$30 off During Our Annual Pro Sale. View Details »

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
1
45

Android Security Tips

Android Security Tips

Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
170
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.9k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
200
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
160
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
280
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
68
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
110
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
310
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
140

Other Decks in Technology

See All in Technology
特別捜査官等研修会
Avatar for Nomizo Nomizo nomizone
0
550
Amazon Quick Suite で始める手軽な AI エージェント
Avatar for shimy shimy
1
1.7k
Building Serverless AI Memory with Mastra × AWS
Avatar for vvatanabe vvatanabe
0
420
オープンソースKeycloakのMCP認可サーバの仕様の対応状況 / 20251219 OpenID BizDay #18 LT Keycloak
Avatar for OpenID Foundation Japan oidfj
0
160
Lookerで実現するセキュアな外部データ提供
Avatar for ZOZO Developers zozotech
PRO
0
200
SQLだけでマイグレーションしたい!
Avatar for MakKi makki_d
0
1.2k
松尾研LLM講座2025 応用編Day3「軽量化」 講義資料
Avatar for Aratako aratako
3
2.4k
MySQLとPostgreSQLのコレーション / Collation of MySQL and PostgreSQL
Avatar for とみたまさひろ tmtms
1
1.2k
ESXi のAIOps だ!2025冬
Avatar for Unno Wataru unnowataru
0
330
AWSインフルエンサーへの道 / load of AWS Influencer
Avatar for WHIsaiyo whisaiyo
0
210
MariaDB Connector/C のcaching_sha2_passwordプラグインの仕様について
Avatar for kubo ayumu boro1234
0
1k
"人"が頑張るAI駆動開発
Avatar for yoko yokomachi
1
120

Featured

See All Featured
The agentic SEO stack - context over prompts
Avatar for schlessera schlessera
0
560
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.8k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
359
30k
Faster Mobile Websites
Avatar for Dean Hume deanohume
310
31k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
Avatar for Kenny Baas-Schwegler baasie
0
400
Primal Persuasion: How to Engage the Brain for Learning That Lasts
Avatar for Mike Taylor tmiket
0
190
Between Models and Reality
Avatar for mayunak mayunak
0
150
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
413
23k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
Avatar for AKADEMIYA2063 akademiya2063
PRO
0
31
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
51k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you