The document outlines the key aspects of Android application security from a professional perspective, discussing the Android security model, potential vulnerabilities, and the penetration testing process. It highlights various security issues such as insecure file permissions, bad encryption practices, insufficient transport layer protection, and weak server-side controls, while emphasizing the importance of proper authorization, authentication, and interprocess communication. The author aims to raise awareness about common security pitfalls in Android applications to encourage better security practices among developers.

1. Dos and Don'ts of Android
Application Security
(Security Professional Perspective)
Bijay Limbu Senihang
@bhutabe

2. root@root:~$ whoami
• Information Security Consultant @EntrustNP
• Co-founder of Nep Security
• Security Researcher
• Trainer/Lecturer
• Loyal Husband

3. </Agenda>
• Introduction to Android Security Model
• Needs of Android Application Security
• Penetration Testing Process
• Vulnerabilities found in Android Application

4. </Introduction>

5. </Android is everywhere>

6. </Inside Android>
• Based on Linux Kernel 3.x
• Run Application in Dalvik VM
Environment
• Dex--Dalvik Byte Code
• Apk --Zip
• AndroidManifest.xml
Java Dalvik Byte Code APK

7. </Inside APK>

8. </Android App Components

9. </Android Security Model>
• Creates unique user for each application by
Android
• Each application runs in a sandbox using its UID
• Security is enforced at the OS and the
application level
• Each application is signed
• Applications are totally isolated by default

10. </Where is the Problem?>

11. </Pen-testing Process>
• Extraction of Application from device
• Reverse Engineering Application
• Analyzing the Application
• Monitoring Process Activity
• Observing File Access
• Debugging the running apps
• Analyzing Memory dumps
• Analyzing Network Traffic
• Analyzing remote services

12. </Vulnerabilities >

13. </Insecure File System Permission>
• Weak File Permission
– Files on /data/data/APP with “everyone
read” permission
– Files stored on SD Card with no
permission
• Unnecessary File Permission

15. </Insecure Client Data Storage>
• Data found in apps
– Private Information – Phone numbers, Addresses, Emails
– Sensitive Information -usernames, passwords, encryption
keys, credit cards, session identifiers, tokens, etc.
• Interesting places that might contain sensitive data
– SQLite databases
– Log Files
– XML Data Stores or Manifest Files
– Binary data stores
– SD Card
– Cloud

16. </Bad Encryption>
• Hard-coded key is stored in the source code
• Same key for all users
• Key can be stolen by other apps due to bad
permissions
• Key is stored right next the encrypted data
• Custom, easily defeated crypto implementation
(“encraption”)

17. </Insufficient Transport Layer Protection>
• Weak SSL Cipher
TrustManager[]trustAllCerts = new TrustManager[] {new X509TrustManager(){
public java.security.certX509Certificate[]getAcceptIssuers(){
return new java.security.certX509Certificate[]{};
}
public void checkClientTrusted(X509Certificate[] chain, Strng authType)
throws CertificateException{}
public void checkServerTrusted(X509Certificate[]chain, String authType)
throws CertificateException{}
}};
• Out of Date/Self Signed
Certificates

18. </Weak Server Side Controls>
• Sql Injection
• XSS
• CSRF
• RCE
• XXE etc...

19. </Poor Authorization and Authentication>
• Device authentication based on IMEI,
IMSI, UUID is insufficient.
– Hardware identifiers persist across data
wipes and factory reset
– Never use device identifiers as session
token
• Enforcing client side security is
insufficient

20. </Insecure Interprocess Communication>
• Interoperability – Any application can start another
application's component
• “Intent” delivers an asynchronous message to the system to
activate components in another application

21. </Insecure Interprocess Communication>
• Unauthorized caller/intent spoofing
• Permission re-delegation/Confused
deputy
• Phishing/CSRF
• Intent sniffing
• DoS
• Component hijack/identity theft

22. </Hard Coded Information>
• API keys
• Usernames and Passwords
• Encryption Keys
• Sensitive business logic an “secret
algorithm”
• URL's

23. </Insecure Log Exposure>
• Logs can contain info such as
– Important events (app start, user login
details, page load)
– Exceptions
– Sensitive variables(encryption keys,
serial numbers)
– Sensitive information(credit cards,
passwords)

24. </Security Matters!!>

25. </Any Question?>