Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
What Android developers should know about security
Search
bolot
February 24, 2017
Technology
0
280
What Android developers should know about security
Presented at DevNexus in Atlanta
bolot
February 24, 2017
Tweet
Share
More Decks by bolot
See All by bolot
Coroutines: Kotlin Versus DCSF18
bolot
2
810
MLKit DevFest18 ATL
bolot
0
170
Kotlin Coroutines: Beyond async-await
bolot
2
620
Kotlin - Class Destroyer
bolot
0
550
Secure Networking, Connect Tech 2017
bolot
0
73
Defensive Android Security
bolot
0
97
android transition framework
bolot
0
130
Other Decks in Technology
See All in Technology
データモデリング通り #2オンライン勉強会 ~方法論の話をしよう~
datayokocho
0
180
React Server ComponentsでAPI不要の開発体験
polidog
PRO
0
330
AIのグローバルトレンド 2025 / ai global trend 2025
kyonmm
PRO
1
160
Engineering Failure-Resilient Systems
infraplumber0
0
120
20250807 Applied Engineer Open House
sakana_ai
PRO
2
540
JAWS AI/ML #30 AI コーディング IDE "Kiro" を触ってみよう
inariku
3
390
[kickflow]20250319_少人数チームでのAutify活用
otouhujej
0
130
Amazon Q Developerを活用したアーキテクチャのリファクタリング
k1nakayama
2
220
Claude CodeでKiroの仕様駆動開発を実現させるには...
gotalab555
3
1.1k
AI時代の大規模データ活用とセキュリティ戦略
ken5scal
0
160
Infrastructure as Prompt実装記 〜Bedrock AgentCoreで作る自然言語インフラエージェント〜
yusukeshimizu
1
150
メルカリIBIS:AIが拓く次世代インシデント対応
0gm
2
390
Featured
See All Featured
Code Review Best Practice
trishagee
69
19k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
21k
Side Projects
sachag
455
43k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Writing Fast Ruby
sferik
628
62k
What's in a price? How to price your products and services
michaelherold
246
12k
Building Adaptive Systems
keathley
43
2.7k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Scaling GitHub
holman
462
140k
Typedesign – Prime Four
hannesfritz
42
2.8k
The Cost Of JavaScript in 2023
addyosmani
53
8.8k
Transcript
What Android Developers Should Know About Security
Bolot Kerimbaev Android and iOS instructor and developer
Android App Developers https://www.bignerdranch.com/app-development/case-studies/
What Is Security?
None
What Is Security? • Confidentiality • Integrity • Availability
What Is Security? • Threats • Risks • Responses •
Remediations
Threat model • Malicious apps • Stolen phones • Wi-Fi
hotspots • Malicious HTML, SMS
Case Study: Stagefright • Media server framework • Attack via
malicious MMS • Remote code execution • Privilege escalation • Publicly disclosed July 2015 • Apps are impacted
Demolition Man, 1993
Android Security
Android Security • Application Signing • (SE)Linux • Permissions •
Interprocess Communication • Verified Boot
KitKat Lollipop Marshmallow Nougat SELinux, enforcing mode Full disk encryption,
hardware bound Hardware-Isolated Security File-based encryption, Direct Boot Device monitoring warnings WebView updates Verified Boot Verified Boot, strictly enforced Per user VPN Position Independent Executables Fingerprints Library load-order randomization Fortify Source level 2 TLS v1.2 Runtime Permissions APK Signature v2 Certificate pinning Smart Lock StrictMode, disable cleartext Network security config https://source.android.com/security/enhancements/index.html
Challenges • Fragmentation • Google vs OEMs vs Carriers vs
Qualcomm • Vulnerabilities
Case Study: Stagefright Pre-N Nougat
Who Cares About Security?
Security and Design • Most people think it’s important •
Cannot be applied at the end • Changes can be costly if not planned
None
Mobile & Server
Security practices https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
Security practices • Software Updates • Password Manager • 2-Factor
Authentication
Security Updates
Password Managers
2-Factor Authentication
Security practices • Software Updates • Password Manager • 2-Factor
Authentication • VPN • Backups • Leak Notifications
What Can App Developers Do?
Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA
• OWASP
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Software Updates • Follow best practices, plan for upgrades •
Train engineers • Perform audits • APIs: evolution, deprecation • Keep up with tools updates
Password Management • Integrate with password managers • Implement single
sign-on, OAuth, etc. • Don’t use device ID • Don’t store passwords • Careful about custom password text fields
Case Study: Smart Lock
2-Factor Authentication • TOTP (Google Authenticator, Authy) • FIDO U2F
(Yubikey) • Don’t use SMS
Secure Communication • Use HTTPS (TLS) everywhere • Enable Network
Security Configuration • Certificate pinning
Protect User Data • Secure storage • Easy backups and
data restoration • Cryptography
Vulnerability Reporting • Make it easy to report issues in
your app • Track vulnerabilities
What Can Developers Do? • Practice security as a user
• Optimize for best security practices • Training • Checklists • Audits, Reviews
Questions? • @bolot • @bignerdranch • Android Security course, Q3
2017