Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Commonly Overlooked Areas of Security Revisited
Search
Clive Lee
April 23, 2018
Technology
310
0
Share
Commonly Overlooked Areas of Security Revisited
From AndroidMakers 2018 in Paris, France.
(Revised content from the Droidcon London 2017!)
Clive Lee
April 23, 2018
More Decks by Clive Lee
See All by Clive Lee
Augmented Reality: From Fun to Furnished
cliveleehere
0
95
Pragmatic Gradle for your Multi-Module Projects
cliveleehere
0
260
Other Decks in Technology
See All in Technology
フロントエンドの相手が変わった - AIが加わったWebの新しいインターフェース設計
azukiazusa1
33
11k
変化の激しい時代をゴキゲンに生き抜くために 〜ストレスマネジメントのススメ〜
kakehashi
PRO
5
1.2k
「背中を見て育て」からの卒業 〜専門技術としてのテスト設計を軸に、品質保証のバトンを繋ぐ〜 #genda_tech_talk
nihonbuson
PRO
1
1k
Purview Endpoint DLP 動かしてみた
kozakigh
0
240
ESP32 IoTを動かしながらメモリ使用量を観測してみた話
zozotech
PRO
0
100
AI時代に越境し、 組織を変えるQAスキルの正体 / QA Skills for Transforming an Organization
mii3king
5
4.2k
[Scram Fest Niigata2026]Quality as Code〜AIにQAの思考を再現させる試み〜
masamiyajiri
1
300
Claude Code / Codex / Kiro に AWS 権限を 渡すとき、何を設計すべきか
k_adachi_01
3
590
セキュリティ対策、何からはじめる? CloudNative環境の脅威モデリングと リスク評価実践入門 #cloudnativekaigi
varu3
2
590
"うちにはまだ早い"は本当? ─ 小さく始めるPlatform Engineering入門
harukasakihara
4
440
ボトムアップ限界を越える - 20チームを束る "Drive Map" / Beyond Bottom-Up: A 'Drive Map' for 20 Teams
kaonavi
0
170
The 7 pitfalls of AI
ufried
0
200
Featured
See All Featured
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
0
1.3k
Game over? The fight for quality and originality in the time of robots
wayneb77
1
170
How Software Deployment tools have changed in the past 20 years
geshan
0
33k
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
rkaga
61
43k
New Earth Scene 8
popppiees
3
2.2k
Building AI with AI
inesmontani
PRO
1
970
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
560
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
signer
PRO
0
3.5k
Navigating Team Friction
lara
192
16k
Java REST API Framework Comparison - PWX 2021
mraible
34
9.3k
ラッコキーワード サービス紹介資料
rakko
1
3.2M
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
28
3.5k
Transcript
Commonly Overlooked Areas of Security Revisited @CliveLeeHere
https://www.oviahealth.com/careers
None
Maintainability affects Security
What We’ll Cover Logging
What We’ll Cover Logging Obfuscation
What We’ll Cover Logging Obfuscation Quick Reminders
Logging
Logging
Log.i("Tag", "Hi");
adb logcat Tag:I *:S Log.i("Tag", "Hi");
I/Tag: Hi adb logcat Tag:I *:S Log.i("Tag", "Hi");
Hi!
Ways to Remove?
Option 1: Proguard
Option 1: Proguard / R8
-assumenosideeffects class_specification
-assumenosideeffects class_specification Specifies methods that don't have any side effects
(other than maybe returning a value). With some care, you can also use the option to remove logging code.
build.gradle
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -assumenosideeffects build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
adb logcat Tag:I *:S
adb logcat Tag:I *:S
Option 1: Proguard / R8
Maintainability affects Security
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
proguard-android-optimize.txt Adding optimization introduces certain risks.... The following flags turn
off various optimizations known to have issues, but the list may not be complete or up to date. ... Make sure you test thoroughly if you go this route.
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle proguard-android.txt -dontoptimize
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
proguard-android.txt -assumenosideeffects class_specification [Use] with some care…
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
-assumenosideeffects your-proguard-rules.pro -assumenosideeffects
adb logcat Tag:I *:S
adb logcat Tag:I *:S I/Tag: Hi
I’m back!
Maintainability affects Security
your-proguard-rules.pro proguard-android- optimize.txt build.gradle
your-proguard-rules.pro build.gradle
Quick ‘Fix’ #1
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android.txt'), ‘your-proguard-rules.pro' }
build.gradle release { proguardFiles //ONLY USE THIS PROGUARD FILE
‘your-proguard-rules.pro' }
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
Quick Fix #2
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
None
Big Scary Warnings
Big Scary Warnings = Not Enforced by Tools
Big Scary Warnings = Ignored Later
Quick Fix #1, #2
Option 2: BuildConfig & Timber
MyApplication
MyApplication if (BuildConfig.DEBUG) { Timber.plant(new DebugTree()); }
timber/build.gradle
timber/build.gradle apply plugin 'com.android.library'
android-module java-module
java-module apply plugin: ‘java-library' android-module
java-module android-module
None
Option 3: dependency injection
java-lib
java-lib public interface Logger { void d(); }
java-lib slf4j
java-lib android-lib public class MyLogger implements Logger { @Override public
void d(String msg) { Timber.d(msg); } }
java-lib android-lib app public class MyApp { @Inject Logger myLogger;
}
app @Module public abstract class SomeModule { @Binds abstract Logger
bindLogger( MyLogger logger); } public class MyApp { @Inject Logger myLogger; }
app if (BuildConfig.DEBUG) {...} @Module public abstract class SomeModule {
@Binds abstract Logger bindLogger( MyLogger logger); } public class MyApp { @Inject
android-lib/release public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app
android-lib public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app/release
android-lib app/release @Module public abstract class SomeModule { @Binds abstract
Logger bindLogger( MyLogger logger); }
None
None
app public class MyApplication { @Override public void onCreate() {
//after planting... Timber.i("LOGGING ENABLED”); }
None
Obfuscation
Obfuscation
Obfuscation
Obfuscation Security
Obfuscation Proguard
Obfuscation R8
Obfuscation Libraries
Obfuscation Libraries Keep Narrowly
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -keep class com.some.library.**
your-proguard-rules.pro -keep class com.some.library.OneClass
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface -keepclasseswithmembers
class * { @com.some.library.* <methods>;
Obfuscation Libraries
Obfuscation Your Own Code?
Obfuscation Your Own Code? @Keep
@Keep
@Keep ? ? ? ?
@Keep ? ? ? ?
Maintainability affects Security
• Maintainability @Keep
• Maintainability • Refactoring @Keep
• Maintainability • Refactoring • Organization @Keep
SomeClass.java @Keep public class SomeClass { } Refactoring with @Keep
CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
com.yo.CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
SomeClass.java Refactoring with .pro
SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
CoolClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
“Occurrences found in comments, strings and non-code files”
com.yo.SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
Refactoring with .pro
com.some.package public class SomeClass1 {} public class SomeClass2 {} public
class SomeClass3 {} Organization with .pro
Organization with .pro your-proguard-rules.pro -keep class com.some.package.** com.some.package
Organization with .pro com.feature1.model com.feature2.model
Organization with .pro your-proguard-rules.pro -keep class com.feature1.model.** -keep class com.feature2.model.**
Organization with @Keep com.feature1.model @Keep public class SomeClass1 {} @Keep
public class SomeClass2 {} @Keep public class SomeClass3 {}
Organization with @Keep com.feature1.model com.feature2.model
Organization with @Keep com.feature1.model com.feature2.model public class CoolClass1 {} public
class CoolClass2 {} public class CoolClass3 {}
Organization with @Keep com.feature1.model com.feature2.model @Keep public class CoolClass1 {}
@Keep public class CoolClass2 {} @Keep public class CoolClass3 {}
Organization with @Keep
@Keep
@Keep Encourages Narrower Rules
None
Obfuscation
Obfuscation Android NDK
Obfuscation Android NDK
Maintainability affects Security
NDK Maintainability C / C++ / JNI
NDK Maintainability C / C++ / JNI Documentation
NDK Maintainability C / C++ / JNI Documentation Development Tools
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing CI
None
Quick Reminders
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control Encrypt if Needed for CI
Manage Up & Down
Libraries
Thanks! @CliveLeeHere
cliveleehere
azukiazusa1
kakehashi
nihonbuson
kozakigh
zozotech
mii3king
masamiyajiri
k_adachi_01
varu3
harukasakihara
kaonavi
ufried
uxyall
wayneb77
geshan
rkaga
popppiees
inesmontani
tammyeverts
signer
lara
mraible
rakko
eileencodes
![proguard-android.txt -assumenosideeffects class_specification [Use] with some care…](https://files.speakerdeck.com/presentations/b10fce1bd2aa4643a8f1fe28e506208f/slide_37.jpg){kind=link}
