This presentation is aimed at Android app developers looking to deal with the insecurity that surrounds Android apps these days and how to create a secure app.

1. Godfrey Nolan

2. Why are we here?
Little bit of Android History
Secure Coding Practices
Secure Policy Scanner
Sample Demo App
Other tools

3. Malware
Known Exploits
Fake apps
Android versions

7. Top 10
Looking for new additions
Metrics

8. Opening files as WORLD_READABLE, WORLD_WRITABLE
Opening databases as WORLD_READABLE, WORLD_WRITABLE
Unencrypted SQLite database
Storing data on SD-CARD via WRITE_TO_EXTERNAL_STORAGE
Check app permissions
Check app is not looking for root permissions
Search for hardcoded usernames and passwords
Search for API calls
Detect Unencrypted communications
Check for basic obfuscation
Check location requests

9. Check app permissions
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
CALL_PHONE
CAMERA
INTERNET
READ_CALENDAR
READ_CONTACTS
READ_INPUT_STATE
READ_SMS
RECORD_AUDIO
SEND_SMS
WRITE_CALENDAR
WRITE_CONTACTS

10. Policy Percentage
World Readable Writeable File 11
World Readable Writeable Database 0
Unencrypted Database 47
Access External Storage 32
Sketchy Permissions 72
Runtime Root Access 8.5
Username Password 81
Access Http 47
Unencrypted Communications 47
No Basic Obfuscation 94

12. Version 1
Run SPE
Version 2
Run SPE
Version 3
Run SPE

13. Secure Policy Enforcer (SPE)
Aspect Security’s Contrast
Checkmarx
Veracode Mobile
Using a CA cert to sign your APK
Mobile Device Management tools –
MobiControl

16. http://jon.oberheide.org/files/summercon12-bouncer.pdf
http://www.securelist.com/en/analysis/204792239/IT_Threat_Evolution_Q2_2012
http://developer.android.com/reference/android/Manifest.permission.html
https://www.pcisecuritystandards.org/security_standards/documents.php?documen
t=mobile_payment_security_guidelines1#mobile_payment_security_guidelines1

17. http://www.decompilingandroid.com
@decompiling
godfrey@riis.com
http://www.riis.com