Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
1
40

Android Security Tips

Android Security Tips

Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
160
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.9k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
190
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
150
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
260
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
61
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
100
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
300
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
130

Other Decks in Technology

See All in Technology
【Oracle Cloud ウェビナー】クラウド導入に「専用クラウド」という選択肢、Oracle AlloyとOCI Dedicated Region とは
Avatar for oracle4engineer oracle4engineer
PRO
3
110
SoccerNet GSRの紹介と技術応用:選手視点映像を提供するサッカー作戦盤ツール
Avatar for MIXI ENGINEERS mixi_engineers
PRO
1
180
空間を設計する力を考える / 20251004 Naoki Takahashi
Avatar for SHIFT EVOLVE shift_evolve
PRO
3
360
AWSにおけるTrend Vision Oneの効果について
Avatar for shima shimak
0
130
Escaping_the_Kraken_-_October_2025.pdf
Avatar for Maarten Dalmijn mdalmijn
0
140
Goに育てられ開発者向けセキュリティ事業を立ち上げた僕が今向き合う、AI × セキュリティの最前線 / Go Conference 2025
Avatar for GMO Flatt Security flatt_security
0
350
生成AIとM5Stack / M5 Japan Tour 2025 Autumn 東京
Avatar for you(@youtoy) you
PRO
0
220
Goにおける 生成AIによるコード生成の ベンチマーク評価入門
Avatar for どすこい daisuketakeda
2
110
関係性が駆動するアジャイル──GPTに人格を与えたら、対話を通してふりかえりを 習慣化できた話
Avatar for リリカル mhlyc
0
130
AI ReadyなData PlatformとしてのAutonomous Databaseアップデート
Avatar for oracle4engineer oracle4engineer
PRO
0
190
Where will it converge?
Avatar for Ibukun Adedeji ibknadedeji
0
190
Shirankedo NOCで見えてきたeduroam/OpenRoaming運用ノウハウと課題 - BAKUCHIKU BANBAN #2
Avatar for marokiki marokiki
0
150

Featured

See All Featured
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
11
880
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
54
3k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.2k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
127
17k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
70
4.9k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
49
3.1k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
2.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
59
9.6k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.2k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you