Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
1
40

Android Security Tips

Android Security Tips
Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
160
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.8k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
190
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
140
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
240
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
55
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
96
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
290
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
120

Other Decks in Technology

See All in Technology
対話型音声AIアプリケーションの信頼性向上の取り組み
Avatar for 株式会社IVRy(社員登壇資料) ivry_presentationmaterials
3
1.1k
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
Avatar for Sansan, Inc. sansan33
PRO
0
2.7k
Amplify Gen2から知るAWS CDK Toolkit Libraryの使い方/How to use the AWS CDK Toolkit Library as known from Amplify Gen2
Avatar for MURAKAMI Masahiko fossamagna
1
350
データ戦略部門 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
3.3k
ClaudeCode_vs_GeminiCLI_Terraformで比較してみた
Avatar for t-kikuchi tkikuchi
1
1.8k
研究開発部メンバーの働き⽅ / Sansan R&D Profile
Avatar for Sansan, Inc. sansan33
PRO
3
18k
ビジネス職が分析も担う事業部制組織でのデータ活用の仕組みづくり / Enabling Data Analytics in Business-Led Divisional Organizations
Avatar for Hiroka Zaitsu zaimy
1
400
AWS Well-Architected から考えるオブザーバビリティの勘所 / Considering the Essentials of Observability from AWS Well-Architected
Avatar for SMS tech sms_tech
1
140
How to Quickly Call American Airlines®️ U.S. Customer Care : Full Guide
Avatar for goldfinch3710 flyaahelpguide
0
240
Deep Security Conference 2025:生成AI時代のセキュリティ監視 /dsc2025-genai-secmon
Avatar for Masayoshi Mizutani mizutani
4
3k
Delegating the chores of authenticating users to Keycloak
Avatar for Alexander Schwartz ahus1
0
190
cdk initで生成されるあのファイル達は何なのか/cdk-init-generated-files
Avatar for tomoki10 tomoki10
1
670

Featured

See All Featured
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
273
40k
Visualization
Avatar for Eitan Lees eitanlees
146
16k
A better future with KSS
Avatar for Kyle Neath kneath
238
17k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
282
13k
Navigating Team Friction
Avatar for Lara Hogan lara
187
15k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
271
27k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.6k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.3k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
1.9k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
328
39k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you