Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
54
1

Android Security Tips

Android Security Tips

Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
190
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.9k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
210
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
170
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
320
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
79
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
120
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
320
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
150

Other Decks in Technology

See All in Technology
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
Avatar for Kenji Saito ks91
PRO
0
320
Oracle AI Database@AWS:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
4
2.4k
AI時代 に増える データ活用先
Avatar for ono.takayuki takahal
0
230
実践ハーネスエンジニアリング:TAKTで実現するAIエージェント制御 / Practical Harness Engineering: AI Agent Control Enabled by TAKT
Avatar for nrs nrslib
11
4.6k
QGISプラグイン CMChangeDetector
Avatar for Forestgeo.info naokimuroki
1
400
レビューしきれない?それは「全て人力でのレビュー」だからではないでしょうか
Avatar for amixedcolor amixedcolor
0
330
自分のハンドルは自分で握れ! ― 自分のケイパビリティを増やし、メンバーのケイパビリティ獲得を支援する ― / Take the wheel yourself
Avatar for TAKAKING22 takaking22
1
910
LLM時代の検索アーキテクチャと技術的意思決定
Avatar for shibuiwilliam shibuiwilliam
3
1.2k
ARIA Notifyについて
Avatar for ryokatsuse ryokatsuse
1
120
AI時代のガードレールとしてのAPIガバナンス
Avatar for 草薙昭彦 nagix
0
280
「責任あるAIエージェント」こそ自社で開発しよう!
Avatar for みのるん minorun365
9
2k
Standards et agents IA : un tour d’horizon de MCP, A2A, ADK et plus encore
Avatar for Guillaume Laforge glaforge
0
170

Featured

See All Featured
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
Avatar for UX Y'all uxyall
0
260
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
66
8.4k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.8k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
3k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.3k
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
490
Ten Tips & Tricks for a 🌱 transition
Avatar for Manu Carrasco Molina stuffmc
0
99
SEO for Brand Visibility & Recognition
Avatar for Aleyda Solis aleyda
0
4.5k
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
Avatar for Kenny Baas-Schwegler baasie
0
510
Marketing Yourself as an Engineer | Alaka | Gurzu
Avatar for Gurzu gurzu
0
180
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
54k
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
Avatar for Liv Day livdayseo
0
100

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you