Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Merab Tato Kutalia
May 15, 2019
Technology
1
34

Android Security Tips

Android Security Tips

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
140
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.8k
Make Codebases Secure with OWASP
tatocaster
0
180
Secure Coding Standards
tatocaster
0
130
ტანგო ანდროიდთან
tatocaster
0
200
Adopting Huawei Mobile Services
tatocaster
0
52
Android UI Testing & Challenges
tatocaster
1
73
Reverse & Inject - droidcon
tatocaster
3
270
mobile DevOps
tatocaster
1
98

Other Decks in Technology

See All in Technology
管理者しか知らないOutlookの裏側のAIを覗く#AzureTravelers
hirotomotaguchi
2
440
Developers Summit 2025 浅野卓也(13-B-7 LegalOn Technologies)
legalontechnologies
PRO
0
740
ユーザーストーリーマッピングから始めるアジャイルチームと並走するQA / Starting QA with User Story Mapping
katawara
0
210
抽象化をするということ - 具体と抽象の往復を身につける / Abstraction and concretization
soudai
19
8.1k
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
6
57k
エンジニアの育成を支える爆速フィードバック文化
sansantech
PRO
3
1.1k
関東Kaggler会LT: 人狼コンペとLLM量子化について
nejumi
3
600
開発組織のための セキュアコーディング研修の始め方
flatt_security
3
2.4k
ハッキングの世界に迫る~攻撃者の思考で考えるセキュリティ~
nomizone
13
5.2k
Helm , Kustomize に代わる !? 次世代 k8s パッケージマネージャー Glasskube 入門 / glasskube-entry
parupappa2929
0
250
技術的負債解消の取り組みと専門チームのお話 #技術的負債_Findy
bengo4com
1
1.3k
Tech Blogを書きやすい環境づくり
lycorptech_jp
PRO
1
240

Featured

See All Featured
Fireside Chat
paigeccino
34
3.2k
GraphQLとの向き合い方2022年版
quramy
44
13k
The World Runs on Bad Software
bkeepers
PRO
67
11k
Agile that works and the tools we love
rasmusluckow
328
21k
A Tale of Four Properties
chriscoyier
158
23k
Optimizing for Happiness
mojombo
376
70k
Scaling GitHub
holman
459
140k
Automating Front-end Workflow
addyosmani
1368
200k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.6k
A Modern Web Designer's Workflow
chriscoyier
693
190k
How to train your dragon (web standard)
notwaldorf
91
5.8k
What's in a price? How to price your products and services
michaelherold
244
12k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you