Android Security
Developing Secure App
Secure Coding Guidelines
• Do such guidelines even exist?
• Who cares! No one's gonna hack my app.
• Let's finish this project anyhow!!!
Secure Coding Guidelines
• Computer Emergency Response Team (CERT)
• Expert groups that handle computer/IT security incidents.
• Issued the Android Secure Coding Guidelines.
• Mission: "We reduce the number of vulnerabilities to a level that can be fully mitigated in operational environments."
Packaging
Attack Vectors in Android
Attack Vectors
• Mounting SD Card in PC
• Malicious App
• Network Attack
• Malicious File Attack
• User’s Unawareness
• USB Debugging
• Root permissions!! (Can do anything)
Security Policy
in Android
Unix Security Policy
1. Process Isolation
2. Hardware Isolation
3. User Permission Model
4. R/W/X Permissions to file
5. Secure IPC
Android Security Policy
1. Application Isolation
2. Sandbox of Application
3. Secure Communication
4. Signing the Application
5. Permission model of Application
To-Dos to Secure Apps
Avoid Simple Logics
// 1. Fragile: an int flag compared against a magic number. Any other value
//    (or a forgotten initialisation) silently changes the access decision.
private void validate() {
    if (mLoginAccess == 1) {
        // TODO: update user.
    }
}

// 2. Better: a boolean on the login object, but "== true" is redundant and
//    one dropped "=" turns the comparison into an assignment that always passes.
private void validate() {
    if (mLogin.hasAccess == true) {
        // TODO: update user.
    }
}

// 3. Idiomatic: test the boolean directly.
private void validate() {
    if (mLogin.hasAccess) {
        // TODO: update user.
    }
}
Test 3rd-Party Libraries!
• Caution: Developers rely heavily on third-party libraries.
It is important to thoroughly probe and test these as you
test your own code. Third-party libraries can contain
vulnerabilities and weaknesses. Many developers assume
third-party libraries are well-developed and tested;
however, issues can and do exist in their code.
Use Encryption
• Caution: External storage can become unavailable if the
user mounts the external storage on a computer or
removes the media, and there's no security enforced
upon files you save to the external storage. All
applications can read and write files placed on the
external storage and the user can remove them.
http://developer.android.com/guide/topics/data/data-storage.html
But How to Encrypt?
To Secure Apps
How to Encrypt or Encode?
1. Encode Shared Preferences
2. Encrypt SQLite: SQLCipher
3. Encrypt Network: TLS
4. Data Encryption: Facebook's Conceal Library
5. MD5, SHA for Sensitive Data
To Be Secured
1. Secure Intents
2. Secure WebView
3. Secure Logs
4. Secure against Intent Leaks
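The four items above share one idea: do not hand data or capabilities to code you do not control. A WebView with JavaScript and file access enabled exposes the app to whatever page it loads; an implicit Intent carrying sensitive extras can be received by any app that registers a matching filter; and anything written to logcat is readable by other apps on older Android versions and by anyone with ADB access. The following is an added example, not from the deck, showing one hardening step for each item; the class, package name, extra names and method names are assumptions, and `BuildConfig` refers to the app's own generated class.

```java
import android.content.Context;
import android.content.Intent;
import android.util.Log;
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Hypothetical helpers for the "To Be Secured" list. */
public final class Hardening {
    private static final String TAG = "Hardening";

    private Hardening() {}

    // 2. Secure WebView: disable every capability the loaded content does not need.
    public static void hardenWebView(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);             // default, but make it explicit; enable only for a trusted origin
        s.setAllowFileAccess(false);               // no file:// URLs, so a page cannot read app-private files
        s.setAllowContentAccess(false);            // no content:// URLs into content providers
        s.setAllowFileAccessFromFileURLs(false);   // no cross-file reads even if a file:// page is ever loaded
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setGeolocationEnabled(false);
    }

    // 1. Secure Intents: name the target component explicitly, so no other app can
    //    register an intent filter and receive the extras instead.
    public static Intent buildExplicitIntent(Context ctx, Class<?> target, String sessionId) {
        Intent i = new Intent(ctx, target);
        i.putExtra("session_id", sessionId);       // assumed extra name
        return i;
    }

    // 4. Intent leaks: when an implicit action is unavoidable, pin it to a known package
    //    so the system will not offer it to arbitrary apps.
    public static Intent buildPinnedIntent(String action, String payload) {
        Intent i = new Intent(action);
        i.setPackage("com.example.partner");       // assumed package name of the trusted receiver
        i.putExtra("payload", payload);            // assumed extra name
        return i;
    }

    // 3. Secure Logs: gate debug output on the build type so sensitive values never
    //    reach logcat in a release build. Even in debug, do not log tokens or passwords.
    public static void debugLog(String message) {
        if (BuildConfig.DEBUG) {
            Log.d(TAG, message);
        }
    }
}
```

Pair the explicit Intent with `android:exported="false"` on the receiving component in the manifest, so that the component cannot be started by other apps at all. ProGuard (next slide) can additionally strip `Log` calls from release builds with an `-assumenosideeffects` rule, which removes the string concatenation as well as the call.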
Code Obfuscation
1. ProGuard
2. Don't include unused classes and libraries
3. Hard to protect against Smali decompilation
To Use
1. Use of Tokens for Authentication
2. Use of HTTPS!
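The two items go together: a token lets the app stop storing the user's password after login, and HTTPS is what keeps that token from being read by the sniffers listed under "Our Evils". The following is an added example, not from the deck: a minimal client that holds the token in memory, attaches it as a bearer credential, and refuses to send it over any URL that is not `https://`. The class name, token source and timeouts are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

/** Hypothetical API client: bearer token over TLS only. */
public final class ApiClient {
    private static final int TIMEOUT_MS = 10_000;

    // Short-lived token returned by the login endpoint; kept in memory, never in logs or plain files.
    private final String token;

    public ApiClient(String token) {
        this.token = token;
    }

    public String get(String urlString) throws IOException {
        URL url = new URL(urlString);
        // Fail closed: a credential must never travel over cleartext HTTP.
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("refusing to send credentials over cleartext: " + urlString);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.setRequestMethod("GET");
            conn.setRequestProperty("Authorization", "Bearer " + token);
            conn.setConnectTimeout(TIMEOUT_MS);
            conn.setReadTimeout(TIMEOUT_MS);
            int code = conn.getResponseCode();
            if (code == 401) {
                // Token expired or revoked: the caller should re-authenticate, not retry with a password.
                throw new IOException("token rejected by server");
            }
            if (code >= 400) {
                throw new IOException("request failed with HTTP " + code);
            }
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                StringBuilder body = new StringBuilder();
                String line;
                while ((line = reader.readLine()) != null) {
                    body.append(line).append('\n');
                }
                return body.toString();
            }
        } finally {
            conn.disconnect();
        }
    }
}
```

The check on the scheme is a belt-and-braces measure; on API 24 and later the same rule can be enforced app-wide by setting `cleartextTrafficPermitted="false"` in a network security configuration file, so that even a forgotten `http://` URL elsewhere in the code fails to connect.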
Our Evils
1. ADB
2. Malicious Applications
3. Unprotected Network
4. Sniffers
Our Friends
1. Android Fuzzers
2. Xposed Framework
3. Drozer
4. APKtool or any other static analysis tool
5. Penetration tools for Android
6. And many more...
Thank you!
@DearDhruv