Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Android Security Tips
Search
Merab Tato Kutalia
May 15, 2019
Technology
1
40
Android Security Tips
Android Security Tips
Merab Tato Kutalia
May 15, 2019
Tweet
Share
More Decks by Merab Tato Kutalia
See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
160
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.8k
Make Codebases Secure with OWASP
tatocaster
0
190
Secure Coding Standards
tatocaster
0
140
ტანგო ანდროიდთან
tatocaster
0
230
Adopting Huawei Mobile Services
tatocaster
0
55
Android UI Testing & Challenges
tatocaster
1
95
Reverse & Inject - droidcon
tatocaster
3
290
mobile DevOps
tatocaster
1
120
Other Decks in Technology
See All in Technology
Oracle Audit Vault and Database Firewall 20 概要
oracle4engineer
PRO
2
1.6k
OAuth/OpenID Connectで実現するMCPのセキュアなアクセス管理
kuralab
5
850
強化されたAmazon Location Serviceによる新機能と開発者体験
dayjournal
2
150
CIでのgolangci-lintの実行を約90%削減した話
kazukihayase
0
340
Amazon S3標準/ S3 Tables/S3 Express One Zoneを使ったログ分析
shigeruoda
2
380
実践! AIエージェント導入記
1mono2prod
0
140
IAMのマニアックな話 2025を執筆して、 見えてきたAWSアカウント管理の現在
nrinetcom
PRO
4
650
知識を整理して未来を作る 〜SKDとAI協業への助走〜
yosh1995
0
140
Oracle Cloud Infrastructure:2025年6月度サービス・アップデート
oracle4engineer
PRO
1
140
Amazon Q Developer for GitHubとAmplify Hosting でサクッとデジタル名刺を作ってみた
kmiya84377
0
3.5k
AI技術トレンド勉強会 #1MCPの基礎と実務での応用
nisei_k
1
240
本当に使える?AutoUpgrade の新機能を実践検証してみた
oracle4engineer
PRO
1
120
Featured
See All Featured
Being A Developer After 40
akosma
90
590k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
46
9.6k
Building Applications with DynamoDB
mza
95
6.5k
GraphQLとの向き合い方2022年版
quramy
46
14k
Thoughts on Productivity
jonyablonski
69
4.7k
YesSQL, Process and Tooling at Scale
rocio
173
14k
The World Runs on Bad Software
bkeepers
PRO
69
11k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3k
How GitHub (no longer) Works
holman
314
140k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
137
34k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.3k
Art, The Web, and Tiny UX
lynnandtonic
299
21k
Transcript
Android App Security Tips Merabi Kutalia
Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia
None
Topics • data storage • app permissions • networking •
webview(javascript) • dynamically loaded code
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak
app permissions • data leak caused by misused permissions
networking • HTTPS (it’s 2019!)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •
GCM/FCM/SMS (Sensitive Data)
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No! • webkit
dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )
Proguard/R8
Proguard • rules
Tools • Apktool • Dex2Jar • JD-GUI
Nomrebi .com
Nomrebi .com
None
Thank you