Thomas Methlie, profile picture
Uploaded byThomas Methlie
3,094 views

Android App Security: What (not) to do!

This document discusses common security issues for Android apps and provides recommendations to address them. It identifies issues such as overprivileged apps, information exposure through sent data, intent spoofing, unauthorized intent receipt, insufficient entropy, and use of hardcoded cryptographic keys. The document recommends techniques like using permissions and explicit intents to prevent spoofing, validating untrusted inputs, and parametrized queries to prevent SQL injection. It also cautions against sending sensitive data in sticky broadcasts.

Embed presentation

Downloaded 42 times
Android App Security: What (not) to do! Android App Security: What (not) to do!
About me ● Thomas Methlie ● Consultant @Capgemini, Bergen ● Member of Vestenfjeldske SikkerhetsCompagnie ● CISSP (Associate) certification Android App Security: What (not) to do!
Background http://android-developers.blogspot.com Android App Security: What (not) to do!
Background http://android-developers.blogspot.com Android App Security: What (not) to do!
The not so good news Overprivileged applications Information exposure through sent data Intent spoofing % of applications Use of hardcoded chryptographic keys Unauthorized intent receipt Insufficient entropy 0 10 20 30 40 50 60 70 Android App Security: What (not) to do!
Intent spoofing ● Public components and senders with weak permissions ● Malicious app sends Intent resulting in data injection or state change <receiver android:name=”one.special.recevier”> <intent-filter> <action android:name=”one.intent.action” /> </intent-filter> </receiver> Android App Security: What (not) to do!
Intent spoofing <receiver android:name=”one.special.recevier” android:exported=false> <intent-filter> <action android:name=”one.intent.action” /> </intent-filter> </receiver> <receiver android:name=”one.special.recevier” android:exported=true android:permission=”one.permission”> <intent-filter> <action android:name=”one.intent.action” /> </intent-filter> </receiver> Android App Security: What (not) to do!
Unauthorized Intent Receipt ● Given a public Intent which doesn't require strong permission in the receiving component ● Intercepted by malicious app ● May leak sensitive data and/or change in control flow Intent intent = new Intent(); intent.setAction(“a.special.action”); startActivity(intent); Android App Security: What (not) to do!
Unauthorized Intent Receipt Intent fixedIntent = new Intent(); fixedIntent.setClassName(“pkg.name”, “pkg.name.DestinationName”); Intent fixedIntent2 = new Intent(); fixedIntent2.setAction(“a.special.action”); sendBroadcast (“fixedIntent2, “a.special.permission”); Android App Security: What (not) to do!
Persistent Messages: Sticky broadcasts ● Received by all components registered to receive them ● Exists even after it has been sent ● Can be removed by anyone with a BROADCAST_STICKY permission ● Can not set permission requirements on receiver ● Can compromise sensitive program data Android App Security: What (not) to do!
Persistent Messages: Sticky broadcasts ● Use regular broadcasts protected by the receiver permission ● Examine data in broadcasted messages ● Don't send sensitive data in sticky broadcast messages Android App Security: What (not) to do!
SQL & Query String Injection ● delete, execSQL, rawQuery, update... ● Query String Injection: Allows malicious app to view unauthorized data ● But can not alter data ● Data from untrusted source ● Dynamically constructing SQLite query strings Android App Security: What (not) to do!
SQL & Query String Injection Use parametrised queries Always validate untrusted input query = userDB.query( MY_TABLE,MY_COLUMN,“userid = ?”,{userid}, null,null,null,null) Android App Security: What (not) to do!
More vulnerabilities Insecure Communication Over privileged Applications Insecure Storage Insufficient cryptographic entropy Use of hard-coded cryptographic keys Android App Security: What (not) to do!
Sources 1.Seven ways to hang yourself with Google Android. Y. O'Neil and E. Chin 2.Veracode State of Software Security v04 3.http://android-developers.blogspot.com Android App Security: What (not) to do!
Thank you for listening! @tsmethlie no.linkedin.com/in/thomasmethlie thomas.methlie@gmail.com thomas.methlie@capgemini.com Android App Security: What (not) to do!

More Related Content

PDF
OWASP Top 10
byArthur Shvetsov
 
PDF
Hacking android apps by srini0x00
bysrini0x00
 
PPTX
Security Testing Training With Examples
byAlwin Thayyil
 
PDF
Security testing presentation
byConfiz
 
PPT
Securing Applications
byBurak DAYIOGLU
 
PDF
OWASP Mobile Top 10
byNowSecure
 
PDF
Reducing Risk of Credential Compromise at Netflix
bySBWebinars
 
PPTX
Introduction to security testing
byNagasahas DS
 
OWASP Top 10
byArthur Shvetsov
 
Hacking android apps by srini0x00
bysrini0x00
 
Security Testing Training With Examples
byAlwin Thayyil
 
Security testing presentation
byConfiz
 
Securing Applications
byBurak DAYIOGLU
 
OWASP Mobile Top 10
byNowSecure
 
Reducing Risk of Credential Compromise at Netflix
bySBWebinars
 
Introduction to security testing
byNagasahas DS
 

What's hot

PDF
OWASP Mobile Top 10 Deep-Dive
byPrathan Phongthiproek
 
PPTX
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
byAjin Abraham
 
PPTX
API Abuse - The Anatomy of An Attack
byNordic APIs
 
PDF
Attacking android insecurity
byGodfrey Nolan
 
PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
PPT
Security 101
byGeorge V. Reilly
 
PPTX
Zimperium Enterprise Mobile Threats
byZimperium
 
PDF
OWASP Top 10 for Mobile
byAppvigil - Mobile App Security Scanner
 
PPT
Coordinated Malware Eradication & Remediation Project (CMERP) - The Way Forward
byAPNIC
 
PPTX
Overview on hacking tools
byZituSahu
 
PDF
Decompiling Android Workshop
byGodfrey Nolan
 
PPTX
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
byClare Nelson, CISSP, CIPP-E
 
PDF
CNS - Hut3 - Mobile Application (In)Security
byCNS Group
 
PDF
How to make Android apps secure: dos and don’ts
byNowSecure
 
PPT
Step by step guide for web application security testing
byAvyaan, Web Security Company in India
 
PDF
Preparing for the inevitable: The mobile incident response playbook
byNowSecure
 
PDF
Targeted Defense for Malware & Targeted Attacks
byImperva
 
PPTX
Continuous Security - TCCC
byWendy Istvanick
 
PPTX
Cyber Vulnerabilities & How companies can test them
by24by7Security Inc
 
PPTX
OWASP Top 10 Vulnerabilities 2017- AppTrana
byIshan Mathur
 
OWASP Mobile Top 10 Deep-Dive
byPrathan Phongthiproek
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
byAjin Abraham
 
API Abuse - The Anatomy of An Attack
byNordic APIs
 
Attacking android insecurity
byGodfrey Nolan
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
Security 101
byGeorge V. Reilly
 
Zimperium Enterprise Mobile Threats
byZimperium
 
OWASP Top 10 for Mobile
byAppvigil - Mobile App Security Scanner
 
Coordinated Malware Eradication & Remediation Project (CMERP) - The Way Forward
byAPNIC
 
Overview on hacking tools
byZituSahu
 
Decompiling Android Workshop
byGodfrey Nolan
 
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
byClare Nelson, CISSP, CIPP-E
 
CNS - Hut3 - Mobile Application (In)Security
byCNS Group
 
How to make Android apps secure: dos and don’ts
byNowSecure
 
Step by step guide for web application security testing
byAvyaan, Web Security Company in India
 
Preparing for the inevitable: The mobile incident response playbook
byNowSecure
 
Targeted Defense for Malware & Targeted Attacks
byImperva
 
Continuous Security - TCCC
byWendy Istvanick
 
Cyber Vulnerabilities & How companies can test them
by24by7Security Inc
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
byIshan Mathur
 

Viewers also liked

PDF
Android Malware Detection Mechanisms
byTalha Kabakus
 
PPTX
Understanding android security model
byPragati Rai
 
PDF
2015.04.24 Updated > Android Security Development - Part 1: App Development
byCheng-Yi Yu
 
PDF
What Is Bounce Rate?
byBlind Five Year Old
 
PDF
Tech Report: On the Effectiveness of Malware Protection on Android
byFraunhofer AISEC
 
PDF
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
byCarlos Laorden
 
PDF
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
byCheng-Yi Yu
 
PDF
30 IT Jobs which makes 100 k $ yearly
bySajjid Siddique
 
PDF
Google Analytics Report on how to reduce bounce rate
byStreebo
 
Android Malware Detection Mechanisms
byTalha Kabakus
 
Understanding android security model
byPragati Rai
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
byCheng-Yi Yu
 
What Is Bounce Rate?
byBlind Five Year Old
 
Tech Report: On the Effectiveness of Malware Protection on Android
byFraunhofer AISEC
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
byCarlos Laorden
 
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
byCheng-Yi Yu
 
30 IT Jobs which makes 100 k $ yearly
bySajjid Siddique
 
Google Analytics Report on how to reduce bounce rate
byStreebo
 

Similar to Android App Security: What (not) to do!

PDF
CNIT 128: 7. Attacking Android Applications (Part 1 of 3)
bySam Bowne
 
PDF
Hacking Android [MUC:SEC 20.05.2015]
byAngelo Rüggeberg
 
PDF
Android App Hacking - Erez Metula, AppSec
byDroidConTLV
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PPTX
Android security
byMobile Rtpl
 
PDF
CNIT 128 7. Attacking Android Applications (Part 2)
bySam Bowne
 
PPTX
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
PDF
Android Pentesting
byn|u - The Open Security Community
 
PPTX
Android application security unveiled
byJan Hodermarsky
 
PDF
Android securitybyexample
byPragati Rai
 
PDF
Introduction to Android Application Security Testing - 2nd Sep 2017
bySatheesh Kumar V
 
PDF
Android Security - Common Security Pitfalls in Android Applications
byBlrDroid
 
PPTX
Android app security
byPositive Hack Days
 
PDF
DEFCON 18- These Aren't the Permissions You're Looking For
byMichael Scovetta
 
ODP
Dos and Don'ts of Android Application Security (Security Professional Perspec...
byBijay Senihang
 
PDF
User Expectations in Mobile App Security
byTao Xie
 
PDF
Droidcon secureyourapp fighttheleaks-samsung
byottot
 
PDF
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
PDF
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 
CNIT 128: 7. Attacking Android Applications (Part 1 of 3)
bySam Bowne
 
Hacking Android [MUC:SEC 20.05.2015]
byAngelo Rüggeberg
 
Android App Hacking - Erez Metula, AppSec
byDroidConTLV
 
9 Writing Secure Android Applications
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
Android security
byMobile Rtpl
 
CNIT 128 7. Attacking Android Applications (Part 2)
bySam Bowne
 
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
Android Pentesting
byn|u - The Open Security Community
 
Android application security unveiled
byJan Hodermarsky
 
Android securitybyexample
byPragati Rai
 
Introduction to Android Application Security Testing - 2nd Sep 2017
bySatheesh Kumar V
 
Android Security - Common Security Pitfalls in Android Applications
byBlrDroid
 
Android app security
byPositive Hack Days
 
DEFCON 18- These Aren't the Permissions You're Looking For
byMichael Scovetta
 
Dos and Don'ts of Android Application Security (Security Professional Perspec...
byBijay Senihang
 
User Expectations in Mobile App Security
byTao Xie
 
Droidcon secureyourapp fighttheleaks-samsung
byottot
 
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016
byCodemotion
 

Android App Security: What (not) to do!

  • 1.
    Android App Security:What (not) to do! Android App Security: What (not) to do!
  • 2.
    About me ● Thomas Methlie ● Consultant @Capgemini, Bergen ● Member of Vestenfjeldske SikkerhetsCompagnie ● CISSP (Associate) certification Android App Security: What (not) to do!
  • 3.
    Background http://android-developers.blogspot.com Android App Security: What (not) to do!
  • 4.
    Background http://android-developers.blogspot.com Android App Security: What (not) to do!
  • 5.
    The not sogood news Overprivileged applications Information exposure through sent data Intent spoofing % of applications Use of hardcoded chryptographic keys Unauthorized intent receipt Insufficient entropy 0 10 20 30 40 50 60 70 Android App Security: What (not) to do!
  • 6.
    Intent spoofing ● Public components and senders with weak permissions ● Malicious app sends Intent resulting in data injection or state change <receiver android:name=”one.special.recevier”> <intent-filter> <action android:name=”one.intent.action” /> </intent-filter> </receiver> Android App Security: What (not) to do!
  • 7.
    Intent spoofing <receiver android:name=”one.special.recevier” android:exported=false> <intent-filter> <action android:name=”one.intent.action” /> </intent-filter> </receiver> <receiver android:name=”one.special.recevier” android:exported=true android:permission=”one.permission”> <intent-filter> <action android:name=”one.intent.action” /> </intent-filter> </receiver> Android App Security: What (not) to do!
  • 8.
    Unauthorized Intent Receipt ● Given a public Intent which doesn't require strong permission in the receiving component ● Intercepted by malicious app ● May leak sensitive data and/or change in control flow Intent intent = new Intent(); intent.setAction(“a.special.action”); startActivity(intent); Android App Security: What (not) to do!
  • 9.
    Unauthorized Intent Receipt IntentfixedIntent = new Intent(); fixedIntent.setClassName(“pkg.name”, “pkg.name.DestinationName”); Intent fixedIntent2 = new Intent(); fixedIntent2.setAction(“a.special.action”); sendBroadcast (“fixedIntent2, “a.special.permission”); Android App Security: What (not) to do!
  • 10.
    Persistent Messages: Sticky broadcasts ● Received by all components registered to receive them ● Exists even after it has been sent ● Can be removed by anyone with a BROADCAST_STICKY permission ● Can not set permission requirements on receiver ● Can compromise sensitive program data Android App Security: What (not) to do!
  • 11.
    Persistent Messages: Sticky broadcasts ● Use regular broadcasts protected by the receiver permission ● Examine data in broadcasted messages ● Don't send sensitive data in sticky broadcast messages Android App Security: What (not) to do!
  • 12.
    SQL & QueryString Injection ● delete, execSQL, rawQuery, update... ● Query String Injection: Allows malicious app to view unauthorized data ● But can not alter data ● Data from untrusted source ● Dynamically constructing SQLite query strings Android App Security: What (not) to do!
  • 13.
    SQL & QueryString Injection Use parametrised queries Always validate untrusted input query = userDB.query( MY_TABLE,MY_COLUMN,“userid = ?”,{userid}, null,null,null,null) Android App Security: What (not) to do!
  • 14.
    More vulnerabilities Insecure Communication Overprivileged Applications Insecure Storage Insufficient cryptographic entropy Use of hard-coded cryptographic keys Android App Security: What (not) to do!
  • 15.
    Sources 1.Seven ways tohang yourself with Google Android. Y. O'Neil and E. Chin 2.Veracode State of Software Security v04 3.http://android-developers.blogspot.com Android App Security: What (not) to do!
  • 16.
    Thank you forlistening! @tsmethlie no.linkedin.com/in/thomasmethlie thomas.methlie@gmail.com thomas.methlie@capgemini.com Android App Security: What (not) to do!