Commonly Overlooked Areas of Security Revisited

Commonly Overlooked Areas of Security Revisited @CliveLeeHere

https://www.oviahealth.com/careers

Maintainability affects Security

What We’ll Cover Logging

What We’ll Cover Logging Obfuscation

What We’ll Cover Logging Obfuscation Quick Reminders

Logging

Log.i("Tag", "Hi");

adb logcat Tag:I *:S Log.i("Tag", "Hi");

I/Tag: Hi adb logcat Tag:I *:S Log.i("Tag", "Hi");

Ways to Remove?

Option 1: Proguard

Option 1: Proguard / R8

-assumenosideeffects class_specification

-assumenosideeffects class_specification Specifies methods that don't have any side effects
(other than maybe returning a value). With some care, you can also use the option to remove logging code.

build.gradle

build.gradle release {  proguardFiles   getDefaultProguardFile(  ‘proguard-android-optimize.txt'),  'your-proguard-rules.pro'  }

your-proguard-rules.pro -assumenosideeffects build.gradle

your-proguard-rules.pro -assumenosideeffects class  android.util.Log { public static *** d(...); public
static *** v(...); public static *** i(...); } build.gradle

adb logcat Tag:I *:S

Option 1: Proguard / R8

build.gradle release {  proguardFiles   getDefaultProguardFile(  'proguard-android-optimize.txt'),  'your-proguard-rules.pro'  }

proguard-android-optimize.txt Adding optimization introduces certain risks.... The following flags turn
off various optimizations known to have issues, but the list may not be complete or up to date. ... Make sure you test thoroughly if you go this route.

build.gradle release {  proguardFiles   getDefaultProguardFile(  'proguard-android.txt'),  'your-proguard-rules.pro'  }

build.gradle proguard-android.txt -dontoptimize

proguard-android.txt -assumenosideeffects class_specification  Only applicable when optimizing.

proguard-android.txt -assumenosideeffects class_specification  [Use] with some care…

proguard-android.txt -assumenosideeffects class_specification  Only applicable when optimizing.

-assumenosideeffects your-proguard-rules.pro -assumenosideeffects

adb logcat Tag:I *:S

adb logcat Tag:I *:S I/Tag: Hi

I’m back!

your-proguard-rules.pro proguard-android- optimize.txt build.gradle

your-proguard-rules.pro build.gradle

Quick ‘Fix’ #1

build.gradle release {  proguardFiles getDefaultProguardFile(  ‘proguard-android.txt'),  ‘your-proguard-rules.pro'  }

build.gradle release {  proguardFiles   //ONLY USE THIS PROGUARD FILE 
‘your-proguard-rules.pro'  }

build.gradle your-proguard-rules.pro # from proguard-android-optimize.txt ... # NEVER ADD -dontoptimize

Quick Fix #2

build.gradle release {  proguardFiles   getDefaultProguardFile(  ‘proguard-android-optimize.txt’),  'your-proguard-rules.pro'  }

build.gradle release {  proguardFiles   //DON'T CHANGE THIS LINE  getDefaultProguardFile( 
‘proguard-android-optimize.txt’),  'your-proguard-rules.pro'  }

Big Scary Warnings

Big Scary Warnings = Not Enforced by Tools

Big Scary Warnings = Ignored Later

Quick Fix #1, #2

Option 2: BuildConfig & Timber

MyApplication

MyApplication if (BuildConfig.DEBUG) { Timber.plant(new DebugTree()); }

timber/build.gradle

timber/build.gradle apply plugin 'com.android.library'

android-module java-module

java-module apply plugin: ‘java-library' android-module

java-module android-module

Option 3: dependency injection

java-lib

java-lib public interface Logger { void d(); }

java-lib slf4j

java-lib android-lib public class MyLogger implements Logger { @Override public
void d(String msg) { Timber.d(msg); } }

java-lib android-lib app public class MyApp { @Inject Logger myLogger;
}

app @Module public abstract class SomeModule { @Binds abstract Logger
bindLogger( MyLogger logger); } public class MyApp { @Inject Logger myLogger; }

app if (BuildConfig.DEBUG) {...} @Module public abstract class SomeModule {
@Binds abstract Logger bindLogger( MyLogger logger); } public class MyApp { @Inject

android-lib/release public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app

android-lib public class MyLogger implements Logger { @Override public void
d(String msg) { //no-op } } app/release

android-lib app/release @Module public abstract class SomeModule { @Binds abstract
Logger bindLogger( MyLogger logger); }

app public class MyApplication { @Override public void onCreate() {
//after planting... Timber.i("LOGGING ENABLED”); }

Obfuscation

Obfuscation Security

Obfuscation Proguard

Obfuscation R8

Obfuscation Libraries

Obfuscation Libraries Keep Narrowly

build.gradle release {  proguardFiles   getDefaultProguardFile(  'proguard-android.txt'),  'your-proguard-rules.pro'  }

your-proguard-rules.pro -keep class com.some.library.**

your-proguard-rules.pro -keep class com.some.library.OneClass

your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface

your-proguard-rules.pro -keep class com.some.library.OneClass -keep class * implements com.some.library.SomeInterface -keepclasseswithmembers
class * { @com.some.library.* <methods>;

Obfuscation Libraries

Obfuscation Your Own Code?

Obfuscation Your Own Code? @Keep

@Keep ? ? ? ?

• Maintainability @Keep

• Maintainability • Refactoring @Keep

• Maintainability • Refactoring • Organization @Keep

SomeClass.java @Keep public class SomeClass { } Refactoring with @Keep

CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep

com.yo.CoolClass.java @Keep public class CoolClass { } Refactoring with @Keep

SomeClass.java Refactoring with .pro

SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass

CoolClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass

“Occurrences found in comments, strings and non-code files”

com.yo.SomeClass.java Refactoring with .pro your-proguard-rules.pro -keep class com.your.code.SomeClass

Refactoring with .pro

com.some.package public class SomeClass1 {} public class SomeClass2 {} public
class SomeClass3 {} Organization with .pro

Organization with .pro your-proguard-rules.pro -keep class com.some.package.** com.some.package

Organization with .pro com.feature1.model com.feature2.model

Organization with .pro your-proguard-rules.pro -keep class com.feature1.model.** -keep class com.feature2.model.**

Organization with @Keep com.feature1.model @Keep public class SomeClass1 {} @Keep
public class SomeClass2 {} @Keep public class SomeClass3 {}

Organization with @Keep com.feature1.model com.feature2.model

Organization with @Keep com.feature1.model com.feature2.model public class CoolClass1 {} public
class CoolClass2 {} public class CoolClass3 {}

Organization with @Keep com.feature1.model com.feature2.model @Keep public class CoolClass1 {}
@Keep public class CoolClass2 {} @Keep public class CoolClass3 {}

Organization with @Keep

@Keep Encourages Narrower Rules

Obfuscation

Obfuscation Android NDK

NDK Maintainability C / C++ / JNI

NDK Maintainability C / C++ / JNI Documentation

NDK Maintainability C / C++ / JNI Documentation Development Tools

Build Times

Build Times Automated Testing

Build Times Automated Testing CI

Quick Reminders

Build Process / CI Don’t Trust the Interwebz

Build Process / CI Don’t Trust the Interwebz Use Google
Play App signing

Play App signing Don’t Add Your Key in Source Control

Play App signing Don’t Add Your Key in Source Control Encrypt if Needed for CI

Manage Up & Down

Libraries

Thanks! @CliveLeeHere

Commonly Overlooked Areas of Security Revisited

Commonly Overlooked Areas of Security Revisited

More Decks by Clive Lee

Other Decks in Technology

Featured

Transcript