Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Merab Tato Kutalia
May 15, 2019
Technology
1
33

Android Security Tips

Android Security Tips

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
140
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.8k
Make Codebases Secure with OWASP
tatocaster
0
180
Secure Coding Standards
tatocaster
0
130
ტანგო ანდროიდთან
tatocaster
0
200
Adopting Huawei Mobile Services
tatocaster
0
51
Android UI Testing & Challenges
tatocaster
1
71
Reverse & Inject - droidcon
tatocaster
3
260
mobile DevOps
tatocaster
1
95

Other Decks in Technology

See All in Technology
Docker Desktop で Docker を始めよう
zembutsu
PRO
0
180
【JAWS-UG大阪 reInvent reCap LT大会 サンバが始まったら強制終了】“1分”で初めてのソロ参戦reInventを数字で振り返りながら反省する
ttelltte
0
140
Reactフレームワークプロダクトを
モバイルアプリにして、もっと便利に。 ユーザに価値を届けよう。/React Framework with Capacitor
rdlabo
0
130
When Windows Meets Kubernetes…
pichuang
0
310
データ基盤におけるIaCの重要性とその運用
mtpooh
4
530
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
0
860
Git scrapingで始める継続的なデータ追跡 / Git Scraping
ohbarye
5
500
.NET 最新アップデート ~ AI とクラウド時代のアプリモダナイゼーション
chack411
0
200
20250116_自部署内でAmazon Nova体験会をやってみた話
riz3f7
1
100
【Oracle Cloud ウェビナー】2025年のセキュリティ脅威を読み解く:リスクに備えるためのレジリエンスとデータ保護
oracle4engineer
PRO
1
100
DMMブックスへのTipKit導入
ttyi2
1
110
30分でわかる「リスクから学ぶKubernetesコンテナセキュリティ」/30min-k8s-container-sec
mochizuki875
3
450

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
510
110k
GitHub's CSS Performance
jonrohan
1030
460k
Optimizing for Happiness
mojombo
376
70k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Rails Girls Zürich Keynote
gr2m
94
13k
Making Projects Easy
brettharned
116
6k
Being A Developer After 40
akosma
89
590k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.6k
Side Projects
sachag
452
42k
GraphQLの誤解/rethinking-graphql
sonatard
68
10k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.9k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you