Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Defensive Android Security

bolot
September 21, 2017
Programming
0
84

Defensive Android Security

Security vulnerabilities make great headlines. Attackers need to find only one weakness, you need to defend against them all. Fortunately, you are not alone. Learn about the security mechanisms in the Android platform and Google Play services. How to evaluate your own app's security using checklists like OWASP MASVS (Mobile Application Security Verification Standard).

bolot

September 21, 2017
Tweet

More Decks by bolot

See All by bolot
Coroutines: Kotlin Versus DCSF18
bolot
2
570
MLKit DevFest18 ATL
bolot
0
150
Kotlin Coroutines: Beyond async-await
bolot
2
480
Kotlin - Class Destroyer
bolot
0
400
Secure Networking, Connect Tech 2017
bolot
0
65
What Android developers should know about security
bolot
0
220
android transition framework
bolot
0
110

Other Decks in Programming

See All in Programming
新宿ダンジョンを可視化してみた
satoshi7190
3
380
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
140
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
7
970
CREってこういうこと? 体験入社 - 提案資料 - / what-is-cre-trial-employment
shinden
1
510
Let's learn code review
riofujimon
2
570
敵対的ポイフル
futabato
0
130
Goのエラースタックトレースの歴史と今後
sonatard
10
1.8k
PHPはいつから死んでいるかの調査
chiroruxx
2
410
Snowflakeで眠ったデータを起こそう!
estie
0
140
障害対応を起点としたもっといい開発と運用のサイクル作りのためにできること / Hatena Enginner Seminar #29
polamjag
0
370
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
1k
Scalable Customer Journey Orchestration (CJO)
lewuathe
0
420

Featured

See All Featured
Clear Off the Table
cherdarchuk
85
310k
KATA
mclloyd
16
12k
Ruby is Unlike a Banana
tanoku
96
10k
Teambox: Starting and Learning
jrom
128
8.4k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
117
18k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k
Debugging Ruby Performance
tmm1
70
11k
Design by the Numbers
sachag
274
18k
Infographics Made Easy
chrislema
238
18k
Product Roadmaps are Hard
iamctodd
45
9.7k
Music & Morning Musume
bryan
41
5.6k

Transcript

  1. Defensive Android Security Bolot Kerimbaev, Big Nerd Ranch

  2. Headlines 143 million

  3. Security Bulletins

  4. Security Goals • Keep user data safe • Keep system

    integrity • Prevent unauthorized operations • Ensure communication integrity • Platform vs apps

  5. Security Goals • Planning • Cost / Benefit • Threat

    Modeling • Evaluation Value Attack Defense

  6. Defenses

  7. Attack Surface • Linux kernel, forked, older version • Communication,

    SMS, NFC, Bluetooth, USB • Device drivers, GPU, modem • Web view, Chrome • Android architecture, sandbox, permissions • Networking libraries, CA trust • Storage • Third party libraries • Other apps • Your own app

  8. Platform Security • Linux Security • Application Sandbox • Permissions

    • Software Updates • Application Signing • Secure IPC (Binder) • Keystore • Verified Boot • Google Play • Verify Apps • SafetyNet • ASLR, PIE, NX, SELinux

  9. Platform Security

  10. Oreo/Treble

  11. APK Signature v2

  12. Media Server Hardening

  13. Fingerprint Auth

  14. Platform Security • Android Security Year in Review • Security

    Bulletins • CDD, CTS

  15. Network Security • Modern TLS, Good Ciphers • PKI and

    Certificate Authority • Network Security Configuration • Use Good Libraries • Tomorrow: These and Other Rules

  16. Security Practices

  17. Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA

    • OWASP MASVS

  18. Android Security Checklist

  19. OWASP

  20. App Security • Storage • Communication • Auth • Input

    Validation • IPC • WebView • Encryption • Keystore • Fingerprint • Auth

  21. What Can Developers Do? • Practice security as a user

    • Optimize for best security practices • Training • Checklists • Audits, Reviews

  22. Other Talks • DevNexus 2017 • Josh Skeen: Keeping Secrets

    Secure • What Android Developers Should Know About Security

  23. Resources • https://source.android.com/security • https://github.com/OWASP/owasp-mstg • https://github.com/OWASP/owasp-masvs • https://github.com/b-mueller/android_app_security_checklist •

    https://www.nngroup.com/articles/security-and-human-factors/

  24. Questions? • @bolot • @bignerdranch • BNR Security Courses -

    soon