Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Android Security Tips
Search
Merab Tato Kutalia
May 15, 2019
Technology
1
33
Android Security Tips
Android Security Tips
Merab Tato Kutalia
May 15, 2019
Tweet
Share
More Decks by Merab Tato Kutalia
See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
130
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.7k
Make Codebases Secure with OWASP
tatocaster
0
180
Secure Coding Standards
tatocaster
0
130
ტანგო ანდროიდთან
tatocaster
0
190
Adopting Huawei Mobile Services
tatocaster
0
48
Android UI Testing & Challenges
tatocaster
1
68
Reverse & Inject - droidcon
tatocaster
3
250
mobile DevOps
tatocaster
1
83
Other Decks in Technology
See All in Technology
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
390
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
9
1.1k
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
140
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
0
160
Platform Engineering for Software Developers and Architects
syntasso
1
520
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
360
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
160
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
第1回 国土交通省 データコンペ参加者向け勉強会③- Snowflake x estie編 -
estie
0
130
Lambdaと地方とコミュニティ
miu_crescent
2
370
Lexical Analysis
shigashiyama
1
150
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
Featured
See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
10 Git Anti Patterns You Should be Aware of
lemiorhan
655
59k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Code Review Best Practice
trishagee
64
17k
Designing Experiences People Love
moore
138
23k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
How to Ace a Technical Interview
jacobian
276
23k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Optimizing for Happiness
mojombo
376
70k
Transcript
Android App Security Tips Merabi Kutalia
Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia
None
Topics • data storage • app permissions • networking •
webview(javascript) • dynamically loaded code
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak
app permissions • data leak caused by misused permissions
networking • HTTPS (it’s 2019!)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •
GCM/FCM/SMS (Sensitive Data)
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No! • webkit
dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )
Proguard/R8
Proguard • rules
Tools • Apktool • Dex2Jar • JD-GUI
Nomrebi .com
Nomrebi .com
None
Thank you