
// (Previous step repeated.)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = getResources().openRawResource(R.raw.pixels);
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
} finally {
caInput.close();
}
// Step 2: a fresh in-memory KeyStore holding ONLY the pinned certificate.
// load(null, null) creates an empty store rather than reading a file.
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
// The alias suggests a leaf (end-entity) certificate is pinned. That is the
// strictest pin but also the most brittle: the app stops working the moment
// the server rotates its certificate. Pinning the issuing CA/intermediate,
// shipping a backup pin, or using <pin-set> with an expiration date in
// network_security_config.xml (API 24+) are the usual ways to avoid
// bricking the app - plan the update path before shipping.
keyStore.setCertificateEntry("PixelsCampLeaf", ca);
// Step 3: a TrustManager built from that store accepts chains anchored at
// the pinned certificate and nothing else; the device trust store is not
// consulted for this context.
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// (Previous step repeated.)
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Step 4: SSLContext over the pinning TrustManager. The null third argument
// selects the platform default SecureRandom, which is fine.
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
// (Previous steps repeated.)
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
// Step 5: use it for this connection only. Unlike the earlier "custom"
// examples, hostname verification is untouched here, so the pinned
// certificate must also match "pixels.camp".
URL url = new URL("https://pixels.camp");
HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
public class accessfile extends ContentProvider {
public class accessfile extends ContentProvider {
public static final String AUTHORITY = "pt.claudio.security";
public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY +
"/");
private static final HashMap<String, String> MIME_TYPES = new
HashMap<String, String>();
private static final UriMatcher sURIMatcher = new
UriMatcher(UriMatcher.NO_MATCH);
static {
sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER);
sURIMatcher.addURI(AUTHORITY, "file/", FILE);
}
public class accessfile extends ContentProvider {
public static final String AUTHORITY = "pt.claudio.security";
public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY +
"/");
private static final HashMap<String, String> MIME_TYPES = new
HashMap<String, String>();
private static final UriMatcher sURIMatcher = new
UriMatcher(UriMatcher.NO_MATCH);
static {
sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER);
sURIMatcher.addURI(AUTHORITY, "file/", FILE);
}
…
public ParcelFileDescriptor openFile(Uri uri, String mode){
// ContentProvider that hands out files. Whether other apps can reach it is
// decided in the manifest (android:exported / permission attributes) -
// nothing in this class restricts callers, so treat `uri` as attacker-controlled.
public class accessfile extends ContentProvider {
public static final String AUTHORITY = "pt.claudio.security";
public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY +
"/");
private static final HashMap<String, String> MIME_TYPES = new
HashMap<String, String>();
private static final UriMatcher sURIMatcher = new
UriMatcher(UriMatcher.NO_MATCH);
// Matcher for the two supported paths (FOLDER/FILE codes are defined
// elsewhere). Note it is not consulted in the part of openFile shown below,
// so it does not constrain what path reaches the File constructor.
static {
sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER);
sURIMatcher.addURI(AUTHORITY, "file/", FILE);
}
…
public ParcelFileDescriptor openFile(Uri uri, String mode){
…
// PATH TRAVERSAL. uri.getPath() is used verbatim as the child path and
// Uri.parse() does not normalise ".." segments, so a caller can walk out of
// the intended directory (the content:// URI on the next slide reaches this
// app's own private files). Fix: build the File, then require
// f.getCanonicalPath() to start with the base directory's canonical path
// followed by File.separator, and reject the request otherwise. Also honour
// `mode`: only return writable descriptors where that is intended.
File f = new File(getContext().getString(R.string._sdcard), uri.getPath());
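// Attacker-side proof of concept for the openFile above: the path portion of
// this URI escapes the sdcard base directory with ".." segments and lands in
// the victim app's private storage. (Fix: the string literal had been broken
// across two lines by slide extraction; it is a single literal here.)
Uri targURI =
Uri.parse("content://pt.claudio.security/../../../../../data/data/pt.claudio.security.pixelscamp_content/files/mysecretfile.txt");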
public Cursor query(Uri uri, String[] projection, String
selection,String[] selectionArgs, String sortOrder) {
public Cursor query(Uri uri, String[] projection, String
selection,String[] selectionArgs, String sortOrder) {
SELECT _id, description FROM notes WHERE _id = 1
-- projection: "_id, description"   |   selection: "_id = 1"
public Cursor query(Uri uri, String[] projection, String
selection,String[] selectionArgs, String sortOrder) {
SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder();
queryBuilder.setTables(Table.TABLE_NOTE)
SQLiteDatabase db = database.getWritableDatabase();
// query() entry point of the provider. projection, selection, selectionArgs
// and sortOrder all arrive from the calling app: they are untrusted input,
// not application constants.
public Cursor query(Uri uri, String[] projection, String
selection,String[] selectionArgs, String sortOrder) {
SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder();
// Hard-coding the table is good: callers cannot redirect the query.
// (The original slide is missing the ';' at the end of this line.)
queryBuilder.setTables(Table.TABLE_NOTE)
// This is a read; getReadableDatabase() would be the least-privilege handle.
SQLiteDatabase db = database.getWritableDatabase();
// SQL INJECTION SURFACE. `selection` and `sortOrder` are spliced into the
// SQL text as given, so a caller can supply e.g. "1=1) UNION SELECT ...".
// Binding selectionArgs with '?' (next slide) only protects values the
// provider's own code places in the WHERE clause; it cannot sanitise a
// selection string the caller wrote. Mitigations: queryBuilder.setStrict(true)
// (API 14+), a fixed projection map via setProjectionMap(), and manifest-level
// access control on the provider.
Cursor cursor = queryBuilder.query(db, projection,
selection,selectionArgs, null, null, sortOrder);
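// Parameterised selection: the values travel as bind arguments, so quotes or
// SQL inside "first string" / "second@string.com" cannot change the statement.
String[] selectionArgs = { "first string", "second@string.com" };
String selection = "name=? AND email=?";
// Fix: SQLiteDatabase.query() has no 5-argument overload; the 7-argument form
// (table, columns, selection, selectionArgs, groupBy, having, orderBy) is the
// shortest one. columns == null selects every column.
Cursor cursor = db.query("TABLE_NAME", null, selection,
selectionArgs, null, null, null);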
/res/xml/excludes.xml
/res/xml/excludes.xml
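<!-- AndroidManifest.xml: the backup rules file only takes effect once the
     <application> element references it. Fix: the attribute belongs on the
     tag itself, not between the tags. -->
<application
    android:fullBackupContent="@xml/excludes">
</application>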
/res/xml/excludes.xml
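<!-- AndroidManifest.xml: the backup rules file only takes effect once the
     <application> element references it. Fix: the attribute belongs on the
     tag itself, not between the tags. -->
<application
    android:fullBackupContent="@xml/excludes">
</application>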
<?xml version="1.0" encoding="utf-8"?>
<!-- Auto Backup rules (android:fullBackupContent). Nearly everything in the
     app's private storage is backed up unless excluded; this file excludes a
     single SharedPreferences file. Any other file holding tokens, keys or
     session state must be listed too, or auto backup disabled outright with
     android:allowBackup="false". On Android 12+ (API 31) the rules move to
     android:dataExtractionRules; keep both in sync if the app targets it. -->
<full-backup-content>
<exclude domain="sharedpref" path="MyPrefsFile.xml"/>
</full-backup-content>
<full-backup-content>
<include domain=["file" | "database" | "sharedpref" | "external" | "root"]
path="string" />
<exclude domain=["file" | "database" | "sharedpref" | "external" | "root"]
path="string" />
</full-backup-content>
/res/xml/network_security_config.xml
/res/xml/network_security_config.xml
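<!-- AndroidManifest.xml: Network Security Config is honoured from API 24;
     older devices ignore this attribute, so it cannot be the only control.
     Fix: the attribute belongs on the tag itself, not between the tags. -->
<application
    android:networkSecurityConfig="@xml/network_security_config">
</application>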
/res/xml/network_security_config.xml
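<!-- AndroidManifest.xml: Network Security Config is honoured from API 24;
     older devices ignore this attribute, so it cannot be the only control.
     Fix: the attribute belongs on the tag itself, not between the tags. -->
<application
    android:networkSecurityConfig="@xml/network_security_config">
</application>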
<?xml version="1.0" encoding="utf-8"?>
<!-- Scope matters: this <domain-config> forbids cleartext only to
     http.badssl.com and its subdomains. Every other host keeps the platform
     default (cleartext allowed below API 28; blocked from API 28 onward when
     targetSdkVersion >= 28). To forbid cleartext app-wide, add
     <base-config cleartextTrafficPermitted="false"> and keep <domain-config>
     entries for explicit exceptions or <pin-set> certificate pins. -->
<network-security-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">http.badssl.com</domain>
</domain-config>
</network-security-config>
security.claudio.pt @clviper github.com/clviper
Q&A

More Related Content

What's hot

Mt logging with_bam
Mt logging with_bamMt logging with_bam
Mt logging with_bamAmani Soysa
 
Open Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes PolicyOpen Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes PolicyMotonori Shindo
 
A secure erasure code based cloud storage
A secure erasure code based cloud storageA secure erasure code based cloud storage
A secure erasure code based cloud storageIMPULSE_TECHNOLOGY
 
Managing and Integrating Vault at The New York Times
Managing and Integrating Vault at The New York TimesManaging and Integrating Vault at The New York Times
Managing and Integrating Vault at The New York TimesAmanda MacLeod
 
Back to basics Italian webinar 2 Mia prima applicazione MongoDB
Back to basics Italian webinar 2  Mia prima applicazione MongoDBBack to basics Italian webinar 2  Mia prima applicazione MongoDB
Back to basics Italian webinar 2 Mia prima applicazione MongoDBMongoDB
 
Hiding secrets in Vault
Hiding secrets in VaultHiding secrets in Vault
Hiding secrets in VaultNeven Rakonić
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Max Kleiner
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon
 
SORACOM Beam から AWS IoT へのデータ送信
SORACOM Beam から AWS IoT へのデータ送信SORACOM Beam から AWS IoT へのデータ送信
SORACOM Beam から AWS IoT へのデータ送信Motokatsu Matsui
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...David Timothy Strauss
 
DevSum'15 : Microsoft Azure and Things
DevSum'15 : Microsoft Azure and ThingsDevSum'15 : Microsoft Azure and Things
DevSum'15 : Microsoft Azure and ThingsThomas Conté
 
Info 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerInfo 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerShahriar Rafee
 
Service intergration
Service intergration Service intergration
Service intergration 재민 장
 

What's hot (15)

Mt logging with_bam
Mt logging with_bamMt logging with_bam
Mt logging with_bam
 
Vault 101
Vault 101Vault 101
Vault 101
 
Open Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes PolicyOpen Policy Agent (OPA) と Kubernetes Policy
Open Policy Agent (OPA) と Kubernetes Policy
 
A secure erasure code based cloud storage
A secure erasure code based cloud storageA secure erasure code based cloud storage
A secure erasure code based cloud storage
 
Web cryptography javascript
Web cryptography javascriptWeb cryptography javascript
Web cryptography javascript
 
Managing and Integrating Vault at The New York Times
Managing and Integrating Vault at The New York TimesManaging and Integrating Vault at The New York Times
Managing and Integrating Vault at The New York Times
 
Back to basics Italian webinar 2 Mia prima applicazione MongoDB
Back to basics Italian webinar 2  Mia prima applicazione MongoDBBack to basics Italian webinar 2  Mia prima applicazione MongoDB
Back to basics Italian webinar 2 Mia prima applicazione MongoDB
 
Hiding secrets in Vault
Hiding secrets in VaultHiding secrets in Vault
Hiding secrets in Vault
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011
 
SORACOM Beam から AWS IoT へのデータ送信
SORACOM Beam から AWS IoT へのデータ送信SORACOM Beam から AWS IoT へのデータ送信
SORACOM Beam から AWS IoT へのデータ送信
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
 
DevSum'15 : Microsoft Azure and Things
DevSum'15 : Microsoft Azure and ThingsDevSum'15 : Microsoft Azure and Things
DevSum'15 : Microsoft Azure and Things
 
Info 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerInfo 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawler
 
Service intergration
Service intergration Service intergration
Service intergration
 

Similar to This is the secure droid you are looking for

Additional action script 3.0
Additional action script 3.0Additional action script 3.0
Additional action script 3.0Brian Kelly
 
Additional action script 3.0
Additional action script 3.0Additional action script 3.0
Additional action script 3.0Brian Kelly
 
Windows 8 metro applications
Windows 8 metro applicationsWindows 8 metro applications
Windows 8 metro applicationsAlex Golesh
 
10 sharing files and data in windows phone 8
10   sharing files and data in windows phone 810   sharing files and data in windows phone 8
10 sharing files and data in windows phone 8WindowsPhoneRocks
 
Amazon Cognito使って認証したい?それならSpring Security使いましょう!
Amazon Cognito使って認証したい?それならSpring Security使いましょう!Amazon Cognito使って認証したい?それならSpring Security使いましょう!
Amazon Cognito使って認証したい?それならSpring Security使いましょう!Ryosuke Uchitate
 
Descargar datos con JSON en Android
Descargar datos con JSON en AndroidDescargar datos con JSON en Android
Descargar datos con JSON en Android★ Raúl Laza
 
Top 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platformTop 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platformAvi Networks
 
HTML5 APIs - Where No Man Has Gone Before! - GothamJS
HTML5 APIs - Where No Man Has Gone Before! - GothamJSHTML5 APIs - Where No Man Has Gone Before! - GothamJS
HTML5 APIs - Where No Man Has Gone Before! - GothamJSRobert Nyman
 
Leveraging Azure Search in Your Application
Leveraging Azure Search in Your ApplicationLeveraging Azure Search in Your Application
Leveraging Azure Search in Your ApplicationJeremy Hutchinson
 
JavaScript APIs - The Web is the Platform - .toster conference, Moscow
JavaScript APIs - The Web is the Platform - .toster conference, MoscowJavaScript APIs - The Web is the Platform - .toster conference, Moscow
JavaScript APIs - The Web is the Platform - .toster conference, MoscowRobert Nyman
 
iOS Keychain by 흰, 민디
iOS Keychain by 흰, 민디iOS Keychain by 흰, 민디
iOS Keychain by 흰, 민디MINJICHO20
 
The state of your own hypertext preprocessor
The state of your own hypertext preprocessorThe state of your own hypertext preprocessor
The state of your own hypertext preprocessorAlessandro Nadalin
 
FluentLeniumで困った話
FluentLeniumで困った話FluentLeniumで困った話
FluentLeniumで困った話Yuuki Ooguro
 
create-netflix-clone-05-client-model.pdf
create-netflix-clone-05-client-model.pdfcreate-netflix-clone-05-client-model.pdf
create-netflix-clone-05-client-model.pdfShaiAlmog1
 
[AzureCamp 24 Juin 2014] Cache Distribué par Thomas Conté
[AzureCamp 24 Juin 2014] Cache Distribué par Thomas Conté[AzureCamp 24 Juin 2014] Cache Distribué par Thomas Conté
[AzureCamp 24 Juin 2014] Cache Distribué par Thomas ContéMicrosoft Technet France
 

Similar to This is the secure droid you are looking for (20)

Additional action script 3.0
Additional action script 3.0Additional action script 3.0
Additional action script 3.0
 
Additional action script 3.0
Additional action script 3.0Additional action script 3.0
Additional action script 3.0
 
What's new in Liferay Mobile SDK 2.0 for Android
What's new in Liferay Mobile SDK 2.0 for AndroidWhat's new in Liferay Mobile SDK 2.0 for Android
What's new in Liferay Mobile SDK 2.0 for Android
 
Windows 8 metro applications
Windows 8 metro applicationsWindows 8 metro applications
Windows 8 metro applications
 
10 sharing files and data in windows phone 8
10   sharing files and data in windows phone 810   sharing files and data in windows phone 8
10 sharing files and data in windows phone 8
 
Amazon Cognito使って認証したい?それならSpring Security使いましょう!
Amazon Cognito使って認証したい?それならSpring Security使いましょう!Amazon Cognito使って認証したい?それならSpring Security使いましょう!
Amazon Cognito使って認証したい?それならSpring Security使いましょう!
 
ASP.NET WEB API
ASP.NET WEB APIASP.NET WEB API
ASP.NET WEB API
 
Descargar datos con JSON en Android
Descargar datos con JSON en AndroidDescargar datos con JSON en Android
Descargar datos con JSON en Android
 
OWASP Proxy
OWASP ProxyOWASP Proxy
OWASP Proxy
 
Xml & Java
Xml & JavaXml & Java
Xml & Java
 
Top 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platformTop 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platform
 
HTML5 APIs - Where No Man Has Gone Before! - GothamJS
HTML5 APIs - Where No Man Has Gone Before! - GothamJSHTML5 APIs - Where No Man Has Gone Before! - GothamJS
HTML5 APIs - Where No Man Has Gone Before! - GothamJS
 
Leveraging Azure Search in Your Application
Leveraging Azure Search in Your ApplicationLeveraging Azure Search in Your Application
Leveraging Azure Search in Your Application
 
JavaScript APIs - The Web is the Platform - .toster conference, Moscow
JavaScript APIs - The Web is the Platform - .toster conference, MoscowJavaScript APIs - The Web is the Platform - .toster conference, Moscow
JavaScript APIs - The Web is the Platform - .toster conference, Moscow
 
iOS Keychain by 흰, 민디
iOS Keychain by 흰, 민디iOS Keychain by 흰, 민디
iOS Keychain by 흰, 민디
 
The state of your own hypertext preprocessor
The state of your own hypertext preprocessorThe state of your own hypertext preprocessor
The state of your own hypertext preprocessor
 
FluentLeniumで困った話
FluentLeniumで困った話FluentLeniumで困った話
FluentLeniumで困った話
 
create-netflix-clone-05-client-model.pdf
create-netflix-clone-05-client-model.pdfcreate-netflix-clone-05-client-model.pdf
create-netflix-clone-05-client-model.pdf
 
Ajax chap 5
Ajax chap 5Ajax chap 5
Ajax chap 5
 
[AzureCamp 24 Juin 2014] Cache Distribué par Thomas Conté
[AzureCamp 24 Juin 2014] Cache Distribué par Thomas Conté[AzureCamp 24 Juin 2014] Cache Distribué par Thomas Conté
[AzureCamp 24 Juin 2014] Cache Distribué par Thomas Conté
 

More from Cláudio André

Droidstat-X, Android Applications Security Analyser Xmind Generator
Droidstat-X, Android Applications Security Analyser Xmind GeneratorDroidstat-X, Android Applications Security Analyser Xmind Generator
Droidstat-X, Android Applications Security Analyser Xmind GeneratorCláudio André
 
A day in the life of a pentester
A day in the life of a pentesterA day in the life of a pentester
A day in the life of a pentesterCláudio André
 
Mobile application (in)security - 2nd Integrity Smart Executive Breakfast
Mobile application (in)security - 2nd Integrity Smart Executive BreakfastMobile application (in)security - 2nd Integrity Smart Executive Breakfast
Mobile application (in)security - 2nd Integrity Smart Executive BreakfastCláudio André
 
Hacker, you shall not pass!
Hacker, you shall not pass!Hacker, you shall not pass!
Hacker, you shall not pass!Cláudio André
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 

More from Cláudio André (7)

Droidstat-X, Android Applications Security Analyser Xmind Generator
Droidstat-X, Android Applications Security Analyser Xmind GeneratorDroidstat-X, Android Applications Security Analyser Xmind Generator
Droidstat-X, Android Applications Security Analyser Xmind Generator
 
Is my app secure?
Is my app secure?Is my app secure?
Is my app secure?
 
A day in the life of a pentester
A day in the life of a pentesterA day in the life of a pentester
A day in the life of a pentester
 
Mobile application (in)security - 2nd Integrity Smart Executive Breakfast
Mobile application (in)security - 2nd Integrity Smart Executive BreakfastMobile application (in)security - 2nd Integrity Smart Executive Breakfast
Mobile application (in)security - 2nd Integrity Smart Executive Breakfast
 
Hacker, you shall not pass!
Hacker, you shall not pass!Hacker, you shall not pass!
Hacker, you shall not pass!
 
Mobile (in)security ?
Mobile (in)security ?Mobile (in)security ?
Mobile (in)security ?
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 

Recently uploaded

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 

Recently uploaded (20)

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 

This is the secure droid you are looking for

  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8. URL url = new URL("https://pixels.camp"); URLConnection urlConnection = url.openConnection();
  • 9. URL url = new URL("https://devpixels.local"); URLConnection urlConnection = url.openConnection();
  • 10.
  • 11. SSLContext mySSLContext = SSLContext.getInstance("TLS");
  • 12. SSLContext mySSLContext = SSLContext.getInstance("TLS"); mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager },new SecureRandom());
  • 13. SSLContext mySSLContext = SSLContext.getInstance("TLS"); mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager },new SecureRandom()); URL url = new URL("https://devpixels.local");
  • 14. SSLContext mySSLContext = SSLContext.getInstance("TLS"); mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager },new SecureRandom()); URL url = new URL("https://devpixels.local"); HttpsURLConnection urlConnection = HttpsURLConnection)url.openConnection(); urlConnection.setSSLSocketFactory(mySSLContext.getSocketFactory());
  • 15. TrustManager mySuperCustomTrustManager = new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkServerTrusted(X509Certificate[] chain,String authType) throws CertificateException { } public void checkClientTrusted(X509Certificate[] chain,String authType) throws CertificateException { } }; // getAcceptedIssuers() returns null and both check*Trusted bodies are empty, so no chain is ever rejected: a connection built on this manager (slide 14) performs no server authentication at all, and whoever sits between the app and the server can present any certificate. The fix is a TrustManagerFactory initialised from a KeyStore holding the expected certificate, as on slides 33-37; for a dev box, ship the self-signed cert that way rather than disabling validation.
  • 16. URL url = new URL("https://devpixels.camp"); URLConnection urlConnection = url.openConnection();
  • 17. HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String s, SSLSession sslSession) { return true; } }); URL url = new URL("https://devpixels.camp"); URLConnection urlConnection = url.openConnection(); // verify() ignores both arguments and returns true, and setDefaultHostnameVerifier installs it as the process-wide default, not just for this connection: a certificate that is valid for any other name now passes for devpixels.camp and for every other host the app talks to. Keep the default verifier (it checks the hostname against the certificate's names) and obtain a certificate issued for the right name instead.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26. WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.loadUrl(“https://devpixels.local”);
  • 27. WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.setWebViewClient(new WebViewClient() { public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { handler.proceed(); } }); myWebView.loadUrl(“https://devpixels.local”); // handler.proceed() is called without inspecting error, so every certificate failure is overridden and the page is rendered over a connection whose certificate did not validate. The WebViewClient default is handler.cancel(); leaving that in place is the right behaviour for a release build, and a dev-only override should at least be gated on a debug flag.
  • 28. final class JavaScriptInterface { @JavascriptInterface public String getSomeString() { return "string"; } } WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.getSettings().setJavaScriptEnabled(true); myWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface"); // with JavaScript enabled, script in any page this WebView loads can call the bridged object's methods through window.jsinterface; together with the proceed() override on the previous slide, that page content is no longer guaranteed to come from the intended server. Expose only what is needed, target API 17+ so that only @JavascriptInterface-annotated methods are reachable, and restrict the WebView to trusted origins.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33. CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream caInput = getResources().openRawResource(R.raw.pixels); Certificate ca; try { ca = cf.generateCertificate(caInput); } finally { caInput.close(); }
  • 34. CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream caInput = getResources().openRawResource(R.raw.pixels); Certificate ca; try { ca = cf.generateCertificate(caInput); } finally { caInput.close(); } String keyStoreType = KeyStore.getDefaultType(); KeyStore keyStore = KeyStore.getInstance(keyStoreType); keyStore.load(null, null); keyStore.setCertificateEntry("PixelsCampLeaf", ca);
  • 35. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore);
  • 36. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, tmf.getTrustManagers(), null);
  • 37. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, tmf.getTrustManagers(), null); URL url = new URL("https://pixels.camp"); HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection(); urlConnection.setSSLSocketFactory(context.getSocketFactory()); InputStream in = urlConnection.getInputStream(); // tmf only knows the certificate loaded from R.raw.pixels (slide 34), so this connection authenticates the server solely against that bundled certificate — pinning, with validation kept on. The pin has to be updated when the server certificate is rotated or expires, or the app stops working; also note that in is never closed here, so wrap it in try-with-resources in real code.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44. public class accessfile extends ContentProvider {
  • 45. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); }
  • 46. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); } … public ParcelFileDescriptor openFile(Uri uri, String mode){
  • 47. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); } … public ParcelFileDescriptor openFile(Uri uri, String mode){ … File f = new File(getContext().getString(R.string._sdcard), uri.getPath()); // uri.getPath() comes straight from the calling app, so a path containing ".." names a file outside the intended directory (classic path traversal). Unless the elided code already does so, compare f.getCanonicalPath() against the base directory's canonical path and reject anything that does not start with it, and keep the provider unexported unless it must be reachable by other apps.
  • 48.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) {
  • 58. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SELECT _id, description FROM notes WHERE _id = 1{ { Projection Selection
  • 59. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder(); queryBuilder.setTables(Table.TABLE_NOTE) SQLiteDatabase db = database.getWritableDatabase();
  • 60. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder(); queryBuilder.setTables(Table.TABLE_NOTE) SQLiteDatabase db = database.getWritableDatabase(); Cursor cursor = queryBuilder.query(db, projection, selection,selectionArgs, null, null, sortOrder); // projection, selection and sortOrder are spliced into the SQL text as-is, so whichever app can reach this provider controls those fragments of the statement. Bind values through selectionArgs (slide 62), enable queryBuilder.setStrict(true) and constrain columns with setProjectionMap, and use getReadableDatabase() since this method only reads.
  • 61.
  • 62. String[] selectionArgs = { "first string", "second@string.com" }; String selection = "name=? AND email=?"; Cursor cursor = db.query("TABLE_NAME", null,selection, selectionArgs, null); // the two values are bound to the ? placeholders rather than concatenated into selection, so they are treated as data and cannot change the structure of the query — the pattern query() on slide 60 should rely on for anything caller-supplied.
  • 63.
  • 64.
  • 65.
  • 66.
  • 67.
  • 68.
  • 69.
  • 73. <full-backup-content> <include domain=["file" | "database" | "sharedpref" | "external" | "root"] path="string" /> <exclude domain=["file" | "database" | "sharedpref" | "external" | "root"] path="string" /> </full-backup-content>
  • 74.
  • 75.
  • 76.
  • 77.
  • 78.
  • 79.
  • 82. /res/xml/network_security_config.xml <application> android:networkSecurityConfig="@xml/network_security_config" </application> <?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">http.badssl.com</domain> </domain-config> </network-security-config>
  • 83.

Editor's Notes

  1. For us to have secure communication we have to rely on HTTPS yada yada
  2. HTTPS is based on certificates and depends on their validation yada yada yada
  3. Some of the validations include those above, explain a little bit
  4. Optionally we also have Certificate Pinning a little later. So let’s imagine two scenarios of a developer creating a mobile app for pixels camp..
  5. So the production environment will be pixels.camp, and with these settings we would make a secure connection to the website..
  6. But actually I am using my local dev setup, and I am using a self signed certificate and therefore I keep getting errors. So my first idea is to Google a little bit to find a way to solve these errors…
  7. This is where things go South… Well I found some nice guys in Stackoverflow that pointed me to a way to get rid of those pesky errors..
  8. Explain
  9. Explain
  10. Explain
  11. Explain
  12. Explain. So the errors went away. Awesome.
  13. So let’s say that I have a second scenario where I actually have an online server with a valid certificate but not the right hostname. Well stackoverflow to the rescue..
  14. Explain. Again the errors went away. But what are the implications of this patches?
  15. Well…. Imagine that Ron is using your application in a coffee shop, using its public hotspot. Yada Yada Yada Yada
  16. Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  17. Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  18. Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  19. Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  20. Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  21. Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  22. So enter Webviews…
  23. Explain
  24. Explain
  25. Explain
  26. Video with metasploit with payload to exploit JavascriptInterface
  27. Well…. Ron not happy!
  28. So enter Webviews…
  29. So enter Webviews…
  30. So enter Webviews…
  31. So enter Webviews…
  32. So enter Webviews…
  33. So enter Webviews…
  34. So enter Webviews…
  35. Explain
  36. Explain
  37. Explain
  38. Explain
  39. Explain
  40. Explain
  41. Explain
  42. Explain
  43. Explain
  44. Video with exploiting the content provider
  45. So for bonus points, we can even indirectly break the application sandbox……..
  46. Explain
  47. Explain
  48. Explain
  49. Explain
  50. Explain
  51. Explain
  52. Explain.
  53. So for those wondering what these parameters mean, let’s imagine a SQL query. Projection represents the fields chosen for the query and Selection the fields used in the Where clause. The sortOrder is the fields that we would define in the Order by. The selectionArgs I will talk about later.
  54. Explain
  55. Explain
  56. Video with exploiting the content provider
  57. Explain Selection Args
  58. Explain
  59. Explain
  60. Explain
  61. Explain
  62. Explain