SECURING ANDROID APPLICATIONS
October 2014
http://www.linkedin.com/jmortega1
https://speakerdeck.com/jmortega/
@jmortegac
ARCHITECTURE / DALVIK VM / SANDBOX 
ANDROID APPLICATIONS / PERMISSIONS 
UTILS EXECUTION ENVIRONMENT 
TOOLS ECLIPSE / ANDROID STUDIO 
COMPONENTS SECURITY / STATIC ANALYSIS 
ENCRYPTION / OBSFUSCATION 
REVERSING APK TOOLS 
APK ANALYZERS / PENTESTING / FORENSICS
Android Architecture
Dalvik VM 
REGISTER-BASED VIRTUAL MACHINE 
RUN ON A SLOW CPU WITH LITTLE RAM 
OPTIMIZED FOR MOBILE DEVICES 
DEX(Dalvik executable)
Dalvik vs ART (4.4)
DALVIK                              | ART
Just-In-Time (JIT) compilation      | Ahead-Of-Time (AOT) compilation
Cache builds up over time           | Cache is built at first boot
Boot times are faster               | Rebooting the device takes significantly longer
Apps compiled when executed         | Stores compiled apps; consumes much more internal storage space
Settings > Developer options > Select runtime
Sandbox 
Each app gets a unique Linux user ID (uid) and group ID (gid)
Gets its own dedicated process and dedicated Dalvik VM
Applications are "self-signed" with a certificate created by the developer
Apps can share data with other apps using content providers
Permissions determine which components may communicate
The app data is stored in /data/data/<app package>, accessible only by that UID and GID
(root is the exception)
/data/data 
Apps installed by user 
Apps installed by google default : play store, play music , maps 
Apps that are manufacturer specific : HTC sense, touchwiz 
Apps that are shipped with stock rom : browsers 
ROOT
Android Applications
APK Generating
An APK is a ZIP archive, signed with jarsigner and optimized with zipalign
Obtain APK 
Google Play 
Alternative markets (BlackMart, Fdroid, Aptoide) 
Apk extractor 
http://apps.evozi.com/apk-downloader
Permissions model 
Android permissions protect 
Access to sensitive APIs 
Access to content providers 
Inter- and intra-application communication 
Protection mechanism to interact with other applications 
Location (GPS), Camera, Bluetooth, Telephony, SMS/MMS, Network/data 
AndroidManifest.xml
Permissions
Be careful when installing applications
Install an application that checks permissions
Disable automatic updates and check application permissions manually each time an application is installed or updated
Permissions in apps 
Check permissions in runtime 
```java
// Check a permission at runtime through the PackageManager
PackageManager pm = context.getPackageManager();
int hasPerm = pm.checkPermission(
        android.Manifest.permission.WRITE_EXTERNAL_STORAGE,
        context.getPackageName());
if (hasPerm != PackageManager.PERMISSION_GRANTED) {
    // permission not held: do not touch external storage
}

// Same check from inside a Context (e.g. an Activity or a View)
private boolean checkWriteExternalPermission() {
    String permission = "android.permission.WRITE_EXTERNAL_STORAGE";
    int res = getContext().checkCallingOrSelfPermission(permission);
    return (res == PackageManager.PERMISSION_GRANTED);
}
```
Protection levels 
normal: default level for non-system applications; granted automatically
dangerous: higher-risk permission giving access to private data; requires user approval. Examples: SEND_SMS, ACCESS_FINE_LOCATION
signature: matching signature key; granted only to apps signed with the same certificate as the app that declared the permission
system, signatureOrSystem: same as signature, but also granted to pre-installed system apps such as Google Play Services
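The protection levels above can be read back from the PackageManager, which makes it possible to audit what an installed package asks for. The following helper is an added example, not code from the slides: it lists every permission a package requests and classifies it by protection level, so "dangerous" requests that the app may not need stand out. The class and method names are my own.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.PermissionInfo;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the slides): list the permissions an installed
// package requests and classify them by protection level.
public class PermissionAudit {

    public static final class Entry {
        public final String name;
        public final String level;   // normal, dangerous, signature, signatureOrSystem, unknown
        Entry(String name, String level) { this.name = name; this.level = level; }
    }

    // Map the PermissionInfo.protectionLevel flags onto the names used in the manifest
    static String levelName(int protectionLevel) {
        switch (protectionLevel & PermissionInfo.PROTECTION_MASK_BASE) {
            case PermissionInfo.PROTECTION_NORMAL:              return "normal";
            case PermissionInfo.PROTECTION_DANGEROUS:           return "dangerous";
            case PermissionInfo.PROTECTION_SIGNATURE:           return "signature";
            case PermissionInfo.PROTECTION_SIGNATURE_OR_SYSTEM: return "signatureOrSystem";
            default:                                            return "unknown";
        }
    }

    // Every <uses-permission> of the package, with its protection level
    public static List<Entry> audit(Context context, String packageName)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = context.getPackageManager();
        PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_PERMISSIONS);
        List<Entry> result = new ArrayList<Entry>();
        if (info.requestedPermissions == null) {
            return result;   // the package declares no <uses-permission>
        }
        for (String perm : info.requestedPermissions) {
            String level;
            try {
                PermissionInfo pi = pm.getPermissionInfo(perm, 0);
                level = levelName(pi.protectionLevel);
            } catch (PackageManager.NameNotFoundException e) {
                level = "unknown";   // permission not defined on this device
            }
            result.add(new Entry(perm, level));
        }
        return result;
    }

    // Only the dangerous ones: these are the requests the user had to approve
    public static List<String> dangerousPermissions(Context context, String packageName)
            throws PackageManager.NameNotFoundException {
        List<String> dangerous = new ArrayList<String>();
        for (Entry e : audit(context, packageName)) {
            if ("dangerous".equals(e.level)) dangerous.add(e.name);
        }
        return dangerous;
    }
}
```

Run `dangerousPermissions(context, context.getPackageName())` against your own app before release: every entry in the list should map to a feature you can name.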
Permissions in apps 
Minimize requested permissions 
Users like apps that request few permissions 
33% apps request more permissions that they need 
Get Camera Pic need android.permission.CAMERA? 
```java
ContentValues contentValues = new ContentValues();
contentValues.put(MediaStore.Images.Media.DESCRIPTION, "Image capture");
contentValues.put(MediaStore.Images.Media.TITLE, "new image");
Uri uri = getContentResolver().insert(MediaStore.Images.Media.EXTERNAL_CONTENT_URI, contentValues);
Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
intent.putExtra(MediaStore.EXTRA_OUTPUT, uri);
intent.putExtra(MediaStore.EXTRA_VIDEO_QUALITY, 1);
startActivityForResult(intent, 1);
```
Permissions in apps 
The application doesn't need the CAMERA permission to get a camera picture this way, so this line is not required in its manifest:
<uses-permission android:name="android.permission.CAMERA" />
Where is the permission? In the Google Camera application (GoogleCamera.apk), which handles the intent.
Permissions in apps 
Create custom permissions 
```xml
<permission android:name="android.permission.CUSTOM_PERMISSION"
    android:protectionLevel="normal"
    android:label="@string/custom_permission_label" />

<permission android:name="android.permission.SEND_SMS"
    android:permissionGroup="android.permission-group.COST_MONEY"
    android:protectionLevel="dangerous"
    android:label="@string/permlab_sendSms"
    android:description="@string/permdesc_sendSms" />
```
Permissions in apps 
Group permissions 
```xml
<permission-group android:name="android.permission-group.LOCATION"
    android:description="@string/permgroupdesc_location" />

<!-- Allows an application to access fine (e.g., GPS) location -->
<permission android:name="android.permission.ACCESS_FINE_LOCATION"
    android:permissionGroup="android.permission-group.LOCATION"
    android:protectionLevel="dangerous"
    android:description="@string/permdesc_accessFineLocation" />

<!-- Allows an application to access coarse (e.g., Cell-ID, WiFi) location -->
<permission android:name="android.permission.ACCESS_COARSE_LOCATION"
    android:permissionGroup="android.permission-group.LOCATION"
    android:protectionLevel="dangerous"
    android:description="@string/permdesc_accessCoarseLocation" />
```
Install in SD CARD 
```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example1"
    android:versionCode="1"
    android:versionName="1.0"
    android:installLocation="auto|preferExternal">  <!-- one of: auto, preferExternal -->
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19" />
</manifest>
```
$ adb shell
$ pm set-install-location 2
0 [auto]: Let system decide the best location
1 [internal]: Install on internal device storage
2 [external]: Install on external media
Check if Play Store is the installer 
Check if Debuggable
Check Running emulator 
Check Debugger certificate
Check signing key
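The five checks above are listed without code. The class below is an added example, not from the slides: it implements each check with the PackageManager and Build APIs available in 2014. `EXPECTED_CERT_SHA256` is a placeholder for the fingerprint of your own release certificate; the "CN=Android Debug" subject is the one visible in the jarsigner output later in the deck; the emulator heuristic is a commonly used one and, like the others, is a signal rather than proof.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (not from the slides): runtime self-checks for an app.
public class AppIntegrityChecks {

    static final String PLAY_STORE = "com.android.vending";
    // Placeholder: hex SHA-256 of your release certificate (keytool -list -v shows it)
    static final String EXPECTED_CERT_SHA256 = "<sha256-of-release-cert-hex>";

    // Check if Play Store is the installer
    public static boolean installedFromPlayStore(Context ctx) {
        String installer = ctx.getPackageManager()
                .getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE.equals(installer);
    }

    // Check if debuggable (android:debuggable="true" in the manifest)
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // Check running emulator: heuristic on build properties of the SDK images
    public static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.PRODUCT.contains("sdk");
    }

    // First signing certificate of this package, DER encoded
    static byte[] firstSignerDer(Context ctx) throws Exception {
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        Signature sig = info.signatures[0];
        return sig.toByteArray();
    }

    // Check debugger certificate: debug builds are signed with subject CN=Android Debug
    public static boolean signedWithDebugCert(Context ctx) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(firstSignerDer(ctx)));
        return cert.getSubjectX500Principal().getName().contains("CN=Android Debug");
    }

    // Check signing key: compare the certificate fingerprint with the expected one
    public static String signingCertSha256(Context ctx) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(firstSignerDer(ctx));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public static boolean signedWithExpectedCert(Context ctx) throws Exception {
        return EXPECTED_CERT_SHA256.equalsIgnoreCase(signingCertSha256(ctx));
    }
}
```

A repackaged APK cannot carry the original signature, so `signedWithExpectedCert` is the strongest of these checks; the installer, debuggable and emulator checks mainly tell you which environment the app is running in.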
Root detection 
```java
// Root check 1: try to spawn "su"; exec throws if no su binary is on PATH
private boolean isDeviceRooted() {
    try {
        Runtime.getRuntime().exec("su");
        return true;
    } catch (IOException ex) {
        return false;
    }
}

// Root check 2 (alternative shown on the slide): look for a su binary at a known path
public static boolean isSuBinaryPresent() {
    File f = new File("/system/sbin/su");
    return f.exists();
}
```
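The two snippets above each look in one place. As an added example (not from the slides), the class below generalises them: it checks the common su locations, the build signing tags, and whether su can be spawned, and destroys the spawned process so no prompt lingers. The path list is a constructed set of well-known locations; every signal can be hidden on a rooted device, so treat the result as a risk indicator rather than proof.

```java
import android.os.Build;
import java.io.File;
import java.io.IOException;

// Added example (not from the slides): combined root-detection heuristics.
public class RootDetection {

    // Common locations of the su binary on rooted devices (constructed list)
    static final String[] SU_PATHS = {
        "/system/sbin/su", "/system/bin/su", "/system/xbin/su",
        "/sbin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    // Check 1: a su binary sits in one of the usual places
    public static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    // Check 2: the firmware was signed with AOSP test keys (typical of custom ROMs)
    public static boolean builtWithTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // Check 3: "su" is on PATH and can be spawned (the slide's approach);
    // the process is destroyed at once so no root prompt stays open
    public static boolean canSpawnSu() {
        Process p = null;
        try {
            p = Runtime.getRuntime().exec("su");
            return true;
        } catch (IOException ex) {
            return false;
        } finally {
            if (p != null) p.destroy();
        }
    }

    // Any single signal is enough to flag the device
    public static boolean isDeviceRooted() {
        return hasSuBinary() || builtWithTestKeys() || canSpawnSu();
    }
}
```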
Malware
Recommendations to avoid malware
• Install applications only from known sites
• Check permissions during installation / upgrade
• Review comments from other users
• Update the operating system and applications
• Disable automatic connection to WiFi networks and avoid connecting to free WiFi
• Disable Bluetooth when not in use
Malware detection in Google play 
Bluebox Security Scanner 
SRT AppScanner 
Lookout Mobile Security 
Advanced Mobile Care 
Malwarebytes Anti-Malware 
CM Security
foresafe.com/scan 
mobilesandbox.org 
andrototal.org 
copperdroid
Signing applications 
Purpose of certificates in Android is to distinguish application authors 
Android won't allow an application to be upgraded unless the new version is signed with the same certificate as the installed one.
Android allows applications signed with the same certificate to run in the same process.
All applications must be signed with a digital certificate.
Signing applications 
Java keytool 
$ keytool -genkey -v -keystore <keystore filename> -alias <alias for key> -keyalg RSA -keysize 2048 -validity 10000
Sign the apk with the private key:
$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mykeystore testing.apk <alias_name>
Check the apk signature:
$ jarsigner -verify -certs -verbose testing.apk
```text
sm 236 Sun Feb 02 15:08:10 CET 2014 javamail.pop3.provider
X.509, CN=Android Debug, O=Android, C=US [certificate is valid from 3/04/13 18:13 to 27/03/43 17:13]
54226 Sun Feb 02 15:08:10 CET 2014 META-INF/MANIFEST.MF
54279 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.SF
1203 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.RSA
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
```
Android Studio 
zipalign: tool included in the Android SDK that aligns and optimizes the apk; run it after signing
$ zipalign -f 4 app-signed.apk final-app.apk
Build > Generate Signed APK
Eclipse/Android Studio
Content Providers 
A specialized type of complex data store in Android to standardize access and manipulation of stored data 
Browser: bookmarks, browse history 
CallLog: missed calls, call details 
Contacts: Contact details 
MediaStore: Media files
Content Providers 
Offers a structured storage mechanism that can be limited to your own application or exported to allow access by other applications.
android:exported="false" (private to the app)
android:exported="true" (reachable by other apps)
Versions >= 4.2: exported="false" by default
```xml
<provider android:name=".data.DataProvider"
    android:multiprocess="true"
    android:authorities="myapp.data.DataProvider"
    android:readPermission="myapp.permission.READ"
    android:writePermission="myapp.permission.WRITE" />
```
Data Storage 
Shared preferences 
External storage 
Requires permission android.permission.WRITE_EXTERNAL_STORAGE 
Internal storage 
Better than external since permissions not required 
Sqlite3 
File database with extension .db stored in /data/data/[package_name]/databases
Cloud Google Cloud Messaging(GCM) 
ROOT
Shared preferences 
An xml key-value pairs file stored in /data/data/com.your.package/shared_prefs/preferences.xml 
Used by an application in order to save small sets of data for the application 
Storing sensitive information in shared preferences is not recommended 
Library for securing shared preferences 
Encrypt the key-value pairs 
AES symmetric key 
https://github.com/scottyab/secure-preferences 
ROOT
Secure Shared preferences 
ROOT
Networking 
Use HttpsURLConnection for secure web traffic
HTTPS + CA certificate bundled with the app
```java
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// build key store with ca certificate
KeyStore keyStore = buildKeyStore(context, certRawResId);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
// Create a connection from url
URL url = new URL(urlString);
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
```
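The slide calls `buildKeyStore(context, certRawResId)` but never shows it. The class below is an added example, not the slides' code: one way to write that helper, assuming the CA certificate is shipped as a DER or PEM file under res/raw. The key point is that the KeyStore starts empty, so the connection trusts only the bundled CA and not the device's whole system store.

```java
import android.content.Context;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example (not from the slides): a buildKeyStore helper and a socket
// factory that trusts only the CA shipped in res/raw.
public class PinnedCa {

    // Load the bundled CA certificate into a fresh, empty KeyStore
    public static KeyStore buildKeyStore(Context context, int certRawResId) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = context.getResources().openRawResource(certRawResId);
        Certificate ca;
        try {
            ca = cf.generateCertificate(in);   // accepts DER and PEM
        } finally {
            in.close();
        }
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);             // empty: do not inherit the system trust store
        keyStore.setCertificateEntry("ca", ca);
        return keyStore;
    }

    // SSLSocketFactory whose only trust anchor is that CA
    public static SSLSocketFactory socketFactoryFor(Context context, int certRawResId)
            throws Exception {
        KeyStore keyStore = buildKeyStore(context, certRawResId);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext.getSocketFactory();
    }
}
```

Pass the result to `urlConnection.setSSLSocketFactory(...)` as on the slide. Leave the default HostnameVerifier in place: a custom trust store only restricts which CA may have issued the certificate, while hostname verification is what ties that certificate to the server you meant to reach.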
Webview
```java
// Object exposed to JavaScript; on API < 17 every public method is reachable
class WebAppInterface {
    private String sensitiveInformation;
    public String toString() { return sensitiveInformation; }
}

WebView webView = new WebView(this);
setContentView(webView);
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new WebAppInterface(), "injectedObject");
webView.loadUrl("http://website.com");
```
Vulnerability in version 4.1.2 (API 16) Jelly Bean, exploitable through cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks:
with JavaScript and Java reflection, page content can access any of the public methods of the WebAppInterface object.
Webview 
```html
<script>
function execute() {
    var sendSMS = Android.getClass.forName("android.telephony.SmsManager").
        getMethod("getDefault", null).invoke(null, null);
    sendSMS.sendTextMessage("+323232323", null, "message", null, null);
}
</script>
```
Webview best practices 
Disable JavaScript and plugin support if they are not needed.
Disable local file access; this restricts access to the app's resource and asset directories.
Prevent loading content from third-party hosts.
Load content over HTTPS.
Since 4.2 (API 17), only methods annotated with @JavascriptInterface are reachable from JavaScript; use it to limit what the page can call.
Avoid exposing protected data through the JavaScript interface.
```java
@JavascriptInterface
public void method() { doStuff(); }
```
Webview best practices 
Don't save passwords, don't save form data, clear the cache:
```java
WebSettings webSettings = webView.getSettings();
webSettings.setSavePassword(false);
webSettings.setSaveFormData(false);

@Override
public void onPageFinished(WebView view, String url) {
    super.onPageFinished(view, url);
    view.clearCache(true); // delete local files in the browser cache
}
```
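The two "Webview best practices" slides give the settings one at a time. The class below is an added example, not code from the slides, that applies them together: JavaScript off unless needed, plugins and file access off, no saved passwords or form data, cache cleared after each page, a minimal bridge object, and a WebViewClient that only lets HTTPS pages from one host load. `ALLOWED_HOST`, `SafeBridge` and `HardenedWebView` are assumed names.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example (not from the slides): one place to apply the WebView practices.
public class HardenedWebView {

    static final String ALLOWED_HOST = "example.com";   // assumed: the host the app owns

    // Expose only what the page needs; no sensitive fields, no methods returning Object
    public static class SafeBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    public static void configure(WebView webView, boolean needsJavaScript) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(needsJavaScript);        // off unless the page really needs it
        s.setPluginState(WebSettings.PluginState.OFF);  // no plugin support
        s.setAllowFileAccess(false);                    // no file:// URLs
        s.setAllowContentAccess(false);                 // no content:// URLs (API 11+)
        s.setSavePassword(false);
        s.setSaveFormData(false);
        if (needsJavaScript) {
            // Only the @JavascriptInterface methods of SafeBridge are callable on API 17+
            webView.addJavascriptInterface(new SafeBridge(), "bridge");
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // returning true tells the WebView we handled it, i.e. the load is dropped
                return !isAllowed(url);
            }
            @Override
            public void onPageFinished(WebView view, String url) {
                super.onPageFinished(view, url);
                view.clearCache(true);   // delete cached files after each page
            }
        });
    }

    // HTTPS only, and only on the allowed host (blocks third-party content)
    public static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && ALLOWED_HOST.equalsIgnoreCase(u.getHost());
    }
}
```

On devices below API 17 the annotation is not enforced and every public method of the bridge is reachable, which is why the bridge holds no data and only one harmless method.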
SQLite 
Use prepared statements (rawQuery with selection arguments, or compileStatement) to avoid SQL injection:
```java
SQLiteDatabase db = dbHelper.getWritableDatabase();
String userQuery = "SELECT lastName FROM useraccounts WHERE userID = ?";
SQLiteStatement prepStatement = db.compileStatement(userQuery);
prepStatement.bindString(1, userId);   // the value is bound, never concatenated into the SQL
String lastName = prepStatement.simpleQueryForString();
```
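To make the point concrete, the class below (an added example, not code from the slides) puts the injectable form next to the three parameterised forms Android offers. It reuses the slide's `useraccounts` table and `userID`/`lastName` columns, which are assumed to exist in the database passed in.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteStatement;

// Added example (not from the slides): string concatenation beside bound parameters.
public class UserLookup {

    // VULNERABLE: userId becomes part of the SQL text, so a value containing a
    // quote character changes the structure of the query instead of being data.
    public static Cursor lastNameUnsafe(SQLiteDatabase db, String userId) {
        return db.rawQuery(
                "SELECT lastName FROM useraccounts WHERE userID = '" + userId + "'", null);
    }

    // SAFE: rawQuery with selectionArgs; the value is bound to the ? placeholder
    public static Cursor lastNameWithArgs(SQLiteDatabase db, String userId) {
        return db.rawQuery(
                "SELECT lastName FROM useraccounts WHERE userID = ?", new String[] { userId });
    }

    // SAFE: compiled statement for a single-value result
    public static String lastNameCompiled(SQLiteDatabase db, String userId) {
        SQLiteStatement stmt =
                db.compileStatement("SELECT lastName FROM useraccounts WHERE userID = ?");
        try {
            stmt.bindString(1, userId);
            return stmt.simpleQueryForString();   // throws SQLiteDoneException if no row
        } finally {
            stmt.close();
        }
    }

    // SAFE: the query() builder also takes selectionArgs
    public static Cursor lastNameQuery(SQLiteDatabase db, String userId) {
        return db.query("useraccounts", new String[] { "lastName" },
                "userID = ?", new String[] { userId }, null, null, null);
    }
}
```

Note that table and column names cannot be bound as parameters; if those ever come from input, validate them against a fixed whitelist.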
SQLite Cipher 
https://github.com/sqlcipher/android-database-sqlcipher 
```java
import android.content.Context;
import net.sqlcipher.database.SQLiteDatabase;   // SQLCipher's class, not android.database.sqlite's

public void initDB(Context context, String password) {
    SQLiteDatabase.loadLibs(context);           // load the native SQLCipher libraries first
    // DB_NAME: path of the database file
    SQLiteDatabase database =
            SQLiteDatabase.openOrCreateDatabase(DB_NAME, password, null);
    database.execSQL("create table MyTable(a, b)");
    database.close();
}
```
Static analysis
Static analysis
LINT ECLIPSE /ANDROID STUDIO 
Scans Android project sources for potential bugs 
Comes with the SDK and detects common programming errors
Lint 
$ lint --check Security --html security_report.html <project_home> 
http://developer.android.com/tools/help/lint.html
ANDROID STUDIO
SONARQuBE 
http://www.sonarqube.org/
Encryption in phone
Supported since Android 3.0
Encrypts the entire device with AES-128
Based on the dm-crypt implementation
PBKDF2 algorithm to derive the key from the password
Takes at least 1 h to encrypt the data
Noted to reduce performance
Encryption in applications
Android Crypto API, based on javax.crypto from Java SE
Obtain a SecretKey (PBKDF2 over the password and a salt):
```java
import java.security.spec.KeySpec;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public static SecretKey generateKey(char[] password, byte[] salt)
        throws Exception {
    int iterations = 1000;
    int outputKeyLength = 256;
    SecretKeyFactory secretKeyFactory
            = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
    KeySpec keySpec = new PBEKeySpec(password, salt, iterations, outputKeyLength);
    byte[] keyBytes = secretKeyFactory.generateSecret(keySpec).getEncoded();
    return new SecretKeySpec(keyBytes, "AES");
}
```
Encryption in applications
```java
import android.util.Base64;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public static String encryptText(char[] password, String plainText)
        throws Exception {
    // Obtain the secret key from a fresh random salt
    SecureRandom secureRandom = new SecureRandom();
    int saltLength = 8;
    byte[] salt = new byte[saltLength];
    secureRandom.nextBytes(salt);
    SecretKey secretKey = generateKey(password, salt);
    // Fresh random IV for every message
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    byte[] initVector = new byte[cipher.getBlockSize()];
    secureRandom.nextBytes(initVector);
    IvParameterSpec ivParameterSpec = new IvParameterSpec(initVector);
    cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
    byte[] cipherData = cipher.doFinal(plainText.getBytes("UTF-8"));
    // Output format: ciphertext]iv]salt, each base64 without padding or line wraps
    return Base64.encodeToString(cipherData, Base64.NO_WRAP | Base64.NO_PADDING)
            + "]" + Base64.encodeToString(initVector, Base64.NO_WRAP | Base64.NO_PADDING)
            + "]" + Base64.encodeToString(salt, Base64.NO_WRAP | Base64.NO_PADDING);
}
```
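The slides show only the encrypt direction, and the earlier "Secure Shared preferences" slide says to encrypt the key-value pairs without showing how. The class below is an added example, not code from the slides, serving both passages: it keeps the slide's `ciphertext]iv]salt` layout and PBKDF2 parameters and adds the decrypt side, so a value can be round-tripped through SharedPreferences. Class and method names beyond `generateKey`/`encryptText` are my own; the 1000 iterations match the slide, not a recommendation.

```java
import android.util.Base64;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the slides): encrypt and decrypt in the slide's
// ciphertext]iv]salt format, e.g. for values kept in SharedPreferences.
public class TextCrypto {
    static final int ITERATIONS = 1000;   // same as the slide
    static final int KEY_BITS = 256;
    static final int SALT_BYTES = 8;
    static final int B64_FLAGS = Base64.NO_WRAP | Base64.NO_PADDING;

    public static SecretKey generateKey(char[] password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
    }

    public static String encryptText(char[] password, String plainText) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[SALT_BYTES];
        rng.nextBytes(salt);                              // fresh salt per value
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        byte[] iv = new byte[cipher.getBlockSize()];
        rng.nextBytes(iv);                                // fresh IV per value
        cipher.init(Cipher.ENCRYPT_MODE, generateKey(password, salt), new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plainText.getBytes("UTF-8"));
        return Base64.encodeToString(ct, B64_FLAGS) + "]"
             + Base64.encodeToString(iv, B64_FLAGS) + "]"
             + Base64.encodeToString(salt, B64_FLAGS);
    }

    // Inverse of encryptText: split the three fields, re-derive the key from the
    // stored salt, and decrypt with the stored IV
    public static String decryptText(char[] password, String blob) throws Exception {
        String[] parts = blob.split("\\]");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected ciphertext]iv]salt");
        }
        byte[] ct   = Base64.decode(parts[0], B64_FLAGS);
        byte[] iv   = Base64.decode(parts[1], B64_FLAGS);
        byte[] salt = Base64.decode(parts[2], B64_FLAGS);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, generateKey(password, salt), new IvParameterSpec(iv));
        // A wrong password or altered data usually surfaces here as BadPaddingException
        return new String(cipher.doFinal(ct), "UTF-8");
    }
}
```

CBC with PKCS5 padding gives confidentiality only: nothing in this format detects a modified ciphertext, so for data that must also be tamper-evident add a MAC over the stored string (or use an authenticated mode where available).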
Obfuscation
Renames classes, fields and methods using short names (a, b, c, ...)
Obfuscation in Android projects
ProGuard
Integrated in the SDK
http://developer.android.com/tools/help/proguard.html
Enable ProGuard in Eclipse (project.properties):
proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
Obfuscation in Android projects
Enable ProGuard in Android Studio, in build.gradle:
```groovy
android {
    buildTypes {
        release {
            runProguard true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}
```
ProGuard config
```text
-optimizationpasses 5
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontpreverify
-verbose
-optimizations !code/simplification/arithmetic,!field/*,!class/merging/*
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider
-keep public class * extends android.app.backup.BackupAgentHelper
-keep public class * extends android.preference.Preference
-keep public class com.android.vending.licensing.ILicensingService
-keepclasseswithmembernames class * { native <methods>; }
-keepclasseswithmembernames class * { public <init>(android.content.Context, android.util.AttributeSet); }
-keepclasseswithmembernames class * { public <init>(android.content.Context, android.util.AttributeSet, int); }
-keepclassmembers enum * { public static **[] values(); public static ** valueOf(java.lang.String); }
-keep class * implements android.os.Parcelable { public static final android.os.Parcelable$Creator *; }
```
Proguard tool 
http://proguard.sourceforge.net
Reverse Engineering Android Application
Rename Android app (.apk) to .zip 
Extract zip 
Run dex2jar on the extracted file 
Open the .jar in a java decompiler 
Reverse Engineering Android Application
Apk Tool 
Reverses .apk file to an android project 
$ apktool d target.apk output_directory
Apk Tool
Java vs Smali 
Reverses .apk file to an android project 
Learning smali through dalvik codes 
http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
Dex2jar 
http://code.google.com/p/dex2jar 
Converts Android’s Dalvik executables into Java jar files. 
$ unzip target.apk 
$ d2j-dex2jar.sh classes.dex -o target.jar
Dex2jar 
activity_main.xml
Java Decompiler 
 http://java.decompiler.free.fr
Dex to Java Decompiler 
https://github.com/skylot/jadx 
Decompiles directly from apk or dex
Android Application Vulnerability Scanner 
java -jar ScanAndroidApps.jar
Virtuous Ten Studio 
http://virtuous-ten-studio.com/ 
Only for windows
Virtuous Ten Studio
Virtuous Ten Studio
Apk Analyser 
https://github.com/maaaaz/androwarn 
https://github.com/sonyxperiadev/ApkAnalyser 
https://github.com/honeynet/apkinspector 
https://code.google.com/p/droidbox
Apk Analyser 
http://developer.sonymobile.com/knowledge-base/tools/analyse-your-apks-with-apkanalyser/ 
java -jar ApkAnalyser.jar
Androwarn 
python androwarn.py -i my_apk.apk -r html -v 3
DroidBox 
python apimonitor.py my_apk.apk
Dexter online 
https://dexter.bluebox.com
Dexter online
TraceDroid 
http://tracedroid.few.vu.nl 
Records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. 
Emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app.
Pentesting 
Virtual Machine with tools for Reverse Engineering 
https://redmine.honeynet.org/projects/are/wiki 
https://appsec-labs.com/AppUse 
Hacking distro dedicated to Mobile forensics and Security
https://github.com/viaforensics/android-forensics 
http://andriller.com/ 
Forensics analysis
Intent Sniffer
Sees the startup Intents of Activities
Needs android.permission.GET_TASKS to read the Intents of recent tasks:
```java
ActivityManager am = (ActivityManager) getSystemService(ACTIVITY_SERVICE);
List<ActivityManager.RecentTaskInfo> rti =
        am.getRecentTasks(1000, ActivityManager.RECENT_WITH_EXCLUDED);
for (ActivityManager.RecentTaskInfo c : rti) {
    log.append("received: " + c.baseIntent.toString() + "\n");
}
```
Books
References 
http://code.google.com/p/dex2jar/ 
https://code.google.com/p/android-apktool 
https://code.google.com/p/androguard/wiki/Installation 
http://ashishb.net/security/android-security-related-tools 
http://androidcracking.blogspot.com.es 
http://developer.android.com/guide/topics/security/permissions.html 
http://source.android.com/devices/tech/security/#android-application-security
http://siis.cse.psu.edu/android_sec_tutorial.html
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
 
Android Training in Chandigarh | Industrial Training in Android Apps Development
Android Training in Chandigarh | Industrial Training in Android Apps DevelopmentAndroid Training in Chandigarh | Industrial Training in Android Apps Development
Android Training in Chandigarh | Industrial Training in Android Apps Development
 
Get Ready for Target SDK Version 29 and 30
Get Ready for Target SDK Version 29 and 30Get Ready for Target SDK Version 29 and 30
Get Ready for Target SDK Version 29 and 30
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android tutorial for beginners-traininginbangalore.com
Android tutorial for beginners-traininginbangalore.comAndroid tutorial for beginners-traininginbangalore.com
Android tutorial for beginners-traininginbangalore.com
 
Easy steps to develop android application (tutorial)
Easy steps to develop android application (tutorial)Easy steps to develop android application (tutorial)
Easy steps to develop android application (tutorial)
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
 
Mobile SDKs: Use with Caution - Ori Lentzitzky
Mobile SDKs: Use with Caution - Ori LentzitzkyMobile SDKs: Use with Caution - Ori Lentzitzky
Mobile SDKs: Use with Caution - Ori Lentzitzky
 
Mobile App Security Testing
Mobile App Security TestingMobile App Security Testing
Mobile App Security Testing
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 

More from Jose Manuel Ortega Candel

Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdfAsegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdfJose Manuel Ortega Candel
 
PyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdfPyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdfJose Manuel Ortega Candel
 
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...Jose Manuel Ortega Candel
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Jose Manuel Ortega Candel
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfJose Manuel Ortega Candel
 
Implementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfImplementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfJose Manuel Ortega Candel
 
Seguridad en arquitecturas serverless y entornos cloud
Seguridad en arquitecturas serverless y entornos cloudSeguridad en arquitecturas serverless y entornos cloud
Seguridad en arquitecturas serverless y entornos cloudJose Manuel Ortega Candel
 
Construyendo arquitecturas zero trust sobre entornos cloud
Construyendo arquitecturas zero trust sobre entornos cloud Construyendo arquitecturas zero trust sobre entornos cloud
Construyendo arquitecturas zero trust sobre entornos cloud Jose Manuel Ortega Candel
 
Tips and tricks for data science projects with Python
Tips and tricks for data science projects with Python Tips and tricks for data science projects with Python
Tips and tricks for data science projects with Python Jose Manuel Ortega Candel
 
Sharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8sSharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8sJose Manuel Ortega Candel
 
Python para equipos de ciberseguridad(pycones)
Python para equipos de ciberseguridad(pycones)Python para equipos de ciberseguridad(pycones)
Python para equipos de ciberseguridad(pycones)Jose Manuel Ortega Candel
 
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodanShodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodanJose Manuel Ortega Candel
 
ELK para analistas de seguridad y equipos Blue Team
ELK para analistas de seguridad y equipos Blue TeamELK para analistas de seguridad y equipos Blue Team
ELK para analistas de seguridad y equipos Blue TeamJose Manuel Ortega Candel
 
Monitoring and managing Containers using Open Source tools
Monitoring and managing Containers using Open Source toolsMonitoring and managing Containers using Open Source tools
Monitoring and managing Containers using Open Source toolsJose Manuel Ortega Candel
 
Python memory managment. Deeping in Garbage collector
Python memory managment. Deeping in Garbage collectorPython memory managment. Deeping in Garbage collector
Python memory managment. Deeping in Garbage collectorJose Manuel Ortega Candel
 

More from Jose Manuel Ortega Candel (20)

Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdfAsegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
 
PyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdfPyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdf
 
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdf
 
Implementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfImplementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdf
 
Computación distribuida usando Python
Computación distribuida usando PythonComputación distribuida usando Python
Computación distribuida usando Python
 
Seguridad en arquitecturas serverless y entornos cloud
Seguridad en arquitecturas serverless y entornos cloudSeguridad en arquitecturas serverless y entornos cloud
Seguridad en arquitecturas serverless y entornos cloud
 
Construyendo arquitecturas zero trust sobre entornos cloud
Construyendo arquitecturas zero trust sobre entornos cloud Construyendo arquitecturas zero trust sobre entornos cloud
Construyendo arquitecturas zero trust sobre entornos cloud
 
Tips and tricks for data science projects with Python
Tips and tricks for data science projects with Python Tips and tricks for data science projects with Python
Tips and tricks for data science projects with Python
 
Sharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8sSharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8s
 
Implementing cert-manager in K8s
Implementing cert-manager in K8sImplementing cert-manager in K8s
Implementing cert-manager in K8s
 
Python para equipos de ciberseguridad(pycones)
Python para equipos de ciberseguridad(pycones)Python para equipos de ciberseguridad(pycones)
Python para equipos de ciberseguridad(pycones)
 
Python para equipos de ciberseguridad
Python para equipos de ciberseguridad Python para equipos de ciberseguridad
Python para equipos de ciberseguridad
 
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodanShodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
 
ELK para analistas de seguridad y equipos Blue Team
ELK para analistas de seguridad y equipos Blue TeamELK para analistas de seguridad y equipos Blue Team
ELK para analistas de seguridad y equipos Blue Team
 
Monitoring and managing Containers using Open Source tools
Monitoring and managing Containers using Open Source toolsMonitoring and managing Containers using Open Source tools
Monitoring and managing Containers using Open Source tools
 
Python Memory Management 101(Europython)
Python Memory Management 101(Europython)Python Memory Management 101(Europython)
Python Memory Management 101(Europython)
 
SecDevOps containers
SecDevOps containersSecDevOps containers
SecDevOps containers
 
Python memory managment. Deeping in Garbage collector
Python memory managment. Deeping in Garbage collectorPython memory managment. Deeping in Garbage collector
Python memory managment. Deeping in Garbage collector
 

Recently uploaded

CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceanilsa9823
 
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝soniya singh
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceanilsa9823
 
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...wyqazy
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Pooja Nehwal
 
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...Niamh verma
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7Pooja Nehwal
 

Recently uploaded (7)

CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
 
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
 
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
 
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7
 

Securing android applications

  • 3. ARCHITECTURE / DALVIK VM / SANDBOX
      ANDROID APPLICATIONS / PERMISSIONS
      UTILS EXECUTION ENVIRONMENT
      TOOLS ECLIPSE / ANDROID STUDIO
      COMPONENTS SECURITY / STATIC ANALYSIS
      ENCRYPTION / OBFUSCATION
      REVERSING APK TOOLS
      APK ANALYZERS / PENTESTING / FORENSICS
  • 5. Dalvik VM
      REGISTER-BASED VIRTUAL MACHINE
      RUNS ON A SLOW CPU WITH LITTLE RAM
      OPTIMIZED FOR MOBILE DEVICES
      DEX (Dalvik executable)
  • 6. Dalvik vs ART (4.4)
      DALVIK:
        Just-In-Time (JIT) compilation
        Cache builds up over time
        Boot times are faster
        Apps compiled when executed
      ART:
        Ahead-Of-Time (AOT) compilation
        Cache is built at first boot
        Rebooting the device takes significantly longer
        Stores compiled apps
        Consumes much more internal storage space
      Settings > Developer options > Select runtime
  • 7. Sandbox
      Each app gets a unique Linux user ID (uid) and group ID (gid)
      Gets its own dedicated process and dedicated Dalvik VM
      Applications are "self-signed" with a certificate signed by the developer
      Apps can share data with other apps using content providers
      Permissions determine the capacity for communication between components
      App data is stored in /data/data/<app process>, accessible only by that UID and GID (root is the exception)
  • 8. /data/data
      Apps installed by the user
      Apps installed by Google by default: Play Store, Play Music, Maps
      Apps that are manufacturer specific: HTC Sense, TouchWiz
      Apps that are shipped with the stock ROM: browsers
      ROOT
  • 10. APK Generating
      ZIP + jarsigner + zipalign for optimizing the apk
  • 11. Obtain APK
      Google Play
      Alternative markets (BlackMart, F-Droid, Aptoide)
      Apk extractor
      http://apps.evozi.com/apk-downloader
  • 13. Permissions model
      Android permissions protect:
      Access to sensitive APIs
      Access to content providers
      Inter- and intra-application communication
      Protection mechanism to interact with other applications
      Location (GPS), Camera, Bluetooth, Telephony, SMS/MMS, Network/data
      Declared in AndroidManifest.xml
  • 15. Permissions
      Be careful when installing applications
      Recommended: install an application that checks permissions
      Disable automatic updates and check application permissions manually each time an application wants to be installed or updated
  • 16. Permissions in apps
      Check permissions at runtime:
      PackageManager pm = context.getPackageManager();
      int hasPerm = pm.checkPermission(
              android.Manifest.permission.WRITE_EXTERNAL_STORAGE,
              context.getPackageName());
      if (hasPerm != PackageManager.PERMISSION_GRANTED) {
          // do stuff: the permission is not granted, degrade gracefully
      }

      private boolean checkWriteExternalPermission() {
          String permission = "android.permission.WRITE_EXTERNAL_STORAGE";
          int res = getContext().checkCallingOrSelfPermission(permission);
          return (res == PackageManager.PERMISSION_GRANTED);
      }
  • 17. Protection levels
      normal: default level for non-system applications; always granted, without asking the user
      dangerous: higher-risk permission for access to private data; requires user approval. Examples: SEND_SMS, ACCESS_FINE_LOCATION
      signature: matching signature key; granted only to apps signed with the same certificate as the app that declared the permission
      system, signatureOrSystem: same as signature, but also granted to pre-installed system apps such as Google Play Services
  • 18. Permissions in apps
      Minimize requested permissions
      Users like apps that request few permissions
      33% of apps request more permissions than they need
      Does taking a camera picture need android.permission.CAMERA?
      ContentValues contentValues = new ContentValues();
      contentValues.put(MediaStore.Images.Media.DESCRIPTION, "Image capture");
      contentValues.put(MediaStore.Images.Media.TITLE, "new image");
      Uri uri = getContentResolver().insert(MediaStore.Images.Media.EXTERNAL_CONTENT_URI, contentValues);
      Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
      intent.putExtra(MediaStore.EXTRA_OUTPUT, uri);
      intent.putExtra(MediaStore.EXTRA_VIDEO_QUALITY, 1);
      startActivityForResult(intent, 1);
  • 19. Permissions in apps
      The application doesn't need this permission to take a camera picture:
      <uses-permission android:name="android.permission.CAMERA" />
      Where is the permission? In the Google Camera application (GoogleCamera.apk), which handles the intent
  • 20. Permissions in apps
      Create custom permissions:
      <permission android:name="android.permission.CUSTOM_PERMISSION"
          android:protectionLevel="normal"
          android:label="@string/custom_permission_label" />
      <permission android:name="android.permission.SEND_SMS"
          android:permissionGroup="android.permission-group.COST_MONEY"
          android:protectionLevel="dangerous"
          android:label="@string/permlab_sendSms"
          android:description="@string/permdesc_sendSms" />
  • 21. Permissions in apps
      Group permissions:
      <permission-group android:name="android.permission-group.LOCATION"
          android:description="@string/permgroupdesc_location" />
      <!-- Allows an application to access fine (e.g., GPS) location -->
      <permission android:name="android.permission.ACCESS_FINE_LOCATION"
          android:permissionGroup="android.permission-group.LOCATION"
          android:protectionLevel="dangerous"
          android:description="@string/permdesc_accessFineLocation" />
      <!-- Allows an application to access coarse (e.g., Cell-ID, WiFi) location -->
      <permission android:name="android.permission.ACCESS_COARSE_LOCATION"
          android:permissionGroup="android.permission-group.LOCATION"
          android:protectionLevel="dangerous"
          android:description="@string/permdesc_accessCoarseLocation" />
  • 23. Install in SD CARD
      <manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example1"
          android:versionCode="1"
          android:versionName="1.0"
          android:installLocation="auto">
          <!-- installLocation: "auto" or "preferExternal" -->
          <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19" />
      </manifest>
      Set the default install location from adb:
      $ adb shell
      $ pm set-install-location 2
      0 [auto]: Let system decide the best location
      1 [internal]: Install on internal device storage
      2 [external]: Install on external media
  • 24. Check if Play Store is the installer
      Check if Debuggable
  • 25. Check Running emulator
      Check Debugger certificate
  • 27. Root detection
      import java.io.File;
      import java.io.IOException;

      // Try to launch the su binary: exec succeeds only when one is on the PATH
      private boolean isDeviceRooted() {
          try {
              Process p = Runtime.getRuntime().exec("su");
              p.destroy();
              return true;
          } catch (IOException ex) {
              return false;
          }
      }

      // Look for the su binary at a known location
      public static boolean isSuBinaryPresent() {
          File f = new File("/system/sbin/su");
          return f.exists();
      }
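The checks that slides 24, 25 and 27 only name, implemented together as an added example (not code from the slides): installer package, debuggable flag, attached debugger, emulator heuristics, debug signing certificate and root detection. The Play Store package name com.android.vending, the Build property values used for the emulator heuristic and the su paths beyond the slide's /system/sbin/su are this example's assumptions.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example: environment checks an app can run at start-up. None of them is
// tamper-proof on a rooted device; they raise the bar and feed a risk decision.
public final class EnvironmentChecks {

    private EnvironmentChecks() {}

    // Slide 24: was the app installed by Google Play? (assumption: the Play Store
    // package is com.android.vending; sideloaded builds usually report null)
    @SuppressWarnings("deprecation")
    public static boolean installedFromPlayStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return "com.android.vending".equals(installer);
    }

    // Slide 24: is this build debuggable? (android:debuggable="true" in the manifest)
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // Slide 25: is a debugger attached right now?
    public static boolean isDebuggerAttached() {
        return Debug.isDebuggerConnected();
    }

    // Slide 25: running on an emulator? Heuristic on Build properties; the values
    // below are what the stock SDK images report (assumption, not from the slides).
    public static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || "goldfish".equals(Build.HARDWARE);
    }

    // Slide 25: is the APK signed with the SDK debug certificate? Its subject,
    // "CN=Android Debug, O=Android, C=US", is the one slide 35's jarsigner output shows.
    @SuppressWarnings("deprecation")
    public static boolean signedWithDebugCertificate(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            for (Signature sig : info.signatures) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(
                        new ByteArrayInputStream(sig.toByteArray()));
                if (cert.getSubjectX500Principal().getName().contains("CN=Android Debug")) {
                    return true;
                }
            }
        } catch (Exception e) {
            return true; // an unreadable signature is treated as suspicious
        }
        return false;
    }

    // Slide 27 generalised: the slide checks /system/sbin/su; the other locations and
    // the test-keys build tag are added here (assumption: common on rooted images).
    private static final String[] SU_PATHS = {
        "/system/sbin/su", "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
    };

    public static boolean isDeviceRooted() {
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) {
            return true;
        }
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    // Aggregate: true when the app should treat its environment as untrusted.
    public static boolean environmentLooksTampered(Context ctx) {
        return !installedFromPlayStore(ctx) || isDebuggable(ctx) || isDebuggerAttached()
                || isEmulator() || signedWithDebugCertificate(ctx) || isDeviceRooted();
    }
}
```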
  • 29. Malware
      Recommendations to avoid malware:
      • Install applications only from known sites
      • Check permissions during installation / upgrade
      • Review comments from users
      • Update the operating system and applications
      • Disable automatic connection to WiFi networks and avoid connecting to free WiFi
      • Disable Bluetooth when not in use
  • 30. Malware detection in Google Play
      Bluebox Security Scanner
      SRT AppScanner
      Lookout Mobile Security
      Advanced Mobile Care
      Malwarebytes Anti-Malware
      CM Security
  • 33. Signing applications
      The purpose of certificates in Android is to distinguish application authors
      Android won't allow an application to be upgraded unless the update is signed with the same certificate, i.e. the same key
      Android allows applications that are signed with the same certificate to run in the same process
      All applications must be signed with a digital certificate
  • 34. Signing applications
      Java keytool:
      $ keytool -genkey -v -keystore <keystore filename> -alias <alias for key> -keyalg RSA -keysize 2048 -validity 10000
  • 35. Signing applications
      Sign the apk with the private key:
      $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mykeystore testing.apk <alias_name>
      Check the apk signature:
      $ jarsigner -verify -certs -verbose testing.apk
      sm 236 Sun Feb 02 15:08:10 CET 2014 javamail.pop3.provider
      X.509, CN=Android Debug, O=Android, C=US
      [certificate is valid from 3/04/13 18:13 to 27/03/43 17:13]
      54226 Sun Feb 02 15:08:10 CET 2014 META-INF/MANIFEST.MF
      54279 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.SF
      1203 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.RSA
      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      i = at least one certificate was found in identity scope
      jar verified.
  • 36. Android Studio
      zipalign: tool included in the Android SDK for apk compression and optimizing
      $ zipalign -f 4 app-signed.apk final-app.apk
      Build > Generate Signed APK
  • 40. Content Providers
      A specialized type of complex data store in Android that standardizes access to and manipulation of stored data
      Browser: bookmarks, browse history
      CallLog: missed calls, call details
      Contacts: contact details
      MediaStore: media files
  • 41. Content Providers
      Offers a structured storage mechanism that can be limited to your own application or exported to allow access by other applications.
      android:exported="false"
      android:exported="true"
      In versions >= 4.2, exported="false" is the default
      <provider android:name=".data.DataProvider"
          android:multiprocess="true"
          android:authorities="myapp.data.DataProvider"
          android:readPermission="myapp.permission.READ"
          android:writePermission="myapp.permission.WRITE" />
  • 42. Data Storage
      Shared preferences
      External storage: requires the permission android.permission.WRITE_EXTERNAL_STORAGE
      Internal storage: better than external, since no permission is required
      SQLite3: file database with extension *.db, stored in /data/data/[package_name]/databases
      Cloud: Google Cloud Messaging (GCM)
      ROOT
  • 43. Shared preferences
      An XML key-value pairs file stored in /data/data/com.your.package/shared_prefs/preferences.xml
      Used by an application to save small sets of data
      Storing sensitive information in shared preferences is not recommended
      Library for securing shared preferences: encrypts the key-value pairs with an AES symmetric key
      https://github.com/scottyab/secure-preferences
      ROOT
  • 45. Networking
      Use HttpsURLConnection for secure web traffic: HTTPS + CA certificate
      import java.net.URL;
      import java.security.KeyStore;
      import javax.net.ssl.HttpsURLConnection;
      import javax.net.ssl.SSLContext;
      import javax.net.ssl.TrustManagerFactory;

      // build a key store with the CA certificate (buildKeyStore: helper that loads the
      // certificate from the raw resource certRawResId; its body is not shown on the slide)
      KeyStore keyStore = buildKeyStore(context, certRawResId);
      // Create a TrustManager that trusts the CAs in our KeyStore
      String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
      TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
      tmf.init(keyStore);
      // Create an SSLContext that uses our TrustManager
      SSLContext sslContext = SSLContext.getInstance("TLS");
      sslContext.init(null, tmf.getTrustManagers(), null);
      // Create a connection from the url
      URL url = new URL(urlString);
      HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
      urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
  • 46. Webview
      class WebAppInterface {
          private String sensitiveInformation;
          public String toString() {
              return sensitiveInformation;
          }
      }
      WebView webView = new WebView(this);
      setContentView(webView);
      webView.getSettings().setJavaScriptEnabled(true);
      webView.addJavascriptInterface(new WebAppInterface(), "injectedObject");
      webView.loadUrl("http://website.com");
      Vulnerability in version 4.1.2 (API 16) Jelly Bean: cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
      With JavaScript and Java reflection, a page loaded in the WebView can access any of the public methods of the WebAppInterface.
  • 47. Webview
      <script>
      function execute(){
          var sendSMS=Android.getClass.forName("android.telephony. SmsManager").
              getMethod("getDefault",null).invoke(null,null);
          sendSMS.sendTextMessage("+323232323",null,"message", null,null);
      }
      </script>
  • 48. Webview best practices
      Disable JavaScript and plugin support if they are not needed.
      Disable local file access. Restrict access to the app's resource and asset directory.
      Prevent loading content from 3rd-party hosts.
      Activate SSL in the activity, using HTTPS.
      From 4.2 (API 17), the @JavascriptInterface method annotation limits which methods are accessible from JavaScript.
      Avoid exposing protected data in the JavaScript interface.
      @JavascriptInterface
      public void method() {
          dostuff();
      }
  • 49. Webview best practices
      Do not save passwords
      Do not save form data
      Clear the cache
      webSettings.setSavePassword(false);
      webSettings.setSaveFormData(false);
      @Override
      public void onPageFinished(WebView view, String url) {
          super.onPageFinished(view, url);
          view.clearCache(true); // delete local files in the browser
      }
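A WebView configured according to slides 48 and 49, as an added example that is not from the original slides: JavaScript off unless needed, no file or plugin access, the bridge installed only where @JavascriptInterface is enforced, and navigation restricted to one https host. The class name, allowedHost and WebAppInterface.appVersion are assumptions.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example: a WebView hardened along the lines of slides 48 and 49.
public final class HardenedWebView {

    private HardenedWebView() {}

    // Only annotated methods are reachable from JavaScript (API 17+). The private field
    // mirrors the slide's sensitiveInformation and is never exposed (hypothetical value).
    public static class WebAppInterface {
        private final String sensitiveInformation = "example-secret";

        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static WebView create(Activity activity, final String allowedHost, boolean needsJs) {
        WebView webView = new WebView(activity);
        WebSettings s = webView.getSettings();

        s.setJavaScriptEnabled(needsJs);               // off unless the page really needs it
        s.setPluginState(WebSettings.PluginState.OFF);  // no plugins
        s.setAllowFileAccess(false);                    // no file:// loads
        s.setAllowContentAccess(false);                 // no content:// loads
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        s.setSavePassword(false);                       // slide 49
        s.setSaveFormData(false);

        if (needsJs && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Below API 17 every public method of the bridge is reachable through
            // reflection (slide 47), so the bridge is simply not installed there.
            webView.addJavascriptInterface(new WebAppInterface(), "injectedObject");
        }

        webView.setWebViewClient(new WebViewClient() {
            // Called for navigations triggered by the page (not for the initial loadUrl):
            // allow https on the expected host only, block everything else. The default
            // onReceivedSslError already cancels loads with certificate errors.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri u = Uri.parse(url);
                boolean allowed = "https".equals(u.getScheme()) && allowedHost.equals(u.getHost());
                return !allowed; // true = consumed (blocked), false = let the WebView load it
            }

            @Override
            public void onPageFinished(WebView view, String url) {
                super.onPageFinished(view, url);
                view.clearCache(true); // slide 49: keep no local copies
            }
        });
        return webView;
    }

    // Entry point: the first URL is checked with the same rule as later navigations.
    public static void load(WebView webView, String allowedHost, String url) {
        Uri u = Uri.parse(url);
        if (!"https".equals(u.getScheme()) || !allowedHost.equals(u.getHost())) {
            throw new IllegalArgumentException("refusing to load " + url);
        }
        webView.loadUrl(url);
    }
}
```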
  • 50. SQLite
      Prepared statements to avoid SQL injection: rawQuery with selection arguments, compileStatement
      SQLiteDatabase db = dbHelper.getWritableDatabase();
      String userQuery = "SELECT lastName FROM useraccounts WHERE userID = ?";
      SQLiteStatement prepStatement = db.compileStatement(userQuery);
      prepStatement.bindString(1, userId); // the value is bound, never concatenated into the SQL text
      String lastName = prepStatement.simpleQueryForString();
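The injection that the slide's prepared statement avoids, shown beside the safe forms as an added example (not the slides' code): the table and column names are the slide's, the class and method names are assumptions.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Added example: the same lookup written unsafely and safely.
public final class UserDao {

    private UserDao() {}

    // VULNERABLE (for contrast only): the caller-controlled value is pasted into the SQL
    // text. An input such as  x' OR '1'='1  rewrites the WHERE clause and returns every row.
    public static Cursor findLastNameUnsafe(SQLiteDatabase db, String userId) {
        String sql = "SELECT lastName FROM useraccounts WHERE userID = '" + userId + "'";
        return db.rawQuery(sql, null);
    }

    // SAFE: the value travels as a bound parameter, so the same input is compared
    // literally against userID and simply matches nothing.
    public static Cursor findLastNameSafe(SQLiteDatabase db, String userId) {
        String sql = "SELECT lastName FROM useraccounts WHERE userID = ?";
        return db.rawQuery(sql, new String[] { userId });
    }

    // SAFE, with the query() builder. Table and column names cannot be bound, so they
    // must come from the code, never from the caller.
    public static Cursor findLastNameWithQuery(SQLiteDatabase db, String userId) {
        return db.query("useraccounts", new String[] { "lastName" },
                "userID = ?", new String[] { userId }, null, null, null);
    }

    // Writes follow the same rule: execSQL with bindArgs instead of string concatenation.
    public static void renameUser(SQLiteDatabase db, String userId, String newLastName) {
        db.execSQL("UPDATE useraccounts SET lastName = ? WHERE userID = ?",
                new Object[] { newLastName, userId });
    }
}
```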
  • 51. SQLite Cipher
      https://github.com/sqlcipher/android-database-sqlcipher
      import net.sqlcipher.database.SQLiteDatabase; // not android.database.sqlite: the two SQLiteDatabase classes would clash

      public void initDB(Context context, String password) {
          SQLiteDatabase.loadLibs(context); // load the SQLCipher native libraries before any database call
          // DB_NAME: path of the database file, defined elsewhere in the app
          SQLiteDatabase database = SQLiteDatabase.openOrCreateDatabase(DB_NAME, password, null);
          database.execSQL("create table MyTable(a, b)");
      }
  • 54. LINT
      ECLIPSE / ANDROID STUDIO
      Scans Android project sources for potential bugs
      Comes with the SDK and detects common programming errors
  • 55. Lint
      $ lint --check Security --html security_report.html <project_home>
      http://developer.android.com/tools/help/lint.html
  • 60. Encryption in phone
      Supported since Android 3.0
      Encrypts the entire device with AES 128
      Based on the dm-crypt implementation
      PBKDF2 algorithm for the password
      Takes at least 1 h for the encryption of data
      Leads to reduced performance
  • 61. Encryption in applications
      Android Crypto API, based on javax.crypto from Java SE
      Obtain the secret key:
      import java.security.spec.KeySpec;
      import javax.crypto.SecretKey;
      import javax.crypto.SecretKeyFactory;
      import javax.crypto.spec.PBEKeySpec;
      import javax.crypto.spec.SecretKeySpec;

      public static SecretKey generateKey(char[] password, byte[] salt) throws Exception {
          int iterations = 1000;
          int outputKeyLength = 256;
          SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
          KeySpec keySpec = new PBEKeySpec(password, salt, iterations, outputKeyLength);
          byte[] keyBytes = secretKeyFactory.generateSecret(keySpec).getEncoded();
          return new SecretKeySpec(keyBytes, "AES");
      }
  • 62. Encryption in applications
      import android.util.Base64;
      import java.security.SecureRandom;
      import javax.crypto.Cipher;
      import javax.crypto.spec.IvParameterSpec;

      public static String encryptText(char[] password, String plainText) throws Exception {
          // Obtain the secret key from the password and a fresh random salt
          SecureRandom secureRandom = new SecureRandom();
          int saltLength = 8;
          byte[] salt = new byte[saltLength];
          secureRandom.nextBytes(salt);
          SecretKey secretKey = generateKey(password, salt);
          Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
          // Fresh random IV, one block long
          byte[] initVector = new byte[cipher.getBlockSize()];
          secureRandom.nextBytes(initVector);
          IvParameterSpec ivParameterSpec = new IvParameterSpec(initVector);
          cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
          byte[] cipherData = cipher.doFinal(plainText.getBytes("UTF-8"));
          // Output: ciphertext ] iv ] salt, each base64 without wrapping or padding
          return Base64.encodeToString(cipherData, Base64.NO_WRAP | Base64.NO_PADDING) + "]"
                  + Base64.encodeToString(initVector, Base64.NO_WRAP | Base64.NO_PADDING) + "]"
                  + Base64.encodeToString(salt, Base64.NO_WRAP | Base64.NO_PADDING);
      }
  • 64. Obfuscation
    Renames classes, fields and methods using short names (a, b, c, ...)
  • 65. Obfuscation in Android projects
    ProGuard: integrated in the SDK, http://developer.android.com/tools/help/proguard.html
    Enable ProGuard in Eclipse (project.properties):
      proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
  • 66. Obfuscation in Android projects
    Enable ProGuard in Android Studio, in build.gradle:
      android {
          buildTypes {
              release {
                  runProguard true
                  // more than one file: proguardFiles, not proguardFile
                  proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
              }
          }
      }
  • 67. Proguard.config
    The -keep rules preserve the names of classes the framework instantiates by name (manifest components, views inflated from XML, Parcelable creators, enums); everything else is renamed:
      -optimizationpasses 5
      -dontusemixedcaseclassnames
      -dontskipnonpubliclibraryclasses
      -dontpreverify
      -verbose
      -optimizations !code/simplification/arithmetic,!field/*,!class/merging/*
      -keep public class * extends android.app.Activity
      -keep public class * extends android.app.Application
      -keep public class * extends android.app.Service
      -keep public class * extends android.content.BroadcastReceiver
      -keep public class * extends android.content.ContentProvider
      -keep public class * extends android.app.backup.BackupAgentHelper
      -keep public class * extends android.preference.Preference
      -keep public class com.android.vending.licensing.ILicensingService
      -keepclasseswithmembernames class * {
          native <methods>;
      }
      -keepclasseswithmembernames class * {
          public <init>(android.content.Context, android.util.AttributeSet);
      }
      -keepclasseswithmembernames class * {
          public <init>(android.content.Context, android.util.AttributeSet, int);
      }
      -keepclassmembers enum * {
          public static **[] values();
          public static ** valueOf(java.lang.String);
      }
      -keep class * implements android.os.Parcelable {
          public static final android.os.Parcelable$Creator *;
      }
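When ProGuard renames classes and methods it writes a mapping.txt relating original names to obfuscated ones; a crash report from an obfuscated build reads as "com.example.app.a.a" until it is translated with that file (the SDK ships a retrace tool for this). As an added example, not part of the slides or of ProGuard itself, a minimal Java reader for the mapping.txt format that de-obfuscates class and method names in stack-trace frames; the mapping snippet, package names and stack trace are all constructed for the example:

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MappingDeobfuscator {
    // Constructed mapping.txt excerpt in ProGuard's format:
    //   original.Class -> obfuscated.Class:
    //       [startLine:endLine:]returnType method(args) -> obfuscatedMethod
    static final String MAPPING =
        "com.example.app.LoginActivity -> com.example.app.a:\n" +
        "    java.lang.String password -> a\n" +
        "    120:135:void onCreate(android.os.Bundle) -> onCreate\n" +
        "    140:152:boolean checkPassword(java.lang.String) -> a\n" +
        "com.example.app.crypto.KeyHelper -> com.example.app.b.a:\n" +
        "    45:60:javax.crypto.SecretKey generateKey(char[],byte[]) -> a\n";

    private static final Pattern CLASS_LINE  = Pattern.compile("^(\\S+) -> (\\S+):$");
    // Fields have no parameter list, so this pattern matches methods only
    private static final Pattern METHOD_LINE = Pattern.compile("^\\s+(?:\\d+:\\d+:)?\\S+ (\\S+)\\(.*\\) -> (\\S+)$");
    private static final Pattern FRAME       = Pattern.compile("^(\\s*at )(\\S+)\\.([^.(]+)(\\(.*\\))$");

    private final Map<String, String> classes = new HashMap<>();        // obfuscated class -> original
    private final Map<String, List<String>> methods = new HashMap<>();  // "obfClass.obfMethod" -> originals

    public MappingDeobfuscator(String mapping) {
        String currentObfClass = null;
        for (String line : mapping.split("\n")) {
            Matcher c = CLASS_LINE.matcher(line);
            if (c.matches()) {
                classes.put(c.group(2), c.group(1));
                currentObfClass = c.group(2);
                continue;
            }
            Matcher m = METHOD_LINE.matcher(line);
            if (m.matches() && currentObfClass != null) {
                // Several methods of one class may share an obfuscated name; keep all candidates
                methods.computeIfAbsent(currentObfClass + "." + m.group(2), k -> new ArrayList<>())
                       .add(m.group(1));
            }
        }
    }

    public String className(String obf) {
        return classes.getOrDefault(obf, obf);
    }

    // Ambiguous names are reported as "candidateA|candidateB", as retrace does
    public String methodName(String obfClass, String obfMethod) {
        List<String> originals = methods.get(obfClass + "." + obfMethod);
        return originals == null ? obfMethod : String.join("|", originals);
    }

    // "at com.example.app.a.a(Unknown Source)" -> "at com.example.app.LoginActivity.checkPassword(Unknown Source)"
    public String deobfuscateFrame(String frame) {
        Matcher f = FRAME.matcher(frame);
        if (!f.matches()) {
            return frame; // exception message lines and anything else pass through unchanged
        }
        return f.group(1) + className(f.group(2)) + "." + methodName(f.group(2), f.group(3)) + f.group(4);
    }

    public static void main(String[] args) {
        MappingDeobfuscator d = new MappingDeobfuscator(MAPPING);
        String[] obfuscatedTrace = {                       // constructed crash report
            "java.lang.IllegalStateException: bad key",
            "\tat com.example.app.b.a.a(Unknown Source)",
            "\tat com.example.app.a.a(Unknown Source)",
            "\tat com.example.app.a.onCreate(Unknown Source)",
        };
        for (String frame : obfuscatedTrace) {
            System.out.println(d.deobfuscateFrame(frame));
        }
    }
}
```

The example also shows why mapping.txt must be archived per release build and kept out of the APK: it is the only way to read field crash reports, and anyone who obtains it gets the original names back as easily as this program does.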
  • 72. Reverse Engineering Android Application
    Rename the Android app (.apk) to .zip
    Extract the zip
    Run dex2jar on the extracted classes.dex
    Open the .jar in a Java decompiler
  • 73. Apk Tool
    Reverses an .apk file to an Android project (resources and smali):
      $ apktool d target.apk output_directory
  • 75. Java vs Smali
    Learning smali through the Dalvik opcodes: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
  • 76. Dex2jar
    http://code.google.com/p/dex2jar
    Converts Android's Dalvik executables into Java jar files:
      $ unzip target.apk
      $ d2j-dex2jar.sh classes.dex -o target.jar
  • 78. Java Decompiler
    http://java.decompiler.free.fr
  • 79. Dex to Java Decompiler
    https://github.com/skylot/jadx
    Decompiles directly from apk or dex
  • 81. Android Application Vulnerability Scanner
      java -jar ScanAndroidApps.jar
  • 82. Virtuous Ten Studio
    http://virtuous-ten-studio.com/
    Only for Windows
  • 85. Apk Analyser
    https://github.com/maaaaz/androwarn
    https://github.com/sonyxperiadev/ApkAnalyser
    https://github.com/honeynet/apkinspector
    https://code.google.com/p/droidbox
  • 87. Androwarn
      python androwarn.py -i my_apk.apk -r html -v 3
  • 93. TraceDroid
    http://tracedroid.few.vu.nl
    Records the behavior of the executed app: its network communication and UI, but also its internal function calls and the Java code that is executed.
    Emulates a few actions, such as user interaction, incoming calls and SMS messages, which reveals most malicious intents of an app.
  • 94. Pentesting
    Virtual machine with tools for reverse engineering: https://redmine.honeynet.org/projects/are/wiki
    AppUse, hacking distro dedicated to mobile forensics and security: https://appsec-labs.com/AppUse
  • 96. Intent Sniffer
    Sees the Activities' startup Intents
    android.permission.GET_TASKS: recent tasks' Intents
      import android.app.ActivityManager;
      import android.app.ActivityManager.RecentTaskInfo;
      import java.util.List;

      // Inside an Activity; requires android.permission.GET_TASKS in the manifest
      ActivityManager am = (ActivityManager) getSystemService(ACTIVITY_SERVICE);
      List<RecentTaskInfo> rti = am.getRecentTasks(1000, ActivityManager.RECENT_WITH_EXCLUDED);
      for (RecentTaskInfo c : rti) {
          // baseIntent is the Intent that launched each task; log is a TextView showing the output
          log.append("received: " + c.baseIntent.toString() + "\n");
      }
  • 98. Books
  • 99. References
    http://code.google.com/p/dex2jar/
    https://code.google.com/p/android-apktool
    https://code.google.com/p/androguard/wiki/Installation
    http://ashishb.net/security/android-security-related-tools
    http://androidcracking.blogspot.com.es
    http://developer.android.com/guide/topics/security/permissions.html
    http://source.android.com/devices/tech/security/#android-application-security
    http://siis.cse.psu.edu/android_sec_tutorial.html