Uploaded byDom Digital
How secure is an android app?
The document discusses the security of Android applications through various aspects including APK structure, sandboxing, and reverse engineering techniques. It highlights the differences between native and hybrid applications, as well as best practices for securing apps, such as obfuscation and key management. Additionally, it outlines the advantages and disadvantages of hybrid apps in terms of user experience and security vulnerabilities.
![[Wroclaw #1] Android Security Workshop](https://cdn.slidesharecdn.com/ss_thumbnails/owaspplwroclaw1-160225150939-thumbnail.jpg?width=640&height=640&fit=bounds)
How secure is an android app?
- 1. How Secure is anAndroid App? Pedro Tavares 11 September, 2017
- 2. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Agenda ● Scenario ● APK - What is it? Is it hackable? ● Sandboxing of Android Processes ● Dalvik VM vs Java VM ● Native vs Non-Native Applications ● CPTs and CPMDs ● Reverse Engineering ● Problem of Hybrid Apps ● Best Practices ● Suggestions # Agenda
- 3. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Agenda: Scenario# Agenda server-side client-side
- 4. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal APK - What is it? Is it hackable? Android Package # Agenda # APK - What is it? terminal> unzip edpartners.apk RE is possible
- 5. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Sandboxing of Android Processes ● Dedicated Virtual Machine (VM) ● Process Isolation (UID) ● Not shared resources ● Kernel protection # Agenda # APK - What is it? # Sandboxing of android ... Dalvik Virtual Machine
- 6. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Dalvik VM vs Java VM# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM Java Source Code Java Byte Code Dalvik Byte Code Dalvik Executable Dalvik VM Java Source Code Java Byte Code Java Byte Code Java VM Java Compiler Java Compiler Dex Compiler Ant Gradle
- 7. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Dalvik VM vs Java VM# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM
- 8. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal CPTs and CPMDs# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs CPTs (Cross-platform Tools) CPMDs (Cross-platform to Mobile Development) Tools that automate the process of creation mobile applications. Web-based platforms which enable the process of creation mobile applications through CPTs on web-browsers.
- 9. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Native vs Non-Native Applications# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native ... Native Hybrid Web Fully Java Based. Direct communication with the native API. HTML5 based. Javascript provides a bridge with the native API of mobile operating system. Based in HTML5 and on web-services and online content.
- 10. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal # Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native … # Reverse Engineering Reverse Engineering App on phone App on marketplace .apk files resource .dex files Manifest .class files Java files Readable XML aapt (Android asset packaging tool) Dex > jar (dex2jar) Class > java (Java Decompiler) Extract APK HTML, CSS, Javascript, Images, assets, etc. Hybrid Apps unzip
- 11. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Problem of Hybrid Apps# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native … # Reverse Engineering # Problem of Hybrid Apps ● Best user experience ● Portability (multi-platforms) ● Cheaper origination costs ● Faster (initial) speed to market ● Weak security (obfuscation, encryption, etc.) ● Weak performance (a bridge is needed) ● Creates a lot of junk Advantages Know Problems
- 12. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Best Practices# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native … # Reverse Engineering # Problem of Hybrid Apps # Best Practices ● Architecture well-defined ● Obfuscation ○ Native Apps: ProGuard ○ Hybrid: Google Closure Compiler in the level ADVANCED_OPTIMIZATIONS ● Obfuscation not resolve hardcoded strings ○ Android Keystore System ■ Store keys in Internal Storage ➢ Trusted Execution Environment ○ oauth2 ● Javascript files available via remote callbacks ● Minify Javascript files Increase the cracking task
- 13. Pedro Tavares pedrotavares@domdigital.com Av. RainhaD. Amélia, 142 Cave 6300 - 749 Guarda, Portugal Suggestions# Agenda # APK - What is it? # Sandboxing of android … # Dalvik VM vs Java VM # CPTs and CPMDs # Native vs Non-Native … # Reverse Engineering # Problem of Hybrid Apps # Best Practices #Suggestions “Meteor.js: um framework além do MVC” www.meteor.com Obfuscation Android Keystore System (MinSDK 18, Android 4.3 and higher, and Smartphone support) https://medium.com/@vashisthg/android-secure-shared-preferences-10f8356a4c2b https://github.com/ophio/secure-preferences https://developer.android.com/training/articles/keystore.html#UsingAndroidKeyStore AWS Cognito, lambda, 3party apps, etc. https://aws.amazon.com/pt/mobile/
- 14.