Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
1
38

Android Security Tips

Android Security Tips
Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
150
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.8k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
180
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
140
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
220
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
55
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
90
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
280
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
120

Other Decks in Technology

See All in Technology
Slackひと声でブログ校正!Claudeレビュー自動化編
Avatar for Yusuke Shimizu yusukeshimizu
3
180
OSMnx Galleryの紹介
Avatar for mopinfish mopinfish
0
150
NW運用の工夫と発明
Avatar for Akira Kanai / recuraki recuraki
1
790
他チームへ越境したら、生データ提供ソリューションのクエリ費用95%削減へ繋がった話 / Cross-Team Impact: 95% Off Raw Data Query Costs
Avatar for yamamoto-yuta yamamotoyuta
0
240
libsyncrpcってなに?
Avatar for uhyo uhyo
0
150
Machine Intelligence for Vision, Language, and Actions
Avatar for Semantic Machine Intelligence Lab., Keio Univ. keio_smilab
PRO
0
500
面接を通過するためにやってて良かったこと3選
Avatar for SansanTech sansantech
PRO
0
130
Roo Codeにすべてを委ねるためのルール運用
Avatar for PharmaX(旧YOJO Technologies)開発チーム pharma_x_tech
1
230
ソフトウェアは捨てやすく作ろう/Let's make software easy to discard
Avatar for Genki Sano sanogemaru
10
5.8k
いまさら聞けない Git 超入門 〜Gitって結局なに?から始める第一歩〜
Avatar for とことんDevOps devops_vtj
0
170
ITエンジニアを取り巻く環境とキャリアパス / A career path for Japanese IT engineers
Avatar for 高玉 広和 / TAKATAMA Hirokazu takatama
4
1.5k
All About Sansan – for New Global Engineers
Avatar for Sansan, Inc. sansan33
PRO
1
1.2k

Featured

See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
507
140k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
126
17k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.6k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
299
50k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
188
11k
Visualization
Avatar for Eitan Lees eitanlees
146
16k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
7
590
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
180
53k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
223
9.6k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you