How to make Android apps secure: Dos and don’ts
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Connect with us
Follow us on Twitter @NowSecureMobile
—
NowSecure’s Secure Mobile Development Best Practices
www.nowsecure.com/resources/secure-mobile-development/
—
Visit our website https://www.nowsecure.com
Jake Van Dyke, Mobile security researcher
Sam Bakken, Content marketing manager
Pokemon GO
Read the NowSecure blog post about security risks and Pokemon GO:
https://www.nowsecure.com/blog/2016/07/12/pokemon-go-security-risks-what-cisos-and-security-pros-need-to-know/
Contents
● Overview
● Android app security fails
● Dos and don’ts
● Questions
Overview
25% of apps include a high-risk flaw
x
33 apps installed on the average device
=
>8 vulnerable apps on a device
Sources: Mary Meeker, Internet Trends 2016; 2016 NowSecure Mobile Security Report
53,844 devices in the average global enterprise
444,213 vulnerable apps residing on dual-use devices in the average global enterprise
Source: Ponemon Institute, The Economic Risk of Confidential Data on Mobile Devices in the Workplace
Recent Android security developments
● Static analysis on apps submitted to Google Play
● Detecting links to third-party libraries
● Android Nougat
○ File system permission changes
○ Sharing files between apps
○ NDK apps linking to platform libraries
○ Android for Work apps
○ Crypto and SHA1PRNG are deprecated
○ Changes to trusted certificate authorities (CA)
https://developer.android.com/preview/behavior-changes.html
General tightening of security in the OS and SDK to provide a “safety net”
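The "Crypto and SHA1PRNG are deprecated" item above is the Nougat change that broke the most apps in practice: a common pattern "derived" an AES key by seeding SHA1PRNG from the old Crypto provider with the user's password, relying on the undocumented fact that the same seed produced the same bytes. The following example is written for this page, not taken from the NowSecure deck; it shows that legacy pattern next to a real salted KDF (PBKDF2) that behaves identically on every Android release. The iteration count, key size and sample password are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the NowSecure deck: the pre-Nougat "seed SHA1PRNG with the
// password" key derivation next to a PBKDF2 derivation that works on every Android release.
public final class KeyDerivation {

    // DON'T: this relied on the old Crypto provider's SHA1PRNG returning the same bytes for
    // the same seed, which was never a documented guarantee. Android 7.0 removed the provider:
    // for apps targeting API 24+ this getInstance() call throws NoSuchProviderException, and
    // the remaining SHA1PRNG implementation does not promise seed-determined output, so data
    // encrypted with such a "key" becomes unrecoverable.
    @Deprecated
    static byte[] legacyKeyFromPassword(char[] password) throws GeneralSecurityException {
        SecureRandom prng = SecureRandom.getInstance("SHA1PRNG", "Crypto");
        prng.setSeed(new String(password).getBytes(StandardCharsets.UTF_8));
        byte[] key = new byte[16];
        prng.nextBytes(key);
        return key;
    }

    // DO: a documented, salted, iterated KDF. Same password + same salt -> same key on any
    // platform, and each guess costs an offline attacker ITERATIONS HMAC computations.
    static final int ITERATIONS = 100_000; // assumption; tune to your device budget
    static final int KEY_BITS = 256;

    static SecretKeySpec keyFromPassword(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            // PBKDF2WithHmacSHA256 is available from Android 8.0 (API 26); use
            // PBKDF2WithHmacSHA1 if you must support older devices.
            byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(keyBytes, "AES");
        } finally {
            spec.clearPassword(); // PBEKeySpec holds its own copy of the password
        }
    }

    // The salt comes from the platform CSPRNG. The no-arg constructor is the documented way
    // to obtain a properly seeded SecureRandom; never call setSeed() on it yourself.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Stand-alone check: derivation is reproducible for a fixed salt and differs across salts.
    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample input
        byte[] salt1 = newSalt();
        byte[] salt2 = newSalt();
        byte[] a = keyFromPassword(pw, salt1).getEncoded();
        byte[] b = keyFromPassword(pw, salt1).getEncoded();
        byte[] c = keyFromPassword(pw, salt2).getEncoded();
        System.out.println("same salt reproducible: " + Arrays.equals(a, b));
        System.out.println("different salt differs: " + !Arrays.equals(a, c));
        Arrays.fill(pw, '\0'); // wipe the password from RAM once it has been used
    }
}
```

Store the salt beside the ciphertext (it is not secret); if you are migrating data that was encrypted with the legacy pattern, decrypt it on a device where the old provider still exists and re-encrypt under the PBKDF2 key before the user upgrades.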
Android app security fails
Vulnerabilities in the Vitamio SDK
World Writable Code Is Bad, MMMMKAY
NowSecure Blog
Relevant best practice
Test third party libraries
“Third-party libraries can contain
vulnerabilities and weaknesses. Many
developers assume third-party libraries are
well-developed and tested, however, issues can
and do exist in their code.”
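The bug class behind "World Writable Code Is Bad" is worth seeing in code: an SDK that drops a native library into a world-writable file under the app's data directory and then System.load()s it hands every other app on the device code execution inside your process. The example below was written for this page; it is not the Vitamio SDK's code or the deck's. It shows the insecure write, then a hardened version that writes privately, strips write permission and checks a pinned SHA-256 before loading. The expected digest is an assumption (it would ship inside the signed APK). Shipping the .so in the APK's lib/ directory is better still, since that directory is signed and read-only.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not code from the deck or the Vitamio SDK: world-writable native library
// (insecure) versus private, read-only, digest-checked library (hardened).
public final class NativeLibLoader {

    // DON'T: MODE_WORLD_WRITEABLE makes the file writable by every app on the device.
    // On Android 7.0+, apps targeting API 24 or higher get a SecurityException here;
    // apps with an older target still silently get a world-writable file.
    @SuppressWarnings("deprecation")
    static File writeLibraryInsecurely(Context ctx, String name, InputStream src) throws IOException {
        try (OutputStream out = ctx.openFileOutput(name, Context.MODE_WORLD_WRITEABLE)) {
            copy(src, out);
        }
        return new File(ctx.getFilesDir(), name);
    }

    // DO: private file, write permission cleared afterwards, and a constant-time comparison
    // against a digest that shipped in the signed APK (expectedSha256 is an assumption here).
    static File writeLibrarySecurely(Context ctx, String name, InputStream src, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        File target = new File(ctx.getFilesDir(), name);
        try (OutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            copy(src, out);
        }
        if (!target.setWritable(false, false)) { // ownerOnly=false: clear write for everyone
            target.delete();
            throw new IOException("could not make " + name + " read-only");
        }
        if (!MessageDigest.isEqual(expectedSha256, sha256(target))) {
            target.delete();
            throw new SecurityException("digest mismatch for " + name + "; refusing to keep it");
        }
        return target;
    }

    // Last line of defence before handing the path to the dynamic linker.
    static void load(File lib) {
        if (lib.canWrite()) {
            throw new SecurityException("refusing to load writable code from " + lib);
        }
        System.load(lib.getAbsolutePath());
    }

    static byte[] sha256(File f) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return md.digest();
    }

    static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
    }
}
```

When testing a third-party library, the quick check on a debug device is `adb shell ls -l /data/data/<package>/` (with your own package name substituted) after the SDK has initialised: any file or directory showing a mode like `-rw-rw-rw-` or `drwxrwxrwx` is the Vitamio pattern, and if the SDK later loads or executes that file the finding is code execution, not just data tampering.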
SwiftKey vulnerabilities
(CVE-2015-4640 & CVE-2015-4641)
Remote Code Execution as System User on Samsung Phones
NowSecure Blog
Relevant best practices
Fully validate SSL/TLS
“An application not properly validating its
connection to the server is susceptible to a
man-in-the-middle attack by a privileged
network attacker.”
Embrace least permissions
Secure Mobile Development Best Practices (SMDBP)
Review the NowSecure Secure Mobile Development Best Practices in their entirety:
https://www.nowsecure.com/resources/secure-mobile-development/
Android
● Implement File Permissions Carefully
● Implement Intents Carefully
● Check Activities
● Use Broadcasts Carefully
● Implement Pending Intents Carefully
● Protect Application Services
● Avoid Intent Sniffing
● Implement Content Providers Carefully
● Follow WebView Best Practices
● Avoid Storing Cached Camera Images
● Avoid GUI Objects Caching
● Sign Android APKs
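Four of the items in the list above (intents, broadcasts, pending intents, intent sniffing) are the same mistake seen from different sides: letting the system pick the recipient of a message you meant for yourself. The example below is written for this page and is not the deck's or any real app's code; the action string, the signature-level permission and the component names are assumptions. Each DON'T is followed by the explicit or permission-gated form that closes the hole.

```java
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

// Added example, not code from the deck. Names below are assumptions, not real components.
public final class IntentHardening {

    static final String ACTION_SYNC_DONE = "com.example.app.action.SYNC_DONE";
    // Assumed to be declared in the manifest with android:protectionLevel="signature",
    // so only apps signed with our key can hold it.
    static final String PERM_INTERNAL = "com.example.app.permission.INTERNAL";
    static final String SETTINGS_ACTIVITY = "com.example.app.SettingsActivity";
    static final String SYNC_RECEIVER = "com.example.app.SyncDoneReceiver";

    // DON'T: an implicit broadcast carrying a secret. Every installed app with a matching
    // receiver gets a copy; this is intent sniffing.
    static void broadcastImplicitWithSecret(Context ctx, String sessionToken) {
        Intent i = new Intent(ACTION_SYNC_DONE).putExtra("token", sessionToken);
        ctx.sendBroadcast(i);
    }

    // DO: name the component, scope to our own package, and carry an opaque reference the
    // receiver resolves locally instead of the secret itself.
    static void broadcastExplicit(Context ctx, String syncId) {
        Intent i = new Intent(ACTION_SYNC_DONE)
                .setClassName(ctx, SYNC_RECEIVER)
                .setPackage(ctx.getPackageName())
                .putExtra("syncId", syncId);
        ctx.sendBroadcast(i);
    }

    // DO: when a trusted companion app must receive it, gate delivery on the signature permission.
    static void broadcastToTrustedApps(Context ctx) {
        ctx.sendBroadcast(new Intent(ACTION_SYNC_DONE), PERM_INTERNAL);
    }

    // DO: a runtime-registered receiver restricts senders the same way. (For apps targeting
    // Android 14+, use the overload that also takes Context.RECEIVER_NOT_EXPORTED.)
    static void registerProtectedReceiver(Context ctx, BroadcastReceiver receiver) {
        ctx.registerReceiver(receiver, new IntentFilter(ACTION_SYNC_DONE), PERM_INTERNAL, null);
    }

    // DON'T: a mutable PendingIntent wrapping an empty base intent. Whoever you hand it to
    // (a notification, an app-widget host, another app) can fill in component and extras,
    // and the system launches the result with OUR uid and permissions.
    static PendingIntent pendingMutableBlank(Context ctx) {
        return PendingIntent.getActivity(ctx, 0, new Intent(), PendingIntent.FLAG_UPDATE_CURRENT);
    }

    // DO: fully specified explicit base intent plus FLAG_IMMUTABLE (API 23+), so the holder
    // can fire exactly this intent and nothing else. Android 12+ requires a mutability flag.
    static PendingIntent pendingImmutableExplicit(Context ctx) {
        Intent target = new Intent().setClassName(ctx, SETTINGS_ACTIVITY);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getActivity(ctx, 0, target, flags);
    }

    // Receiver side: validate what arrives even on a protected channel.
    static boolean isAcceptableSyncIntent(Intent intent) {
        if (intent == null || !ACTION_SYNC_DONE.equals(intent.getAction())) return false;
        String syncId = intent.getStringExtra("syncId");
        return syncId != null && syncId.matches("[A-Za-z0-9-]{1,64}");
    }
}
```

The manifest half of the same rule: any activity, service, receiver or provider that does not need to be reachable from other apps gets `android:exported="false"`, and anything that does get exported gets a permission; a component with an intent filter and no explicit exported attribute is exported on targets below API 31, which is how "Check Activities" and "Protect Application Services" findings usually arise.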
Coding practices
● Increase Code Complexity and Use Obfuscation
● Avoid Simple Logic
● Test Third-Party Libraries
● Implement Anti-tamper Techniques
● Securely Store Sensitive Data in RAM
● Understand Secure Deletion of Data
● Avoid Query String for Sensitive Data
Caching and logging
● Avoid Caching App Data
● Avoid Crash Logs
● Limit Caching of Username
● Carefully Manage Debug Logs
● Be Aware of the Keyboard Cache
● Be Aware of Copy and Paste
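Three of the caching and logging items ("Carefully Manage Debug Logs", "Be Aware of the Keyboard Cache", "Be Aware of Copy and Paste") plus "Securely Store Sensitive Data in RAM" come down to a handful of widget and logging settings. The example below was written for this page and is not code from the deck; the `DEBUG` constant stands in for the app's generated `BuildConfig.DEBUG` so the class compiles on its own.

```java
import android.text.InputType;
import android.util.Log;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.widget.EditText;
import java.util.Arrays;

// Added example, not code from the deck. DEBUG is a stand-in for BuildConfig.DEBUG.
public final class SensitiveInput {

    static final boolean DEBUG = false; // assumption: replace with BuildConfig.DEBUG

    // Keyboard cache: password input types are excluded from the soft keyboard's personal
    // dictionary and suggestion learning; NO_SUGGESTIONS covers other sensitive free text.
    // Copy/paste: no long-press menu and no selection action mode on this field.
    static void configure(EditText field, boolean isPassword) {
        int type = InputType.TYPE_CLASS_TEXT;
        type |= isPassword ? InputType.TYPE_TEXT_VARIATION_PASSWORD
                           : InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS;
        field.setInputType(type);
        field.setLongClickable(false);
        field.setCustomSelectionActionModeCallback(NO_ACTION_MODE);
    }

    // Returning false from onCreateActionMode suppresses the Cut/Copy/Share toolbar entirely.
    static final ActionMode.Callback NO_ACTION_MODE = new ActionMode.Callback() {
        @Override public boolean onCreateActionMode(ActionMode mode, Menu menu) { return false; }
        @Override public boolean onPrepareActionMode(ActionMode mode, Menu menu) { return false; }
        @Override public boolean onActionItemClicked(ActionMode mode, MenuItem item) { return false; }
        @Override public void onDestroyActionMode(ActionMode mode) { }
    };

    // RAM hygiene: read the secret into a char[] the caller can zero (a String cannot be
    // wiped), then blank the widget so the value is not kept in the view hierarchy or
    // written into a saved-instance bundle.
    static char[] takeSecret(EditText field) {
        int n = field.length();
        char[] out = new char[n];
        field.getText().getChars(0, n, out, 0);
        field.getText().clear();
        return out;
    }

    // Debug logging that the compiler drops entirely when DEBUG is a false constant, and
    // that never includes the secret itself. Logcat is readable by anyone with a USB cable
    // and, on Android versions before 4.1, by any app holding READ_LOGS.
    static void logRedacted(String tag, String what, char[] secret) {
        if (DEBUG) {
            Log.d(tag, what + ": <redacted, " + secret.length + " chars>");
        }
    }

    static void wipe(char[] secret) {
        Arrays.fill(secret, '\0');
    }
}
```

Call `wipe()` in a `finally` block as soon as the secret has been handed to the KDF or the network layer; the point of the `char[]` is lost if it is converted to a `String` along the way.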
Handling sensitive data
● Implement Secure Data Storage
● Use SECURE Setting for Cookies
● Fully Validate SSL/TLS
● Protect Against SSL Downgrade Attacks
● Limit Use of UUID
● Treat Geolocation Data Carefully
● Institute Local Session Timeout
● Implement Enhanced / Two-Factor Authentication
● Protect Application Settings
● Hide Account Numbers and Use Tokens
● Implement Secure Network Transmission of Sensitive Data
● Validate Input From Client
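"Implement Secure Data Storage" and "Institute Local Session Timeout" can be enforced by the same mechanism on Android 6.0 and later: encrypt the session token with an AES-GCM key that lives in the Android Keystore and mark that key as usable only for a short window after the user authenticates. The example below was written for this page and is not the deck's code; the key alias, the timeout and the blob layout are assumptions. Note the caveat in the comments: a key with user authentication required cannot be generated on a device without a secure lock screen.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not code from the deck: a session token sealed under an Android Keystore
// AES-GCM key (API 23+) whose use is bound to a recent user authentication.
public final class TokenVault {

    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "session_token_key"; // assumption
    private static final int AUTH_VALID_SECONDS = 300;            // local session timeout, assumption

    // DON'T: prefs.edit().putString("token", token).apply() writes plaintext XML under the
    // app's data directory, readable via backups, root, or any file-read bug in the app.

    static SecretKey getOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return (SecretKey) ks.getKey(KEY_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // Key material is generated and held by the keystore (hardware-backed where the
                // device supports it) and is never exported to the app process.
                // Requires a secure lock screen: generateKey() fails if none is configured.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(AUTH_VALID_SECONDS)
                .build());
        return kg.generateKey();
    }

    // Blob layout: [1 byte IV length][IV][ciphertext || GCM tag]. The keystore picks the IV;
    // supplying one is rejected while randomized encryption is required (the default).
    static byte[] seal(byte[] plaintext) throws GeneralSecurityException, IOException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(1 + iv.length + ct.length)
                .put((byte) iv.length).put(iv).put(ct).array();
    }

    // Throws android.security.keystore.UserNotAuthenticatedException once AUTH_VALID_SECONDS
    // have passed since the last unlock; that is the session timeout firing, and the caller
    // must send the user back through device authentication before retrying.
    static byte[] open(byte[] blob) throws GeneralSecurityException, IOException {
        int ivLen = blob[0] & 0xff;
        byte[] iv = Arrays.copyOfRange(blob, 1, 1 + ivLen);
        byte[] ct = Arrays.copyOfRange(blob, 1 + ivLen, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(128, iv));
        return c.doFinal(ct); // the GCM tag check fails on any tampering with the blob
    }

    // Logout: deleting the key makes every blob sealed under it permanently unreadable.
    static void wipe() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            ks.deleteEntry(KEY_ALIAS);
        }
    }
}
```

Persist the output of `seal()` (Base64 in SharedPreferences is fine, because it is ciphertext), and keep the token itself in memory only as long as a request needs it. This also serves "Hide Account Numbers and Use Tokens": the server-issued token is the only credential on the device, and it is unreadable without both the keystore key and a recent unlock.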
Webviews
● Prevent Framing and Clickjacking
● Protect Against CSRF with Form Tokens
Servers
● Implement Proper Web Server Configuration
● Properly Configure Server-side SSL
● Use Proper Session Management
● Protect and Pen Test Web Services
● Protect Internal Resources
Let’s talk: submit questions using the chat function in the GoToWebinar interface
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Learn more about developing secure Android and iOS apps with the
NowSecure Secure Mobile Development Best Practices -
www.nowsecure.com/resources/secure-mobile-development/