Security in Android Applications / Александр Смирнов (RedMadRobot)

For many years, research into mobile application security has shown that mobile developers devote rather little time to security, which is why the market is full of applications with a variety of vulnerabilities.

This talk tries to change that situation by covering what a mobile developer needs to know about security: the Android security model, the key vulnerabilities, and how to defend against them.

Published in: Engineering

1. SECURITY IN ANDROID APPLICATION, 31/05/2016, ALEXANDER SMIRNOV
2. WhoAmI
- 3+ years Android dev
- 6+ years commercial dev
- 1 year bank app dev
- Addicted to info security since 2007
- DC7499 member
3. Why?
4. Agenda
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence
- Appendix
5. Security, part I: Android Security Model
6-9. Application Isolation
- isolate CPU, RAM, devices and files in a private directory
- every app runs in its own process
- every app has its own UserID and GroupID (the Linux UID sandbox: the files under the app's private directory are owned by that UID, so another app cannot read them without root)
- every app runs in its own instance of the Dalvik VM (ART since Android 5.0)
10-14. Application Isolation (diagrams, no slide text)
15-17. Zygote
- is the parent of all app processes: when the system starts a new app, Zygote fork()s itself, giving App 1, App 2, App 3, ...
- COW (Copy On Write) strategy: the framework classes and libraries preloaded by Zygote are shared with every child until a page is written to
- /dev/socket/zygote: the socket on which Zygote receives requests to start a new app
18. Permissions
- Before M: every permission is granted at install time
- After M (API 23+): dangerous permissions are requested at runtime and can be revoked by the user
- Custom permissions
- Protection level (normal, dangerous, signature, signatureOrSystem)
19-21. Android Security Overview
- Protect user data
- Protect system resources
- Provide application isolation
22. Security, part II: Reality
23. Root
24. Triada
25. Security, part III: Vulnerabilities
26-31. Data Storage
- Memory Cache: keep secrets in memory only for as long as they are needed
- Internal Storage: the app's private directory, readable only by the app's UID; external storage is readable by every app
- SharedPreference + MODE_PRIVATE + Cipher: encrypt values before writing them (MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE are deprecated and must never be used for sensitive data)
- DB + SQLCipher: transparent encryption of SQLite databases
- 21+ setStorageEncryption: DevicePolicyManager.setStorageEncryption, which requires the app to be a device administrator
- KeyStore: keep the encryption keys in AndroidKeyStore, not in code and not in the same file as the data
32-35. Transport
- MITM Has You
- Check network, why? Knowing whether the device is on Wi-Fi, mobile data or a VPN says nothing about whether the path is trusted; treat every network as hostile
- Diffie-Hellman key exchange: prefer ECDHE cipher suites, so that a recorded session cannot be decrypted later with the server's private key (forward secrecy)
- Certificate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2): bind the app to the expected certificate or public key, so a certificate issued by a compromised CA or installed by the user for a proxy is rejected
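The pinning and Diffie-Hellman points above, as an added example using the OkHttp 3.x API (this is not code from the talk). The host name and the two pin values are placeholders: the real SPKI hashes must come from the server's certificates, and a backup pin is included so a key rotation does not lock every installed client out.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLPeerUnverifiedException;

import android.util.Log;
import okhttp3.CertificatePinner;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

/** Added example: certificate pinning plus an ECDHE-only TLS configuration. */
public final class PinnedClient {
    static final String HOST = "api.example.com";   // assumed host
    // SHA-256 of the SubjectPublicKeyInfo of the leaf or an intermediate. Placeholders:
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_CURRENT)
                .add(HOST, PIN_BACKUP)
                .build();
        // TLS 1.2 only, ECDHE suites only: the session key comes from an ephemeral
        // Diffie-Hellman exchange, so a captured session stays unreadable even if the
        // server's long-term key leaks later.
        ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectionSpecs(Collections.singletonList(spec))
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    /** Returns the response body, or null when the server's chain does not match the pins. */
    public static String fetch(OkHttpClient client, String url) throws IOException {
        Request req = new Request.Builder().url(url).build();
        Response resp = null;
        try {
            resp = client.newCall(req).execute();
            return resp.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // OkHttp's message lists the pins it actually saw in the chain; running once
            // against the real server with a dummy pin is the usual way to collect them.
            Log.w("PinnedClient", "pin mismatch, possible MITM: " + e.getMessage());
            return null;
        } finally {
            if (resp != null) resp.close();
        }
    }
}
```

Pinning to the public key (SPKI) rather than the whole certificate survives a routine certificate renewal as long as the key pair is kept; pinning the intermediate instead of the leaf survives key rotation too, at the cost of trusting every certificate that CA issues for the host.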
36-38. Intent
- Use explicit intents: name the target component; an implicit intent can be picked up by any app that registers a matching filter
- Validate Input: every extra and data URI that arrives from another app is attacker-controlled
- Manifest: a component with an <intent-filter> is exported by default (exported="true" is implied); set android:exported="false" unless the component must be public, and protect public components with a permission
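The three Intent rules above applied to one deep link, as an added example that is not code from the talk. The component names, the host "pay.example.com" and the "amount" parameter are assumptions; the manifest fragment is reproduced as a comment because the slide's point is that a filter alone already makes the Activity public.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

/**
 * Added example. Manifest side (XML, as a comment): a component that declares an
 * <intent-filter> is exported by default, so state android:exported for every component:
 *
 *   <activity android:name=".IntentHardening$PaymentActivity"
 *             android:exported="false" />        <!-- reachable only from this app -->
 *   <activity android:name=".IntentHardening$DeepLinkActivity"
 *             android:exported="true">           <!-- public on purpose: input is validated -->
 *     <intent-filter>
 *       <action android:name="android.intent.action.VIEW" />
 *       <category android:name="android.intent.category.DEFAULT" />
 *       <category android:name="android.intent.category.BROWSABLE" />
 *       <data android:scheme="https" android:host="pay.example.com" />
 *     </intent-filter>
 *   </activity>
 */
public final class IntentHardening {
    static final String EXTRA_AMOUNT_CENTS = "amount_cents";   // assumed extra name
    static final String HOST = "pay.example.com";              // assumed host
    static final long MAX_AMOUNT_CENTS = 1_000_000L;

    /** Sender: an explicit intent names the class, so no other app can claim it. */
    public static Intent openPayment(Context ctx, long amountCents) {
        Intent i = new Intent(ctx, PaymentActivity.class);
        i.putExtra(EXTRA_AMOUNT_CENTS, amountCents);
        return i;
    }

    /**
     * Validates an incoming VIEW intent and returns the amount in cents, or null.
     * Action, data URI and extras were all chosen by the caller: whitelist, never trust.
     */
    static Long parseAmount(Intent in) {
        if (in == null || !Intent.ACTION_VIEW.equals(in.getAction())) return null;
        Uri u = in.getData();
        if (u == null || !"https".equals(u.getScheme()) || !HOST.equals(u.getHost())) return null;
        String q = u.getQueryParameter("amount");
        if (q == null || q.isEmpty() || q.length() > 12 || !q.matches("[0-9]+")) return null;
        long v = Long.parseLong(q);
        return (v > 0 && v <= MAX_AMOUNT_CENTS) ? v : null;
    }

    /** Public entry point: validates, then forwards internally with an explicit intent. */
    public static final class DeepLinkActivity extends Activity {
        @Override protected void onCreate(Bundle saved) {
            super.onCreate(saved);
            Long cents = parseAmount(getIntent());
            if (cents == null) {        // reject quietly: no crash, no action on bad input
                finish();
                return;
            }
            startActivity(openPayment(this, cents));
            finish();
        }
    }

    /** Internal screen; exported="false" in the manifest, so only this app can start it. */
    public static final class PaymentActivity extends Activity {
        @Override protected void onCreate(Bundle saved) {
            super.onCreate(saved);
            long cents;
            try {
                cents = getIntent().getLongExtra(EXTRA_AMOUNT_CENTS, -1L);
            } catch (RuntimeException e) {   // malformed extras (e.g. a hostile Parcelable) throw here
                finish();
                return;
            }
            if (cents <= 0 || cents > MAX_AMOUNT_CENTS) {   // validate again: defence in depth
                finish();
                return;
            }
            // ... show the confirmation UI for `cents` ...
        }
    }
}
```

The re-validation in PaymentActivity looks redundant but matters: a single forgotten exported="false" in a later manifest change would otherwise expose an Activity that trusts its extras.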
39-42. 2FA: SMS
An SMS one-time code can be read by any app on the device that holds the SMS permission, so it is a weak second factor; alternatives:
- Secure PUSH
- Mobile application (the code is generated on the device)
- SIMApplets
- DCV (Dynamic Code Verification)
43-47. Insecure Device
- Secure persistent datastore
- No immutable (Strings -> char[]): a String cannot be overwritten and stays in the heap until it is garbage collected; hold PINs and passwords in a char[] and Arrays.fill() it after use
- Notify if root
- Custom keyboard
- No EditText: a third-party keyboard (IME) sees everything typed into an EditText, so take PINs through an in-app keypad
48-52. Reverse Protection
- Check for debug mode (FLAG_DEBUGGABLE, attached debugger)
- Emulator check
- Verify sign: compare the APK's signing certificate with the expected one to detect a repackaged build
- Obfuscation
- JNI: move the checks and the sensitive logic into native code, which is harder to patch than smali
These measures raise the cost of analysis; none of them stops a determined attacker on a rooted device.
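The "Notify if root" bullet from the Insecure Device slides and the first three Reverse Protection checks share the same shape, so one added example covers both (this is not code from the talk). The expected certificate hash is a placeholder; the real one is the SHA-256 of the release signing certificate, which `keytool -printcert -jarfile app-release.apk` prints.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;

import java.io.File;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

/** Added example: debug, emulator, root and re-signing indicators. */
public final class IntegrityChecks {
    // Placeholder: SHA-256 (hex) of the release signing certificate in DER form.
    static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** Returns human-readable findings; empty list means nothing suspicious was seen. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        if (isDebuggable(ctx)) out.add("debuggable build or debugger attached");
        if (isEmulator()) out.add("running on an emulator");
        if (isRooted()) out.add("root indicators present");
        if (!signatureMatches(ctx)) out.add("APK signed with an unexpected certificate");
        return out;
    }

    /** Debug mode: the manifest flag, or a JDWP debugger currently attached. */
    static boolean isDebuggable(Context ctx) {
        boolean flag = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return flag || Debug.isDebuggerConnected();
    }

    /** Emulator: build properties of the stock SDK images (goldfish/ranchu are the QEMU boards). */
    static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.FINGERPRINT.startsWith("unknown")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")
                || Build.PRODUCT.contains("sdk");
    }

    /** Root: a test-keys build or a su binary / superuser app in the usual places. */
    static boolean isRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        String[] paths = {"/system/bin/su", "/system/xbin/su", "/sbin/su",
                "/data/local/xbin/su", "/system/app/Superuser.apk"};
        for (String p : paths) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    /** Verify sign: a repackaged APK must be signed by the attacker's key, so the hash changes. */
    static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature s : pi.signatures) {
                if (EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(s.toByteArray()))) return true;
            }
            return false;
        } catch (Exception e) {
            return false;   // treat any failure to read the signature as a mismatch
        }
    }

    static String sha256Hex(byte[] data) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Every one of these checks can be patched out in smali or hooked at runtime, and the hard-coded hash is itself a target; that is why the deck pairs them with obfuscation and JNI, and why the reaction should be to notify the user or the backend and reduce functionality, not to pretend the device is trustworthy.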
53. Security, part IV: One more sentence
54-58. One more sentence
- Convenience vs Security
- Socialization & Tools
- Layered Security
- Better than others
- OWASP TOP 10 Mobile Risks
59. Security, part V: Appendix
60. Additional Information
- Cyber Risk Report: bit.ly/1MuoIDS
- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv
- DefCon Groups List: bit.ly/1JQlNgC
- Triada Malware: bit.ly/1qvyFqY
- Obfuscation tools list: bit.ly/1XiHf6Z
- Security Official Docs: bit.ly/1qvw1BK
- Diffie–Hellman Video: bit.ly/23jV7Se
- Tools for SA and Hacking: bit.ly/1qvxpUM
61. Result
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence
62. Any Questions, Please?
smredkey@gmail.com
@_smred
