Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
1
40

Android Security Tips

Android Security Tips

Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
160
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.9k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
190
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
150
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
250
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
58
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
100
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
290
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
130

Other Decks in Technology

See All in Technology
サービスロボット最前線:ugoが挑むPhysical AI活用
Avatar for Ken Matsui kmatsuiugo
0
190
AIエージェント就活入門 - MCPが履歴書になる未来
Avatar for Ikko Eltociear Ashimine eltociear
0
480
モダンな現場と従来型の組織——そこに生じる "不整合" を解消してこそチームがパフォーマンスを発揮できる / Team-oriented Organization Design 20250825
Avatar for mtx2s mtx2s
5
530
7月のガバクラ利用料が高かったので調べてみた
Avatar for 高橋広和 techniczna
3
360
生成AI利用プログラミング:誰でもプログラムが書けると 世の中どうなる?/opencampus202508
Avatar for Oka Natsuki okana2ki
0
190
実践アプリケーション設計 ①データモデルとドメインモデル
Avatar for Recruit recruitengineers
PRO
2
230
Claude Code x Androidアプリ 開発
Avatar for Shinnosuke Kugimiya kgmyshin
1
580
Yahoo!ニュースにおけるソフトウェア開発
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
350
株式会社ARAV 採用案内
Avatar for ARAV maqui
0
340
Devinを使ったモバイルアプリ開発 / Mobile app development with Devin
Avatar for Yuki Anzai yanzm
0
190
広島発!スタートアップ開発の裏側
Avatar for Sankyo Toshio tsankyo
0
240
そのコンポーネント、サーバー?クライアント?App Router開発のモヤモヤを可視化する補助輪
Avatar for Makoto Tateno makotot
4
440

Featured

See All Featured
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
3k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
48
9.6k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.8k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
126
53k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
70
11k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
77
5.9k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
183
54k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
54
11k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
8
890
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
Visualization
Avatar for Eitan Lees eitanlees
147
16k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you