Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Commonly Overlooked Areas of Security Revisited
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Clive Lee
April 23, 2018
Technology
0
300
Commonly Overlooked Areas of Security Revisited
From AndroidMakers 2018 in Paris, France.
(Revised content from the Droidcon London 2017!)
Clive Lee
April 23, 2018
Tweet
Share
More Decks by Clive Lee
See All by Clive Lee
Augmented Reality: From Fun to Furnished
cliveleehere
0
92
Pragmatic Gradle for your Multi-Module Projects
cliveleehere
0
250
Other Decks in Technology
See All in Technology
AWS DevOps Agent x ECS on Fargate検証 / AWS DevOps Agent x ECS on Fargate
kinunori
2
130
ファインディの横断SREがTakumi byGMOと取り組む、セキュリティと開発スピードの両立
rvirus0817
1
1.6k
SREじゃなかった僕らがenablingを通じて「SRE実践者」になるまでのリアル / SRE Kaigi 2026
aeonpeople
6
2.6k
予期せぬコストの急増を障害のように扱う――「コスト版ポストモーテム」の導入とその後の改善
muziyoshiz
1
2.1k
旅先で iPad + Neovim で iOS 開発・執筆した話
zozotech
PRO
0
100
プロダクト成長を支える開発基盤とスケールに伴う課題
yuu26
4
1.4k
AIエージェントを開発しよう!-AgentCore活用の勘所-
yukiogawa
0
190
(技術的には)社内システムもOKなブラウザエージェントを作ってみた!
har1101
0
200
Context Engineeringが企業で不可欠になる理由
hirosatogamo
PRO
3
660
OWASP Top 10:2025 リリースと 少しの日本語化にまつわる裏話
okdt
PRO
3
840
【Ubie】AIを活用した広告アセット「爆速」生成事例 | AI_Ops_Community_Vol.2
yoshiki_0316
1
120
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
0gm
2
3.1k
Featured
See All Featured
State of Search Keynote: SEO is Dead Long Live SEO
ryanjones
0
120
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
techseoconnect
PRO
0
87
Reflections from 52 weeks, 52 projects
jeffersonlam
356
21k
Building a Modern Day E-commerce SEO Strategy
aleyda
45
8.7k
svc-hook: hooking system calls on ARM64 by binary rewriting
retrage
1
100
Speed Design
sergeychernyshev
33
1.5k
16th Malabo Montpellier Forum Presentation
akademiya2063
PRO
0
52
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
49
9.9k
The #1 spot is gone: here's how to win anyway
tamaranovitovic
2
950
How to Ace a Technical Interview
jacobian
281
24k
sira's awesome portfolio website redesign presentation
elsirapls
0
150
Ecommerce SEO: The Keys for Success Now & Beyond - #SERPConf2024
aleyda
1
1.8k
Transcript
Commonly Overlooked Areas of Security Revisited @CliveLeeHere
https://www.oviahealth.com/careers
None
Maintainability affects Security
What We’ll Cover Logging
What We’ll Cover Logging Obfuscation
What We’ll Cover Logging Obfuscation Quick Reminders
Logging
Logging
Log.i("Tag", "Hi");
adb logcat Tag:I *:S Log.i("Tag", "Hi");
I/Tag: Hi adb logcat Tag:I *:S Log.i("Tag", "Hi");
Hi!
Ways to Remove?
Option 1: Proguard
Option 1: Proguard / R8
-assumenosideeffects class_specification
-assumenosideeffects class_specification Specifies methods that don't have any side effects
(other than maybe returning a value). With some care, you can also use the option to remove logging code.
build.gradle
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -assumenosideeffects build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
adb logcat Tag:I *:S
adb logcat Tag:I *:S
Option 1: Proguard / R8
Maintainability affects Security
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
proguard-android-optimize.txt Adding optimization introduces certain risks.... The following flags turn
off various optimizations known to have issues, but the list may not be complete or up to date. ... Make sure you test thoroughly if you go this route.
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle proguard-android.txt -dontoptimize
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
proguard-android.txt -assumenosideeffects class_specification [Use] with some care…
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
-assumenosideeffects your-proguard-rules.pro -assumenosideeffects
adb logcat Tag:I *:S
adb logcat Tag:I *:S I/Tag: Hi
I’m back!
Maintainability affects Security
your-proguard-rules.pro proguard-android- optimize.txt build.gradle
your-proguard-rules.pro build.gradle
Quick ‘Fix’ #1
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android.txt'), ‘your-proguard-rules.pro' }
build.gradle release { proguardFiles //ONLY USE THIS PROGUARD FILE
‘your-proguard-rules.pro' }
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
Quick Fix #2
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
None
Big Scary Warnings
Big Scary Warnings = Not Enforced by Tools
Big Scary Warnings = Ignored Later
Quick Fix #1, #2
Option 2: BuildConfig & Timber
MyApplication
MyApplication if (BuildConfig.DEBUG) { Timber.plant(new DebugTree()); }
timber/build.gradle
timber/build.gradle apply plugin 'com.android.library'
android-module java-module
java-module apply plugin: ‘java-library' android-module
java-module android-module
None
Option 3: dependency injection
java-lib
java-lib public interface Logger { void d(); }
java-lib slf4j
java-lib android-lib public class MyLogger implements Logger { @Override public
void d(String msg) { Timber.d(msg); } }
java-lib android-lib app public class MyApp { @Inject Logger myLogger;
}
app @Module public abstract class SomeModule { @Binds abstract Logger
bindLogger( MyLogger logger); } public class MyApp { @Inject Logger myLogger; }
app if (BuildConfig.DEBUG) {...} @Module public abstract class SomeModule {
@Binds abstract Logger bindLogger( MyLogger logger); } public class MyApp { @Inject
android-lib/release public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app
android-lib public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app/release
android-lib app/release @Module public abstract class SomeModule { @Binds abstract
Logger bindLogger( MyLogger logger); }
None
None
app public class MyApplication { @Override public void onCreate() {
//after planting... Timber.i("LOGGING ENABLED”); }
None
Obfuscation
Obfuscation
Obfuscation
Obfuscation Security
Obfuscation Proguard
Obfuscation R8
Obfuscation Libraries
Obfuscation Libraries Keep Narrowly
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -keep class com.some.library.**
your-proguard-rules.pro -keep class com.some.library.OneClass
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface -keepclasseswithmembers
class * { @com.some.library.* <methods>;
Obfuscation Libraries
Obfuscation Your Own Code?
Obfuscation Your Own Code? @Keep
@Keep
@Keep ? ? ? ?
@Keep ? ? ? ?
Maintainability affects Security
• Maintainability @Keep
• Maintainability • Refactoring @Keep
• Maintainability • Refactoring • Organization @Keep
SomeClass.java @Keep public class SomeClass { } Refactoring with @Keep
CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
com.yo.CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
SomeClass.java Refactoring with .pro
SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
CoolClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
“Occurrences found in comments, strings and non-code files”
com.yo.SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
Refactoring with .pro
com.some.package public class SomeClass1 {} public class SomeClass2 {} public
class SomeClass3 {} Organization with .pro
Organization with .pro your-proguard-rules.pro -keep class com.some.package.** com.some.package
Organization with .pro com.feature1.model com.feature2.model
Organization with .pro your-proguard-rules.pro -keep class com.feature1.model.** -keep class com.feature2.model.**
Organization with @Keep com.feature1.model @Keep public class SomeClass1 {} @Keep
public class SomeClass2 {} @Keep public class SomeClass3 {}
Organization with @Keep com.feature1.model com.feature2.model
Organization with @Keep com.feature1.model com.feature2.model public class CoolClass1 {} public
class CoolClass2 {} public class CoolClass3 {}
Organization with @Keep com.feature1.model com.feature2.model @Keep public class CoolClass1 {}
@Keep public class CoolClass2 {} @Keep public class CoolClass3 {}
Organization with @Keep
@Keep
@Keep Encourages Narrower Rules
None
Obfuscation
Obfuscation Android NDK
Obfuscation Android NDK
Maintainability affects Security
NDK Maintainability C / C++ / JNI
NDK Maintainability C / C++ / JNI Documentation
NDK Maintainability C / C++ / JNI Documentation Development Tools
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing CI
None
Quick Reminders
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control Encrypt if Needed for CI
Manage Up & Down
Libraries
Thanks! @CliveLeeHere
SiteGround - Reliable hosting with speed, security, and support you can count on.
cliveleehere
kinunori
rvirus0817
aeonpeople
muziyoshiz
zozotech
yuu26
yukiogawa
har1101
hirosatogamo
okdt
yoshiki_0316
0gm
ryanjones
techseoconnect
jeffersonlam
aleyda
retrage
sergeychernyshev
akademiya2063
mongodb
tamaranovitovic
jacobian
elsirapls
![proguard-android.txt -assumenosideeffects class_specification [Use] with some care…](https://files.speakerdeck.com/presentations/b10fce1bd2aa4643a8f1fe28e506208f/slide_37.jpg){kind=link}
