Android Security Tips
Merab Tato Kutalia
May 15, 2019
Technology
Transcript
Android App Security Tips
Merabi Kutalia
Tato Kutalia
tatocaster
tatocaster.me
github.com/tatocaster
twitter.com/@TatoKutalia

Topics
• data storage
• app permissions
• networking
• webview (JavaScript)
• dynamically loaded code
data storage
• Internal Storage (MODE_WORLD_WRITABLE, deprecated in API 17)
• External Storage is globally readable
• Scoped Storage (Android Q)
• Content Providers (SQL injection)
• Shared preferences + leak
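The "Content Providers (SQL injection)" slide is the one point on this deck that has a concrete coding shape, so here is an added example of a provider written to avoid it. This code is not from the deck or the author; the table, column and MIME names (notes, _id, body, vnd.example.note) are assumptions for illustration. Every caller-supplied value reaches SQLite as a bound argument rather than as text spliced into the statement, the projection is restricted to known columns, and the provider is expected to be declared with android:exported="false" (or guarded by a permission) in the manifest, because the selection clause of a ContentProvider is SQL by design and must not be exposed to untrusted callers.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

// Added example (not the deck's code): a small provider whose every SQL entry point
// takes caller input as bound arguments. Table and column names are assumptions.
public class NotesProvider extends ContentProvider {
    private static final String TABLE = "notes";
    private static final String COL_ID = "_id";
    private static final String COL_BODY = "body";
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        // Only these column names may appear in a caller's projection.
        PROJECTION_MAP.put(COL_ID, COL_ID);
        PROJECTION_MAP.put(COL_BODY, COL_BODY);
    }

    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "notes.db", null, 1) {
            @Override
            public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE " + TABLE + " (" + COL_ID
                        + " INTEGER PRIMARY KEY, " + COL_BODY + " TEXT)");
            }
            @Override
            public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
                // No schema migrations in this example.
            }
        };
        return true;
    }

    // The pattern the deck warns about, shown only for contrast:
    //   rawQuery("SELECT * FROM notes WHERE body = '" + body + "'", null)
    // Below, the selection clause is validated by the builder and values are bound.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);   // unknown column names are rejected
        // Strict mode makes the builder check the selection clause (for example it
        // rejects sub-queries) before the statement reaches SQLite.
        qb.setStrict(true);
        Cursor cursor = qb.query(helper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
        cursor.setNotificationUri(getContext().getContentResolver(), uri);
        return cursor;
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        // ContentValues are bound by the framework; no SQL text is built from them.
        long id = helper.getWritableDatabase().insertOrThrow(TABLE, null, values);
        getContext().getContentResolver().notifyChange(uri, null);
        return uri.buildUpon().appendPath(Long.toString(id)).build();
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection,
                      String[] selectionArgs) {
        // selectionArgs are bound; the selection text itself is why the provider
        // must stay unexported or permission-protected.
        return helper.getWritableDatabase().update(TABLE, values, selection, selectionArgs);
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        return helper.getWritableDatabase().delete(TABLE, selection, selectionArgs);
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.example.note";  // assumed MIME type
    }
}
```

A client then calls `getContentResolver().query(uri, null, "body = ?", new String[]{userInput}, null)`; the `?` placeholder is what keeps user input out of the statement text, and the same rule applies to the internal `rawQuery` / `query` calls the provider makes on its own database.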
app permissions
• data leak caused by misused permissions

networking
• HTTPS (it's 2019!)
• localhost! (https://twitter.com/fs0c131y/status/1085460755313508352)
• GCM/FCM/SMS (sensitive data)
webview
• setJavaScriptEnabled - No!
• webkit
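The webview slide is a single instruction; the added example below spells out the configuration it implies for a WebView that only renders the app's own content over HTTPS. It is not code from the deck or the author; the class name and the idea of an allow-list of hosts are assumptions, and the `WebResourceRequest` overload of `shouldOverrideUrlLoading` requires API 24.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Set;

// Added example (not the deck's code): restrictive settings for a WebView that
// must only load HTTPS pages from a fixed set of hosts. Host names are assumptions.
public final class HardenedWebView {
    private HardenedWebView() {}

    public static void configure(WebView webView, final Set<String> allowedHosts) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);              // the default; leave it off unless required
        s.setAllowFileAccess(false);                // no file:// loads
        s.setAllowContentAccess(false);             // no content:// loads
        s.setAllowFileAccessFromFileURLs(false);    // explicit even with file access off
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setGeolocationEnabled(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW); // API 21+
        WebView.setWebContentsDebuggingEnabled(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the load; only https:// on an allowed host proceeds.
                Uri url = request.getUrl();
                return !isAllowed(url.getScheme(), url.getHost(), allowedHosts);
            }
        });
    }

    // Policy check kept separate so it can be unit-tested without a WebView.
    static boolean isAllowed(String scheme, String host, Set<String> allowedHosts) {
        return "https".equals(scheme) && host != null && allowedHosts.contains(host);
    }
}
```

If a screen genuinely needs JavaScript, enabling it should be a per-WebView decision made next to the code that loads the page, with the other settings above left as they are; the allow-list check still prevents an attacker-controlled link inside the page from steering the WebView to an arbitrary origin.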
dynamically loaded code
• Yes you can (https://stackoverflow.com/q/6857807/6845290)
Proguard/R8

Proguard
• rules

Tools
• Apktool
• Dex2Jar
• JD-GUI

Nomrebi.com

Thank you