What Android developers should know about security
bolot
February 24, 2017
Technology
Presented at DevNexus in Atlanta
Transcript
What Android Developers Should Know About Security
Bolot Kerimbaev • Android and iOS instructor and developer
Android App Developers https://www.bignerdranch.com/app-development/case-studies/
What Is Security?
What Is Security? • Confidentiality • Integrity • Availability
What Is Security? • Threats • Risks • Responses • Remediations
Threat model • Malicious apps • Stolen phones • Wi-Fi hotspots • Malicious HTML, SMS
Case Study: Stagefright • Media server framework • Attack via malicious MMS • Remote code execution • Privilege escalation • Publicly disclosed July 2015 • Apps are impacted
Demolition Man, 1993
Android Security
Android Security • Application Signing • (SE)Linux • Permissions • Interprocess Communication • Verified Boot
Android security enhancements by release (https://source.android.com/security/enhancements/index.html):
KitKat • SELinux, enforcing mode • Device monitoring warnings • Per user VPN • Fortify Source level 2 • Certificate pinning
Lollipop • Full disk encryption, hardware bound • WebView updates • Position Independent Executables • TLS v1.2 • Smart Lock
Marshmallow • Hardware-Isolated Security • Verified Boot • Fingerprints • Runtime Permissions • StrictMode, disable cleartext
Nougat • File-based encryption, Direct Boot • Verified Boot, strictly enforced • Library load-order randomization • APK Signature v2 • Network security config
Challenges • Fragmentation • Google vs OEMs vs Carriers vs Qualcomm • Vulnerabilities
Case Study: Stagefright • Pre-N vs Nougat
Who Cares About Security?
Security and Design • Most people think it's important • Cannot be applied at the end • Changes can be costly if not planned
Mobile & Server
Security practices https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
Security practices • Software Updates • Password Manager • 2-Factor Authentication
Security Updates
Password Managers
2-Factor Authentication
Security practices • Software Updates • Password Manager • 2-Factor Authentication • VPN • Backups • Leak Notifications
What Can App Developers Do?
Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA • OWASP
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Software Updates • Follow best practices, plan for upgrades • Train engineers • Perform audits • APIs: evolution, deprecation • Keep up with tools updates
Password Management • Integrate with password managers • Implement single sign-on, OAuth, etc. • Don't use device ID • Don't store passwords • Careful about custom password text fields
Case Study: Smart Lock
2-Factor Authentication • TOTP (Google Authenticator, Authy) • FIDO U2F (Yubikey) • Don't use SMS
Secure Communication • Use HTTPS (TLS) everywhere • Enable Network Security Configuration • Certificate pinning
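The three points on the Secure Communication slide (HTTPS everywhere, Network Security Configuration, certificate pinning) all land in one file on Nougat and later. The configuration below is an added example, not a file from the deck: the host api.example.com, the two pin values and the expiration date are placeholders, and the file is assumed to live at res/xml/network_security_config.xml and be referenced from the manifest with android:networkSecurityConfig="@xml/network_security_config".

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the deck). Hostname, pins and date are placeholders. -->
<network-security-config>
    <!-- Default for every host: refuse cleartext HTTP and trust only the
         system CA store, so a user-installed CA (or one pushed by a hostile
         Wi-Fi hotspot captive portal) cannot intercept release traffic. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the API host to SPKI hashes. Always ship two: the key in use and a
         backup key you control but have not deployed, so a certificate
         rotation does not lock every installed copy of the app out.
         After the expiration date pinning is disabled but normal CA
         validation continues, which protects users who never update. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2018-06-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds only: additionally trust user-added CAs so engineers can
         run an intercepting proxy. The platform ignores this block unless the
         manifest sets android:debuggable="true". -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

A real pin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo, which you can compute from the live server with `openssl s_client -servername api.example.com -connect api.example.com:443 </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. Two caveats a practitioner will hit: the file is honoured only on API 24+ (Nougat), so on Marshmallow the cleartext block falls back to the manifest attribute android:usesCleartextTraffic="false" and pinning needs an in-app mechanism such as OkHttp's CertificatePinner; and the config applies to the platform's network stack, so a library that ships its own TLS implementation does not see it.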
Protect User Data • Secure storage • Easy backups and data restoration • Cryptography
Vulnerability Reporting • Make it easy to report issues in your app • Track vulnerabilities
What Can Developers Do? • Practice security as a user • Optimize for best security practices • Training • Checklists • Audits, Reviews
Questions? • @bolot • @bignerdranch • Android Security course, Q3 2017