Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
63
1

Android Security Tips

Android Security Tips

Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
210
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.9k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
220
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
180
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
330
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
83
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
130
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
330
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
160

Other Decks in Technology

See All in Technology
速さだけじゃない! VoidZero ツールが移行先に選ばれる理由
Avatar for mizdra mizdra
PRO
6
760
Agentic ERPをどう設計するか ー 受発注エージェントを動かす、現場の知見と設計思想ー
Avatar for 株式会社リチェルカ recerqainc
1
1.6k
TypeScript Compiler APIとPHP-Parserを活用し、TypeScriptとPHPで型を共有する
Avatar for did0es shuta13
0
360
Building applications in the Gemini API family.
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
1.7k
新規事業を牽引する技術選定 〜フルスタックTypeScript開発の実践事例〜
Avatar for Katsuma Narisawa nullnull
3
350
AI Adaptable なテストを整える工夫 / Ways to Make Your Tests AI-Adaptable
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
PRO
3
220
Agentic Defenseとともにセキュリティエンジニアが輝き続けるには / How Security Engineers Can Keep Excelling with Agentic Defense
Avatar for Yuji Oshima yuj1osm
0
100
Databricks 月刊サービスアップデート 2026年05月号
Avatar for ちょし tyosi1212
0
210
ChatworkとBPaaS 異なる特性で学んだAI機能開発の ベストプラクティス
Avatar for kubell kubell_hr
2
2.8k
「気づいたら仕事が終わっている」バクラクAIエージェント本番運用の裏側 / layerx-bakuraku-aie2026
Avatar for Yuya Matsumura yuya4
18
10k
生成 AI × MCP で切り拓く次世代 SRE!自律型運用への挑戦と開発者体験の進化
Avatar for _awache _awache
0
160
Djangoユーザが知っ得なPostgreSQL機能 - 設計の選択肢を増やす / Djang-use-PostgreSQL
Avatar for soudai sone soudai
PRO
0
190

Featured

See All Featured
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
2
1.5k
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
4
310
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
200
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
2
690
Designing for Performance
Avatar for Lara Hogan lara
611
70k
Reality Check: Gamification 10 Years Later
Avatar for Sebastian Deterding codingconduct
0
2.2k
We Analyzed 250 Million AI Search Results: Here's What I Found
Avatar for Josh Blyskal joshbly
1
1.3k
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
2
390
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
Avatar for David Neal reverentgeek
1
460
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
150
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
Leo the Paperboy
Avatar for Maya Tellez mayatellez
7
1.8k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you