Artem Chaykin. Android Application Security.



  1. Android Application Security. Artem Chaykin, Lead Specialist, Web Application Security Team, Positive Technologies. Positive Hack Days 2013.
  2. What I Am
     ― as the previous slide said, a ptsecurity guy;
     ― mostly devoted to web and mobile application security assessment;
     ― a member of the SCADAStrangelove Team.
  3. Intro
  5. Application (diagram): Resources, Manifest, Intents (Activity, Service, Broadcast), Permissions, Content providers, Native libs, Classes.
  13. Hardcoded and Forgotten
  14. Hardcoded and Forgotten
     ― default/test credentials;
     ― test server/local IPs;
     ― some cool info.
  15. File System
  16. File System
     ― one app – one UID;
     ― 0600 mask for new files;
     ― 0666 mask for new files (touch, echo, etc.).
  17. File System
     ― world-readable files;
     ― even world-writable (!) files;
     ― SD storage.
  18. Ok, It Could Be Worse…
  19. File System. How to secure:
     ― use MODE_PRIVATE for files;
     ― do not use system tools;
     ― do not store sensitive data on SD storage.
  20. logcat
     // Delete before production release
     Log.d("Bank", login + "::" + password);
     ^^ aye, of course
  21. logcat. android.permission.READ_LOGS
     E/HttpUtil( 9509): >>Response: <?xml version=1.0encoding=UTF-8?><result resultCode="200001033"desc="[OSE(551)]httperror:http://10.10.10.10:7711/GET_BALANCE?LOGIN=833477&amp;PASSWORD=222222" /><<
  22. logcat. How to secure: do not use at all!
  23. SQLite & Content Providers
  24. SQLite & Content Providers. SQLite3:
     ― /data/data/app.name/databases/
     ― load_extension() disabled :(
     ― SQLinj… will talk later
     ― private database
  25. SQLite & Content Providers. Content provider:
     ― an API making your database public/semi-public;
     ― exported and public by default;
     ― an API for accessing files.
     Examples: content://sms
  26. SQLite & Content Providers. How to secure:
     android:exported="false"
     android:protectionLevel="signature"
     android:grantUriPermissions="true"
  27. Intents
  28. Intents (diagram): Intent → Activity, Service, Broadcast
  29. Activity. This is a Facebook activity -> This is what you can interact with.
  30. Service. This is a Facebook service ->
  31. Service. This is a Facebook service -> Really, here it is.
  32. Service. This is a Facebook service -> Really, here it is. Background work: sync, upload, download, etc.
  33. Broadcast. Battery low: the system sends the broadcast ACTION_BATTERY_LOW. Application 1 alerts "Battery low"; Application 2 stops sync.
  34. Manifest
     ― look for android:debuggable=true;
     ― intents "exported" = (true|false);
     ― intents with <intent-filter> are exported by default.
  35. Intents. Exported intents can be called from third-party apps.
     ― Activity: startActivity(), startActivityForResult()
     ― Service: startService()
     ― Broadcast: sendBroadcast()
  36. Intents. Third-party apps can send "extra" and "data://" to intents.
     ― extra: string, integer, long, float, boolean, uri, componentname
     ― data: wrapper://host/path?query
  37. Intents. How to secure:
     ― set Exported to False for all intents;
     ― set permissions for broadcast receiving/delivering;
     ― validate extra data sent to the intents.
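One way to apply the last point to a concrete exported Activity, as an added Java example that is not from the slides (the package, extra names and allowed host are assumptions):

```java
package com.example.hardened;  // hypothetical package name

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

// An Activity reachable from other apps (exported) treats everything in the
// incoming Intent as untrusted input: the extras, their types, and any URI.
public class ShowAccountActivity extends Activity {
    private static final String TAG = "ShowAccount";
    // Extra names are assumptions for this example, not from the slides.
    static final String EXTRA_ACCOUNT_ID = "com.example.hardened.ACCOUNT_ID";
    static final String EXTRA_RETURN_URI = "com.example.hardened.RETURN_URI";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();

        // Ask for the exact type expected; a caller that passes a String here
        // simply gets the default value instead of crashing us or being trusted.
        long accountId = intent.getLongExtra(EXTRA_ACCOUNT_ID, -1L);
        if (accountId <= 0) {
            Log.w(TAG, "rejected: missing or invalid account id");  // no secrets in logcat
            finish();
            return;
        }

        // The return target is a URI the caller controls: allow-list it.
        Uri returnUri = intent.getParcelableExtra(EXTRA_RETURN_URI);
        if (!isAllowedReturnUri(returnUri)) {
            Log.w(TAG, "rejected: return uri not allowed");
            finish();
            return;
        }
        // ... load and display account `accountId`, then navigate to returnUri ...
    }

    // Allow-list, not block-list: scheme and host must match exactly.
    // "bank.example.com" is an assumed host for this example.
    static boolean isAllowedReturnUri(Uri uri) {
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && "bank.example.com".equalsIgnoreCase(uri.getHost())
                && uri.getUserInfo() == null;  // no user:pass@ in the authority
    }
}
```

Declare the Activity with android:exported="false" in the manifest unless other apps genuinely need to start it; the validation above is for the case where it must stay exported.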
  38. Client-Server, SSL, MiTM, Intercepting, Sniffing, Spoofing, Cats, and More. Client Vulns
  39. Client-Server
     ― JSON;
     ― XML (SOAP);
     ― simple POST;
     ― even query string.
  40. Client-Server
  41. Thank you for your attention! Artem Chaykin
     • achaykin@ptsecurity.com
     • @a_chaykin
