Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
1
45

Android Security Tips

Android Security Tips

Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
170
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.9k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
200
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
160
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
280
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
70
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
110
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
310
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
140

Other Decks in Technology

See All in Technology
プロンプトエンジニアリングを超えて:自由と統制のあいだでつくる Platform × Context Engineering
Avatar for yuriemori yuriemori
0
420
Introduction to Sansan Meishi Maker Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
330
Java 25に至る道
Avatar for Yuichi.Sakuraba skrb
3
210
Master Dataグループ紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
4.2k
「違う現場で格闘する二人」——社内コミュニティがつないだトヨタ流アジャイルの実践とその先
Avatar for Shin shinichitakeuchi
0
330
Data Hubグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
2.6k
ファインディにおけるフロントエンド技術選定の歴史
Avatar for puku0x puku0x
2
1.4k
困ったCSVファイルの話
Avatar for もっち mottyzzz
0
200
旬のブリと旬の技術で楽しむ AI エージェント設計開発レシピ
Avatar for Akira Inoue chack411
1
240
2025年の医用画像AI/AI×medical_imaging_in_2025_generated_by_AI
Avatar for YoshihiroTodoroki tdys13
0
330
国井さんにPurview の話を聞く会
Avatar for Kunii, Suguru sophiakunii
1
370
業務の煩悩を祓うAI活用術108選 / AI 108 Usages
Avatar for 株式会社スマートバンク smartbank
9
21k

Featured

See All Featured
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
KATA
Avatar for Megan Lloyd mclloyd
PRO
33
15k
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
Avatar for Aleyda Solis aleyda
2
9.3k
Designing for Timeless Needs
Avatar for Cassini Nazir cassininazir
0
110
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
51k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
281
24k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
38
3k
A Soul's Torment
Avatar for Nat Ma seathinner
4
2.1k
Color Theory Basics | Prateek | Gurzu
Avatar for Gurzu gurzu
0
170
Building a A Zero-Code AI SEO Workflow
Avatar for Ian Lurie portentint
PRO
0
240
Fireside Chat
Avatar for paigeccino paigeccino
41
3.8k
From Legacy to Launchpad: Building Startup-Ready Communities
Avatar for Dug Song dugsong
0
120

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you