Смирнов Александр, Security in Android Application

We look at best practices for securing mobile applications, the Android security model, the key vulnerabilities and the ways to protect against them.

Published in: Mobile
Slide 1: SECURITY IN ANDROID APPLICATION
22/04/2016
ALEXANDER SMIRNOV

Slide 2: WhoAmI
- 3+ years Android dev
- 6+ years commercial dev
- 1 year bank app dev
- BlackHat friends since 2007
- DC7499 member

Slide 3: Why?

Slide 4: Agenda
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence
- Appendix

Slide 5: Security • I • Android Security Model

Slide 6: (no slide text)

Slide 7: Application Isolation
- isolate CPU, RAM, devices, files in a private directory
- every app runs in its own process
- every app has its own UserID and GroupID
- every app runs in its own instance of the Dalvik VM

Slide 8: Application Isolation

Slide 9: Zygote
- Is the parent of all App processes
- COW (Copy On Write) strategy
- /dev/socket/zygote
(Diagram: Zygote fork() -> App 1, fork() -> App 2, fork() -> App 3; "start new App")

Slide 10: Permissions
- Before M
- After M
- Custom permissions
- Protection level

Slide 11: Android Security Overview
- Protect user data
- Protect system resources
- Provide application isolation

Slide 12: Security • II • Android Security Model: Reality

Slide 13: Root

Slide 14: TRIADA

Slide 15: Security • III • Vulnerabilities

Slide 16: Data Storage
- Memory Cache
- DB + SQLCipher
- SharedPreference + MODE_PRIVATE + Cipher
- 21+ setStorageEncryption for local files
- KeyStore

Slide 17: Transport
- MITM has you
- Check network – why?
- Diffie–Hellman key exchange
- Certificate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2)

Slide 18: Intent
- Use explicit intents
- Validate Input
- Manifest: intent-filter = exported=«yes»

Slide 19: 2FA: SMS
- Secure PUSH
- Mobile application
- SIMApplets
- DCV (Dynamic Code Verification)

Slide 20: Insecure Device
- Custom keyboard
- Secure persistent datastore
- No EditText
- No immutable (Strings -> char[])
- Notify if root

Slide 21: Reverse Protection
- Check debug
- Verify sign
- Emulator check
- Obfuscation
- JNI

Slide 22: Security • IV • One more sentence

Slide 23: One more sentence
- Convenience vs Security
- Socialization & Tools
- Layered Security
- Better than others
- OWASP TOP 10 Mobile Risks

Slide 24: Security • V • Appendix

Slide 25: Additional Information
- Cyber Risk Report: bit.ly/1MuoIDS
- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv
- DefCon Groups List: bit.ly/1JQlNgC
- Triada Malware: bit.ly/1qvyFqY
- Obfuscation tools list: bit.ly/1XiHf6Z
- Security Official Docs: bit.ly/1qvw1BK
- Diffie–Hellman Video: bit.ly/23jV7Se
- Tools for SA and Hacking: bit.ly/1qvxpUM

Slide 26: Result
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence

Slide 27: Thank you!
sm@redmadrobot.com
@_smred
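The Transport slide lists certificate (SSL) pinning with OkHttp 2.7.4 / 3.1.2 as the defence against MITM. This is an added example, not the speaker's code, showing how that pin is configured with the OkHttp 3 `CertificatePinner`; the host `api.example.com` and the two pin strings are placeholders to be replaced with the base64 SHA-256 of the server's public key (SubjectPublicKeyInfo), obtained out of band.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedClient {
    // Placeholder host and pins (constructed for this example). A real pin is
    // "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)) of a certificate in the
    // chain you trust. Pinning a current key plus a backup key keeps the app
    // working when the server rotates its certificate.
    private static final String HOST = "api.example.com";
    private static final String PIN_CURRENT =
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP =
            "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /** Builds an OkHttp 3 client that refuses any TLS chain not matching a pin. */
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_CURRENT)
                .add(HOST, PIN_BACKUP)
                .build();
        // OkHttp 2.7.x equivalent (com.squareup.okhttp): create OkHttpClient
        // with new OkHttpClient() and call client.setCertificatePinner(pinner).
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /**
     * Performs a GET and returns the body, or null when the peer's key matched
     * no pin. Pinning is checked after the normal CA validation, so a chain that
     * a user-installed proxy CA would otherwise pass is still rejected.
     */
    public static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try {
            Response response = client.newCall(request).execute();
            return response.body().string(); // string() reads and closes the body
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch: OkHttp's message lists the pins it actually observed.
            // Fail closed here; never fall back to an unpinned client.
            return null;
        }
    }
}
```

Pin the public key of the leaf or an intermediate rather than the root, and keep a backup pin, otherwise a routine certificate renewal locks every installed app out of the API.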
