Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Seguridad en las aplicaciones Android

Alvaro
April 26, 2016
Technology
0
95

Seguridad en las aplicaciones Android

Alvaro

April 26, 2016
Tweet

More Decks by Alvaro

See All by Alvaro
.NET Serialization: Detecting and defending vulnerable endpoints
pwntester
0
4.7k
JVM Deserialization Attacks: Separating the Truth from the Hype
pwntester
0
690
Attacking .NET Serialization
pwntester
6
31k
Friday the 13th: JSON Attacks
pwntester
0
8.1k
Friday the 13th: JSON Attacks
pwntester
0
310
Friday the 13th: JSON Attacks
pwntester
0
170
Surviving the Java Deserialization Apocalypse
pwntester
0
6.4k
A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land
pwntester
0
630
Serial Killer: Silently Pwning Your Java Endpoints
pwntester
0
1.2k

Other Decks in Technology

See All in Technology
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
120
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
540
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
200
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
230
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
180
Application Development WG Intro at AppDeveloperCon
salaboy
0
190
Taming you application's environments
salaboy
0
190
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950

Featured

See All Featured
The Cult of Friendly URLs
andyhume
78
6k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
A better future with KSS
kneath
238
17k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Building Applications with DynamoDB
mza
90
6.1k
Being A Developer After 40
akosma
87
590k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Designing for Performance
lara
604
68k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Navigating Team Friction
lara
183
14k
How to Ace a Technical Interview
jacobian
276
23k

Transcript

  1. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Los smartphones nos han invadido, ¿y ahora qué? Seguridad en las aplicaciones Android Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products

  2. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 2 Familiar Model

  3. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 3 Can’t We All Get Along? Your app  Formal communication - Inter-application - Intra-application - With the OS  A new trust boundary

  4. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 4 Android Talk OS App 2 App 1 App 3 Service 2 Service 1 Service Content Provider Broadcast Receiver Activity

  5. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 5 Google Android Vulnerabilities 1 Intent Hijacking 2 Intent Spoofing 3 Sticky Broadcast Tampering 4 Insecure Storage 5 Insecure Network Communication 6 SQL Injection 7 Promiscuous Privileges

  6. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 6 Description: Malicious app intercepts an intent bound for another app to compromise data or alter behavior Cause: Implicit intents (do not require strong permissions to receive) Fix: Explicit intents and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  7. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 7 Google Android Vulnerabilities Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  8. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 8 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  9. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 9 Google Android Vulnerabilities Handles Actions: willUpdateShowtimes, showtimesNoLocationError Eavesdropping App Malicious Receiver Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  10. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 10 Description: Malicious app spoofs a legitimate intent to inject data or alter behavior Cause: Public components (necessary to receive implicit intents) Fix: Explicit intents and receiver permissions Sensitive operations in private components Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  11. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 11 Google Android Vulnerabilities Malicious Component Action: showtimesNoLocationError Spoofing App Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  12. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 12 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  13. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 13 Description: Persistent intents can be accessed and removed by malicious apps Cause: BROADCAST_STICKY allows to full access to any sticky broadcasts Fix: Explicit, non-sticky broadcasts and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  14. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 14 Google Android Vulnerabilities Requests BROADCAST_STICKY Permission Sticky Broadcasts (intents) Malicious App Victim App SB2 ? Receiver (expects SB2) SB1 SB3 Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  15. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 15 Empirical Results: DEFCON ‘11 Vulnerability Type % of Apps 1. Intent Hijacking 50% 2. Intent Spoofing 40% 3. Sticky Broadcast Tampering 6% 4. Insecure Storage 28% 5. Insecure Communication N/A 6. SQL Injection 17% 7. Promiscuous Privileges 31%

  16. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 16 Bonus: OWASP iGoat iGoat 1.0 documents 5 vulnerabilities We find 15+ iGoat 1.2 documents 7 vulnerabilities We find 20+

  17. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Gracias Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products