Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Commonly Overlooked Areas of Security Revisited
Search
Clive Lee
April 23, 2018
Technology
320
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Commonly Overlooked Areas of Security Revisited
From AndroidMakers 2018 in Paris, France.
(Revised content from the Droidcon London 2017!)
Clive Lee
April 23, 2018
More Decks by Clive Lee
See All by Clive Lee
Augmented Reality: From Fun to Furnished
cliveleehere
0
97
Pragmatic Gradle for your Multi-Module Projects
cliveleehere
0
260
Other Decks in Technology
See All in Technology
AIに「使われる」時代のSaaS戦略 〜既存WebAPIのMCPサーバー化における開発ノウハウ〜
ekispert_api
0
290
CSに"SLO"は要らない、経営層に"99.9%"は伝わらない - SREを全社に"翻訳"する3原則
cscengineer
PRO
0
1.8k
「ちゃんとやっている」は独りよがりだった ― 不安に寄り添うインシデント対応へ / Towards incident response that addresses anxieties
chmikata
1
1.2k
SRE Lounge Hiroshimaへの招待
grimoh
0
240
Text-to-SQLをAgentCoreで実現し、生成されるSQLの精度を定量的に評価する
yakumo
2
580
SRE依存からの脱却 運用を開 発チームへ移す、 フルサイ クル開 発体制の実践
joooee0000
0
290
飲食店もAIで。レジ締めやハンディシステムをつくってる話 / Using AI for restaurant management
vtryo
0
240
小さいから、全部わかる。— 常駐AI "xangi" のすすめ
sugupoko
0
270
Zoom2Youtube.Claude
kawaguti
PRO
2
410
そのハーネス、本当に境界になっていますか? AIエージェント時代の実行環境設計【MEGU-Meet #4】
cscengineer
PRO
0
110
プロンプト_きのこカンファレンス2026_LT
yurufuwahealer
0
140
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
3
2.4k
Featured
See All Featured
Balancing Empowerment & Direction
lara
6
1.2k
Done Done
chrislema
186
16k
Documentation Writing (for coders)
carmenintech
77
5.4k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.8k
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
1
670
The untapped power of vector embeddings
frankvandijk
2
1.8k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
67
56k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
55k
Being A Developer After 40
akosma
91
590k
The SEO Collaboration Effect
kristinabergwall1
1
500
Crafting Experiences
bethany
1
210
Facilitating Awesome Meetings
lara
57
7k
Transcript
Commonly Overlooked Areas of Security Revisited @CliveLeeHere
https://www.oviahealth.com/careers
None
Maintainability affects Security
What We’ll Cover Logging
What We’ll Cover Logging Obfuscation
What We’ll Cover Logging Obfuscation Quick Reminders
Logging
Logging
Log.i("Tag", "Hi");
adb logcat Tag:I *:S Log.i("Tag", "Hi");
I/Tag: Hi adb logcat Tag:I *:S Log.i("Tag", "Hi");
Hi!
Ways to Remove?
Option 1: Proguard
Option 1: Proguard / R8
-assumenosideeffects class_specification
-assumenosideeffects class_specification Specifies methods that don't have any side effects
(other than maybe returning a value). With some care, you can also use the option to remove logging code.
build.gradle
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -assumenosideeffects build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
your-proguard-rules.pro -assumenosideeffects class android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle
adb logcat Tag:I *:S
adb logcat Tag:I *:S
Option 1: Proguard / R8
Maintainability affects Security
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
proguard-android-optimize.txt Adding optimization introduces certain risks.... The following flags turn
off various optimizations known to have issues, but the list may not be complete or up to date. ... Make sure you test thoroughly if you go this route.
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle proguard-android.txt -dontoptimize
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
proguard-android.txt -assumenosideeffects class_specification [Use] with some care…
proguard-android.txt -assumenosideeffects class_specification Only applicable when optimizing.
-assumenosideeffects your-proguard-rules.pro -assumenosideeffects
adb logcat Tag:I *:S
adb logcat Tag:I *:S I/Tag: Hi
I’m back!
Maintainability affects Security
your-proguard-rules.pro proguard-android- optimize.txt build.gradle
your-proguard-rules.pro build.gradle
Quick ‘Fix’ #1
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android.txt'), ‘your-proguard-rules.pro' }
build.gradle release { proguardFiles //ONLY USE THIS PROGUARD FILE
‘your-proguard-rules.pro' }
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize
Quick Fix #2
build.gradle release { proguardFiles getDefaultProguardFile( ‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles //DON'T CHANGE THIS LINE getDefaultProguardFile(
‘proguard-android-optimize.txt’), 'your-proguard-rules.pro' }
None
Big Scary Warnings
Big Scary Warnings = Not Enforced by Tools
Big Scary Warnings = Ignored Later
Quick Fix #1, #2
Option 2: BuildConfig & Timber
MyApplication
MyApplication if (BuildConfig.DEBUG) { Timber.plant(new DebugTree()); }
timber/build.gradle
timber/build.gradle apply plugin 'com.android.library'
android-module java-module
java-module apply plugin: ‘java-library' android-module
java-module android-module
None
Option 3: dependency injection
java-lib
java-lib public interface Logger { void d(); }
java-lib slf4j
java-lib android-lib public class MyLogger implements Logger { @Override public
void d(String msg) { Timber.d(msg); } }
java-lib android-lib app public class MyApp { @Inject Logger myLogger;
}
app @Module public abstract class SomeModule { @Binds abstract Logger
bindLogger( MyLogger logger); } public class MyApp { @Inject Logger myLogger; }
app if (BuildConfig.DEBUG) {...} @Module public abstract class SomeModule {
@Binds abstract Logger bindLogger( MyLogger logger); } public class MyApp { @Inject
android-lib/release public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app
android-lib public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app/release
android-lib app/release @Module public abstract class SomeModule { @Binds abstract
Logger bindLogger( MyLogger logger); }
None
None
app public class MyApplication { @Override public void onCreate() {
//after planting... Timber.i("LOGGING ENABLED”); }
None
Obfuscation
Obfuscation
Obfuscation
Obfuscation Security
Obfuscation Proguard
Obfuscation R8
Obfuscation Libraries
Obfuscation Libraries Keep Narrowly
None
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android-optimize.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
build.gradle release { proguardFiles getDefaultProguardFile( 'proguard-android.txt'), 'your-proguard-rules.pro' }
your-proguard-rules.pro -keep class com.some.library.**
your-proguard-rules.pro -keep class com.some.library.OneClass
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface
your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface -keepclasseswithmembers
class * { @com.some.library.* <methods>;
Obfuscation Libraries
Obfuscation Your Own Code?
Obfuscation Your Own Code? @Keep
@Keep
@Keep ? ? ? ?
@Keep ? ? ? ?
Maintainability affects Security
• Maintainability @Keep
• Maintainability • Refactoring @Keep
• Maintainability • Refactoring • Organization @Keep
SomeClass.java @Keep public class SomeClass { } Refactoring with @Keep
CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
com.yo.CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep
SomeClass.java Refactoring with .pro
SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
CoolClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
“Occurrences found in comments, strings and non-code files”
com.yo.SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass
Refactoring with .pro
com.some.package public class SomeClass1 {} public class SomeClass2 {} public
class SomeClass3 {} Organization with .pro
Organization with .pro your-proguard-rules.pro -keep class com.some.package.** com.some.package
Organization with .pro com.feature1.model com.feature2.model
Organization with .pro your-proguard-rules.pro -keep class com.feature1.model.** -keep class com.feature2.model.**
Organization with @Keep com.feature1.model @Keep public class SomeClass1 {} @Keep
public class SomeClass2 {} @Keep public class SomeClass3 {}
Organization with @Keep com.feature1.model com.feature2.model
Organization with @Keep com.feature1.model com.feature2.model public class CoolClass1 {} public
class CoolClass2 {} public class CoolClass3 {}
Organization with @Keep com.feature1.model com.feature2.model @Keep public class CoolClass1 {}
@Keep public class CoolClass2 {} @Keep public class CoolClass3 {}
Organization with @Keep
@Keep
@Keep Encourages Narrower Rules
None
Obfuscation
Obfuscation Android NDK
Obfuscation Android NDK
Maintainability affects Security
NDK Maintainability C / C++ / JNI
NDK Maintainability C / C++ / JNI Documentation
NDK Maintainability C / C++ / JNI Documentation Development Tools
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing
NDK Maintainability C / C++ / JNI Documentation Development Tools
Build Times Automated Testing CI
None
Quick Reminders
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control
Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing Don’t Add Your Key in Source Control Encrypt if Needed for CI
Manage Up & Down
Libraries
Thanks! @CliveLeeHere