Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
What Android developers should know about security
Search
bolot
February 24, 2017
Technology
330
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
What Android developers should know about security
Presented at DevNexus in Atlanta
bolot
February 24, 2017
More Decks by bolot
See All by bolot
Coroutines: Kotlin Versus DCSF18
bolot
2
930
MLKit DevFest18 ATL
bolot
0
200
Kotlin Coroutines: Beyond async-await
bolot
2
700
Kotlin - Class Destroyer
bolot
0
640
Secure Networking, Connect Tech 2017
bolot
0
96
Defensive Android Security
bolot
0
130
android transition framework
bolot
0
170
Other Decks in Technology
See All in Technology
AIチャット検索改善の3週間
kworkdev
PRO
2
190
5分でわかる Amazon Connect_20260608
hwangbyeonghun
0
120
2026-06-23 知らないままで大丈夫?開発品質・効率向上が期待できるIBM Bob便利機能6選
yutanonaka
0
120
アラート調査向けAIエージェントの本番導入とその後/AI Agents for Alert Investigation: Production Deployment and After
taddy_919
1
190
AI時代に求められる技術力 フロンティア・クリエイティビティ / Technical Excellence in the AI Era: Frontier Creativity
kaonavi
0
110
Agile and AI Redmine Japan 2026
hiranabe
4
490
AI時代のコスト管理を考えよう〜明日から使える実践AWSノウハウ~
yoshimi0227
0
910
5分でわかるDuckDB Quack
chanyou0311
4
260
FPC(フレキシブル)基板にZephyr実装してみた。
iotengineer22
0
180
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
11k
AI 不只幫你寫 Code: 當專案從 300 暴增到 1500, 我們如何撐住 DevOps
appleboy
0
260
Flow 不死:AI 時代 DevOps 的不變本質
cheng_wei_chen
2
530
Featured
See All Featured
Believing is Seeing
oripsolob
1
150
Automating Front-end Workflow
addyosmani
1370
210k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
260
How to Ace a Technical Interview
jacobian
281
24k
Context Engineering - Making Every Token Count
addyosmani
9
980
Marketing Yourself as an Engineer | Alaka | Gurzu
gurzu
0
240
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.3k
Claude Code のすすめ
schroneko
67
230k
Joys of Absence: A Defence of Solitary Play
codingconduct
1
400
HDC tutorial
michielstock
2
720
Exploring anti-patterns in Rails
aemeredith
3
430
Transcript
What Android Developers Should Know About Security
Bolot Kerimbaev Android and iOS instructor and developer
Android App Developers https://www.bignerdranch.com/app-development/case-studies/
What Is Security?
None
What Is Security? • Confidentiality • Integrity • Availability
What Is Security? • Threats • Risks • Responses •
Remediations
Threat model • Malicious apps • Stolen phones • Wi-Fi
hotspots • Malicious HTML, SMS
Case Study: Stagefright • Media server framework • Attack via
malicious MMS • Remote code execution • Privilege escalation • Publicly disclosed July 2015 • Apps are impacted
Demolition Man, 1993
Android Security
Android Security • Application Signing • (SE)Linux • Permissions •
Interprocess Communication • Verified Boot
KitKat Lollipop Marshmallow Nougat SELinux, enforcing mode Full disk encryption,
hardware bound Hardware-Isolated Security File-based encryption, Direct Boot Device monitoring warnings WebView updates Verified Boot Verified Boot, strictly enforced Per user VPN Position Independent Executables Fingerprints Library load-order randomization Fortify Source level 2 TLS v1.2 Runtime Permissions APK Signature v2 Certificate pinning Smart Lock StrictMode, disable cleartext Network security config https://source.android.com/security/enhancements/index.html
Challenges • Fragmentation • Google vs OEMs vs Carriers vs
Qualcomm • Vulnerabilities
Case Study: Stagefright Pre-N Nougat
Who Cares About Security?
Security and Design • Most people think it’s important •
Cannot be applied at the end • Changes can be costly if not planned
None
Mobile & Server
Security practices https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
Security practices • Software Updates • Password Manager • 2-Factor
Authentication
Security Updates
Password Managers
2-Factor Authentication
Security practices • Software Updates • Password Manager • 2-Factor
Authentication • VPN • Backups • Leak Notifications
What Can App Developers Do?
Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA
• OWASP
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Software Updates • Follow best practices, plan for upgrades •
Train engineers • Perform audits • APIs: evolution, deprecation • Keep up with tools updates
Password Management • Integrate with password managers • Implement single
sign-on, OAuth, etc. • Don’t use device ID • Don’t store passwords • Careful about custom password text fields
Case Study: Smart Lock
2-Factor Authentication • TOTP (Google Authenticator, Authy) • FIDO U2F
(Yubikey) • Don’t use SMS
Secure Communication • Use HTTPS (TLS) everywhere • Enable Network
Security Configuration • Certificate pinning
Protect User Data • Secure storage • Easy backups and
data restoration • Cryptography
Vulnerability Reporting • Make it easy to report issues in
your app • Track vulnerabilities
What Can Developers Do? • Practice security as a user
• Optimize for best security practices • Training • Checklists • Audits, Reviews
Questions? • @bolot • @bignerdranch • Android Security course, Q3
2017