Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Commonly Overlooked Areas of Security Revisited

Avatar for Clive Lee Clive Lee
April 23, 2018
Technology
310
0

Commonly Overlooked Areas of Security Revisited

From AndroidMakers 2018 in Paris, France.

(Revised content from the Droidcon London 2017!)

Avatar for Clive Lee

Clive Lee

April 23, 2018

More Decks by Clive Lee

See All by Clive Lee
Augmented Reality: From Fun to Furnished
Avatar for Clive Lee cliveleehere
0
96
Pragmatic Gradle for your Multi-Module Projects
Avatar for Clive Lee cliveleehere
0
260

Other Decks in Technology

See All in Technology
もりもり新機能を一挙紹介! AgentCoreに入門して、AWS上にAIエージェントを構築しよう
Avatar for みのるん minorun365
PRO
5
350
ITエンジニアを取り巻く環境とキャリアパス / A career path for Japanese IT engineers
Avatar for 高玉 広和 / TAKATAMA Hirokazu takatama
4
1.8k
AIが変えた"品質の守り方"
Avatar for kkakizaki kkakizaki
13
5.5k
AIガバナンス実践 - 生成AIコネクタのデータ漏洩リスクと実務対策
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
0
150
Claude Codeを組織で使いこなす— サーバサイドAIエージェント運用の実践知
Avatar for PERSOL CAREER Dev | techtekt techtekt
PRO
0
130
Spring Boot における​ AOT Cache 活用テクニックと​ 起動時間改善事例​
Avatar for NTTドコモソリューションズ Java担当 ntt_dsol_java
0
180
AI-DLCを活用した高品質・安全なAI駆動開発実践 / AI Driven Development
Avatar for 吉田真吾 yoshidashingo
1
270
Datadog 認定試験の概要と対策
Avatar for Uechi Shingo uechishingo
0
210
Unlocking the Apps
Avatar for Tim Perry pimterry
0
130
AI駆動開発でなんでもハンズオン環境をつくってみた
Avatar for yoshimi0227 yoshimi0227
0
180
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
5
1.7k
AI フレンドリーなエラー監視を TypeScript で実現する
Avatar for Shinobu Hayashi shinyaigeek
2
200

Featured

See All Featured
The Illustrated Guide to Node.js - THAT Conference 2024
Avatar for David Neal reverentgeek
1
370
Neural Spatial Audio Processing for Sound Field Analysis and Control
Avatar for NII S. Koyama's Lab skoyamalab
0
310
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
55k
Scaling GitHub
Avatar for Zach Holman holman
464
140k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
210k
Jess Joyce - The Pitfalls of Following Frameworks
Avatar for Tech SEO Connect techseoconnect
PRO
1
160
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
32
3.3k
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
2
380
Music & Morning Musume
Avatar for Bryan Veloso bryan
47
7.2k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.4k
State of Search Keynote: SEO is Dead Long Live SEO
Avatar for Ryan Jones ryanjones
0
200
Sam Torres - BigQuery for SEOs
Avatar for Tech SEO Connect techseoconnect
PRO
0
280

Transcript

  1. Commonly Overlooked Areas of Security Revisited @CliveLeeHere

  2. https://www.oviahealth.com/careers

  3. None

  4. Maintainability affects Security

  5. What We’ll Cover Logging

  6. What We’ll Cover Logging Obfuscation

  7. What We’ll Cover Logging Obfuscation Quick Reminders

  8. Logging

  9. Logging

  10. Log.i("Tag", "Hi");

  11. adb logcat Tag:I *:S Log.i("Tag", "Hi");

  12. I/Tag: Hi adb logcat Tag:I *:S Log.i("Tag", "Hi");

  13. Hi!

  14. Ways to Remove?

  15. Option 1: Proguard

  16. Option 1: Proguard / R8

  17. -assumenosideeffects class_specification

  18. -assumenosideeffects class_specification Specifies methods that don't have any side effects

    (other than maybe returning a value). With some care, you can also use the option to remove logging code.

  19. build.gradle

  20. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 ‘proguard-android-optimize.txt'),
 'your-proguard-rules.pro'
 }

  21. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 ‘proguard-android-optimize.txt'),
 'your-proguard-rules.pro'
 }

  22. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 ‘proguard-android-optimize.txt'),
 'your-proguard-rules.pro'
 }

  23. your-proguard-rules.pro -assumenosideeffects build.gradle

  24. your-proguard-rules.pro -assumenosideeffects class
 android.util.Log { public static *** d(...); public

    static *** v(...); public static *** i(...); } build.gradle

  25. your-proguard-rules.pro -assumenosideeffects class
 android.util.Log { public static *** d(...); public

    static *** v(...); public static *** i(...); } build.gradle

  26. adb logcat Tag:I *:S

  27. adb logcat Tag:I *:S

  28. Option 1: Proguard / R8

  29. Maintainability affects Security

  30. None

  31. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 'proguard-android-optimize.txt'),
 'your-proguard-rules.pro'
 }

  32. proguard-android-optimize.txt Adding optimization introduces certain risks.... The following flags turn

    off various optimizations known to have issues, but the list may not be complete or up to date. ... Make sure you test thoroughly if you go this route.

  33. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 'proguard-android-optimize.txt'),
 'your-proguard-rules.pro'
 }

  34. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 'proguard-android.txt'),
 'your-proguard-rules.pro'
 }

  35. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 'proguard-android.txt'),
 'your-proguard-rules.pro'
 }

  36. build.gradle proguard-android.txt -dontoptimize

  37. proguard-android.txt -assumenosideeffects class_specification
 Only applicable when optimizing.

  38. proguard-android.txt -assumenosideeffects class_specification
 [Use] with some care…

  39. proguard-android.txt -assumenosideeffects class_specification
 Only applicable when optimizing.

  40. -assumenosideeffects your-proguard-rules.pro -assumenosideeffects

  41. adb logcat Tag:I *:S

  42. adb logcat Tag:I *:S I/Tag: Hi

  43. I’m back!

  44. Maintainability affects Security

  45. your-proguard-rules.pro proguard-android- optimize.txt build.gradle

  46. your-proguard-rules.pro build.gradle

  47. Quick ‘Fix’ #1

  48. build.gradle release {
 proguardFiles getDefaultProguardFile(
 ‘proguard-android.txt'),
 ‘your-proguard-rules.pro'
 }

  49. build.gradle release {
 proguardFiles 
 //ONLY USE THIS PROGUARD FILE


    ‘your-proguard-rules.pro'
 }

  50. build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize

  51. build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize

  52. Quick Fix #2

  53. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 ‘proguard-android-optimize.txt’),
 'your-proguard-rules.pro'
 }

  54. build.gradle release {
 proguardFiles 
 //DON'T CHANGE THIS LINE
 getDefaultProguardFile(


    ‘proguard-android-optimize.txt’),
 'your-proguard-rules.pro'
 }

  55. build.gradle release {
 proguardFiles 
 //DON'T CHANGE THIS LINE
 getDefaultProguardFile(


    ‘proguard-android-optimize.txt’),
 'your-proguard-rules.pro'
 }
  56. None

  57. Big Scary Warnings

  58. Big Scary Warnings = Not Enforced by Tools

  59. Big Scary Warnings = Ignored Later

  60. Quick Fix #1, #2

  61. Option 2: BuildConfig & Timber

  62. MyApplication

  63. MyApplication if (BuildConfig.DEBUG) { Timber.plant(new DebugTree()); }

  64. timber/build.gradle

  65. timber/build.gradle apply plugin 'com.android.library'

  66. android-module java-module

  67. java-module apply plugin: ‘java-library' android-module

  68. java-module android-module

  69. None

  70. Option 3: dependency injection

  71. java-lib

  72. java-lib public interface Logger { void d(); }

  73. java-lib slf4j

  74. java-lib android-lib public class MyLogger implements Logger { @Override public

    void d(String msg) { Timber.d(msg); } }

  75. java-lib android-lib app public class MyApp { @Inject Logger myLogger;

    }

  76. app @Module public abstract class SomeModule { @Binds abstract Logger

    bindLogger( MyLogger logger); } public class MyApp { @Inject Logger myLogger; }

  77. app if (BuildConfig.DEBUG) {...} @Module public abstract class SomeModule {

    @Binds abstract Logger bindLogger( MyLogger logger); } public class MyApp { @Inject

  78. android-lib/release public class MyLogger implements Logger { @Override public void

    d(String msg) { //no-op } } app

  79. android-lib public class MyLogger implements Logger { @Override public void

    d(String msg) { //no-op } } app/release

  80. android-lib app/release @Module public abstract class SomeModule { @Binds abstract

    Logger bindLogger( MyLogger logger); }
  81. None
  82. None

  83. app public class MyApplication { @Override public void onCreate() {

    //after planting... Timber.i("LOGGING ENABLED”); }
  84. None

  85. Obfuscation

  86. Obfuscation

  87. Obfuscation

  88. Obfuscation Security

  89. Obfuscation Proguard

  90. Obfuscation R8

  91. Obfuscation Libraries

  92. Obfuscation Libraries Keep Narrowly

  93. None

  94. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 'proguard-android-optimize.txt'),
 'your-proguard-rules.pro'
 }

  95. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 'proguard-android.txt'),
 'your-proguard-rules.pro'
 }

  96. build.gradle release {
 proguardFiles 
 getDefaultProguardFile(
 'proguard-android.txt'),
 'your-proguard-rules.pro'
 }

  97. your-proguard-rules.pro -keep class com.some.library.**

  98. your-proguard-rules.pro -keep class com.some.library.OneClass

  99. your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface

  100. your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface -keepclasseswithmembers

    class * { @com.some.library.* <methods>;

  101. Obfuscation Libraries

  102. Obfuscation Your Own Code?

  103. Obfuscation Your Own Code? @Keep

  104. @Keep

  105. @Keep ? ? ? ?

  106. @Keep ? ? ? ?

  107. Maintainability affects Security

  108. • Maintainability @Keep

  109. • Maintainability • Refactoring @Keep

  110. • Maintainability • Refactoring • Organization @Keep

  111. SomeClass.java @Keep public class SomeClass { } Refactoring with @Keep

  112. CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep

  113. com.yo.CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep

  114. SomeClass.java Refactoring with .pro

  115. SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass

  116. CoolClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass

  117. “Occurrences found in comments, strings and non-code files”

  118. com.yo.SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass

  119. Refactoring with .pro

  120. com.some.package public class SomeClass1 {} public class SomeClass2 {} public

    class SomeClass3 {} Organization with .pro

  121. Organization with .pro your-proguard-rules.pro -keep class com.some.package.** com.some.package

  122. Organization with .pro com.feature1.model com.feature2.model

  123. Organization with .pro your-proguard-rules.pro -keep class com.feature1.model.** -keep class com.feature2.model.**

  124. Organization with @Keep com.feature1.model @Keep public class SomeClass1 {} @Keep

    public class SomeClass2 {} @Keep public class SomeClass3 {}

  125. Organization with @Keep com.feature1.model com.feature2.model

  126. Organization with @Keep com.feature1.model com.feature2.model public class CoolClass1 {} public

    class CoolClass2 {} public class CoolClass3 {}

  127. Organization with @Keep com.feature1.model com.feature2.model @Keep public class CoolClass1 {}

    @Keep public class CoolClass2 {} @Keep public class CoolClass3 {}

  128. Organization with @Keep

  129. @Keep

  130. @Keep Encourages Narrower Rules

  131. None

  132. Obfuscation

  133. Obfuscation Android NDK

  134. Obfuscation Android NDK

  135. Maintainability affects Security

  136. NDK Maintainability C / C++ / JNI

  137. NDK Maintainability C / C++ / JNI Documentation

  138. NDK Maintainability C / C++ / JNI Documentation Development Tools

  139. NDK Maintainability C / C++ / JNI Documentation Development Tools

    Build Times

  140. NDK Maintainability C / C++ / JNI Documentation Development Tools

    Build Times Automated Testing

  141. NDK Maintainability C / C++ / JNI Documentation Development Tools

    Build Times Automated Testing CI
  142. None

  143. Quick Reminders

  144. Build Process / CI Don’t Trust the Interwebz

  145. Build Process / CI Don’t Trust the Interwebz

  146. Build Process / CI Don’t Trust the Interwebz Use Google

    Play App signing

  147. Build Process / CI Don’t Trust the Interwebz Use Google

    Play App signing Don’t Add Your Key in Source Control

  148. Build Process / CI Don’t Trust the Interwebz Use Google

    Play App signing Don’t Add Your Key in Source Control Encrypt if Needed for CI

  149. Manage Up & Down

  150. Libraries

  151. Thanks! @CliveLeeHere