SlideShare una empresa de Scribd logo

Secure your Android app- fight the leaks!

Eyal Lezmy
Eyal Lezmy

You can consult the speaker's notes on the Google Drive presentation: http://bit.ly/droidcon-sec On the corporate environment, data is often more sensitive and strategic than the equipment. During this talk we will explore together the security issues that can occasionally cause leaks on an Android app and how to prevent them.

Tecnología
1 de 28
Descargar para leer sin conexión
SECURE YOUR APP FIGHT THE LEAKS! DROIDCON PARIS 2013
EYAL LEZMY ANDROID PRESALES ENGINEER, SAMSUNG B2B TREASURER AT PARIS ANDROID USER GROUP ANDROID GOOGLE DEVELOPER EXPERT Slides http://bit.ly/droidcon-sec http://eyal.fr
Company THE USER TRUSTS YOU DON'T LET HIM DOWN
APPS HAVE TO RESPECT THE DATA Different ways to unintentionally grant other apps access to the data inside your application : Exporting an unprotected component Storing personal data in a world readable file Logging personal data in logcat logs Copyright © 1995-2012 SAMSUNG All rights reserved
CHECK YOUR ANDROIDMANIFEST.XML It declares accessible app components Activity, Service, Receive,... Adding <intent-filter> => your element is exported by default ContentProvider is always exported by default, until android:targetSdkVersion="17" Copyright © 1995-2012 SAMSUNG All rights reserved
CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications <application android:label="@string/app_name"> … <service android:name=".ServiceExample“ android:exported="false"> <intent-filter> … </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications to <application android:label="@string/app_name"> ity itim … leg a? <service android:name=".ServiceExample“ ur at yo e d android:exported="false"> t is pos <intent-filter> ha ex … W </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
PERMISIONS There are different permission protection levels: normal Lower risk permission dangerous Higher risk, access to user private data, potential negative impact signature Needs the same certificate signature Copyright © 1995-2012 SAMSUNG All rights reserved
PERMISIONS Lets look at the code: <permission android:name="com.example.EXAMPLE_PERM“ android:label="@string/example_perm_l“ android:description="@string/example_perm_d“ android:icon="@drawable/example_perm_i“ android:protectionLevel="signature" /> ... <service android:name=".ServiceExample“ android:permission="com.example.EXAMPLE_PERM"> <intent-filter>...</intent-filter> </service> Copyright © 1995-2012 SAMSUNG All rights reserved
PERMISIONS Don't be the weakest link Always check the permission of a caller if you use your permission private boolean checkPermission(Context context) { String permission = "com.example.EXAMPLE_PERM"; int res = context.checkCallingPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); } Copyright © 1995-2012 SAMSUNG All rights reserved
DISABLE USELESS ACTIVITIES Fit your components lifecycle to your application's lifecycle If before configuration (login, account creation, ...) a service or activity is not useful, disable it If your application handles common implicit Intent's actions like ACTION_VIEW or ACTION_SEND consider disabling it by default Copyright © 1995-2012 SAMSUNG All rights reserved
DISABLE USELESS ACTIVITIES Disabled: <activity android:name="com.example.Activity" android:label="@string/app_name" android:enabled="false"> </activity> Enabled: PackageManager.setComponentEnabledSetting(componentName, newState, flags); Copyright © 1995-2012 SAMSUNG All rights reserved
STORING DATA WISELY Protect personal data using MODE_PRIVATE for data files, shared preferences, and databases: openFileOutput() openSharedPreferences() openOrCreateDatabase() External storage (sdcard) is shared storage Copyright © 1995-2012 SAMSUNG All rights reserved
PLEASE... SHUT THE FUCK UP! Don't expose data through logcat on production Detect the build mode with BuildConfig.DEBUG public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Be careful about this subject and test it during QA Copyright © 1995-2012 SAMSUNG All rights reserved
PROTECTING APP FROM USERS No more android:debuggable on the manifest Don't leave this enabled in release code! ADT 8.0+ do it for you automatically Copyright © 1995-2012 SAMSUNG All rights reserved
PROTECTING APP FROM USERS $ adb shell shell@android:/ $ run-as com.android.example sh shell@android:/data/data/com.android.example $ id uid=10060(app_60) gid=10060(app_60) shell@android:/data/data/com.android.example $ ls files/secret_data.txt shell@android:/data/data/com.android.example $ cat files/secret_data.txt Copyright © 1995-2012 SAMSUNG All rights reserved
IT'S NOT JUST ABOUT YOUR APP INSECURE NETWORK LOST OR STOLEN DEVICES
USE SAFE NETWORKING HTTPS and SSL can protect against Man in the Middle attacks and prevent casual snooping Server certificate validity must be correctly checked "15% of apps have weak or bad SSL implementation on the Play Store" Free certified SSL: https://www.startssl.com/ Copyright © 1995-2012 SAMSUNG All rights reserved
DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS ...but it may help discouraging curious. Use a peer-reviewed library like KeyCzar Take care of the key : Create it at first start, with true random Or grab a user key from your server Or ask the user for a passphrase you won't store Copyright © 1995-2012 SAMSUNG All rights reserved
DEVICE ADMINISTRATION On a corporate environment, device administration can be considered Password management Device encryption Disable camera Lock the device Remote wipe Copyright © 1995-2012 SAMSUNG All rights reserved
BEHIND THE STAGE The APK's content is always world readable, take care about what you put inside Sensitive files should be kept out of the APK Java is open source, your code too Using Proguard takes a single line of code Or... Dex encryption AAPT modified Logic on server Copyright © 1995-2012 SAMSUNG All rights reserved
IT'S NOT JUST ABOUT SECURITY THINK ABOUT POLITICS...
THE SECURITY PARADOX Copyright © 1995-2012 SAMSUNG All rights reserved
NEVER FORGET THE USER, NEVAAAAA! "The more secure you make something, the less secure it becomes" Level the security following the user acceptance or... Users will find workarounds Users won't use your service Copyright © 1995-2012 SAMSUNG All rights reserved
REFERENCES Google I/O 2012 Sessions Android Developpers Live Youtube channel Android Developement Android Developement: Using Cryptography The Commons Blog InformationWeek: Security Paradox ThreatPost: SLL implementation on Android apps StartSSL Free certificates Copyright © 1995-2012 SAMSUNG All rights reserved
SAMSUNG SMART APP CHALLENGE 2013 SAMSUNG SMART APP CHALLENGE 2013 A Global app challenge Apps for the Galaxy S4 Use of Samsung Chord SDK Apply June 20 - August 31 $800,000 for 10 winners www.smartappchallenge.com
SAMSUNG DEVELOPERS http://developer.samsung.com SDKs and Documentation Samsung Chord SDK Bluetooth Low Energy SDK S Pen & Multi Window SDK AllShare Framework Remote Test Lab Test your applications on real devices through the internet Free 24H 365 Days Real Device, NOT emulator Multiple Devices
THANK YOU! Slides http://bit.ly/droidcon-sec http://eyal.fr

Recomendados

Droidcon secureyourapp fighttheleaks-samsung
Droidcon secureyourapp fighttheleaks-samsungDroidcon secureyourapp fighttheleaks-samsung
Droidcon secureyourapp fighttheleaks-samsung
ottot
 
Instrumentation 101
Instrumentation 101Instrumentation 101
Instrumentation 101
Apkudo
 
Testing Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToTesting Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have To
Apkudo
 
PlayStore bashing: learn from the biggest fails on the Google Play Store
PlayStore bashing: learn from the biggest fails on the Google Play StorePlayStore bashing: learn from the biggest fails on the Google Play Store
PlayStore bashing: learn from the biggest fails on the Google Play Store
Eyal Lezmy
 
Gradle plugin, take control of the build
Gradle plugin, take control of the buildGradle plugin, take control of the build
Gradle plugin, take control of the build
Eyal Lezmy
 
Android, the life of your app
Android, the life of your appAndroid, the life of your app
Android, the life of your app
Eyal Lezmy
 
Build a user experience on Android
Build a user experience on AndroidBuild a user experience on Android
Build a user experience on Android
Eyal Lezmy
 
Android mit Google Befreiung, PlayStore Apps im eigenen Repo
Android mit Google Befreiung, PlayStore Apps im eigenen RepoAndroid mit Google Befreiung, PlayStore Apps im eigenen Repo
Android mit Google Befreiung, PlayStore Apps im eigenen Repo
B1 Systems GmbH
 

Recomendados

Droidcon secureyourapp fighttheleaks-samsung
Droidcon secureyourapp fighttheleaks-samsungDroidcon secureyourapp fighttheleaks-samsung
Droidcon secureyourapp fighttheleaks-samsung
ottot
 
Instrumentation 101
Instrumentation 101Instrumentation 101
Instrumentation 101
Apkudo
 
Testing Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToTesting Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have To
Apkudo
 
PlayStore bashing: learn from the biggest fails on the Google Play Store
PlayStore bashing: learn from the biggest fails on the Google Play StorePlayStore bashing: learn from the biggest fails on the Google Play Store
PlayStore bashing: learn from the biggest fails on the Google Play Store
Eyal Lezmy
 
Gradle plugin, take control of the build
Gradle plugin, take control of the buildGradle plugin, take control of the build
Gradle plugin, take control of the build
Eyal Lezmy
 
Android, the life of your app
Android, the life of your appAndroid, the life of your app
Android, the life of your app
Eyal Lezmy
 
Build a user experience on Android
Build a user experience on AndroidBuild a user experience on Android
Build a user experience on Android
Eyal Lezmy
 
Android mit Google Befreiung, PlayStore Apps im eigenen Repo
Android mit Google Befreiung, PlayStore Apps im eigenen RepoAndroid mit Google Befreiung, PlayStore Apps im eigenen Repo
Android mit Google Befreiung, PlayStore Apps im eigenen Repo
B1 Systems GmbH
 
Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobes
iTrobes
 
Migrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMigrating JavaME Apps to Android
Migrating JavaME Apps to Android
Motorola Mobility - MOTODEV
 
Security - Part II.pdf
Security - Part II.pdfSecurity - Part II.pdf
Security - Part II.pdf
ShaiAlmog1
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Codemotion
 
MobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application DevelopmentMobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application Development
mobilizeurapps
 
Sightly_techInsight
Sightly_techInsightSightly_techInsight
Sightly_techInsight
Purnendra Pratap Singh
 
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Gokhan Atil
 
X Means Y
X Means YX Means Y
X Means Y
CommonsWare
 
Delivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETDelivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JET
Simon Haslam
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
Cláudio André
 
Sst hackathon express
Sst hackathon expressSst hackathon express
Sst hackathon express
Aeshan Wijetunge
 
JMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocialJMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocial
Ryan Baxter
 
Oracle mcs overview 1029
Oracle mcs overview 1029Oracle mcs overview 1029
Oracle mcs overview 1029
Oracle Corporation
 
Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry Pi
Bruno Borges
 
Securing Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeSecuring Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - Adobe
CodeOps Technologies LLP
 
Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)
Sujee Maniyam
 
Android - Open Source Bridge 2011
Android - Open Source Bridge 2011Android - Open Source Bridge 2011
Android - Open Source Bridge 2011
sullis
 
Lesson 10
Lesson 10Lesson 10
Lesson 10
CITSimon
 
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Codemotion
 
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for DevelopersBuilding Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
arumsey
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
apidays
 

Más contenido relacionado

Similar a Secure your Android app- fight the leaks!

JMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocialJMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocial
Ryan Baxter
 
Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry Pi
Bruno Borges
 
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Codemotion
 
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for DevelopersBuilding Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
arumsey
 

Similar a Secure your Android app- fight the leaks! (20)

Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobes
 
Migrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMigrating JavaME Apps to Android
Migrating JavaME Apps to Android
 
Security - Part II.pdf
Security - Part II.pdfSecurity - Part II.pdf
Security - Part II.pdf
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
 
MobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application DevelopmentMobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application Development
 
Sightly_techInsight
Sightly_techInsightSightly_techInsight
Sightly_techInsight
 
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
 
X Means Y
X Means YX Means Y
X Means Y
 
Delivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETDelivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JET
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Sst hackathon express
Sst hackathon expressSst hackathon express
Sst hackathon express
 
JMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocialJMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocial
 
Oracle mcs overview 1029
Oracle mcs overview 1029Oracle mcs overview 1029
Oracle mcs overview 1029
 
Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry Pi
 
Securing Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeSecuring Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - Adobe
 
Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)
 
Android - Open Source Bridge 2011
Android - Open Source Bridge 2011Android - Open Source Bridge 2011
Android - Open Source Bridge 2011
 
Lesson 10
Lesson 10Lesson 10
Lesson 10
 
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
 
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for DevelopersBuilding Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Último (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Secure your Android app- fight the leaks!

  • 1. SECURE YOUR APP FIGHT THE LEAKS! DROIDCON PARIS 2013
  • 2. EYAL LEZMY ANDROID PRESALES ENGINEER, SAMSUNG B2B TREASURER AT PARIS ANDROID USER GROUP ANDROID GOOGLE DEVELOPER EXPERT Slides http://bit.ly/droidcon-sec http://eyal.fr
  • 4. APPS HAVE TO RESPECT THE DATA Different ways to unintentionally grant other apps access to the data inside your application : Exporting an unprotected component Storing personal data in a world readable file Logging personal data in logcat logs Copyright © 1995-2012 SAMSUNG All rights reserved
  • 5. CHECK YOUR ANDROIDMANIFEST.XML It declares accessible app components Activity, Service, Receive,... Adding <intent-filter> => your element is exported by default ContentProvider is always exported by default, until android:targetSdkVersion="17" Copyright © 1995-2012 SAMSUNG All rights reserved
  • 6. CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications <application android:label="@string/app_name"> … <service android:name=".ServiceExample“ android:exported="false"> <intent-filter> … </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
  • 7. CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications to <application android:label="@string/app_name"> ity itim … leg a? <service android:name=".ServiceExample“ ur at yo e d android:exported="false"> t is pos <intent-filter> ha ex … W </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
  • 8. PERMISIONS There are different permission protection levels: normal Lower risk permission dangerous Higher risk, access to user private data, potential negative impact signature Needs the same certificate signature Copyright © 1995-2012 SAMSUNG All rights reserved
  • 9. PERMISIONS Lets look at the code: <permission android:name="com.example.EXAMPLE_PERM“ android:label="@string/example_perm_l“ android:description="@string/example_perm_d“ android:icon="@drawable/example_perm_i“ android:protectionLevel="signature" /> ... <service android:name=".ServiceExample“ android:permission="com.example.EXAMPLE_PERM"> <intent-filter>...</intent-filter> </service> Copyright © 1995-2012 SAMSUNG All rights reserved
  • 10. PERMISIONS Don't be the weakest link Always check the permission of a caller if you use your permission private boolean checkPermission(Context context) { String permission = "com.example.EXAMPLE_PERM"; int res = context.checkCallingPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); } Copyright © 1995-2012 SAMSUNG All rights reserved
  • 11. DISABLE USELESS ACTIVITIES Fit your components lifecycle to your application's lifecycle If before configuration (login, account creation, ...) a service or activity is not useful, disable it If your application handles common implicit Intent's actions like ACTION_VIEW or ACTION_SEND consider disabling it by default Copyright © 1995-2012 SAMSUNG All rights reserved
  • 13. STORING DATA WISELY Protect personal data using MODE_PRIVATE for data files, shared preferences, and databases: openFileOutput() openSharedPreferences() openOrCreateDatabase() External storage (sdcard) is shared storage Copyright © 1995-2012 SAMSUNG All rights reserved
  • 14. PLEASE... SHUT THE FUCK UP! Don't expose data through logcat on production Detect the build mode with BuildConfig.DEBUG public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Be careful about this subject and test it during QA Copyright © 1995-2012 SAMSUNG All rights reserved
  • 15. PROTECTING APP FROM USERS No more android:debuggable on the manifest Don't leave this enabled in release code! ADT 8.0+ do it for you automatically Copyright © 1995-2012 SAMSUNG All rights reserved
  • 16. PROTECTING APP FROM USERS $ adb shell shell@android:/ $ run-as com.android.example sh shell@android:/data/data/com.android.example $ id uid=10060(app_60) gid=10060(app_60) shell@android:/data/data/com.android.example $ ls files/secret_data.txt shell@android:/data/data/com.android.example $ cat files/secret_data.txt Copyright © 1995-2012 SAMSUNG All rights reserved
  • 17. IT'S NOT JUST ABOUT YOUR APP INSECURE NETWORK LOST OR STOLEN DEVICES
  • 18. USE SAFE NETWORKING HTTPS and SSL can protect against Man in the Middle attacks and prevent casual snooping Server certificate validity must be correctly checked "15% of apps have weak or bad SSL implementation on the Play Store" Free certified SSL: https://www.startssl.com/ Copyright © 1995-2012 SAMSUNG All rights reserved
  • 19. DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS ...but it may help discouraging curious. Use a peer-reviewed library like KeyCzar Take care of the key : Create it at first start, with true random Or grab a user key from your server Or ask the user for a passphrase you won't store Copyright © 1995-2012 SAMSUNG All rights reserved
  • 20. DEVICE ADMINISTRATION On a corporate environment, device administration can be considered Password management Device encryption Disable camera Lock the device Remote wipe Copyright © 1995-2012 SAMSUNG All rights reserved
  • 21. BEHIND THE STAGE The APK's content is always world readable, take care about what you put inside Sensitive files should be kept out of the APK Java is open source, your code too Using Proguard takes a single line of code Or... Dex encryption AAPT modified Logic on server Copyright © 1995-2012 SAMSUNG All rights reserved
  • 22. IT'S NOT JUST ABOUT SECURITY THINK ABOUT POLITICS...
  • 23. THE SECURITY PARADOX Copyright © 1995-2012 SAMSUNG All rights reserved
  • 24. NEVER FORGET THE USER, NEVAAAAA! "The more secure you make something, the less secure it becomes" Level the security following the user acceptance or... Users will find workarounds Users won't use your service Copyright © 1995-2012 SAMSUNG All rights reserved
  • 25. REFERENCES Google I/O 2012 Sessions Android Developpers Live Youtube channel Android Developement Android Developement: Using Cryptography The Commons Blog InformationWeek: Security Paradox ThreatPost: SLL implementation on Android apps StartSSL Free certificates Copyright © 1995-2012 SAMSUNG All rights reserved
  • 26. SAMSUNG SMART APP CHALLENGE 2013 SAMSUNG SMART APP CHALLENGE 2013 A Global app challenge Apps for the Galaxy S4 Use of Samsung Chord SDK Apply June 20 - August 31 $800,000 for 10 winners www.smartappchallenge.com
  • 27. SAMSUNG DEVELOPERS http://developer.samsung.com SDKs and Documentation Samsung Chord SDK Bluetooth Low Energy SDK S Pen & Multi Window SDK AllShare Framework Remote Test Lab Test your applications on real devices through the internet Free 24H 365 Days Real Device, NOT emulator Multiple Devices