Presentation describing best practices for Android offline storage.
Examples include manual encryption of files, SQLCipher, and tamper detection.
Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists.
Download the associated scripts, movies, and checklist here: https://github.com/gfoss/attacking-drupal
This document discusses finding vulnerabilities in SWF (Flash) files. It begins with an introduction to embedding SWF files in HTML and ActionScript versions. It then covers strategies for finding SWF files on websites, as well as types of issues like XSS, data hijacking, and information disclosure. The document provides details on tools for automated and manual testing of SWF files, such as decompiling files, identifying input parameters and sinks, and techniques for bypassing protections.
This document provides a summary of Mike Malone's talk on scaling Django web apps. It discusses how Pownce scaled to handle hundreds of requests per second and thousands of database operations per second while serving millions of users, relationships, notes, and terabytes of static data. It also covers some of the common bottlenecks Pownce encountered and eliminated in scaling their Django application, including using caching, load balancing, and queuing to improve performance and scalability.
This document discusses securing Drupal websites. It covers common Drupal attacks like XSS and SQL injection and recommends countermeasures like keeping software updated, following coding standards, sanitizing user input, and penetration testing. The document also provides an overview of securing the web server, PHP, and the Drupal codebase through permissions, input validation, and file uploads.
Demo repo: https://github.com/hadjango/djangocon-2016-demo/
Description: TheAtlantic.com, with over 30 million monthly unique visitors, is one of the most heavily trafficked media sites built entirely on Django. In this talk I will discuss the lessons we have learned in deploying Django at scale.
Abstract: One year ago we completed a years-long project of migrating theatlantic.com from a sprawling PHP codebase to a Python application built on Django. Our first attempt at a load-balanced Python stack had serious flaws, as we quickly learned. Since then we have completely remade our stack from the bottom up; we have built tools that improve our ability to monitor for performance and service degradation; and we have developed a deployment process that incorporates automated testing and that allows us to push out updates without incurring any downtime. I will discuss the mistakes we made, the steps we took to identify performance problems and server resource issues, what our current stack looks like, and how we achieved the holy grail of zero-downtime deploys.
This document discusses how to hack-proof a Drupal site. It covers common security strategies like permissions and software updates. It then details specific vulnerabilities like SQL injection, cross-site scripting, cross-site request forgery, node access bypass, and improper use of drupal_goto. For each vulnerability, it provides an example of an exploit and the proper way to prevent that exploit. It concludes with recommendations on security modules, references, and recovery strategies.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015 (Chris Gates)
This document summarizes a talk given on DevOps infrastructure security. It discusses how various DevOps tools like GitHub, Jenkins, AWS config files, Chef, and in-memory databases like Redis and Memcache can expose sensitive information if not properly secured. Specific issues covered include exposed Git repositories, weak default credentials, plaintext storage of secrets, and lack of authentication. The document provides recommendations on securing these tools such as enabling authentication, upgrading versions, and segmenting tools from public access.
The document summarizes a presentation about exploiting a vulnerability in Apple's code signing process on macOS. The vulnerability allows ad-hoc signed malicious code to bypass Gatekeeper and execute on systems where only Apple-signed code is supposed to run. The presentation covered code signing basics, a demonstration of the vulnerability, technical details, how it impacts third-party software vendors, the disclosure process to Apple, and recommendations for properly validating signed code.
This document provides an overview of WebAssembly (WASM) and analyzes its attack surface. It begins with a brief history of WASM and describes its Minimum Viable Product (MVP) 1.0 specification, which defines its instruction set and file format. It then discusses WASM's implementation in web browsers and interaction with JavaScript, highlighting its potential attack surface. Examples of past vulnerabilities leveraging WASM are also provided, such as CVE-2017-5116 which used a race condition to redirect execution to attacker-controlled code. The document concludes by discussing the future of WASM and taking questions.
With the 'rise of containers' comes also the rise of container platforms. And while Docker is the way to do things for now, Podman has also been gaining traction as the new kid on the block, especially after being somewhat embraced by RedHat and Fedora. Being new also comes with a lack of heavy scrutiny and audit on the security side of things. Once you start integrating other protocols and pieces that complement each other, such as Varlink, boundaries become fuzzy. Rather than focus on container breakouts, which are also very important, we'll focus on how Podman and Varlink interoperate and the authentication and security implications of that. We'll look at the remote API capabilities, secure configurations and how certain setups and projects out there can be vulnerable to compromise by default. By the end of the talk, we will have discussed various bugs, issues and hardening techniques around deploying Podman and Varlink together, and if you don't know a lot about containers, you'll learn a bit along the way.
DevOops & How I hacked you - DevopsDays DC June 2015 (Chris Gates)
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
This document discusses 10 common ColdFusion server challenges and how to find and solve them. It covers issues like not having insight into site traffic, not using diagnostics to understand crashes or memory issues, not updating connectors and the Java virtual machine. For each issue, it provides potential solutions like monitoring tools, server logs, and updating to fixes. It emphasizes taking a diagnostic approach and notes that hiring an expert can help solve problems more quickly when needed.
This document discusses how to turn a business into a strong brand through developing an emotional story and understanding customers. It emphasizes that a brand is more than just logos and graphics, but is the story wrapped around a product or service. The document provides tips for creating a brand such as developing the business story, identifying the target customer market, designing a memorable logo that works across mediums, and maintaining consistency in branding across all marketing materials and channels. Real-world examples of small businesses with strong brands are also provided.
The document is about a school trip taken by a fourth grade class. The class went on a bike ride with their kings during the summer of 2012. The trip was organized by their elementary school CEIP ALBEIROS.
Prestige presentation: phosphate-free laundry powders and gels (Oleh Lazar)
Importer to the Ukrainian market of high-quality household chemicals of the «Prestige» brand, manufactured in the Republic of Poland.
We offer the following products:
LAUNDRY PRODUCT LINE (powders, gels, stain removers)
TM «PRESTIGE» means perfect cleanliness, fabric protection and complete freshness, as well as 100% eco-friendliness!
Prestige Universal laundry powder is a universal product for washing machines and hand washing, for all fabric types. Thanks to active oxygen it removes even old stains. It contains water-softening granules that protect the washing machine from breakdowns.
Prestige Color is a laundry powder for coloured items, for washing machines and hand washing, for all fabric types. Its special formula preserves the full intensity of colours and the original fabric structure. It contains water-softening granules that protect the washing machine from breakdowns.
Prestige White is a hypoallergenic laundry powder for white items, for washing machines and hand washing, for all fabric types. Its active oxygen content (over 15%) gives items a radiant whiteness and removes stubborn stains. It contains water-softening granules that protect the washing machine from breakdowns.
Prestige Baby Sensitive is a hypoallergenic laundry powder without fragrances or other perfumes, for children's clothing. It is suitable for machine and hand washing. It contains granules that protect the washing machine from limescale and preserves the original colour of garments. It can be used for washing newborns' clothing.
«Prestige» laundry gels are phosphate-free hypoallergenic concentrates that act from the very start of the wash cycle and remove stains well already at 38 °C. They gently and thoroughly remove dirt and grease stains from delicate fabrics. The range includes the «Universal» gel for all colours, including whites, and the «Color» gel for coloured items.
«Prestige» stain remover is an oxygen-based, phosphate-free, safe bleaching agent for white fabrics in powder form. It is recommended for soaking to remove stubborn soiling. Adding it to laundry powder or laundry gel boosts their action, washes out any stains and makes your items brighter and whiter! Suitable for all fabric types.
«Prestige» stain remover for coloured fabrics is a phosphate-free stain remover in powder form. It is recommended for hand and machine washing as well as soaking. Adding it to laundry powder or laundry gel boosts their action. Thanks to its active oxygen content it effectively removes stains such as coffee, tea, make-up, blood, grass, wine, fruit and so on.
The document is a project report submitted by Akshay Gupta analyzing the performance of a gas reservoir through volumetric analysis, material balance analysis, and reservoir simulation. It includes an abstract, introduction on gas reservoirs, methodology for estimating gas initially in place through volumetric and material balance approaches, and a case study on simulation of a gas reservoir. The report was completed as an internship project at the Institute of Reservoir Studies in Ahmedabad, India under the supervision of an ONGC reservoir engineer.
Money Hungry Co. issued $500,000 face value bonds on July 1, 2014 that mature on June 30, 2019. The bonds pay semi-annual interest of 8% on June 30 and December 31 of each year. The market yield at issuance was 12%. The document discusses the calculation of the carrying value of the bonds payable account over time using the present value of future cash flows.
Spyros Ktenas
Project Management for Software Development Projects
KTH Royal Institute of Technology
This is the part of the slides relevant to
GE.SI.PMF – Generic Simple Project Management Framework
Doesn’t include PM tools, risk, communication, stakeholders,
PRINCE2, PMBok etc.
This document discusses key concepts in statistical inference using a frequentist approach. It covers populations and samples, parameters and random variables, hypothesis testing concepts like the null hypothesis, test statistics, p-values, Type I and Type II errors. It also summarizes how to test hypotheses about a population mean and standard deviation. Finally, it provides overviews of one-way and two-way ANOVA for comparing group means.
This document provides definitions and explanations of acids and bases according to different theories. It discusses the Arrhenius, Brønsted-Lowry and Lewis definitions. It also covers pH, ionization constants, and the auto-ionization of water. Key points include: 1) Arrhenius defined acids/bases as producing H+/OH- ions in water, while Brønsted-Lowry defined them as proton donors/acceptors; 2) Lewis defined them based on electron pair sharing; 3) pH is a measure of H3O+ concentration; 4) the product of [H3O+] and [OH-] is constant.
1. The document discusses techniques for finding extrema of functions, including absolute and local extrema. Critical points, endpoints, and the first and second derivative tests are covered.
2. The mean value theorem and Rolle's theorem are summarized. The mean value theorem relates the average and instantaneous rates of change over an interval.
3. Optimization problems can be solved by setting the derivative of the objective function equal to zero to find critical points corresponding to maxima or minima.
4. Newton's method is presented as an iterative process for approximating solutions to equations, using tangent lines to generate a sequence of improving approximations.
5. Anti-derivatives are defined as functions whose derivatives are a given
Testing Android Security - Jose Manuel Ortega Candel - Codemotion Amsterdam 2016 (Codemotion)
The talk aims to give an overview of the tools we have to increase the security of applications before publishing them on the market or distributing the APK. Talking points:
- Static and dynamic analysis of application code for detecting potential vulnerabilities
- Secure development of Android components
- The new permissions model from version 6, where the user can allow or deny permissions at runtime
- Libraries that allow encrypting data, for example SQLCipher to encrypt a SQLite database, or securePreferences to encrypt XML preferences files
This document outlines an agenda for testing Android security. It discusses various stages of the development cycle and security testing approaches, including static and dynamic analysis, component security, and best practices. Automatic and hybrid tools are presented for analyzing apps through decompilation, emulation, and network traffic inspection. Specific tools are explained like Android Lint, QARK, Drozer, and SQLCipher. The document concludes with recommendations around permissions, encryption, input validation, and references.
This document discusses insecure data storage in Android applications. It provides an overview of common ways Android apps store data, such as Shared Preferences, SQLite databases, and internal/external storage. It notes that malware or physical access could exploit unencrypted or insecurely stored data. The document demonstrates extracting Shared Preference XML files and SQLite databases from an emulator for a banking app as an example of insecure data storage. It recommends storing data on a network/server or encrypting locally stored data on the device to help secure apps.
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
Android Platform Debugging and Development (Opersys inc.)
This document provides an overview and agenda for a presentation on Android platform debugging and development. It covers:
1. An introduction to Android architecture basics like hardware, AOSP, Binder and system services.
2. Setting up the development environment, including host/target systems, IDEs like Android Studio, and exploring the AOSP sources.
3. Tools for observing and monitoring at the native, framework and overall system level, including logcat, dumpsys, and third party apps.
4. Interfacing with the framework using commands like am, pm and wm, and service calls.
5. Tips for working with the AOSP source code using make targets and other build tools.
Here are the steps to solve the challenges in FridaLab:
1. Change class variable:
```javascript
Java.perform(function() {
  var Challenge01 = Java.use('com.fridalab.challenge01');
  Challenge01.variable.value = 1;  // static fields are read and written through .value
});
```
2. Run chall02():
```
chall02();
```
3. Make chall03() return true:
```javascript
Java.perform(function() {
  var chall03 = Java.use('com.fridalab.challenge03');
  chall03.run.implementation = function() {
    return true;
  };
});
```
4-5. Modify functions to always return "F
Working with the AOSP - Linaro Connect Asia 2013 - Opersys inc.
This document provides instructions for customizing and building the Android Open Source Project (AOSP). It discusses tools for working with AOSP, building AOSP, output images, compatibility testing, and basic customizations like adding a new device. The document is intended to guide developers through setting up their environment, building AOSP, and making simple changes to AOSP components and devices.
Rhodes allows creating native mobile applications for iOS and Android from a single Ruby codebase. It uses a Ruby on Rails-like MVC framework and allows deploying the created applications to devices using Xcode and the Android SDK/NDK. The document provides instructions on setting up the development environment for Rhodes, including installing dependencies like Homebrew, Xcode, Android SDK/NDK, and configuring paths. It also covers generating a sample Rhodes application, running apps on emulators and deploying to physical devices for both Android and iOS.
Android Platform Debugging and Development - Opersys inc.
This document provides an overview of debugging and development tools for the Android platform. It discusses setting up the development environment in Android Studio and exploring the AOSP source code. Various tools are described for observing system behavior like logcat, dumpsys, and profiling tools. Native debugging with gdb and gdbserver is covered as well as interfacing with framework services. The document concludes with benchmarking and performance analysis techniques.
Android Embedded - Smart Hubs als Schaltzentrale des IoT - inovex GmbH
Android can be used as an operating system for smart hubs and embedded devices in the Internet of Things (IoT). Key advantages of using Android include its powerful graphics capabilities, ability to easily update devices over-the-air, and support for integrating various hardware protocols and devices. Android also provides a stable architecture and development process similar to building smartphone apps, making it well-suited for building smart hub and IoT devices.
Marco Grassi gives a presentation on reverse engineering, penetration testing, and hardening Android apps. The presentation covers techniques for reverse engineering APKs, dealing with obfuscation, tamper detection, securing network communications, attacks on IPC, and more advanced topics like runtime manipulation. Real-world examples are provided to demonstrate vulnerabilities found in apps and how they can be exploited.
Android Platform Debugging and Development - Opersys inc.
This document provides an overview of debugging and development for the Android platform. It discusses the architecture basics, setting up a development environment in Android Studio, tools for observing and monitoring the system like logcat and dumpsys, interfacing with the framework, working with AOSP sources, symbolic debugging with gdb and gdbserver, detailed dynamic data collection using tools like ftrace and perf, and benchmarking. The document also provides guidance on debugging challenges and lists additional topics like debuggerd, tombstones, and ANR traces.
Kunwar Atul presented techniques for pentesting Android applications without root access. This included bypassing SSL pinning by modifying the app's manifest to allow user certificates, extracting sensitive data from backup files without root using ADB, and exploiting insecure Firebase databases and deep links. Deep links could be triggered via ADB to load attacker URLs within an app's webview. References were provided on SSL pinning bypass with Burp Suite, Frida, and modifying apps; reading data without root; and exploiting Firebase and deep links. The presentation did not cover Android architecture, tools like Drozer and Apktool, or lab setups.
NCC Group 44Con Workshop: How to assess and secure iOS apps - NCC Group
This document provides an overview of assessing and securing iOS apps. It discusses setting up a testing environment by jailbreaking an iOS device to gain root access. Various tools are installed to analyze apps, including intercepting network traffic both passively and by acting as an HTTP proxy gateway. The document also covers monitoring local app data, binaries, and runtime analysis for black-box security testing of iOS apps.
Few tips for iOS application development from security perspective.
Google docs presentation: https://docs.google.com/presentation/d/1eLQ40YCReg_pXp2as9FrbTgkNfOjOoPxDYUbFNyrT-M/pub?start=false&loop=false&delayms=3000
Android Platform Debugging and Development - Opersys inc.
This document provides an overview and agenda for a presentation on Android platform debugging and development. It covers debugging architecture basics, setting up a development environment in Android Studio, tools for observing and monitoring apps and frameworks, interfacing with core Android components, working with AOSP sources, and dynamic data collection techniques like logging, strace, ftrace, and perf. Symbolic debugging with gdb/gdbserver and challenges with systrace/atrace are also discussed.
Android Platform Debugging and Development - Opersys inc.
This document provides an overview of debugging and development tools for the Android platform. It discusses setting up the development environment in Android Studio and explores tools for observing system behavior like logcat and dumpsys. Symbolic debugging with gdb and ftrace for dynamic tracing are covered. The document also summarizes benchmarking tools and concludes by discussing challenges with systrace and perf on Android.
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps - DefconRussia
Dmitry Evdokimov presents an overview of analyzing iOS apps through blackbox testing techniques. The document outlines the iOS platform and architecture, common iOS vulnerabilities, and static and dynamic analysis tools that can be used to identify vulnerabilities in iOS apps without access to source code. The agenda includes topics on the iOS platform, Objective-C, app structure, common vulnerabilities, and static and dynamic testing techniques.
Experts Live Europe 2017 - Why you should care about Docker - an introduction - Marc Müller
The popularity of Docker has grown massively in recent years. So what are the benefits for development and operations? This talk provides you a proper introduction into the topic and answers the questions around the differences between Linux and Windows containers, the development workflow and enterprise grade hosting scenarios.
Similar to Android secure offline storage - CC Mobile (20)
5. Android offline storage possibilities
▪ Several ways to store data in Android
- SharedPreferences
- Files (Internal and external storage)
- SQLite
- These are not secure!
▪ Back-up
▪ Rooted devices
8. Offline storage Best Practices
▪ Avoid it (if possible)
▪ Avoid external storage (outside of sandbox, globally readable)
▪ set android:allowBackup="false"
▪ set android:saveEnabled="false"
▪ MODE_PRIVATE with files
9. ADB shell
▪ When app is debuggable (default in DEV) or device is rooted
- adb shell
- run-as be.ordina.offlinestorage (Not necessary on rooted device)
- cd /data/data/be.ordina.offlinestorage/
▪ shared_prefs
▪ db
▪ files
10. Backup extractor -> https://github.com/nelenkov/android-backup-extractor
▪ Command line: adb backup be.ordina.offlinestorage
▪ Unlock the device and confirm backup operation
▪ Command line: java -jar abe-all.jar unpack backup.ab backup.tar
▪ Unzip the tar and check its contents (including the prefs file)
Backing up application
12. Files on internal storage
▪ Internal storage mode MODE_PRIVATE (MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE deprecated)
▪ Files saved on internal storage in MODE_PRIVATE are private to the application.
▪ FILE CONTENT IS NOT SECURE! -> BY BACKING-UP these files are also perfectly readable
13. Safe file storage
▪ Encryption of files!
▪ See fragment.EncryptedInternalStorageFragment class for implementation details
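As an added example (not the fragment.EncryptedInternalStorageFragment code from the sample project, which is not reproduced on this page), here is the slide 12 plaintext write next to an AES/GCM-sealed write of the same file. The class and method names are assumptions. The key is passed in so that any of the slide 21 options can supply it; the IV is taken from the cipher rather than chosen by the caller, which also works with AndroidKeyStore keys that refuse caller-chosen IVs.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example (names assumed): plaintext MODE_PRIVATE file beside an AES/GCM-sealed file. */
public final class EncryptedInternalStorage {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;  // GCM's standard nonce length

    // Slide 12 pattern: MODE_PRIVATE keeps other (non-root) apps out, but the bytes are
    // plaintext on disk and travel in the clear through `adb backup` or a root shell.
    public static void writePlain(Context ctx, String name, String text) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(text.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Slide 13 pattern: same file API, but the content is sealed with AES/GCM.
    // File layout: 12-byte IV || ciphertext || 16-byte authentication tag.
    public static void writeEncrypted(Context ctx, String name, String text, SecretKey key)
            throws IOException, GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);        // provider picks a fresh random IV
        byte[] iv = cipher.getIV();
        if (iv == null || iv.length != GCM_IV_BYTES) {
            throw new GeneralSecurityException("unexpected GCM IV length");
        }
        byte[] sealed = cipher.doFinal(text.getBytes(StandardCharsets.UTF_8));
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(iv);
            out.write(sealed);
        }
    }

    // Any change to the file (or a wrong key) makes doFinal throw AEADBadTagException,
    // so a backup that was edited and restored is rejected instead of silently accepted.
    public static String readEncrypted(Context ctx, String name, SecretKey key)
            throws IOException, GeneralSecurityException {
        byte[] blob = readAll(new File(ctx.getFilesDir(), name));
        if (blob.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("file too short to be a sealed blob");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        byte[] plain = cipher.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    private static byte[] readAll(File f) throws IOException {
        try (FileInputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[(int) f.length()];
            int off = 0;
            while (off < buf.length) {
                int n = in.read(buf, off, buf.length - off);
                if (n < 0) throw new IOException("unexpected end of " + f);
                off += n;
            }
            return buf;
        }
    }
}
```

The two write methods produce files in the same directory with the same permissions; the only difference an `adb backup` or `run-as` shell sees is whether the content is readable. Because GCM authenticates the ciphertext, the read side also doubles as a tamper check on the stored file.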
15. SQLite
▪ Relational database
▪ Saved on internal storage automatically
▪ can be pulled or backed up with adb
▪ sqlitebrowser: (http://sqlitebrowser.org)
▪ SQLite3 command line interface: https://www.sqlite.org/download.html
▪ NOT SAFE
21. Hiding the key
▪ Ask each time
▪ In the code
▪ In the NDK
▪ Android KeyStore (apple KeyChain equivalent)
▪ Server-side
22. Ask each time
▪ At Startup, always ask the users password.
▪ This password can be used to decrypt the database.
23. In the code
▪ Generate a device specific key (See fragment.DeviceSpecificKeyFragment.java)
▪ As we saw earlier, this can be reverse engineered and used to recreate the device specific key (Not very safe…)
24. In the NDK
▪ Install the NDK: https://developer.android.com/tools/sdk/ndk/index.html
▪ Documentation: <ndk>/docs/Programmers_Guide/html/index.html
- Samples/hello-jni: Example Java Native Interface
- Building/ndk-build: How to build your native c files
- Building/Android.mk: Android .mk file describing c-library
25. In the NDK
▪ Android studio
- Create folder app/jni
▪ Create Android.mk, Application.mk, <your-module>.c
- Create folder src/main/jniLibs
- Compile c module:
▪ cd in <project-path>/app directory
▪ <ndk-path>/ndk-build
26. Decompile jar with .so modules
▪ http://reverseengineering.stackexchange.com/questions/4624/how-do-i-reverse-engineer-so-files-found-in-android-apks
▪ online disassembler: http://onlinedisassembler.com/odaweb/
28. Android KeyStore (as of 4.3)
▪ Android hardware backed KeyStore
▪ Standard Java JCA (Java Cryptography Architecture) api but ‘AndroidKeyStore’ as provider
▪ http://developer.android.com/training/articles/keystore.html
▪ http://nelenkov.blogspot.be/2013/08/credential-storage-enhancements-android-43.html
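An added example of the slide's point, written here and not taken from the sample project: the standard JCA KeyStore and KeyGenerator calls with "AndroidKeyStore" as provider, producing an AES key whose material never leaves the KeyStore. The class name and alias handling are assumptions. One caveat for the "as of 4.3" on the slide: KeyGenParameterSpec and symmetric (AES) keys in AndroidKeyStore need API 23 (Android 6.0); on 4.3 to 5.x the KeyStore could only generate asymmetric key pairs through KeyPairGenerator.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

/** Added example (class name and alias assumed): an AES key that lives in AndroidKeyStore. */
public final class KeyStoreKeys {
    private static final String PROVIDER = "AndroidKeyStore";

    /** Returns the key stored under alias, creating it on first call. The key is generated
     *  inside the KeyStore (hardware-backed where the device supports it) and is never
     *  exported to the app, so a decompiled APK or disassembled .so has nothing to reveal. */
    public static SecretKey getOrCreateAesKey(String alias)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);                        // AndroidKeyStore has no backing file to read
        Key existing = ks.getKey(alias, null);
        if (existing instanceof SecretKey) {
            return (SecretKey) existing;
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        kg.init(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)          // only GCM allowed
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();               // material stays inside the KeyStore
    }

    /** Standard JCA query: true when the key is held in secure hardware (TEE or StrongBox),
     *  false when this device only has a software KeyStore. Worth logging at first run. */
    public static boolean isHardwareBacked(SecretKey key) throws GeneralSecurityException {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }
}
```

The returned SecretKey is a handle, not key bytes: `getEncoded()` on it returns null, and the Cipher operations are performed by the KeyStore daemon on the app's behalf. Restricting the key to GCM with no padding means a bug elsewhere in the app cannot quietly downgrade it to ECB or CBC.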
29. Server side decryption
▪ Communication over HTTPS (of course…)
▪ Send bytes or Strings that need to be decrypted to server
▪ Server decrypts and sends unencrypted data back.
Advantages:
▪ Key information doesn’t leave the server (more secure)
Disadvantages:
▪ Application needs to be connected to internet to function correctly.
▪ More server round-trips to perform the encryption and decryption of data.
30. Tamper Detection
▪ Check if app is installed through play store
▪ Check if app is debuggable
▪ Check if app is running on emulator
▪ Check if device is rooted
34. Check if device is rooted
▪ Check for typical rooted binaries
- /sbin/, /system/bin/, /system/xbin/, /data/local/xbin/, /data/local/bin/, /system/sd/xbin/, /system/bin/failsafe/, /data/local/, /system/app/
▪ Check for rooted run command: su
▪ @See RootDetectionUtils.java in Sample project
Show the small demo app which contains sample code that serves our presentation.
Applications run in a sandbox. This means:
Apps are given a userId and the apps run with that userId.
Files stored in the sandbox are accessible only to those userIds.
Apps with a different userId can not access those files.
REMARKS.
Apps signed with the same key or apps with the same sharedUserId (AndroidManifest) can access the same sandbox
Rooted phones overcome this limitation
On a device that’s rooted, everything basically runs as root.
As root you gain access to practically everything and all Android limitations that exist no longer apply (isDebuggable, allowBackup, etc…) (if I'm not mistaken!)
Avoid offline storage. In the US for example, Health Insurance regulations state that apps running in airplane mode that still “work” are non-compliant.
Avoid external storage. Use ContentProviders to share information between apps instead of saving data in the globally accessible storage…
Set allowBackup=false. This will prevent adb backup command from working.
set android:saveEnabled="false" prevents the application from saving the instance state of your activity during screen rotation… This behaviour is not desired.
MODE_PRIVATE with files. Store all files in MODE_PRIVATE. This should keep your files private to your app.
In case of a rooted device, the above best practices don’t really increase the security of your offline files.
Rooted devices are not limited by the android sandbox...
More explanation on the isDebuggable flag:
Can be set in AndroidManifest.xml.
Android studio (not sure about eclipse, but probably also) by default sets this flag on true when deploying on a device during development.
The android backup extractor can be used to convert .ab (android backup) files to .tar files.
The resulting .tar file can then simply be unzipped and the contents can be inspected!
DEMO the adb shell and adb backup tools.
adb shell demo:
Connect device
adb shell
run-as be.ordina.offlinestorage (package in AndroidManifest.xml)
cd /data/data/be.ordina.offlinestorage (normally, the run-as command already cd’s into this directory)
REMARKS:
when app isDebuggable is false, this does not work!
When running from android studio, the app is debuggable
When creating release build, the app is not debuggable
isDebuggable property is being set on the application tag in AndroidManifest.xml
adb backup demo:
Connect device
cd ~/AndroidSecurityWorkshop/Androidackups
adb backup be.ordina.offlinestorage
confirm backup on device
abe-all.jar unpack backup.ab backup.tar
extract the tar
REMARKS:
when app allowBackup=false, then the backup pulled from the device will not be readable after running the backup-extractor
Always use MODE_PRIVATE. This will ensure that files are being saved in the application’s sandbox.
Only apps signed with the same signing key or apps with the same sharedUserId (AndroidManifest.xml) can access files in the sandbox!
DEMO the offline stored files.
Demo the code:
Show the code where file is created. Notice the MODE_PRIVATE. explain that this means the file will not be accessible for other applications (unless device is rooted of course)
Backup the application (or re-use an existing backup).
Show the file content!
Explain that storing files in this way is not secure!
DEMO the Sqlite database.
Open the app
Navigate to the SqlLite fragment
Insert a user
adb backup the application
open the database in sqlitebrowser (or command-line with sqlite)
SqlCipher encrypts the database with AES-256 symmetric encryption
It’s a drop-in replacement for SQLite. So all code samples you find on the internet which apply to SQLite can be used for SQLCipher. The only difference is the package name of the SQLCipher objects (net.sqlcipher.database instead of android.database.sqlite)
SQLCipher works by hooking into the database system at a certain point where they can intercept blocks of data before they are being written or read.
At this stage, they are being encrypted using AES-256.
More details about this can be found at the url listed on this slide!
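An added example of the drop-in claim above, written for this page rather than taken from the sample project's SqlCipherFragment: a SQLiteOpenHelper from net.sqlcipher.database that looks exactly like its android.database.sqlite counterpart, except that the native library is loaded once and getWritableDatabase/getReadableDatabase take the passphrase. The database name, table and class name are assumptions; the passphrase is expected to come from the user at login (slide 22), not from the code.

```java
import android.content.ContentValues;
import android.content.Context;
import net.sqlcipher.database.SQLiteDatabase;
import net.sqlcipher.database.SQLiteException;
import net.sqlcipher.database.SQLiteOpenHelper;

/** Added example (names assumed): SQLCipher for Android as a drop-in for android.database.sqlite.
 *  Swap the imports back to android.database.sqlite and drop the passphrase arguments and
 *  this is the ordinary, unencrypted helper from the SQLite fragment. */
public final class UsersDbHelper extends SQLiteOpenHelper {
    private static final String DB_NAME = "users.db";   // assumed name
    private static final int DB_VERSION = 1;

    public UsersDbHelper(Context ctx) {
        super(ctx, DB_NAME, null, DB_VERSION);
        SQLiteDatabase.loadLibs(ctx);  // load the native SQLCipher library (once per process)
    }

    @Override
    public void onCreate(SQLiteDatabase db) {
        db.execSQL("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
        db.execSQL("DROP TABLE IF EXISTS users");
        onCreate(db);
    }

    /** Inserts a user; pages are encrypted with AES-256 as they are written to disk. */
    public long insertUser(String passphrase, String name) {
        SQLiteDatabase db = getWritableDatabase(passphrase);
        ContentValues values = new ContentValues();
        values.put("name", name);
        return db.insert("users", null, values);
    }

    /** Login check as in the DBLoginFragment flow: a wrong passphrase makes SQLCipher fail
     *  with SQLiteException ("file is not a database") when the first page is read. */
    public boolean checkPassphrase(String passphrase) {
        try {
            getReadableDatabase(passphrase)
                    .rawQuery("SELECT count(*) FROM sqlite_master", null)
                    .close();
            return true;
        } catch (SQLiteException e) {
            return false;
        }
    }
}
```

With this helper in place, the slide 15 demo (adb backup, then open the .db with sqlitebrowser or the sqlite3 CLI) no longer yields readable rows, and the sqlcipher CLI needs the same `PRAGMA key` before it can query the file.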
Demo SQLCipher.
First show the code. Comparison with Sqlite code (notice the drop-in replacement. No different api calls, only different package names)
Show the usage of a password
Perform backup of the application (Or re-use an existing backup)
open the encrypted database with sqlite cli (Notice this won’t work!)
open the encrypted database with sqlcipher cli (Notice that without PRAGMA key="<KEY>"; this won’t work either)
open the encrypted database with sqlcipher cli (USE PRAGMA key="<KEY>"; statement and query the db!)
Demo decompiled jar and show password in code:
CD into ~/AndroidSecurityWorkshop/AndroidApks
Run: adb shell pm path your-package-name.
Run: adb pull <.apk-path>
Rename base.apk to base.zip
Extract the zip
Run: java -jar ../abe-all.jar base/classes.dex
Open the resulting jar with JD-GUI
Open the correct classname, and display the password.
Now that we have encrypted our local files and local databases, our data has become unreadable.
Our problem now shifts to hiding the key. Because when users find the key, our encryption mechanisms are useless…
DEMO the SqlCipherFragment!
DBLoginFragment is being used as login fragment… Login attempts are being sent to the OfflineStorageActivity through a callback.
In the callback, the password is retrieved and sent to the SqlCipherFragment, which tries to connect to the database with the password.
In case of a wrong password, login fails.
The compiled c-module becomes a .so module.
This module can be disassembled…
Show the contents of the .so module in the onlinedisassembler!
Show the c-code:
Explain how the method name should correspond to a method declared in java
Show the native Java method
Show how to load the library!
Show how the method is called and the password is being retrieved from the native library
As of Android 4.3, The Android KeyStore Api allows a user to store keys in the secure hardware of your CPU!
This was previously also possible (as of android 4.0) but required the use of reflection and was limited to RSA keys.
App can be tampered with when not installed through play store.
For example, the app could be decompiled, altered and packaged again and then manually be installed. This should be prevented.
Unless explicitly configured, apps in production aren’t debuggable.
App could be tampered with when you detect it’s running in debuggable mode. This might be an indication that people are trying to reverse engineer your app.
Check is being done by bitwise AND’ing the flags on our application with the FLAG_DEBUGGABLE. If the result is 0, then the app is debuggable.
This may also indicate people are trying to reverse engineer your app. Or repackage it.
Rooted devices allow applications to bypass the sandboxing model.
This implies:
Resources are accessible by anyone.
Private storage can be inspected regardless of whether the app is debuggable or backupable. (database, preferences, files, etc…)
Check is being done by looking for the typical rooted binaries and the su command.
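An added example that gathers the slide 30 checks (Play Store install, debuggable flag, emulator, root) together with the slide 8 allowBackup flag into one startup self-check; it is written for this page and is not the RootDetectionUtils.java from the sample project. The class name, the emulator heuristics and the decision to treat a missing `which` binary as "not rooted" are assumptions. FLAG_DEBUGGABLE and FLAG_ALLOW_BACKUP are bits in ApplicationInfo.flags, so the bitwise AND is non-zero exactly when the flag is set. getInstallerPackageName still works but is deprecated since API 30 in favour of getInstallSourceInfo.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;

/** Added example (class name assumed): startup self-checks for the conditions on slides 8, 30 and 34. */
public final class TamperChecks {
    // Slide 34 list: directories where a su binary typically lives on a rooted device.
    private static final String[] SU_DIRS = {
        "/sbin/", "/system/bin/", "/system/xbin/", "/data/local/xbin/", "/data/local/bin/",
        "/system/sd/xbin/", "/system/bin/failsafe/", "/data/local/", "/system/app/"
    };

    /** True when the APK was installed by Google Play (installer package com.android.vending). */
    public static boolean installedFromPlayStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return "com.android.vending".equals(installer);
    }

    /** Debuggable flag from the manifest: the AND is non-zero when the bit is set. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Same test for android:allowBackup (slide 8): on by default unless the manifest says false. */
    public static boolean isBackupAllowed(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0;
    }

    /** Heuristic (assumption): the stock emulator reports generic build fingerprints and models. */
    public static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86");
    }

    /** Slide 34, first check: a su binary in one of the typical locations. */
    public static boolean suBinaryPresent() {
        return suBinaryPresent(Arrays.asList(SU_DIRS));
    }

    static boolean suBinaryPresent(List<String> dirs) {
        for (String dir : dirs) {
            if (new File(dir, "su").exists()) return true;
        }
        return false;
    }

    /** Slide 34, second check: ask the shell's `which` whether su is on the PATH. */
    public static boolean suOnPath() {
        Process p = null;
        try {
            p = Runtime.getRuntime().exec(new String[] {"which", "su"});
            try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                return r.readLine() != null;      // `which` prints a path only when it found one
            }
        } catch (IOException e) {
            return false;                         // no `which` binary or exec refused: not found
        } finally {
            if (p != null) p.destroy();
        }
    }

    public static boolean isRooted() {
        return suBinaryPresent() || suOnPath();
    }

    /** Aggregate a defender can log, report to the backend, or use to refuse offline storage. */
    public static boolean environmentLooksTampered(Context ctx) {
        return !installedFromPlayStore(ctx) || isDebuggable(ctx) || isBackupAllowed(ctx)
                || isEmulator() || isRooted();
    }
}
```

As the notes above say, none of these checks survives on a device where everything runs as root: a rooted phone can rename su or hook the checks. They are signals for deciding how much to trust the device (for example, refusing to keep decrypted data on disk), not a substitute for the encryption and KeyStore measures on the earlier slides.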