Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
What Android developers should know about security
Search
bolot
February 24, 2017
Technology
0
220
What Android developers should know about security
Presented at DevNexus in Atlanta
bolot
February 24, 2017
Tweet
Share
More Decks by bolot
See All by bolot
Coroutines: Kotlin Versus DCSF18
bolot
2
570
MLKit DevFest18 ATL
bolot
0
150
Kotlin Coroutines: Beyond async-await
bolot
2
480
Kotlin - Class Destroyer
bolot
0
400
Secure Networking, Connect Tech 2017
bolot
0
65
Defensive Android Security
bolot
0
84
android transition framework
bolot
0
110
Other Decks in Technology
See All in Technology
コンテナセキュリティの基本と脅威への対策
kyohmizu
3
750
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
560
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
160
アクセス制御にまつわる改善 / Improving access control
itkq
0
520
Compose Compiler Metricsを使った実践的なコードレビュー
tomorrowkey
1
220
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
210
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
240
現代CSSフレームワークの内部実装とその仕組み
poteboy
8
3.6k
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
240
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
200
本当のAWS基礎
toru_kubota
0
500
Featured
See All Featured
The Language of Interfaces
destraynor
151
23k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
4 Signs Your Business is Dying
shpigford
175
21k
Fireside Chat
paigeccino
21
2.6k
Unsuck your backbone
ammeep
663
57k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Designing for Performance
lara
601
67k
Gamification - CAS2011
davidbonilla
76
4.6k
Being A Developer After 40
akosma
57
580k
Atom: Resistance is Futile
akmur
259
25k
YesSQL, Process and Tooling at Scale
rocio
164
13k
Teambox: Starting and Learning
jrom
128
8.4k
Transcript
What Android Developers Should Know About Security
Bolot Kerimbaev Android and iOS instructor and developer
Android App Developers https://www.bignerdranch.com/app-development/case-studies/
What Is Security?
None
What Is Security? • Confidentiality • Integrity • Availability
What Is Security? • Threats • Risks • Responses •
Remediations
Threat model • Malicious apps • Stolen phones • Wi-Fi
hotspots • Malicious HTML, SMS
Case Study: Stagefright • Media server framework • Attack via
malicious MMS • Remote code execution • Privilege escalation • Publicly disclosed July 2015 • Apps are impacted
Demolition Man, 1993
Android Security
Android Security • Application Signing • (SE)Linux • Permissions •
Interprocess Communication • Verified Boot
KitKat Lollipop Marshmallow Nougat SELinux, enforcing mode Full disk encryption,
hardware bound Hardware-Isolated Security File-based encryption, Direct Boot Device monitoring warnings WebView updates Verified Boot Verified Boot, strictly enforced Per user VPN Position Independent Executables Fingerprints Library load-order randomization Fortify Source level 2 TLS v1.2 Runtime Permissions APK Signature v2 Certificate pinning Smart Lock StrictMode, disable cleartext Network security config https://source.android.com/security/enhancements/index.html
Challenges • Fragmentation • Google vs OEMs vs Carriers vs
Qualcomm • Vulnerabilities
Case Study: Stagefright Pre-N Nougat
Who Cares About Security?
Security and Design • Most people think it’s important •
Cannot be applied at the end • Changes can be costly if not planned
None
Mobile & Server
Security practices https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
Security practices • Software Updates • Password Manager • 2-Factor
Authentication
Security Updates
Password Managers
2-Factor Authentication
Security practices • Software Updates • Password Manager • 2-Factor
Authentication • VPN • Backups • Leak Notifications
What Can App Developers Do?
Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA
• OWASP
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Software Updates • Follow best practices, plan for upgrades •
Train engineers • Perform audits • APIs: evolution, deprecation • Keep up with tools updates
Password Management • Integrate with password managers • Implement single
sign-on, OAuth, etc. • Don’t use device ID • Don’t store passwords • Careful about custom password text fields
Case Study: Smart Lock
2-Factor Authentication • TOTP (Google Authenticator, Authy) • FIDO U2F
(Yubikey) • Don’t use SMS
Secure Communication • Use HTTPS (TLS) everywhere • Enable Network
Security Configuration • Certificate pinning
Protect User Data • Secure storage • Easy backups and
data restoration • Cryptography
Vulnerability Reporting • Make it easy to report issues in
your app • Track vulnerabilities
What Can Developers Do? • Practice security as a user
• Optimize for best security practices • Training • Checklists • Audits, Reviews
Questions? • @bolot • @bignerdranch • Android Security course, Q3
2017