Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Safety first

Safety first

Best practices in app security presentation held at the 360AnDev conference in Denver, CO

Ana Baotić

July 28, 2016

More Decks by Ana Baotić

Other Decks in Programming


  1. Safety first Best practices in app security ANA BAOTIĆ TECHNICAL

  2. KEYSTORE Can be used for ALL build types You should

    NEVER lose it No one should EVER acquire it
  3. public abstract class e {
 private int a = -1;

    private String b = null;
 protected boolean k = false;
 public abstract void a(Intent var1);
 protected final void a(String var1) {
 this.b = var1;
 public final void c() {
 this.a = -1;
 this.b = null;
 public final boolean d() {
 return this.k;
  4. private readable safe Internal storage yes yes yes External storage

    no yes no Content providers depends yes yes Shared prefs. yes yes yes
  5. <?xml version="1.0" encoding="utf-8"?> <network-security-config>
 <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">example.com</domain> 

    <certificates src="@raw/my_ca"/> </trust-anchors> <pin-set expiration="2018-01-01"> <pin digest="SHA-256">7HIpa...BCoQYcRhJ3Y=</pin> <!-- backup pin --> <pin digest="SHA-256">fwza0...gO/04cDM1oE=</pin> </pin-set> </domain-config> </network-security-config> CONFIGURE IT
  6. INCLUDE YOUR CLIENTS IN THE PROCESS Keep them up-to-date Help

    them understand risks and advise them Insist on updates and security patches
  7. THINGS TO REMEMBER Use internal storage if applicable Encrypt data

    Use HTTPS Pin certificates Be aware of the update cycle
  8. REFERENCES • Gradle configuration • http://developer.android.com/guide/topics/data/data- storage.html#db • https://codahale.com/how-to-safely-store-a-password/ •

    http://www.developereconomics.com/android- cryptography-tools-for-beginners/ • https://www.airpair.com/android/posts/adding- tampering-detection-to-your-android-app
  9. REFERENCES • Android fingeprint security • Infinum security articles •

    Infinum Android newsletter • Keeping secrets in a Vault
  10. Thank you! Visit www.infinum.co or find us on social networks:

    infinum.co infinumco infinumco infinum [email protected] @ABAOTIC