How secure is an android app?

•

0 likes•53 views

Agenda ● Scenario ● APK - What is it? Is it hackable? ● Sandboxing of Android Processes ● Dalvik VM vs Java VM ● Native vs Non-Native Applications ● CPTs and CPMDs ● Reverse Engineering ● Problem of Hybrid Apps ● Best Practices ● Suggestions

Technology

How Secure
is an Android
App?
Pedro Tavares
11 September, 2017

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
Agenda
● Scenario
● APK - What is it? Is it hackable?
● Sandboxing of Android Processes
● Dalvik VM vs Java VM
● Native vs Non-Native Applications
● CPTs and CPMDs
● Reverse Engineering
● Problem of Hybrid Apps
● Best Practices
● Suggestions
# Agenda

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
Agenda: Scenario# Agenda
server-side
client-side

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
APK - What is it? Is it hackable?
Android Package
# Agenda
# APK - What is it?
terminal> unzip edpartners.apk
RE is possible

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
Sandboxing of Android
Processes
● Dedicated Virtual Machine (VM)
● Process Isolation (UID)
● Not shared resources
● Kernel protection
# Agenda
# APK - What is it?
# Sandboxing of android ...
Dalvik Virtual
Machine

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
Dalvik VM vs Java VM# Agenda
# APK - What is it?
# Sandboxing of android …
# Dalvik VM vs Java VM
Java Source
Code
Java Byte
Code
Dalvik Byte
Code
Dalvik Executable
Dalvik VM
Java Source
Code
Java Byte
Code
Java Byte Code
Java VM
Java Compiler Java Compiler
Dex Compiler
Ant
Gradle

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
CPTs and CPMDs# Agenda
# APK - What is it?
# Sandboxing of android …
# Dalvik VM vs Java VM
# CPTs and CPMDs
CPTs
(Cross-platform Tools)
CPMDs
(Cross-platform to Mobile Development)
Tools that automate the process
of creation mobile applications.
Web-based platforms which
enable the process of creation
mobile applications through
CPTs on web-browsers.

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
Native vs Non-Native
Applications# Agenda
# APK - What is it?
# Sandboxing of android …
# Dalvik VM vs Java VM
# CPTs and CPMDs
# Native vs Non-Native ...
Native Hybrid Web
Fully Java Based. Direct
communication with the
native API.
HTML5 based. Javascript
provides a bridge with the
native API of mobile
operating system.
Based in HTML5 and on
web-services and online
content.

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
# Agenda
# APK - What is it?
# Sandboxing of android …
# Dalvik VM vs Java VM
# CPTs and CPMDs
# Native vs Non-Native …
# Reverse Engineering
Reverse Engineering
App on phone
App on
marketplace
.apk files
resource .dex files Manifest
.class
files
Java files
Readable XML
aapt
(Android asset packaging tool)
Dex > jar (dex2jar)
Class > java (Java Decompiler)
Extract APK
HTML, CSS,
Javascript,
Images, assets,
etc.
Hybrid Apps
unzip

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
Problem of Hybrid Apps# Agenda
# APK - What is it?
# Sandboxing of android …
# Dalvik VM vs Java VM
# CPTs and CPMDs
# Native vs Non-Native …
# Reverse Engineering
# Problem of Hybrid Apps ● Best user experience
● Portability (multi-platforms)
● Cheaper origination costs
● Faster (initial) speed to market
● Weak security (obfuscation, encryption, etc.)
● Weak performance (a bridge is needed)
● Creates a lot of junk
Advantages
Know Problems

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
Best Practices# Agenda
# APK - What is it?
# Sandboxing of android …
# Dalvik VM vs Java VM
# CPTs and CPMDs
# Native vs Non-Native …
# Reverse Engineering
# Problem of Hybrid Apps
# Best Practices
● Architecture well-defined
● Obfuscation
○ Native Apps: ProGuard
○ Hybrid: Google Closure Compiler in the level
ADVANCED_OPTIMIZATIONS
● Obfuscation not resolve hardcoded strings
○ Android Keystore System
■ Store keys in Internal Storage
➢ Trusted Execution Environment
○ oauth2
● Javascript files available via remote callbacks
● Minify Javascript files
Increase the
cracking task

Pedro Tavares
pedrotavares@domdigital.com
Av. Rainha D. Amélia, 142 Cave
6300 - 749 Guarda, Portugal
Suggestions# Agenda
# APK - What is it?
# Sandboxing of android …
# Dalvik VM vs Java VM
# CPTs and CPMDs
# Native vs Non-Native …
# Reverse Engineering
# Problem of Hybrid Apps
# Best Practices
#Suggestions
“Meteor.js: um framework além do MVC”
www.meteor.com
Obfuscation
Android Keystore System
(MinSDK 18, Android 4.3 and higher, and Smartphone support)
https://medium.com/@vashisthg/android-secure-shared-preferences-10f8356a4c2b
https://github.com/ophio/secure-preferences
https://developer.android.com/training/articles/keystore.html#UsingAndroidKeyStore
AWS
Cognito, lambda, 3party apps, etc.
https://aws.amazon.com/pt/mobile/

Similar to How secure is an android app?

Cross Section and Deep Dive into GE Predix

Altoros

Kubernetes: Increasing velocity without sacrificing quality

Adam Schepis

DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...

Haggai Philip Zagury

WSO2Con US 2013 - Using Jaggery in Telecom Web and Mobile Applications

WSO2

Life of a Request by Ana Oprea

Rails Girls MUC

In this talk, we will cover important elements for successful CI and CD. We will discuss how these elements make CI and CD much simpler, and hence more attainable. We will cover some best practices / recommendations to include in your application pipelines. We will look at a sample implementation of a pipeline leveraging modern tools. Finally, we will discuss some forthcoming ideas for making it even easier to declaratively enable CI and CD for applications.

Delivery Pipelines as a First Class Citizen @deliverAgile2019

ciberkleid

by Stephen Timms, EVP Global Sales, CloudEndure By leveraging AWS, CloudEndure is able to offer AWS as a target infrastructure to attain affordable, enterprise-grade disaster recovery for physical, virtual, hybrid, and cloud-based workloads. In this session, CloudEndure will provide best practices all organizations should consider when enabling disaster recovery capabilities. We will provide recommendations on how to improve your disaster recovery plan and guide the audience through two customer use cases from CGS and Health Quest.

Disaster Recovery Best Practices and Customer Use Cases: CGS and HealthQuest

Amazon Web Services

Droidcon London 2021 - Full Stack Dart

Chris Swan

GE Predix - The IIoT Platform

Juan Pablo Genovese

Disaster Recovery Best Practices and Customer Use Cases: CGS and Health Quest...

Amazon Web Services

Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014

Alexandre Morgaut

Embarcadero's Connected Development

Jim McKeeth

全面保護企業的關鍵智慧資產

NVIDIA Taiwan

The Cross-Platform Build Pipeline • Check in code • Run a build (compile) • Run tests - Mocha, or Jasmine and Protractor after build • Run Cordova build • Create binary deployable files -> APK, IPA, XAP file (platform binaries) • Deploy platform binary to a emulator • Run functional tests on the emulator -> Espresso from Google, mock wire • Signing or packaging • Submit to test store (internal, beta testing) • Send emails to beta testers with links to the app

Continuous Delivery for Cross-Platform Mobile Apps

Movel

What is the best programming language for your web product?

MobiDev

hirecloud.pro: cloud based platform to conduct technical interviews

Ugendreshwar Kudupudi

Techdays Helsinki - Creating the distributed apps of the future using dapr - ...

Geert van der Cruijsen

Over the last years booming of cloud technologies created a lot of opportunities for business and together with IoT expansion established new niche: Edge Computing. Since it's one of the first speech within the UA community we will go through main points about the origin, business use cases, main frameworks, and challenges. Why DevOps people should start learning embedded programming aspects and why we shouldn't allow to register a cloud node after reboot? That's the questions what we'll also review with professional part of the audience.

DevOps Fest 2020. Pavlo Repalo. Edge Computing: Appliance and Challanges

DevOps_Fest

Virdata: lessons learned from the Internet of Things and M2M Cloud Services @...

Nathan Bijnens

Dataencryptionsystem

Vibhu Mishra

Similar to How secure is an android app? (20)

Cross Section and Deep Dive into GE Predix

Kubernetes: Increasing velocity without sacrificing quality

DevOpsDays Tel Aviv DEC 2022 | Building A Cloud-Native Platform Brick by Bric...

WSO2Con US 2013 - Using Jaggery in Telecom Web and Mobile Applications

Life of a Request by Ana Oprea

Delivery Pipelines as a First Class Citizen @deliverAgile2019

Disaster Recovery Best Practices and Customer Use Cases: CGS and HealthQuest

Droidcon London 2021 - Full Stack Dart

GE Predix - The IIoT Platform

Disaster Recovery Best Practices and Customer Use Cases: CGS and Health Quest...

Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014

Embarcadero's Connected Development

全面保護企業的關鍵智慧資產

Continuous Delivery for Cross-Platform Mobile Apps

What is the best programming language for your web product?

hirecloud.pro: cloud based platform to conduct technical interviews

Techdays Helsinki - Creating the distributed apps of the future using dapr - ...

DevOps Fest 2020. Pavlo Repalo. Edge Computing: Appliance and Challanges

Virdata: lessons learned from the Internet of Things and M2M Cloud Services @...

Dataencryptionsystem

Recently uploaded

Decarbonising Commercial Real Estate: The Role of Operational Performance

IES VE

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Architecting Cloud Native Applications

WSO2

JohnPollard-hybrid-app-RailsConf2024.pptx

JohnPollard37

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

In the ever-evolving landscape of data management, Zero-ETL is an approach that is reshaping how businesses handle and integrate their data. This webinar explores Zero-ETL, a paradigm shift from the traditional Extract, Transform, Load (ETL) process, offering a more streamlined, efficient, and real-time data integration method. We will begin with an introduction to the concept of Zero-ETL, including how it allows direct access to data in its native environment and real-time data transformation, providing up-to-date information with significantly reduced data redundancy. Next, we'll take you through several demonstrations showing how Zero-ETL can deliver real-time data and enable the free movement of data between systems. We will also discuss the various tools that support all aspects of Zero-ETL, providing attendees with an understanding of how they can adopt this innovative approach in their organizations. Lastly, the session will conclude with an interactive Q&A segment, allowing participants to gain deeper insights into how Zero-ETL can be tailored to their specific business needs and how they can get started today. Join us to discover how Zero-ETL can elevate your organization's data strategy.

The Zero-ETL Approach: Enhancing Data Agility and Insight

Safe Software

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...

WSO2

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

The presentation was made in “Web3 Fusion: Embracing AI and Beyond” is more than a conference; it's a journey into the heart of digital transformation. The conference a provided a platform where the future of technology meets practical application. This three-day hybrid event, set in the heart of innovation, served as a gateway to the latest trends and transformative discussions in AI, Blockchain, IoT, AR/VR, and their collective impact on the information space.

AI in Action: Real World Use Cases by Anitaraj

AnitaRaj43

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

MINDCTI Revenue Release Quarter One 2024

MIND CTI

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

How to Check CNIC Information Online with Pakdata cf

danishmna97

DBX First Quarter 2024 Investor Presentation

Dropbox

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Recently uploaded (20)

Decarbonising Commercial Real Estate: The Role of Operational Performance

Six Myths about Ontologies: The Basics of Formal Ontology

Architecting Cloud Native Applications

JohnPollard-hybrid-app-RailsConf2024.pptx

Understanding the FAA Part 107 License ..

Why Teams call analytics are critical to your entire business

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

The Zero-ETL Approach: Enhancing Data Agility and Insight

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

AI in Action: Real World Use Cases by Anitaraj

Vector Search -An Introduction in Oracle Database 23ai.pptx

Introduction to Multilingual Retrieval Augmented Generation (RAG)

MINDCTI Revenue Release Quarter One 2024

AWS Community Day CPH - Three problems of Terraform

How to Check CNIC Information Online with Pakdata cf

DBX First Quarter 2024 Investor Presentation

Platformless Horizons for Digital Adaptability

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

How secure is an android app?

1. How Secure is an Android App? Pedro Tavares 11 September, 2017

2. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Agenda ● Scenario ● APK - What is it? Is it hackable? ● Sandboxing of Android Processes ● Dalvik VM vs Java VM ● Native vs Non-Native Applications ● CPTs and CPMDs ● Reverse Engineering ● Problem of Hybrid Apps ● Best Practices ● Suggestions # Agenda

3. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Agenda: Scenario# Agenda server-side client-side

4. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal APK - What is it? Is it hackable? Android Package # Agenda # APK - What is it? terminal> unzip edpartners.apk RE is possible

5. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Sandboxing of Android Processes ● Dedicated Virtual Machine (VM) ● Process Isolation (UID) ● Not shared resources ● Kernel protection # Agenda # APK - What is it? # Sandboxing of android ... Dalvik Virtual Machine

6. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Dalvik VM vs Java VM# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM Java Source Code Java Byte Code Dalvik Byte Code Dalvik Executable Dalvik VM Java Source Code Java Byte Code Java Byte Code Java VM Java Compiler Java Compiler Dex Compiler Ant Gradle

7. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Dalvik VM vs Java VM# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM

8. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal CPTs and CPMDs# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs CPTs (Cross-platform Tools) CPMDs (Cross-platform to Mobile Development) Tools that automate the process of creation mobile applications. Web-based platforms which enable the process of creation mobile applications through CPTs on web-browsers.

9. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Native vs Non-Native Applications# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native ... Native Hybrid Web Fully Java Based. Direct communication with the native API. HTML5 based. Javascript provides a bridge with the native API of mobile operating system. Based in HTML5 and on web-services and online content.

10. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal # Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native … # Reverse Engineering Reverse Engineering App on phone App on marketplace .apk files resource .dex files Manifest .class files Java files Readable XML aapt (Android asset packaging tool) Dex > jar (dex2jar) Class > java (Java Decompiler) Extract APK HTML, CSS, Javascript, Images, assets, etc. Hybrid Apps unzip

11. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Problem of Hybrid Apps# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native … # Reverse Engineering # Problem of Hybrid Apps ● Best user experience ● Portability (multi-platforms) ● Cheaper origination costs ● Faster (initial) speed to market ● Weak security (obfuscation, encryption, etc.) ● Weak performance (a bridge is needed) ● Creates a lot of junk Advantages Know Problems

12. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Best Practices# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native … # Reverse Engineering # Problem of Hybrid Apps # Best Practices ● Architecture well-defined ● Obfuscation ○ Native Apps: ProGuard ○ Hybrid: Google Closure Compiler in the level ADVANCED_OPTIMIZATIONS ● Obfuscation not resolve hardcoded strings ○ Android Keystore System ■ Store keys in Internal Storage ➢ Trusted Execution Environment ○ oauth2 ● Javascript files available via remote callbacks ● Minify Javascript files Increase the cracking task

13. Pedro Tavares pedrotavares@domdigital.com Av. Rainha D. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Suggestions# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native … # Reverse Engineering # Problem of Hybrid Apps # Best Practices #Suggestions “Meteor.js: um framework além do MVC” www.meteor.com Obfuscation Android Keystore System (MinSDK 18, Android 4.3 and higher, and Smartphone support) https://medium.com/@vashisthg/android-secure-shared-preferences-10f8356a4c2b https://github.com/ophio/secure-preferences https://developer.android.com/training/articles/keystore.html#UsingAndroidKeyStore AWS Cognito, lambda, 3party apps, etc. https://aws.amazon.com/pt/mobile/

14. End Thanks

How secure is an android app?

Recommended

Recommended

More Related Content

Similar to How secure is an android app?

Similar to How secure is an android app? (20)

Recently uploaded

Recently uploaded (20)

How secure is an android app?