SlideShare a Scribd company logo

Android security

Download as PPTX, PDF
M
Mobile Rtpl

The document discusses developing secure Android apps and provides guidelines for doing so. It outlines potential attack vectors like malicious apps or files and the importance of following security best practices such as using encryption, testing third party libraries, and securing intents, logs, and webviews. The document encourages avoiding simple validation logic, using tokens for authentication, HTTPS, and provides tips for code obfuscation as well as tools that can help find vulnerabilities.

Mobile
Related topics:
Mobile App Insights
1 of 22
Downloaded 81 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Android Security Developing Secure App
Secure Coding Guidelines •Such guidelines even exists? •Who cares! No one's gonna hack my app. •Lets finish this project anyhow!!!
Secure Coding Guidelines • Computer Emergency ResponseTeam (CERT) • Expert groups that handle Computer/IT security incidents. • Issued Android Secure Coding Guidelines. • Mission: We reduce the number of vulnerabilities to a level that can be fully mitigated in operational environments.
Packaging
AttackVectors in Android
AttackVectors
AttackVectors • Mounting SD Card in PC • Malicious App • Network Attack • Malicious File Attack • User’s Unawareness • USB Debugging • Root permissions!! (Can do anything)
Security Policy in Android
Unix Security Policy 1. Process Isolation 2. Hardware Isolation 3. User Permission Model 4. R/W/X Permissions to file 5. Secure IPC
Android Security Policy 1. Application Isolation 2. Sandbox of Application 3. Secure Communication 4. Signing the Application 5. Permission model of Application
To Do's To Secure Apps
Avoid Simple Logics private void validate(){ if(mLoginAccess == 1 ){ // TODO: update user. } } private void validate() { if (mLogin.hasAccess == true) { // TODO: update user. } } private void validate() { if (mLogin.hasAccess) { // TODO: update user. } }
Test 3rd Party Libraries! •Caution: Developers rely heavily on third-party libraries. It is important to thoroughly probe and test this as you test your code. Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code.
Use Encryption •Caution: External storage can become unavailable if the user mounts the external storage on a computer or removes the media, and there's no security enforced upon files you save to the external storage. All applications can read and write files placed on the external storage and the user can remove them. http://developer.android.com/guide/topics/data/data- storage.html
But How to Encrypt? To Secure Apps
How to Encrypt or Encode? 1. Encode Shared Preferences 2.Encrypt SQLite: SQLCipher 3. Encrypt Network:TLS 4.Data Encryption: Facebook’s Conceal Library 5.MD5, SHA Sensitive Data
To be Secured 1. Secure Intents 2.SecureWebView 3. Secure Logs 4.Secure Intent Leaks
Code Obfuscation 1. Proguard 2.Don't include unused Classes and Libraries 3. Difficult to protect from Smali Decompilation
To Use 1. Use ofTokens for Authentication 2.Use of HTTPS!
Our Evils 1. ADB 2.MaliciousApplications 3. Unprotected Network 4.Sniffers
Our Friends 1. Android Fuzzers 2.Xposed Framework 3. Drozer 4.APKtool or any other StaticAnalysisTool 5.PenetrationTools for Android 6.and Many more...
Thank you! @DearDhruv

More Related Content

PPT
Android Security
Suminda Gunawardhana
 
PDF
Android Security
Lars Jacobs
 
PPTX
Mobile security
priyanka pandey
 
PPTX
Android security
Midhun P Gopi
 
PPTX
Android Security
Arqum Ahmad
 
PPTX
Mobile security
CyberoamAcademy
 
PPTX
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
PPTX
Mobile security
Mphasis
 
Android Security
Suminda Gunawardhana
 
Android Security
Lars Jacobs
 
Mobile security
priyanka pandey
 
Android security
Midhun P Gopi
 
Android Security
Arqum Ahmad
 
Mobile security
CyberoamAcademy
 
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Mobile security
Mphasis
 

What's hot (20)

PDF
Mobile Application Security
cclark_isec
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
PPTX
Understanding android security model
Pragati Rai
 
PDF
Mobile Security
Xavier Mertens
 
PDF
Android Security & Penetration Testing
Subho Halder
 
PPTX
Introduction To Exploitation & Metasploit
Raghav Bisht
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PDF
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
PDF
Mobile Malware
Martin Holovský
 
PPTX
What is Ransomware
jeetendra mandal
 
PPTX
Mobile Application Testing Training Presentation
MobiGnosis
 
PPTX
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
PPTX
Osint {open source intelligence }
AkshayJha40
 
PPTX
Mobile security
Naveen Kumar
 
PPT
Introduction To OWASP
Marco Morana
 
PDF
Mobile Security
MarketingArrowECS_CZ
 
PDF
Malware classification and detection
Chong-Kuan Chen
 
PPTX
Pentesting Android Apps
Abdelhamid Limami
 
PPTX
IOS security
bakhti rahman
 
PDF
iOS Application Penetration Testing
n|u - The Open Security Community
 
Mobile Application Security
cclark_isec
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Understanding android security model
Pragati Rai
 
Mobile Security
Xavier Mertens
 
Android Security & Penetration Testing
Subho Halder
 
Introduction To Exploitation & Metasploit
Raghav Bisht
 
Mobile Application Security
Ishan Girdhar
 
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
Mobile Malware
Martin Holovský
 
What is Ransomware
jeetendra mandal
 
Mobile Application Testing Training Presentation
MobiGnosis
 
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Osint {open source intelligence }
AkshayJha40
 
Mobile security
Naveen Kumar
 
Introduction To OWASP
Marco Morana
 
Mobile Security
MarketingArrowECS_CZ
 
Malware classification and detection
Chong-Kuan Chen
 
Pentesting Android Apps
Abdelhamid Limami
 
IOS security
bakhti rahman
 
iOS Application Penetration Testing
n|u - The Open Security Community
 
Ad

Viewers also liked (18)

PPTX
Permission in Android Security: Threats and solution
Tandhy Simanjuntak
 
PDF
Deep Dive Into Android Security
Marakana Inc.
 
ODP
Android security in depth
Sander Alberink
 
PPTX
Security threats in Android OS + App Permissions
Hariharan Ganesan
 
PPT
Understanding Android Security
Asanka Dilruk
 
PPTX
Android sandbox
Anusha Chavan
 
PDF
Brief Tour about Android Security
National Cheng Kung University
 
PPTX
Information Security and Privacy
Anika Tasnim Hafiz
 
PDF
Digging for Android Kernel Bugs
Jiahong Fang
 
PDF
Security in Android Applications / Александр Смирнов (RedMadRobot)
Ontico
 
PDF
Android coding standard
Rakesh Jha
 
PDF
Android Security Overview and Safe Practices for Web-Based Android Applications
h4oxer
 
PDF
Android Security - Common Security Pitfalls in Android Applications
BlrDroid
 
PPSX
Mobile device security informative v2
Salman Zahid
 
PPTX
Android security model
rrand1
 
PDF
Testing Android Security
Jose Manuel Ortega Candel
 
PDF
Fuzzing the Media Framework in Android
E Hacking
 
PDF
Android system security
Chong-Kuan Chen
 
Permission in Android Security: Threats and solution
Tandhy Simanjuntak
 
Deep Dive Into Android Security
Marakana Inc.
 
Android security in depth
Sander Alberink
 
Security threats in Android OS + App Permissions
Hariharan Ganesan
 
Understanding Android Security
Asanka Dilruk
 
Android sandbox
Anusha Chavan
 
Brief Tour about Android Security
National Cheng Kung University
 
Information Security and Privacy
Anika Tasnim Hafiz
 
Digging for Android Kernel Bugs
Jiahong Fang
 
Security in Android Applications / Александр Смирнов (RedMadRobot)
Ontico
 
Android coding standard
Rakesh Jha
 
Android Security Overview and Safe Practices for Web-Based Android Applications
h4oxer
 
Android Security - Common Security Pitfalls in Android Applications
BlrDroid
 
Mobile device security informative v2
Salman Zahid
 
Android security model
rrand1
 
Testing Android Security
Jose Manuel Ortega Candel
 
Fuzzing the Media Framework in Android
E Hacking
 
Android system security
Chong-Kuan Chen
 
Ad

Similar to Android security (20)

PDF
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
PDF
Yow connected developing secure i os applications
mgianarakis
 
PDF
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
PDF
Mobile App Security - Best Practices
RedBlackTree
 
PDF
" onclick="alert(1)
slideshareperson2
 
PDF
<marquee>html title testfsdjk34254</marquee>
slideshareperson2
 
PDF
Secure codingguide
David Kwak
 
PPTX
Security testing of mobile applications
GTestClub
 
PPTX
Untitled 1
Sergey Kochergan
 
PDF
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
PDF
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
PDF
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
PDF
9 Writing Secure Android Applications
Sam Bowne
 
PDF
AusCERT - Developing Secure iOS Applications
eightbit
 
PPTX
Android Security and Peneteration Testing
Surabaya Blackhat
 
PPTX
Building a Mobile Security Program
Denim Group
 
PPT
Analysis and research of system security based on android
Ravishankar Kumar
 
PDF
From velvet to silk there is still a lot of sweat
Stefano Maccaglia
 
PPTX
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
PPTX
Started In Security Now I'm Here
Christopher Grayson
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
Felipe Prado
 
Yow connected developing secure i os applications
mgianarakis
 
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
Mobile App Security - Best Practices
RedBlackTree
 
" onclick="alert(1)
slideshareperson2
 
<marquee>html title testfsdjk34254</marquee>
slideshareperson2
 
Secure codingguide
David Kwak
 
Security testing of mobile applications
GTestClub
 
Untitled 1
Sergey Kochergan
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
9 Writing Secure Android Applications
Sam Bowne
 
AusCERT - Developing Secure iOS Applications
eightbit
 
Android Security and Peneteration Testing
Surabaya Blackhat
 
Building a Mobile Security Program
Denim Group
 
Analysis and research of system security based on android
Ravishankar Kumar
 
From velvet to silk there is still a lot of sweat
Stefano Maccaglia
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
Started In Security Now I'm Here
Christopher Grayson
 

Android security

  • 2. Secure Coding Guidelines •Such guidelines even exists? •Who cares! No one's gonna hack my app. •Lets finish this project anyhow!!!
  • 3. Secure Coding Guidelines • Computer Emergency ResponseTeam (CERT) • Expert groups that handle Computer/IT security incidents. • Issued Android Secure Coding Guidelines. • Mission: We reduce the number of vulnerabilities to a level that can be fully mitigated in operational environments.
  • 7. AttackVectors • Mounting SD Card in PC • Malicious App • Network Attack • Malicious File Attack • User’s Unawareness • USB Debugging • Root permissions!! (Can do anything)
  • 9. Unix Security Policy 1. Process Isolation 2. Hardware Isolation 3. User Permission Model 4. R/W/X Permissions to file 5. Secure IPC
  • 10. Android Security Policy 1. Application Isolation 2. Sandbox of Application 3. Secure Communication 4. Signing the Application 5. Permission model of Application
  • 12. Avoid Simple Logics private void validate(){ if(mLoginAccess == 1 ){ // TODO: update user. } } private void validate() { if (mLogin.hasAccess == true) { // TODO: update user. } } private void validate() { if (mLogin.hasAccess) { // TODO: update user. } }
  • 13. Test 3rd Party Libraries! •Caution: Developers rely heavily on third-party libraries. It is important to thoroughly probe and test this as you test your code. Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code.
  • 14. Use Encryption •Caution: External storage can become unavailable if the user mounts the external storage on a computer or removes the media, and there's no security enforced upon files you save to the external storage. All applications can read and write files placed on the external storage and the user can remove them. http://developer.android.com/guide/topics/data/data- storage.html
  • 15. But How to Encrypt? To Secure Apps
  • 16. How to Encrypt or Encode? 1. Encode Shared Preferences 2.Encrypt SQLite: SQLCipher 3. Encrypt Network:TLS 4.Data Encryption: Facebook’s Conceal Library 5.MD5, SHA Sensitive Data
  • 17. To be Secured 1. Secure Intents 2.SecureWebView 3. Secure Logs 4.Secure Intent Leaks
  • 18. Code Obfuscation 1. Proguard 2.Don't include unused Classes and Libraries 3. Difficult to protect from Smali Decompilation
  • 19. To Use 1. Use ofTokens for Authentication 2.Use of HTTPS!
  • 20. Our Evils 1. ADB 2.MaliciousApplications 3. Unprotected Network 4.Sniffers
  • 21. Our Friends 1. Android Fuzzers 2.Xposed Framework 3. Drozer 4.APKtool or any other StaticAnalysisTool 5.PenetrationTools for Android 6.and Many more...