The talk aims to give an overview of the tools we have to increase the security of applications before publishing them on the market or distributing the APK. Possible talking points:
- Static and dynamic analysis of application code to detect potential vulnerabilities
- Secure development of Android components
- The new permissions model from version 6, where the user can allow or deny permissions at runtime
- Libraries that allow encrypting data, for example SQLCipher to encrypt a SQLite database, or SecurePreferences to encrypt XML preferences files
18. QARK
▪ Identifies permissions and exported components (activities, services, ...) in the manifest
▪ Looks for WORLD_READABLE and WORLD_WRITABLE files
▪ Looks for X.509 certificate validation issues
28. BURP SUITE
▪ Intercepts network traffic
▪ HTTP proxy tool
▪ Intercepts application-layer traffic and allows the user to manipulate the HTTP request and response
40. LOG INFORMATION
import android.util.Log;

// Logging wrapper: output is emitted only in debug builds, so release APKs write nothing to logcat.
// BuildConfig is the class generated for the app's own package.
public final class L {
    public static final boolean SHOW_LOG = BuildConfig.DEBUG;

    public static void d(final String tag, final String msg) {
        if (SHOW_LOG) {
            Log.d(tag, msg);
        }
    }
}
43. SECURITY IN CONTENT PROVIDERS
▪ Components that provide a standardized interface for sharing data between applications
▪ URI addressing scheme
▪ Can perform queries equivalent to SELECT, UPDATE, INSERT, DELETE
44. SQLCIPHER
▪ SQLCipher is an SQLite extension that provides transparent AES encryption of database files
▪ Encrypts the SQLite database with 256-bit AES
▪ http://sqlcipher.net/sqlcipher-for-android
55. ENCRYPT NETWORK REQUESTS
▪ Best practice is to always encrypt network communications
▪ HTTPS and SSL/TLS can protect against MitM attacks and prevent casual traffic sniffing
▪ Server certificate validity is checked by default
58. RUNTIME PERMISSIONS
▪ Before Android 6: all permissions granted at install time
▪ From Android 6: dangerous permissions require user confirmation
▪ Prompt for dangerous permissions at runtime
▪ Granted/revoked by permission group
▪ Managed per app, per user
▪ /data/system/users/0/runtime-permissions.xml
63. OBFUSCATION
▪ The obfuscator can use several techniques to protect a Java/Android application:
  ▪ change names of classes, methods, fields
  ▪ modify the control flow
  ▪ code optimization
  ▪ dynamic code loading
  ▪ change instructions with metamorphic techniques
64. PROGUARD
▪ Shrinker: detects and removes unused classes, fields, methods, and attributes
▪ Optimizer: optimizes bytecode and removes unused instructions
▪ Obfuscator: renames classes, fields, and methods using short, meaningless names
76. BEST PRACTICES
▪ Don't hardcode sensitive information
▪ Don't store sensitive information
▪ Don't store data in easily readable locations such as the memory card (external storage)
▪ Encrypt the stored data
▪ Implement SSL/TLS
77. BEST PRACTICES
▪ Protect the web server against application-layer attacks
▪ Prefer encryption over encoding or obfuscation
▪ Sanitize inputs and use prepared statements (protection against SQL injection)