Android Security Tips

Transcript

1. Android App Security Tips Merabi Kutalia

2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

3. None

4. Topics • data storage • app permissions • networking •

   webview(javascript) • dynamically loaded code

5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

   External Storage is globally readable

7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

   External Storage is globally readable • Scoped Storage(Android Q)

8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

   External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

   External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

10. app permissions • data leak caused by misused permissions

11. networking • HTTPS (it’s 2019!)

12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

14. webview • setJavascriptEnabled - No!

15. webview • setJavascriptEnabled - No!

16. webview • setJavascriptEnabled - No! • webkit

17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

18. Proguard/R8

19. Proguard • rules

20. Tools • Apktool • Dex2Jar • JD-GUI

21. Nomrebi .com

22. Nomrebi .com

23. None

24. Thank you