Lock in $30 Savings on PRO—Offer Ends Soon! ⏳
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Commonly Overlooked Areas of Security Revisited
Search
Clive Lee
April 23, 2018
Technology
0
300
Commonly Overlooked Areas of Security Revisited
From AndroidMakers 2018 in Paris, France.
(Revised content from the Droidcon London 2017!)
Clive Lee
April 23, 2018
Tweet
Share
More Decks by Clive Lee
See All by Clive Lee
Augmented Reality: From Fun to Furnished
cliveleehere
0
92
Pragmatic Gradle for your Multi-Module Projects
cliveleehere
0
250
Other Decks in Technology
See All in Technology
新 Security HubがついにGA!仕組みや料金を深堀り #AWSreInvent #regrowth / AWS Security Hub Advanced GA
masahirokawahara
1
2.2k
年間40件以上の登壇を続けて見えた「本当の発信力」/ 20251213 Masaki Okuda
shift_evolve
PRO
1
140
たまに起きる外部サービスの障害に備えたり備えなかったりする話
egmc
0
230
[デモです] NotebookLM で作ったスライドの例
kongmingstrap
0
160
AI時代の新規LLMプロダクト開発: Findy Insightsを3ヶ月で立ち上げた舞台裏と振り返り
dakuon
0
200
Jakarta Agentic AI Specification - Status and Future
reza_rahman
0
110
JEDAI認定プログラム JEDAI Order 2026 エントリーのご案内 / JEDAI Order 2026 Entry
databricksjapan
0
140
Sansanが実践する Platform EngineeringとSREの協創
sansantech
PRO
2
920
SQLだけでマイグレーションしたい!
makki_d
0
430
子育てで想像してなかった「見えないダメージ」 / Unforeseen "hidden burdens" of raising children.
pauli
2
270
Power of Kiro : あなたの㌔はパワステ搭載ですか?
r3_yamauchi
PRO
0
180
Fashion×AI「似合う」を届けるためのWEARのAI戦略
zozotech
PRO
2
830
Featured
See All Featured
Product Roadmaps are Hard
iamctodd
PRO
55
12k
Making Projects Easy
brettharned
120
6.5k
How to Ace a Technical Interview
jacobian
281
24k
Become a Pro
speakerdeck
PRO
31
5.7k
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
12
980
The Art of Programming - Codeland 2020
erikaheidi
56
14k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.8k
Code Reviewing Like a Champion
maltzj
527
40k
Optimising Largest Contentful Paint
csswizardry
37
3.5k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Transcript
Commonly Overlooked Areas of Security Revisited @CliveLeeHere
https://www.oviahealth.com/careers
None
Maintainability affects Security
What We’ll Cover Logging
What We’ll Cover Logging Obfuscation
What We’ll Cover Logging Obfuscation Quick Reminders
Logging
Logging
Log.i("Tag", "Hi");
adb logcat Tag:I *:S Log.i("Tag", "Hi");
I/Tag: Hi adb logcat Tag:I *:S Log.i("Tag", "Hi");
Hi!
Ways to Remove?
Option 1: Proguard
Option 1: Proguard / R8
-assumenosideeffects class_specification
-assumenosideeffects class_specification Specifies methods that don't have any side effects
(other than maybe returning a value). With some care, you can also use the option to remove logging code.
build.gradle
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -assumenosideeffects build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
adb logcat Tag:I *:S
adb logcat Tag:I *:S
Option 1: Proguard / R8
Maintainability affects Security
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
proguard-android-optimize.txt Adding optimization introduces certain risks.... The following flags turn
off various optimizations known to have issues, but the list may not be complete or up to date. ... Make sure you test thoroughly if you go this route.
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle proguard-android.txt -dontoptimize
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
proguard-android.txt -assumenosideeffects class_specification [Use] with some care…
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
-assumenosideeffects your-proguard-rules.pro -assumenosideeffects
adb logcat Tag:I *:S
adb logcat Tag:I *:S I/Tag: Hi
I’m back!
Maintainability affects Security
your-proguard-rules.pro proguard-android- optimize.txt build.gradle
your-proguard-rules.pro build.gradle
Quick ‘Fix’ #1
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android.txt'), ‘your-proguard-rules.pro' }
build.gradle release { proguardFiles //ONLY USE THIS PROGUARD FILE
‘your-proguard-rules.pro' }
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
Quick Fix #2
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
None
Big Scary Warnings
Big Scary Warnings = Not Enforced by Tools
Big Scary Warnings = Ignored Later
Quick Fix #1, #2
Option 2: BuildConfig & Timber
MyApplication
MyApplication if (BuildConfig.DEBUG) { Timber.plant(new DebugTree()); }
timber/build.gradle
timber/build.gradle apply plugin 'com.android.library'
android-module java-module
java-module apply plugin: ‘java-library' android-module
java-module android-module
None
Option 3: dependency injection
java-lib
java-lib public interface Logger { void d(); }
java-lib slf4j
java-lib android-lib public class MyLogger implements Logger { @Override public
void d(String msg) { Timber.d(msg); } }
java-lib android-lib app public class MyApp { @Inject Logger myLogger;
}
app @Module public abstract class SomeModule { @Binds abstract Logger
bindLogger( MyLogger logger); } public class MyApp { @Inject Logger myLogger; }
app if (BuildConfig.DEBUG) {...} @Module public abstract class SomeModule {
@Binds abstract Logger bindLogger( MyLogger logger); } public class MyApp { @Inject
android-lib/release public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app
android-lib public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app/release
android-lib app/release @Module public abstract class SomeModule { @Binds abstract
Logger bindLogger( MyLogger logger); }
None
None
app public class MyApplication { @Override public void onCreate() {
//after planting... Timber.i("LOGGING ENABLED”); }
None
Obfuscation
Obfuscation
Obfuscation
Obfuscation Security
Obfuscation Proguard
Obfuscation R8
Obfuscation Libraries
Obfuscation Libraries Keep Narrowly
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -keep class com.some.library.**
your-proguard-rules.pro -keep class com.some.library.OneClass
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface -keepclasseswithmembers
class * { @com.some.library.* <methods>;
Obfuscation Libraries
Obfuscation Your Own Code?
Obfuscation Your Own Code? @Keep
@Keep
@Keep ? ? ? ?
@Keep ? ? ? ?
Maintainability affects Security
• Maintainability @Keep
• Maintainability • Refactoring @Keep
• Maintainability • Refactoring • Organization @Keep
SomeClass.java @Keep public class SomeClass { } Refactoring with @Keep
CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
com.yo.CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
SomeClass.java Refactoring with .pro
SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
CoolClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
“Occurrences found in comments, strings and non-code files”
com.yo.SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
Refactoring with .pro
com.some.package public class SomeClass1 {} public class SomeClass2 {} public
class SomeClass3 {} Organization with .pro
Organization with .pro your-proguard-rules.pro -keep class com.some.package.** com.some.package
Organization with .pro com.feature1.model com.feature2.model
Organization with .pro your-proguard-rules.pro -keep class com.feature1.model.** -keep class com.feature2.model.**
Organization with @Keep com.feature1.model @Keep public class SomeClass1 {} @Keep
public class SomeClass2 {} @Keep public class SomeClass3 {}
Organization with @Keep com.feature1.model com.feature2.model
Organization with @Keep com.feature1.model com.feature2.model public class CoolClass1 {} public
class CoolClass2 {} public class CoolClass3 {}
Organization with @Keep com.feature1.model com.feature2.model @Keep public class CoolClass1 {}
@Keep public class CoolClass2 {} @Keep public class CoolClass3 {}
Organization with @Keep
@Keep
@Keep Encourages Narrower Rules
None
Obfuscation
Obfuscation Android NDK
Obfuscation Android NDK
Maintainability affects Security
NDK Maintainability C / C++ / JNI
NDK Maintainability C / C++ / JNI Documentation
NDK Maintainability C / C++ / JNI Documentation Development Tools
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing CI
None
Quick Reminders
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control Encrypt if Needed for CI
Manage Up & Down
Libraries
Thanks! @CliveLeeHere
cliveleehere
masahirokawahara
shift_evolve
egmc
kongmingstrap
dakuon
reza_rahman
databricksjapan
sansantech
makki_d
pauli
r3_yamauchi
zozotech
iamctodd
brettharned
jacobian
speakerdeck
keavy
tammyeverts
erikaheidi
chriscoyier
mongodb
maltzj
csswizardry
sstephenson
![proguard-android.txt -assumenosideeffects class_specification [Use] with some care…](https://files.speakerdeck.com/presentations/b10fce1bd2aa4643a8f1fe28e506208f/slide_37.jpg){kind=link}
