Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Android Security Development
Similar to Android Security Development (20)
Recently uploaded
Recently uploaded (20)
Android Security Development
- 1. Android Security Development SEAN
- 4. Sean • Developer • Developer • Developer
- 5. Something you need to know • USB • Screen • Clipboard • Permission • Database • Network • Cryptography • API Management
- 6. USB
- 8. ANDROID:ALLOWBACKUP = "TRUE" It will allow someone can backup databases and preferences.
- 10. ANDROID:DEBUGGABLE = "TRUE" It will let someone can see log message and do something more …
- 11. IF ANDROID:DEBUGGABLE MAKE ERROR NOTIFICATION IN ECLIPSE, IT IS ALL ABOUT ADT LINT.
- 12. CLICK ON "PROBLEMS" TAB
- 13. RIGHT CLICK ON ITEM AND CHOOSE "QUICK FIX"
- 15. SCREEN
- 16. GETWINDOW().SETFLAGS(LAYOUTPARAMS.F LAG_SECURE, LAYOUTPARAMS.FLAG_SECURE); It disable screen capture • [POWER] + [VOL-DWN] • OEM feature like SAMSUNG / HTC
- 17. CLIPBOARD
- 18. SAVE THE STATE OF APPLICATION onResume => FOREGROUND onPause => BACKGROUND
- 19. USE RUNNABLE AND POSTDELAYED 500 MS when onPause is triggered
- 20. DETECT STATE AND SETPRIMARYCLIP If STATE equals BACKGROUND, execute BaseActivity.this.mClipboardManager .setPrimaryClip(ClipData.newPlainText("", ""));
- 21. PERMISSION
- 22. ONLY USE NECESSARY PERMISSIONS
- 23. GOOGLE CLOUD MESSAGING NEEDS ANDROID.PERMISSION.GET_ACCOUNTS
- 24. BUT
- 25. GOOGLE CLOUD MESSAGING NEEDS ANDROID.PERMISSION.GET_ACCOUNTS
- 26. Database
- 27. SQLITE
- 29. SQLite Encryption Extension http://www.sqlite.org/see/
- 30. NETWORK
- 31. USE HTTPS WITH SELF-SIGNED CERTIFICATE
- 32. BUT
- 34. HOSTNAME IS VALID ?
- 35. VERIFY HOSTNAME
- 36. CHECK CERT ?
- 37. CLEAR KEYSTORE AND IMPORT SERVER CERT
- 38. DOUBLE CHECK CERT ?
- 39. VERIFY BINARY CONTENT OF SERVER CERT Avoid Man-in-the-Middle attack
- 40. WHY ?
- 41. SSL MECHANISM IN OS MAY BE WRONG APPLE SSL / TLS Bug ( CVE-2014-1266 )
- 42. SSL TUNNEL KEEP DATA SAFE ?
- 43. NO
- 44. YOU STILL NEED ENCRYPT DATA
- 46. DO NOT DO THIS
- 48. CRYPTOGRAPHY
- 49. BY ANDROID SDK OR ANDROID NDK ?
- 50. ANDROID SDK: JAVA DECOMPILE EASY ANALYSIS EASY
- 51. ANDROID NDK: C AND C++ DISASSEMBLE EASY ANALYSIS HARD
- 52. ANDROID NDK OpenSSL Inside
- 53. ANDROID NDK Customize ?
- 54. ANDROID NDK PolarSSL https://polarssl.org
- 55. PolarSSL Chang SBOX of AES, ...
- 56. SO, ALL KEY GENERATION AND ENCRYPTION MUST BE DONE IN ANDROID NDK
- 58. GENERATE KEY ?
- 59. RANDOM KEY HARDWARE ID USER KEY
- 60. RANDOM KEY One Key – One Encryption
- 61. HARDWARE ID IMEI / MEID WIFI MAC Address Bluetooth Address
- 62. IMEI / MEID ANDROID.PERMISSION.READ_PHONE_STATE WIFI MAC Address ANDROID.PERMISSION.ACCESS_WIFI_STATE Bluetooth Address ANDROID.PERMISSION.BLUETOOTH
- 63. USER KEY Input from user Only exist in memory Just clear when exit
- 66. SCRAMBLE ?
- 67. MORE COMPLEX THAN BASE64 WIKI: Common Scrambling Algorithm http://goo.gl/eP6lXj
- 68. THEN ?
- 71. GG
- 72. API MANAGEMENT
- 73. ACCESS TOKEN REFRESH PERIODICALLY RANDOM GENERATE
- 74. ACCESS TOKEN
- 75. ACCESS TOKEN ↓ USER ID
- 76. ACCESS TOKEN ↓ USER ID ↓ HARDWARE ID
- 77. ACCESS TOKEN ↓ USER ID ↓ HARDWARE ID ↓ ENCRYPT OR DECRYPT
- 78. ALL API ACCESS MUST WITH ACCESS TOKEN