Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
What Android developers should know about security
Search
bolot
February 24, 2017
Technology
0
250
What Android developers should know about security
Presented at DevNexus in Atlanta
bolot
February 24, 2017
Tweet
Share
More Decks by bolot
See All by bolot
Coroutines: Kotlin Versus DCSF18
bolot
2
740
MLKit DevFest18 ATL
bolot
0
160
Kotlin Coroutines: Beyond async-await
bolot
2
590
Kotlin - Class Destroyer
bolot
0
510
Secure Networking, Connect Tech 2017
bolot
0
70
Defensive Android Security
bolot
0
88
android transition framework
bolot
0
120
Other Decks in Technology
See All in Technology
Road to SRE NEXT@仙台 IVRyの組織の形とSLO運用の現状
abnoumaru
1
420
ソフトウェアプロジェクトの成功率が上がらない原因-「社会価値を考える」ということ-
ytanaka5569
0
130
パスキー導入の課題と ベストプラクティス、今後の展望
ritou
7
1.3k
マルチアカウント管理で必須!AWS Organizationsの機能とユースケース解説
nrinetcom
PRO
1
110
Medmain FACTBOOK
akinaootani
0
130
OPENLOGI Company Profile
hr01
0
61k
Enterprise AI in 2025?
pamelafox
0
110
Vision Language Modelを活用した メルカリの類似画像レコメンドの性能改善
yadayuki
9
1.3k
入社後SREチームのミッションや課題の整理をした話
morix1500
1
170
FinOps_Demo
tkhresk
0
100
AIエージェントキャッチアップと論文リサーチ
os1ma
6
1.3k
React Server Componentは 何を解決し何を解決しないのか / What do React Server Components solve, and what do they not solve?
kaminashi
6
1.3k
Featured
See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
The World Runs on Bad Software
bkeepers
PRO
67
11k
Bash Introduction
62gerente
611
210k
Designing for humans not robots
tammielis
251
25k
Unsuck your backbone
ammeep
670
57k
The Cult of Friendly URLs
andyhume
78
6.3k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
12
620
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
We Have a Design System, Now What?
morganepeng
51
7.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
21k
Transcript
What Android Developers Should Know About Security
Bolot Kerimbaev Android and iOS instructor and developer
Android App Developers https://www.bignerdranch.com/app-development/case-studies/
What Is Security?
None
What Is Security? • Confidentiality • Integrity • Availability
What Is Security? • Threats • Risks • Responses •
Remediations
Threat model • Malicious apps • Stolen phones • Wi-Fi
hotspots • Malicious HTML, SMS
Case Study: Stagefright • Media server framework • Attack via
malicious MMS • Remote code execution • Privilege escalation • Publicly disclosed July 2015 • Apps are impacted
Demolition Man, 1993
Android Security
Android Security • Application Signing • (SE)Linux • Permissions •
Interprocess Communication • Verified Boot
KitKat Lollipop Marshmallow Nougat SELinux, enforcing mode Full disk encryption,
hardware bound Hardware-Isolated Security File-based encryption, Direct Boot Device monitoring warnings WebView updates Verified Boot Verified Boot, strictly enforced Per user VPN Position Independent Executables Fingerprints Library load-order randomization Fortify Source level 2 TLS v1.2 Runtime Permissions APK Signature v2 Certificate pinning Smart Lock StrictMode, disable cleartext Network security config https://source.android.com/security/enhancements/index.html
Challenges • Fragmentation • Google vs OEMs vs Carriers vs
Qualcomm • Vulnerabilities
Case Study: Stagefright Pre-N Nougat
Who Cares About Security?
Security and Design • Most people think it’s important •
Cannot be applied at the end • Changes can be costly if not planned
None
Mobile & Server
Security practices https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
Security practices • Software Updates • Password Manager • 2-Factor
Authentication
Security Updates
Password Managers
2-Factor Authentication
Security practices • Software Updates • Password Manager • 2-Factor
Authentication • VPN • Backups • Leak Notifications
What Can App Developers Do?
Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA
• OWASP
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Software Updates • Follow best practices, plan for upgrades •
Train engineers • Perform audits • APIs: evolution, deprecation • Keep up with tools updates
Password Management • Integrate with password managers • Implement single
sign-on, OAuth, etc. • Don’t use device ID • Don’t store passwords • Careful about custom password text fields
Case Study: Smart Lock
2-Factor Authentication • TOTP (Google Authenticator, Authy) • FIDO U2F
(Yubikey) • Don’t use SMS
Secure Communication • Use HTTPS (TLS) everywhere • Enable Network
Security Configuration • Certificate pinning
Protect User Data • Secure storage • Easy backups and
data restoration • Cryptography
Vulnerability Reporting • Make it easy to report issues in
your app • Track vulnerabilities
What Can Developers Do? • Practice security as a user
• Optimize for best security practices • Training • Checklists • Audits, Reviews
Questions? • @bolot • @bignerdranch • Android Security course, Q3
2017