SECURE YOUR APP
FIGHT THE LEAKS!
DROIDCON PARIS 2013
EYAL LEZMY
ANDROID PRESALES ENGINEER, SAMSUNG B2B
TREASURER AT PARIS ANDROID USER GROUP
ANDROID GOOGLE DEVELOPER EXPERT

Slides

http://bit.ly/droidcon-sec
http://eyal.fr

THE USER

TRUSTS YOU

DON'T LET HIM DOWN
APPS HAVE TO RESPECT THE DATA

Different ways to unintentionally grant other apps access to the
data inside your application:
Exporting an unprotected component
Storing personal data in a world readable file
Logging personal data in logcat logs

Copyright © 1995-2012 SAMSUNG All rights reserved
CHECK YOUR ANDROIDMANIFEST.XML

It declares which app components other apps can reach:
Activity, Service, BroadcastReceiver, ContentProvider

Adding an <intent-filter> to a component
=> the component is exported by default, even without android:exported
A ContentProvider is exported by default until you set
android:targetSdkVersion="17" or higher; from 17 the default is private
(Apps targeting Android 12, API 31, or higher must declare
android:exported explicitly on every component with an <intent-filter>,
or the system refuses to install them.)
CHECK YOUR ANDROIDMANIFEST.XML

Don't export app components unless you want to share their
content with other applications. An explicit android:exported="false"
keeps the component private even though it carries an <intent-filter>:

<application android:label="@string/app_name">
    …
    <service android:name=".ServiceExample"
        android:exported="false">
        <intent-filter>
            …
        </intent-filter>
    </service>
    …
</application>
CHECK YOUR ANDROIDMANIFEST.XML

(The same manifest as the previous slide, stamped with the question to
ask about every component you leave exported:)

What is your legitimacy to expose data?
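The three manifest slides above give enough rules to audit a manifest mechanically. The script below is an added example written for this page, not code from the talk: it reads a source-form AndroidManifest.xml (the binary XML inside an APK must first be decoded with apktool or aapt), applies the intent-filter, ContentProvider and targetSdkVersion rules, and lists every exported component that no permission protects. The sample manifest, its package name com.example.leaky and its component names are constructed for the demonstration; a launcher activity is reported on purpose, because the point of the list is that every entry needs a justification.

```python
"""Audit an AndroidManifest.xml for components that end up exported.

Rules applied (from the slides above):
  * a component with an <intent-filter> and no android:exported is exported
  * a <provider> with no android:exported is exported when targetSdkVersion < 17
  * an exported component with no permission is reachable by every app
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def android_attr(elem, name, default=None):
    """Read an android:-namespaced attribute such as android:exported."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def target_sdk(root):
    """targetSdkVersion, falling back to minSdkVersion, then to 1 as the platform does."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    value = (android_attr(uses_sdk, "targetSdkVersion")
             or android_attr(uses_sdk, "minSdkVersion") or "1")
    return int(value)


def is_exported(elem, target):
    """Return (exported, reason) for one component element."""
    explicit = android_attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true", 'explicit android:exported="%s"' % explicit
    if elem.tag == "provider":
        if target < 17:
            return True, "provider with no android:exported and targetSdkVersion < 17"
        return False, "provider default is private from targetSdkVersion 17"
    if elem.find("intent-filter") is not None:
        return True, "has an <intent-filter> and no android:exported"
    return False, "no <intent-filter> and no android:exported"


def is_protected(elem):
    """True when a permission gates the component.

    A provider needs both readPermission and writePermission (or the generic
    android:permission); setting only one of them leaves the other side open.
    """
    if android_attr(elem, "permission"):
        return True
    if elem.tag == "provider":
        return bool(android_attr(elem, "readPermission")
                    and android_attr(elem, "writePermission"))
    return False


def audit_manifest(xml_text):
    """List (tag, name, reason) for every exported component with no permission."""
    root = ET.fromstring(xml_text)
    target = target_sdk(root)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported, reason = is_exported(elem, target)
        if exported and not is_protected(elem):
            findings.append((elem.tag, android_attr(elem, "name"), reason))
    return findings


# Constructed sample manifest for a made-up package (not from the talk), targeting API 16.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.leaky">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16" />
  <permission android:name="com.example.EXAMPLE_PERM" android:protectionLevel="signature" />
  <application android:label="Leaky">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.SYNC" /></intent-filter>
    </service>
    <service android:name=".InternalService" android:exported="false">
      <intent-filter><action android:name="com.example.INTERNAL" /></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="com.example.EXAMPLE_PERM">
      <intent-filter><action android:name="com.example.ADMIN" /></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.leaky.notes" />
    <provider android:name=".PrivateProvider" android:authorities="com.example.leaky.private"
        android:readPermission="com.example.EXAMPLE_PERM"
        android:writePermission="com.example.EXAMPLE_PERM" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in audit_manifest(SAMPLE_MANIFEST):
        print("%-9s %-18s %s" % (tag, name, reason))
```

Run it on the sample and three components come back: the launcher activity (expected), SyncService (an intent filter and nothing else) and NotesProvider (no android:exported while targeting API 16). Bump targetSdkVersion to 17 and the provider disappears from the list, which is exactly the platform change the slide describes.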
PERMISSIONS

There are different permission protection levels:
normal
    Lower risk; granted automatically at install time
dangerous
    Higher risk: access to user private data, potential negative
    impact; the user has to approve it (at install time in 2013,
    at run time since Android 6.0)
signature
    Granted only to apps signed with the same certificate as the app
    that declared the permission; the right level for interfaces
    shared between your own apps
PERMISSIONS

Let's look at the code:

<permission android:name="com.example.EXAMPLE_PERM"
    android:label="@string/example_perm_l"
    android:description="@string/example_perm_d"
    android:icon="@drawable/example_perm_i"
    android:protectionLevel="signature" />
...
<service android:name=".ServiceExample"
    android:permission="com.example.EXAMPLE_PERM">
    <intent-filter>...</intent-filter>
</service>

Declare the permission in the app that owns the data. Android 5.0+
refuses to install a second app that defines the same permission
name under a different signing key; on older releases whichever app
defined it first owned the definition, so check that the definition
in force is really yours.
PERMISSIONS

Don't be the weakest link
Always check the caller's permission in code as well when you enforce
your own permission (inside a Binder/AIDL method, a ContentProvider
query, an exported receiver), not only in the manifest:

import android.content.Context;
import android.content.pm.PackageManager;

/** True if the remote process calling into us holds EXAMPLE_PERM. */
private boolean checkPermission(Context context) {
    String permission = "com.example.EXAMPLE_PERM";
    // checkCallingPermission() answers for the caller of the IPC being
    // handled right now; outside an IPC it always returns
    // PERMISSION_DENIED, so your own process can never "pass" by mistake.
    int res = context.checkCallingPermission(permission);
    return res == PackageManager.PERMISSION_GRANTED;
}
DISABLE USELESS ACTIVITIES

Fit your components' lifecycle to your application's lifecycle
If before configuration (login, account creation, ...) a service or
activity is not useful, disable it

If your application handles common implicit Intent actions like
ACTION_VIEW or ACTION_SEND, consider shipping that component disabled
and enabling it only once the app is configured

Disabled in the manifest:
<activity
    android:name="com.example.Activity"
    android:label="@string/app_name"
    android:enabled="false">
</activity>

Enabled at run time, once the app is configured:
ComponentName componentName =
    new ComponentName(context, com.example.Activity.class);
context.getPackageManager().setComponentEnabledSetting(componentName,
    PackageManager.COMPONENT_ENABLED_STATE_ENABLED,
    PackageManager.DONT_KILL_APP);

A disabled component does not resolve for any Intent, explicit or
implicit, so nothing can start it until you enable it.
STORING DATA WISELY

Protect personal data using MODE_PRIVATE for data files,
shared preferences, and databases:
openFileOutput(name, MODE_PRIVATE)
getSharedPreferences(name, MODE_PRIVATE)
openOrCreateDatabase(name, MODE_PRIVATE, factory)

Never use MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE: they hand the
file to every app on the device (deprecated since API 17, and from
Android 7.0 they throw a SecurityException)

External storage (sdcard) is shared storage: anything written there
is readable by any app holding READ_EXTERNAL_STORAGE
PLEASE... SHUT THE FUCK UP!

Don't expose data through logcat in production
Detect the build mode with BuildConfig.DEBUG and route every log call
through one wrapper:

import android.util.Log;

public final class AppLog {
    public static final boolean SHOW_LOG = BuildConfig.DEBUG;

    public static void d(final String tag, final String msg) {
        if (SHOW_LOG) {
            Log.d(tag, msg);
        }
    }
}

The guard keeps the message out of logcat, but the string building at
the call site still runs; to strip the calls from release builds
entirely, add a ProGuard -assumenosideeffects rule for android.util.Log.

Be careful about this subject and test it during QA: capture logcat
from a release build while exercising login, sync and payment flows
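For the QA step the slide asks for, here is an added example (mine, not from the talk) that scans a saved logcat capture for the kinds of personal data an app tends to leak: e-mail addresses, credentials written as key=value, bearer tokens and card numbers (Luhn-checked so order ids are not reported). It understands the brief and threadtime logcat formats, restricts itself to the app's own process ids, and reports the line, tag and kind rather than the matched value, so the report does not become a second copy of the leak. The log lines, the package com.example.leaky and the pids are constructed for the demonstration.

```python
"""Scan saved logcat output for personal data leaked by one app.

QA usage: `adb logcat -d > release.log` against a release build while
exercising the app, then scan_logcat(open("release.log").read(), {pid}).
"""
import re

# Brief format:      D/LoginActivity( 4242): message
# Threadtime format: 05-20 10:15:32.123  4242  4300 D LoginActivity: message
BRIEF_RE = re.compile(r"^([VDIWEF])/(.+?)\(\s*(\d+)\): (.*)$")
THREADTIME_RE = re.compile(
    r"^\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+(\d+)\s+\d+\s+([VDIWEF])\s+(.+?): (.*)$")

DETECTORS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("credential", re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key)\b\s*[=:]\s*\S+")),
    ("bearer", re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._-]{16,}")),
    ("card", re.compile(r"\b(?:\d[ -]?){13,19}\b")),
]


def parse_line(line):
    """Return (pid, tag, message), or None for lines in neither logcat format."""
    m = BRIEF_RE.match(line)
    if m:
        return int(m.group(3)), m.group(2).strip(), m.group(4)
    m = THREADTIME_RE.match(line)
    if m:
        return int(m.group(1)), m.group(3).strip(), m.group(4)
    return None


def luhn_ok(digits):
    """Luhn checksum, so that order ids and timestamps are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_logcat(text, app_pids):
    """List (line_no, tag, kind) for every message of the app's processes carrying PII."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None or parsed[0] not in app_pids:
            continue
        _pid, tag, msg = parsed
        for kind, pattern in DETECTORS:
            for m in pattern.finditer(msg):
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                    continue
                # Report where and what kind, never the matched value itself.
                findings.append((line_no, tag, kind))
                break
    return findings


# Constructed capture (not a real device log): pid 4242 is "our" app, 5151 another app.
SAMPLE_LOGCAT = """\
I/ActivityManager(  812): Start proc com.example.leaky for activity com.example.leaky/.LoginActivity: pid=4242 uid=10060
D/LoginActivity( 4242): login form submitted for alice@example.com
D/NetClient( 4242): POST /api/login password=hunter2
I/NetClient( 4242): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnopqrstuv
05-20 10:15:32.123  4242  4300 D Checkout: charging card 4111 1111 1111 1111 exp 12/25
D/Checkout( 4242): order 1234567890123 confirmed
D/OtherApp( 5151): contact bob@example.com synced
"""

if __name__ == "__main__":
    for line_no, tag, kind in scan_logcat(SAMPLE_LOGCAT, {4242}):
        print("line %d  tag=%s  leaks %s" % (line_no, tag, kind))
```

Take the pid from the ActivityManager "Start proc" line or from `adb shell ps`; a release build that produces an empty report for a full walk-through of the app is what you want to see before shipping.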
PROTECTING APP FROM USERS

No android:debuggable="true" in the manifest of a release build

Don't leave this enabled in release code! It lets anyone with adb
access attach a debugger and run commands as your app's uid

ADT 8.0+ handles it for you automatically: debug builds are marked
debuggable, exported release builds are not
PROTECTING APP FROM USERS

With a debuggable build, run-as switches any adb shell to your app's
uid and its private directory is an open book:

$ adb shell
shell@android:/ $ run-as com.android.example sh
shell@android:/data/data/com.android.example $ id
uid=10060(app_60) gid=10060(app_60)
shell@android:/data/data/com.android.example $ ls files
secret_data.txt
shell@android:/data/data/com.android.example $ cat files/secret_data.txt

run-as refuses non-debuggable packages, which is the whole point of
the previous slide.
IT'S NOT JUST ABOUT YOUR APP
INSECURE NETWORK
LOST OR STOLEN DEVICES
USE SAFE NETWORKING

HTTPS (TLS) protects against man-in-the-middle attacks and prevents
casual snooping on open Wi-Fi, but only if the client actually
verifies the server

Server certificate validity must be correctly checked: the chain must
lead to a trusted CA and the hostname must match the certificate.
The usual mistake is a custom TrustManager or HostnameVerifier that
accepts everything so a self-signed test server works, and then ships
in the release build.
"15% of apps have weak or bad SSL implementation on the Play Store"
(ThreatPost, see references)

Free certified SSL: https://www.startssl.com/ (StartSSL has since shut
down; Let's Encrypt now fills that role)
DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS

...but it may help discourage the curious. Whoever holds the device
can run whatever decrypts the data on it, so encryption buys time and
effort, not absolute protection.
Use a peer-reviewed library like KeyCzar rather than hand-rolled
javax.crypto calls

Take care of the key:
Create it at first start with a cryptographically secure generator
(SecureRandom), never with java.util.Random or a constant in the code
Or fetch a per-user key from your server
Or derive it from a passphrase you ask the user for and never store
DEVICE ADMINISTRATION

In a corporate environment, the Device Administration API can be used
to enforce:
Password management
Device encryption
Disable camera
Lock the device
Remote wipe
BEHIND THE STAGE

The APK's content is always world readable (anyone can pull it with
adb or from a backup and unzip it), so take care about what you put
inside
Sensitive files (keys, keystores, server credentials) should be kept
out of the APK
Java bytecode decompiles easily, so your code is effectively open too
Enabling ProGuard takes a single line (proguard.config in
project.properties); it obfuscates names but does not hide secrets
Or...
Dex encryption
A modified AAPT
Keep the sensitive logic on the server
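The "take care about what you put inside" advice above is checkable before release. This added example (mine, not from the talk) opens an APK as the zip file it is and flags the three things that most often end up shipped by accident: Java keystores (recognised by their FEEDFEED magic bytes), PEM private keys, and text assets or .properties files that assign a password, secret or API key. The sample APK is constructed in memory for the demonstration, with placeholder bytes standing in for classes.dex and the binary manifest.

```python
"""Inspect an APK (a zip file) for material that should never ship inside it.

Anyone can unzip a published APK, so a keystore, a private key or a config
file with credentials inside it is public the moment the app is released.
"""
import io
import re
import zipfile

JKS_MAGIC = b"\xfe\xed\xfe\xed"                      # Java KeyStore file header
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
SECRET_ASSIGNMENT = re.compile(
    rb"(?i)\b(password|passwd|secret|api[_-]?key|private[_-]?key|client[_-]?secret)\b"
    rb"[\"']?\s*[=:]\s*[\"']?[^\s\"',]+")
SUSPICIOUS_SUFFIXES = (".jks", ".keystore", ".p12", ".pfx", ".pem", ".key", ".properties")
TEXT_SUFFIXES = (".properties", ".json", ".xml", ".txt", ".cfg", ".ini", ".js", ".html")


def audit_apk(apk_bytes):
    """Return {entry_name: [reasons]} for entries that look like leaked secrets."""
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.endswith("/"):
                continue                              # directory entry
            lower = name.lower()
            data = apk.read(name)
            if lower.endswith(SUSPICIOUS_SUFFIXES):
                flag(name, "file type that normally holds keys or configuration")
            if data.startswith(JKS_MAGIC):
                flag(name, "Java keystore (JKS magic bytes)")
            if PEM_PRIVATE_KEY.search(data):
                flag(name, "PEM private key")
            # Only plain-text assets are grepped; res/*.xml and the manifest
            # inside an APK are compiled binary XML and would only add noise.
            text_like = lower.startswith(("assets/", "res/raw/")) and lower.endswith(TEXT_SUFFIXES)
            if text_like or lower.endswith(".properties"):
                for m in SECRET_ASSIGNMENT.finditer(data):
                    keyword = m.group(1).decode("ascii", "replace").lower()
                    flag(name, "credential assignment to %s" % keyword)  # value not reported
    return findings


def build_sample_apk():
    """Constructed APK-like zip (not a real app) containing three things that must not ship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 binary xml placeholder")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("assets/help.html",
                   b"<html><body>Need help? Email support@example.com</body></html>")
        z.writestr("res/raw/config.properties",
                   b"api_url=https://api.example.com\napi_key=0123456789abcdef\n")
        z.writestr("assets/server.pem",
                   b"-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQtc2FtcGxlLWJ5dGVz\n"
                   b"-----END RSA PRIVATE KEY-----\n")
        z.writestr("assets/release.jks", JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    # For a real build: audit_apk(open("app-release.apk", "rb").read())
    for name, reasons in sorted(audit_apk(build_sample_apk()).items()):
        print(name)
        for reason in reasons:
            print("    " + reason)
```

The script is deliberately keyword-based and will not catch a secret stored as an unlabelled string in classes.dex; for that, decompile and review, or better, follow the slide and keep the secret on the server.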
IT'S NOT JUST ABOUT SECURITY
THINK ABOUT POLITICS...
THE SECURITY PARADOX

NEVER FORGET THE USER, NEVAAAAA!

"The more secure you make something,
the less secure it becomes"

Calibrate security to what users will accept, or...
Users will find workarounds
Users won't use your service
REFERENCES

Google I/O 2012 sessions
Android Developers Live YouTube channel
Android Development
Android Development: Using Cryptography
The Commons Blog
InformationWeek: Security Paradox
ThreatPost: SSL implementation in Android apps
StartSSL free certificates
SAMSUNG SMART APP CHALLENGE 2013

A global app challenge
Apps for the Galaxy S4
Use of Samsung Chord SDK
Apply June 20 - August 31
$800,000 for 10 winners
www.smartappchallenge.com

SAMSUNG DEVELOPERS

http://developer.samsung.com
SDKs and documentation:
Samsung Chord SDK
Bluetooth Low Energy SDK
S Pen & Multi Window SDK
AllShare Framework

Remote Test Lab: test your applications on real devices through the
internet. Free, 24h 365 days, real devices (not emulators), multiple
devices.
THANK YOU!

