Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (14)
Similar to Android Security - Common Security Pitfalls in Android Applications
Similar to Android Security - Common Security Pitfalls in Android Applications (20)
More from BlrDroid
More from BlrDroid (20)
Recently uploaded
Recently uploaded (20)
Android Security - Common Security Pitfalls in Android Applications
- 1. Common Security Pitfalls in Android Apps Aditya Gupta Attify
- 2. Who Am i • Founder, Attify • Mobile Security Researcher • Developing a secure BYOD solution for enterprises • Co-creator of AFE (Android Framework for Exploitation) • Upcoming tool : DroidSE • Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan etc.
- 3. Agenda • Security Overview of Android Apps • Some vulnerabilities in Android Apps • Secure Coding
- 4. Android Security Model • Based on Linux • Security features are derived mostly from Linux • Application Isolation • Each app in its own DVM
- 5. Security Overview of Android Apps • Application Sandboxing • Data stored in /data/data/[package-name]/ • AndroidManifest.xml plays an important role • Permissions while accessing activities, services, content providers
- 6. Hard Coding Sensitive Info • Have seen some apps hardcode sensitive info • Reversing applications • Encrypting passwords : really common • Use protection to prevent apps from reversing • Don't ever hardcode a sensitive info in an app.
- 9. Logging Sensitive Information Log.d("Facebook-authorize", "Login Success! access_token=" + getAccessToken() + " expires=" + getAccessExpires());
- 10. Leaking Content Providers • Content Providers • What can one application do to another • Leakage of content providers • By default exported
- 14. Dropbox
- 22. Android WebView vuln • What's a Webview?
- 23. Android WebView vuln • Framing Web components into application • Could be really useful while building applications • Does it also allows Javascript?
- 24. Javascript in Webviews • Javascript is allowed in Webviews • Javascript could be used to interact with the app's interface • Malicious functions could be executed
- 25. Malicious functions with JS • Could be used to send SMS or place calls • Or to install another application • Get a reverse shell to a remote location • Modify file system or steal something from the device
- 28. Ad Libraries, anyone? • InMobi • List of Exposed methods : • makeCall • postToSocial • sendMail • sendSMS • takeCameraPicture • getGalleryImage
- 31. SQLite Injection • SQLite databases for storing application's data • Storing sensitive information in databases • Do you sanitize user input before applying SQL queries
- 32. Sample Code ! uname = (EditText) findViewById(R.id.username); pword = (EditText) findViewById(R.id.password); ! ! String getSQL = "SELECT * FROM " + tableName + " WHERE " + username + " = '" + uname + "' AND " + password + " = '" + pword + "'"; ! Cursor cursor = dataBase.rawQuery(getSQL , null);
- 33. Insecure File Permissions • File storing sensitive data need to have proper permissions • Should be accessible only by the application
- 37. Android Backup Vulnerability • Allows backup of application's data • No root needed in the device • Attacker could read/modify app's data and restore it back • Default behaviour in AndroidManifest.xml
- 42. Network Traffic
- 48. Content Providers <provider android.name="com.example.secure.SecureProvider" android.authorities="com.example.secure.mailprovider" android.readPermission="com.example.testapps.test1.permission.READ_DATE" android.writePermission="com.example.secure.permission.WRITE_DATA" android:grantUriPermissions="true"> ! </provider>
- 49. If you don't need android:exported = "false"
- 50. Summary • Avoid common mistakes • Store data in encrypted form • Sending data through HTTP/insecure HTTPs
- 52. ` • Drop a mail at adi@attify.com