Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Defensive Android Security

bolot
September 21, 2017
Programming
0
87

Defensive Android Security

Security vulnerabilities make great headlines. Attackers need to find only one weakness, you need to defend against them all. Fortunately, you are not alone. Learn about the security mechanisms in the Android platform and Google Play services. How to evaluate your own app's security using checklists like OWASP MASVS (Mobile Application Security Verification Standard).

bolot

September 21, 2017
Tweet

More Decks by bolot

See All by bolot
Coroutines: Kotlin Versus DCSF18
bolot
2
660
MLKit DevFest18 ATL
bolot
0
150
Kotlin Coroutines: Beyond async-await
bolot
2
560
Kotlin - Class Destroyer
bolot
0
450
Secure Networking, Connect Tech 2017
bolot
0
69
What Android developers should know about security
bolot
0
230
android transition framework
bolot
0
120

Other Decks in Programming

See All in Programming
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170
TypeScriptでライブラリとの依存を限定的にする方法
tutinoko
3
690
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
260
Less waste, more joy, and a lot more green: How Quarkus makes Java better
hollycummins
0
100
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
Ethereum_.pdf
nekomatu
0
460
cmp.Or に感動した
otakakot
3
200
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
430
Outline View in SwiftUI
1024jp
1
330
RubyLSPのマルチバイト文字対応
notfounds
0
120
Better Code Design in PHP
afilina
PRO
0
130
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
120

Featured

See All Featured
Automating Front-end Workflow
addyosmani
1366
200k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
How to Ace a Technical Interview
jacobian
276
23k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
A better future with KSS
kneath
238
17k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
The Cult of Friendly URLs
andyhume
78
6k
How to train your dragon (web standard)
notwaldorf
88
5.7k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k

Transcript

  1. Defensive Android Security Bolot Kerimbaev, Big Nerd Ranch

  2. Headlines 143 million

  3. Security Bulletins

  4. Security Goals • Keep user data safe • Keep system

    integrity • Prevent unauthorized operations • Ensure communication integrity • Platform vs apps

  5. Security Goals • Planning • Cost / Benefit • Threat

    Modeling • Evaluation Value Attack Defense

  6. Defenses

  7. Attack Surface • Linux kernel, forked, older version • Communication,

    SMS, NFC, Bluetooth, USB • Device drivers, GPU, modem • Web view, Chrome • Android architecture, sandbox, permissions • Networking libraries, CA trust • Storage • Third party libraries • Other apps • Your own app

  8. Platform Security • Linux Security • Application Sandbox • Permissions

    • Software Updates • Application Signing • Secure IPC (Binder) • Keystore • Verified Boot • Google Play • Verify Apps • SafetyNet • ASLR, PIE, NX, SELinux

  9. Platform Security

  10. Oreo/Treble

  11. APK Signature v2

  12. Media Server Hardening

  13. Fingerprint Auth

  14. Platform Security • Android Security Year in Review • Security

    Bulletins • CDD, CTS

  15. Network Security • Modern TLS, Good Ciphers • PKI and

    Certificate Authority • Network Security Configuration • Use Good Libraries • Tomorrow: These and Other Rules

  16. Security Practices

  17. Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA

    • OWASP MASVS

  18. Android Security Checklist

  19. OWASP

  20. App Security • Storage • Communication • Auth • Input

    Validation • IPC • WebView • Encryption • Keystore • Fingerprint • Auth

  21. What Can Developers Do? • Practice security as a user

    • Optimize for best security practices • Training • Checklists • Audits, Reviews

  22. Other Talks • DevNexus 2017 • Josh Skeen: Keeping Secrets

    Secure • What Android Developers Should Know About Security

  23. Resources • https://source.android.com/security • https://github.com/OWASP/owasp-mstg • https://github.com/OWASP/owasp-masvs • https://github.com/b-mueller/android_app_security_checklist •

    https://www.nngroup.com/articles/security-and-human-factors/

  24. Questions? • @bolot • @bignerdranch • BNR Security Courses -

    soon