Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Commonly Overlooked Areas of Security Revisited
Search
Clive Lee
April 23, 2018
Technology
0
290
Commonly Overlooked Areas of Security Revisited
From AndroidMakers 2018 in Paris, France.
(Revised content from the Droidcon London 2017!)
Clive Lee
April 23, 2018
Tweet
Share
More Decks by Clive Lee
See All by Clive Lee
Augmented Reality: From Fun to Furnished
cliveleehere
0
89
Pragmatic Gradle for your Multi-Module Projects
cliveleehere
0
240
Other Decks in Technology
See All in Technology
What's new in OpenShift 4.19
redhatlivestreaming
1
230
上長や社内ステークホルダーに対する解像度を上げて、より良い補完関係を築く方法 / How-to-increase-resolution-and-build-better-complementary-relationships-with-your-bosses-and-internal-stakeholders
madoxten
13
7.6k
kubellが挑むBPaaSにおける、人とAIエージェントによるサービス開発の最前線と技術展望
kubell_hr
1
290
技術職じゃない私がVibe Codingで感じた、AGIが身近になる未来
blueb
0
120
OpenTelemetry Collector internals
ymotongpoo
5
540
今からでも間に合う! 生成AI「RAG」再入門 / Re-introduction to RAG in Generative AI
hideakiaoyagi
1
170
産業機械をElixirで制御する
kikuyuta
0
170
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
7.3k
API の仕様から紐解く「MCP 入門」 ~MCP の「コンテキスト」って何だ?~
cdataj
0
150
生成AIをテストプロセスに活用し"よう"としている話 #jasstnano
makky_tyuyan
0
160
Eight Engineering Unit 紹介資料
sansan33
PRO
0
3.4k
讓測試不再 BB! 從 BDD 到 CI/CD, 不靠人力也能 MVP
line_developers_tw
PRO
0
160
Featured
See All Featured
Adopting Sorbet at Scale
ufuk
77
9.4k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.8k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
KATA
mclloyd
29
14k
Embracing the Ebb and Flow
colly
86
4.7k
How to Ace a Technical Interview
jacobian
276
23k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Faster Mobile Websites
deanohume
307
31k
Build The Right Thing And Hit Your Dates
maggiecrowley
36
2.7k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
The Cost Of JavaScript in 2023
addyosmani
50
8.3k
The World Runs on Bad Software
bkeepers
PRO
68
11k
Transcript
Commonly Overlooked Areas of Security Revisited @CliveLeeHere
https://www.oviahealth.com/careers
None
Maintainability affects Security
What We’ll Cover Logging
What We’ll Cover Logging Obfuscation
What We’ll Cover Logging Obfuscation Quick Reminders
Logging
Logging
Log.i("Tag", "Hi");
adb logcat Tag:I *:S Log.i("Tag", "Hi");
I/Tag: Hi adb logcat Tag:I *:S Log.i("Tag", "Hi");
Hi!
Ways to Remove?
Option 1: Proguard
Option 1: Proguard / R8
-assumenosideeffects class_specification
-assumenosideeffects class_specification Specifies methods that don't have any side effects
(other than maybe returning a value). With some care, you can also use the option to remove logging code.
build.gradle
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -assumenosideeffects build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
adb logcat Tag:I *:S
adb logcat Tag:I *:S
Option 1: Proguard / R8
Maintainability affects Security
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
proguard-android-optimize.txt Adding optimization introduces certain risks.... The following flags turn
off various optimizations known to have issues, but the list may not be complete or up to date. ... Make sure you test thoroughly if you go this route.
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle proguard-android.txt -dontoptimize
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
proguard-android.txt -assumenosideeffects class_specification [Use] with some care…
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
-assumenosideeffects your-proguard-rules.pro -assumenosideeffects
adb logcat Tag:I *:S
adb logcat Tag:I *:S I/Tag: Hi
I’m back!
Maintainability affects Security
your-proguard-rules.pro proguard-android- optimize.txt build.gradle
your-proguard-rules.pro build.gradle
Quick ‘Fix’ #1
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android.txt'), ‘your-proguard-rules.pro' }
build.gradle release { proguardFiles //ONLY USE THIS PROGUARD FILE
‘your-proguard-rules.pro' }
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
Quick Fix #2
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
None
Big Scary Warnings
Big Scary Warnings = Not Enforced by Tools
Big Scary Warnings = Ignored Later
Quick Fix #1, #2
Option 2: BuildConfig & Timber
MyApplication
MyApplication if (BuildConfig.DEBUG) { Timber.plant(new DebugTree()); }
timber/build.gradle
timber/build.gradle apply plugin 'com.android.library'
android-module java-module
java-module apply plugin: ‘java-library' android-module
java-module android-module
None
Option 3: dependency injection
java-lib
java-lib public interface Logger { void d(); }
java-lib slf4j
java-lib android-lib public class MyLogger implements Logger { @Override public
void d(String msg) { Timber.d(msg); } }
java-lib android-lib app public class MyApp { @Inject Logger myLogger;
}
app @Module public abstract class SomeModule { @Binds abstract Logger
bindLogger( MyLogger logger); } public class MyApp { @Inject Logger myLogger; }
app if (BuildConfig.DEBUG) {...} @Module public abstract class SomeModule {
@Binds abstract Logger bindLogger( MyLogger logger); } public class MyApp { @Inject
android-lib/release public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app
android-lib public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app/release
android-lib app/release @Module public abstract class SomeModule { @Binds abstract
Logger bindLogger( MyLogger logger); }
None
None
app public class MyApplication { @Override public void onCreate() {
//after planting... Timber.i("LOGGING ENABLED”); }
None
Obfuscation
Obfuscation
Obfuscation
Obfuscation Security
Obfuscation Proguard
Obfuscation R8
Obfuscation Libraries
Obfuscation Libraries Keep Narrowly
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -keep class com.some.library.**
your-proguard-rules.pro -keep class com.some.library.OneClass
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface -keepclasseswithmembers
class * { @com.some.library.* <methods>;
Obfuscation Libraries
Obfuscation Your Own Code?
Obfuscation Your Own Code? @Keep
@Keep
@Keep ? ? ? ?
@Keep ? ? ? ?
Maintainability affects Security
• Maintainability @Keep
• Maintainability • Refactoring @Keep
• Maintainability • Refactoring • Organization @Keep
SomeClass.java @Keep public class SomeClass { } Refactoring with @Keep
CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
com.yo.CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
SomeClass.java Refactoring with .pro
SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
CoolClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
“Occurrences found in comments, strings and non-code files”
com.yo.SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
Refactoring with .pro
com.some.package public class SomeClass1 {} public class SomeClass2 {} public
class SomeClass3 {} Organization with .pro
Organization with .pro your-proguard-rules.pro -keep class com.some.package.** com.some.package
Organization with .pro com.feature1.model com.feature2.model
Organization with .pro your-proguard-rules.pro -keep class com.feature1.model.** -keep class com.feature2.model.**
Organization with @Keep com.feature1.model @Keep public class SomeClass1 {} @Keep
public class SomeClass2 {} @Keep public class SomeClass3 {}
Organization with @Keep com.feature1.model com.feature2.model
Organization with @Keep com.feature1.model com.feature2.model public class CoolClass1 {} public
class CoolClass2 {} public class CoolClass3 {}
Organization with @Keep com.feature1.model com.feature2.model @Keep public class CoolClass1 {}
@Keep public class CoolClass2 {} @Keep public class CoolClass3 {}
Organization with @Keep
@Keep
@Keep Encourages Narrower Rules
None
Obfuscation
Obfuscation Android NDK
Obfuscation Android NDK
Maintainability affects Security
NDK Maintainability C / C++ / JNI
NDK Maintainability C / C++ / JNI Documentation
NDK Maintainability C / C++ / JNI Documentation Development Tools
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing CI
None
Quick Reminders
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control Encrypt if Needed for CI
Manage Up & Down
Libraries
Thanks! @CliveLeeHere
cliveleehere
redhatlivestreaming
madoxten
kubell_hr
blueb
ymotongpoo
hideakiaoyagi
kikuyuta
fullkaiten
cdataj
makky_tyuyan
sansan33
line_developers_tw
ufuk
zakiyama
cassininazir
mclloyd
colly
jacobian
scottboms
deanohume
maggiecrowley
erikaheidi
addyosmani
bkeepers
![proguard-android.txt -assumenosideeffects class_specification [Use] with some care…](https://files.speakerdeck.com/presentations/b10fce1bd2aa4643a8f1fe28e506208f/slide_37.jpg){kind=link}
