What Android developers should know about security
bolot
February 24, 2017
Presented at DevNexus in Atlanta
Transcript
What Android Developers Should Know About Security
Bolot Kerimbaev, Android and iOS instructor and developer
Android App Developers https://www.bignerdranch.com/app-development/case-studies/
What Is Security?
What Is Security? • Confidentiality • Integrity • Availability
What Is Security? • Threats • Risks • Responses • Remediations
Threat model • Malicious apps • Stolen phones • Wi-Fi hotspots • Malicious HTML, SMS
Case Study: Stagefright • Media server framework • Attack via malicious MMS • Remote code execution • Privilege escalation • Publicly disclosed July 2015 • Apps are impacted
Demolition Man, 1993
Android Security
Android Security • Application Signing • (SE)Linux • Permissions • Interprocess Communication • Verified Boot
Security enhancements by release (https://source.android.com/security/enhancements/index.html)
KitKat • SELinux, enforcing mode • Device monitoring warnings • Per-user VPN • FORTIFY_SOURCE level 2 • Certificate pinning
Lollipop • Full disk encryption, hardware bound • WebView updates • Position Independent Executables • TLS v1.2 • Smart Lock
Marshmallow • Hardware-isolated security • Verified Boot • Fingerprints • Runtime permissions • StrictMode, disable cleartext
Nougat • File-based encryption, Direct Boot • Verified Boot, strictly enforced • Library load-order randomization • APK Signature v2 • Network security config
Challenges • Fragmentation • Google vs OEMs vs Carriers vs Qualcomm • Vulnerabilities
Case Study: Stagefright • Pre-N • Nougat
Who Cares About Security?
Security and Design • Most people think it's important • Cannot be applied at the end • Changes can be costly if not planned
Mobile & Server
Security practices https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
Security practices • Software Updates • Password Manager • 2-Factor Authentication
Security Updates
Password Managers
2-Factor Authentication
Security practices • Software Updates • Password Manager • 2-Factor Authentication • VPN • Backups • Leak Notifications
What Can App Developers Do?
Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA • OWASP Mobile Security Project (https://www.owasp.org/index.php/OWASP_Mobile_Security_Project)
Software Updates • Follow best practices, plan for upgrades • Train engineers • Perform audits • APIs: evolution, deprecation • Keep up with tool updates
Password Management • Integrate with password managers • Implement single sign-on, OAuth, etc. • Don't use the device ID as a credential • Don't store passwords • Be careful with custom password text fields
Case Study: Smart Lock
2-Factor Authentication • TOTP (Google Authenticator, Authy) • FIDO U2F (YubiKey) • Don't use SMS
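To show what the TOTP option on this slide actually computes, here is an added example (my code, not from the deck): RFC 6238 TOTP over HMAC-SHA1 with 30-second steps, which is what Google Authenticator and Authy generate, plus the verification a backend would run against a submitted code. The seed is the RFC 6238 Appendix B test secret; the one-step skew window and the hypothetical `verify` signature are my choices.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** RFC 6238 TOTP (HMAC-SHA1, 30-second time steps), the scheme Google Authenticator and Authy implement. */
public final class Totp {
    private static final int STEP_SECONDS = 30;

    /** HOTP (RFC 4226): HMAC-SHA1(secret, counter), dynamically truncated to `digits` decimal digits. */
    static int hotp(byte[] secret, long counter, int digits) throws Exception {
        byte[] msg = ByteBuffer.allocate(8).putLong(counter).array();   // counter as 8-byte big-endian
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(msg);
        int offset = h[h.length - 1] & 0x0f;                             // low nibble of last byte picks the window
        int binary = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                   | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
        return binary % (int) Math.pow(10, digits);
    }

    /** TOTP: HOTP with the counter set to the current 30-second step. */
    static int totp(byte[] secret, long unixSeconds, int digits) throws Exception {
        return hotp(secret, unixSeconds / STEP_SECONDS, digits);
    }

    /**
     * Server-side check (hypothetical helper): accept the current step and one step either side
     * to absorb clock skew, and compare in constant time so timing does not leak digits.
     */
    static boolean verify(byte[] secret, long unixSeconds, String submitted) throws Exception {
        byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
        boolean ok = false;
        for (int skew = -1; skew <= 1; skew++) {
            String expected = String.format("%06d", hotp(secret, unixSeconds / STEP_SECONDS + skew, 6));
            ok |= MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII), given);
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // RFC 6238 Appendix B test secret: the ASCII bytes of "12345678901234567890".
        // The RFC lists 94287082 as the 8-digit SHA-1 code for time 59 (step 1).
        byte[] seed = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        System.out.printf("code at t=59: %08d%n", totp(seed, 59, 8));
        // One step later (t=89) the 6-digit code for step 1 is still accepted because of the skew window.
        System.out.println("accepted with skew: " + verify(seed, 89, "287082"));
    }
}
```

Two practitioner notes: a real server must also reject a code that was already used in its window (replay), and the shared secret in an otpauth:// URI is Base32-encoded, so decode it before passing it as `secret`. The same HMAC construction is why SMS is the weak option on this slide: SMS delivery, not the code, is what gets intercepted.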
Secure Communication • Use HTTPS (TLS) everywhere • Enable Network Security Configuration • Certificate pinning
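The three bullets above in working code, as an added example (mine, not the deck's): an OkHttp 3 client with certificate pinning, a StrictMode policy that kills the process on any cleartext socket (Marshmallow's "StrictMode, disable cleartext" from the release table), and a guard that refuses non-TLS URLs. The host name and both pins are placeholders; real pins are the Base64 SHA-256 of the server's SubjectPublicKeyInfo, obtained out of band.

```java
import android.os.StrictMode;
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** HTTPS-only client: certificate pinning via OkHttp 3, cleartext detection via StrictMode (API 23+). */
public final class SecureHttp {
    // Hypothetical host and pins. Pin at least two keys (current and backup); pinning a single
    // certificate means a routine certificate rotation locks every installed copy of the app out.
    private static final String HOST = "api.example.com";
    private static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /** Client that rejects any chain for HOST not containing one of the pinned public keys. */
    public static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PRIMARY_PIN)
                .add(HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    /** Call once from Application.onCreate() in debug builds: any plain HTTP socket crashes the app. */
    public static void failOnCleartext() {
        StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder()
                .detectCleartextNetwork()
                .penaltyDeath()
                .build());
    }

    /** Fetches a URL over the pinned client; a pin mismatch surfaces as SSLPeerUnverifiedException. */
    public static String fetch(String url) throws IOException {
        if (!url.startsWith("https://")) {
            throw new IllegalArgumentException("refusing non-TLS URL: " + url);
        }
        Request request = new Request.Builder().url(url).build();
        try (Response response = pinnedClient().newCall(request).execute()) {
            return response.body().string();
        }
    }
}
```

From Nougat on, the same two controls can be declared instead of coded: a `res/xml/network_security_config.xml` referenced from the manifest's `android:networkSecurityConfig` attribute carries the pins in a `<pin-set>` and sets `cleartextTrafficPermitted="false"`, which applies to every HTTP stack in the process rather than only to OkHttp. Keep the StrictMode check for pre-N devices.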
Protect User Data • Secure storage • Easy backups and data restoration • Cryptography
Vulnerability Reporting • Make it easy to report issues in your app • Track vulnerabilities
What Can Developers Do? • Practice security as a user • Optimize for best security practices • Training • Checklists • Audits, Reviews
Questions? • @bolot • @bignerdranch • Android Security course, Q3 2017