Androidセキュアな開発について考えてみた(明日敗訴しないためのセキュアコーディングver.2)

"OESPJEηΩϡΞ։ൃ ʹ͍ͭͯߟ͑ͯΈͨ ླ໦ɹݚޗ ໌೔ɺഊૌ͠ͳ͍ͨΊͷηΩϡΞίʔσΟϯάWFS

"CPVU.F w ໊લ w 5XJUUFS!LFOHPTDBM w (JUIVCLFOTDBM w ৬ྺ w
ηΩϡϦςΟܥ ೥݄ʙ w .POFZ'PSXBSEॴଐʢ೥݄ʙʣ

ࢲͱ"OESPJE w ೥݄͔Β"OESPJE։ൃʹࢀՃ w -PMMJQPQ͔Β w ઌഐ։ൃऀ͕ܦݧͨ͠ਏ͞Λ఻આͱͯ͠ͷΈ஌Δ

ࠓճ࿩͢͜ͱͷٕज़తൣғ

Ξ΢τϥΠϯ w എܠ w Ͳ͔͜ΒηΩϡΞ։ൃΛֶͿ͔ʁ w ݱঢ়ͷ՝୊ w ઃܭϑΣʔζɺ࣮૷ϑΣʔζɺӡ༻ϑΣʔζ w
·ͱΊ

ૌু w ొ৔ਓ෺ w "ࣾൃ஫ଆɻ&ίϚʔεͷड஫γεςϜΛઃܭʙอकࠐΈͰܖ໿ w #ࣾ։ൃଆʢड஫ଆ w ࣄ݅
w ίʔυϨϕϧͰͷηΩϡϦςΟରࡦෆ଍ʹΑΓΫϨΧ৘ใ͕ྲྀग़ w "ࣾ͸#ࣾΛz࠴຿ෆཤߦͱଛ֐ഛঈͰຽࣄૌু w ͨͩ͠ܖ໿ʹ͸ຊ݅΢ΣϒαΠτͷηΩϡϦςΟରࡦΛߨ͡Δٛ ຿Λෛ͏͜ͱ͸نఆ͞Ε͍ͯͳ͔ͬͨ <Ҿ༻>IUUQXXXTPGUJDPSKQTFNJ@PQQEG

݁Ռ ʊਓਓਓਓਓʊ ʼɹ#ࣾഊૌʻ ʉ:?:?:?:ʉ ʊਓਓਓਓਓਓਓਓਓਓਓʊ ʼ໿ສԁͷଛ֐ഛঈʻ ʉ:?:?:?:?:?:?:?:?:ʉ

൑ܾ w *1"ܦ࢈ল͕ಛఆͷ߈ܸʹର͢ΔରࡦΛਪ঑͍ͯ͠ ͨΊɺzඃࠂʹ͸ॏաࣦ͕ೝΊΒΕΔͱ͍͏΂͖zͱ ͞Εͨɻ <Ҿ༻>IUUQXXXTPGUJDPSKQTFNJ@PQQEG

݁ہ w ୭΋ಘ͠ͳ͍݁Ռʹͳͬͨ

୭ಘ w "ࣾʢൃ஫ଆʣ w Ϣʔβʔଛࣦɺ৴༻ࣦ௢ɺରԠඅ༻ͳͲͳͲͷଛ

୭ಘ w #ࣾʢड஫ଆʣ w ଛ֐ഛঈɺ৴༻ࣦ௢ͳͲͳͲͷଛ

ͳʹΑΓ w Ϣʔβʔʂɹ w ࣗ෼ͷ৘ใ͕ྲྀग़͢Δͱ͍͏ଛ w ࿙Ӯൃ֮࣌ͷରԠΛ͠ͳ͚Ε͹͍͚ͳ͍ଛ w ຊ౰ʹϝϯυ͍͘͞Ͱ͢ʢ࣮ମݧʣ w
࿙Ӯ༗ແͷ֬ೝɺ࿙Ӯൣғͷ֬ೝɺ࿙Ӯ಺༰ͷ֬ೝɺ ࿙Ӯ৘ใͷӨڹͷ൑அɺ࿙Ӯ৘ใͷมߋґཔɺ࿙Ӯ ରࡦͷ֬ೝ FUDFUD

ͳͷͰ w ηΩϡϦςΟؾʹͨ͠։ൃ͠Α͏ʂ w օͰ޾ͤʹͳΓ͍ͨ w ੬ऑੑ͸όάͳͷͰ඼࣭޲্ʹۈΊΑ͏ʂ

·ͱΊ

·ͣ͸ w ηΩϡΞίʔσΟϯάʂ

౰વɺ*1"͔Β୳ͯ͠ΈΔ

*1"ͷ"OESPJEֶशπʔϧ w ֶशɾ఺ݕπʔϧ͕͋ͬͨʂ w ͕͢͞*1"ɹͦ͜ʹᙺΕΔʂɹಌΕΔ <Ҿ༻*1"৘ใॲཧਪਐػߏ>IUUQTXXXJQBHPKQTFDVSJUZWVMOBODPMF

Ͱ΋ɾɾɾ

͜ͷੈʹر๬͸ͳ͍ͷ͔ʜ

ر๬ ॻ੶ ͋Γ·ͨ͠

w "OESPJE4FDVSJUZ҆શͳΞϓϦέʔγϣϯΛ࡞ ੒͢ΔͨΊʹ ஶλΦιϑτ΢ΣΞגࣜձࣾ ر๬ʢॻ੶ʣͦͷ w แׅతͳηΩϡϦςΟ։ൃͷϙΠϯτ w ηΩϡϦςΟ։ൃͷೖ໳ͱͯ͠࠷ద w
ࡴΒΕͨࣄྫΛ঺հ w ࣮૷΋هࡌ w ͪΐͬͱੲ ೥

ر๬ʢॻ੶ʣͦͷ w ࠷ڧ w ߋʹηΩϡΞʹ͍ͨ͠ਓ޲͚ w έʔεʹԠͨ͡ΨΠυ͕خ͍͠ w αϯϓϧίʔυ΋๛෋ w
࠷৽ͷόʔδϣϯΛ௥ै w ແྉ w ۀքج४Ͱ͸ͳ͍ w "OESPJEΞϓϦͷηΩϡΞઃܭɾηΩϡΞίʔσΟ ϯάΨΠυ ஶ+44&$

͜ΕͰ"OESPJEքͷॅਓ͸ कΒΕͨ

͜ΕͰ"OESPJEքͷॅਓ͸ कΒΕͨͯͳ͔ͬͨ

਺஋͔ΒݟΔηΩϡϦςΟ w ґવɺͷΞϓϦʹ੬ऑੑϦεΫ͕ଘࡏ w ҉߸௨৴͕ղಡɾվ͟Μ͞ΕΔϦεΫͷ͋ΔΞϓϦ ͸૿Ճ <Ҿ༻4POZ%JHJUBM/FUXPSL"QQMJDBUJPO>"OESPJE੬ऑੑௐࠪϨϙʔτ

ࣄྫ͔ΒݟΔηΩϡϦςΟ <Ҿ༻'JSF&ZF>IUUQTXXXpSFFZFDPNCMPHUISFBUSFTFBSDI BOPUIFS@QPQVMBS@BOESIUNM w -PH$BUʹػີ৘ใΛྲྀͯͨ͠ w τʔΫϯͳͲΛฏจͰωοτʹͳ ͕ͯͨ͠ w τʔΫϯ͕ӬଓԽ͞Ε͍ͯͨ
w ύεϫʔυ͕ऑ͍҉߸ํࣜͰ҉߸ Խ͞Εͯͨ

ࣄྫ͔ΒݟΔηΩϡϦςΟ <Ҿ༻'JSF&ZF>IUUQTXXXpSFFZFDPNCMPHUISFBUSFTFBSDI BOPUIFS@QPQVMBS@BOESIUNM w 8FC7JFX্ͷ௨৴ͰIUUQ௨৴ Λ࢖ͬͯͨͷͰɺ௨৴Λվ᜵͞ ΕΔ

ॻ੶ͷΧόʔൣғͳͷʹ ͳͥʁ

·ͱΊ

"OESPJEͷηΩϡϦςΟൣғ w ൣғ w ϑΝΠϧΞΫηεݖݶɺ"1,ϑΝΠϧอޢɺύʔ ϛογϣϯɺ"DUJWJUZ #SPBEDBTU 4FSWJDF $POUFOU1SPWJEFSɺΠϯςϯτɺ҉߸Խɺ
42-JUFɺ-PHDBU 8FC7JFX "DDPVOU.BOHFS IUUQT ϓϥΠόγʔ৘ใɺύεϫʔυೖྗը໘ ΞϓϦέʔγϣϯอޢ ূ໌ॻ ৽͍͠ 1FSNJTTJPO $MJQCPBSE FUD FUD

"OESPJEͷηΩϡϦςΟൣғ w ൣғ w ϑΝΠϧΞΫηεݖݶɺ"1,ϑΝΠϧอޢɺύʔ ϛογϣϯɺ"DUJWJUZ #SPBEDBTU 4FSWJDF $POUFOU1SPWJEFSɺΠϯςϯτɺ҉߸Խɺ
42-JUFɺ-PHDBU 8FC7JFX "DDPVOU.BOHFS IUUQT ϓϥΠόγʔ৘ใɺύεϫʔυೖྗը໘ ΞϓϦέʔγϣϯอޢ ূ໌ॻ ৽͍͠ 1FSNJTTJPO $MJQCPBSE FUD FUD ɾɾɾώϩ͘Ͷ

։ൃऀͷ੹೚ൣғ w ηΩϡϦςΟൣғ w ϑΝΠϧΞΫηεݖݶɺ"1,ϑΝΠϧอޢɺύʔϛογϣϯɺ"DUJWJUZ #SPBEDBTU 4FSWJDF $POUFOU1SPWJEFSɺΠϯςϯτɺ҉߸Խɺ42-JUFɺ -PH$BU
8FC7JFX "DDPVOU.BOHFS IUUQT ϓϥΠόγʔ৘ใɺύεϫʔυ ೖྗը໘ ΞϓϦέʔγϣϯอޢ ূ໌ॻͷ؅ཧํ๏ ৽͍͠1FSNJTTJPO $MJQCPBSE FUD FUD w ʹՃ͑ͯ ࣗ෼ͷମݧྫ w ৽ن։ൃʢ໿̎ϲ݄ʣɺαʔϏεͷ,1*ʹԊ࣮ͬͨ૷ͷఏҊ શମͷઃܭ ίϯ ϙʔωϯτͷϥΠϑαΠΫϧΛߟྀͨ͠σʔλͷ΍ΓऔΓ ΧελϜ7JFXͷ࡞ ੒ σβΠφʔͱͷࣗࣾϒϥϯυͱ.BUFSJBM%FTJHOΨΠυʹԊͬͨσβΠϯͷ ݕ౼ɺ8FCଆ୲౰ऀͱͷ"1*࢓༷ݕ౼ ΧελϚʔαϙʔτ͔ΒͷόάใࠂରԠ $*؀ڥͷ੔උɺςετͷ࡞੒ɺ"404&0ରࡦ FUD FUD

։ൃऀͷ੹೚ൣғ w ηΩϡϦςΟൣғ w ϑΝΠϧΞΫηεݖݶɺ"1,ϑΝΠϧอޢɺύʔϛογϣϯɺ"DUJWJUZ #SPBEDBTU 4FSWJDF $POUFOU1SPWJEFSɺΠϯςϯτɺ҉߸Խɺ42-JUFɺ -PH$BU
8FC7JFX "DDPVOU.BOHFS IUUQT ϓϥΠόγʔ৘ใɺύεϫʔυ ೖྗը໘ ΞϓϦέʔγϣϯอޢ ূ໌ॻͷ؅ཧํ๏ ৽͍͠1FSNJTTJPO $MJQCPBSE FUD FUD w ʹՃ͑ͯ ࣗ෼ͷମݧྫ w ৽ن։ൃʢ໿̎ϲ݄ʣɺαʔϏεͷ,1*ʹԊ࣮ͬͨ૷ͷఏҊ શମͷઃܭ ίϯ ϙʔωϯτͷϥΠϑαΠΫϧΛߟྀͨ͠σʔλͷ΍ΓऔΓ ΧελϜ7JFXͷ࡞ ੒ σβΠφʔͱͷࣗࣾϒϥϯυͱ.BUFSJBM%FTJHOΨΠυʹԊͬͨσβΠϯͷ ݕ౼ɺ8FCଆ୲౰ऀͱͷ"1*࢓༷ݕ౼ ΧελϚʔαϙʔτ͔ΒͷόάใࠂରԠ $*؀ڥͷ੔උɺςετͷ࡞੒ɺ"404&0ରࡦ FUD FUD ɾɾɾΩπ͘Ͷ

ಙؙઌੜ΋ಉ͡Α͏ͳ͜ͱݴͬ ͯͨʢͱࢥ͏ʣ <Ҿ༻ηΩϡΞίʔσΟϯάํ๏࿦࠶ߏஙͷࢼΈ IUUQXXXTMJEFTIBSFOFUPDLFHIFNSFDPOTUSVDUJPOPGTFDVSFDPEJOHNFUIPEPMPHJFT

՝୊͸ w ࣮૷࣌͸޿ൣғͳηΩϡϦςΟΛΧόʔ͢Δ༨ྗ͕ ͳ͍ w ͦ΋ͦ΋ߟ͑ͭ͘͜ͱ͢Βͳ͍͔΋͠Εͳ͍

ղܾํ๏͸ w ։ൃͷ࣮૷͚࣌ͩͰͳ͘ɺ֤ஈ֊ͰඞཁͳηΩϡϦ ςΟରࡦΛߟ͑Δ͜ͱ

#VJME4FDVSJUZ*Oͷ঺հ w ࠷ۙηΩϡϦςΟۀքͰ੝Γ্͕ͬͯΔ w l#VJME4FDVSJUZ*OJTBDPMMBCPSBUJWFF⒎PSUUIBU QSPWJEFTQSBDUJDFT UPPMT HVJEFMJOFT SVMFT QSJODJQMFT
BOEPUIFSSFTPVSDFTUIBUTPGUXBSFEFWFMPQFST BSDIJUFDUT BOETFDVSJUZQSBDUJUJPOFSTDBOVTFUPCVJME TFDVSJUZJOUPTPGUXBSFJOFWFSZQIBTFPGJUT EFWFMPQNFOUz w CZ64$&35 ถࠃࠃ౔҆શอোলʢ%)4ʣ഑Լͷ৘ใηΩϡϦςΟରࡦ૊৫ <Ҿ༻>IUUQXXXTPGUJDPSKQTFNJ@PQQEG

#VJME4FDVSJUZ*Oͷ঺հ w ࠷ۙηΩϡϦςΟۀքͰ੝Γ্͕ͬͯΔ w lιϑτ΢ΣΞ։ൃͷશ޻ఔʹηΩϡϦςΟΛ૊Έ ࠐΊΔΑ͏ͳϕετɾϓϥΫςΟεɺπʔϧɺΨΠ υϥΠϯ౳ͷϦιʔεΛ։ൃऀͳͲʹఏڙ͢Δڠಉ తͳऔΓ૊Έz <Ҿ༻>IUUQXXXTPGUJDPSKQTFNJ@PQQEG

Ͳ͏͍͏͜ͱ͔ɺͱݴ͏ͱ <Ҿ༻גࣜձࣾηλɾΠϯλʔφγϣφϧ>IUUQXXXTFUBJOUFSOBUJPOBMDPKQWJFUOBN@P⒎TIPSFTFDVSJUZPQUJPOIUNM

ࠓճ͸͜Μͳײ͡Ͱ۠੾Δ ઃܭϑΣʔζ ࣮૷ϑΣʔ ζ ӡ༻ϑΣʔζ <Ҿ༻גࣜձࣾηλɾΠϯλʔφγϣφϧ>IUUQXXXTFUBJOUFSOBUJPOBMDPKQWJFUOBN@P⒎TIPSFTFDVSJUZPQUJPOIUNM

·ͱΊ

ઃܭϑΣʔζͷηΩϡΞ։ൃ w ࣮૷ͦͷ΋ͷͰ͸ͳ͍ w ։ൃܭը΁ηΩϡϦςΟͷཁ݅Λ૊ΈࠐΉ w αʔϏε্ͷϦεΫʹର͢ΔڴҖͱ੬ऑੑͷચग़͠ w ϦεΫͷݦࡏԽ֖વੑ΍Өڹʹجͮ͘΍Δ΍Β൑அ

ͳͥઃܭஈ֊Ͱ΍Δͷ͔ʁ w ίεύ͕͍͍ w ઃܭ࣌ΑΓӡ༻։࢝ޙͷରࡦඅ͸dഒ w ͷ੬ऑੑ͸ઃܭஈ֊Ͱੜ·ΕΔʢιʔεະ֬ೝʜ <Ҿ༻/3*>IUUQpTOSJDPKQKB+1QVCMJDBUJPOLJOZV@JUGCBDLOVNCFS

"OESPJEઃܭ࣌ͷϙΠϯτ w ίίΒ΁Μʹ͍ͭͯಛʹ஫ҙΛ෷͍͍ͨʢLFOHPTDBMతʹʣ w ख໭Γ޻਺ɾӨڹ͕େ͖͍΋ͷ w σʔλͷอ؅ํ๏ w ηογϣϯͷอ࣋ͷ͔ͨ͠ w
1FSNJTTJPO w SE1BSUZ੡ͷ޿ࠂϞδϡʔϧ w 8FC7JFXͰԿॲͰ࢖ͬͯɺԿΛ͍͔ͨ͠ w ҉߸Խํࣜ w ࿈ܞΞϓϦͷ༗ແʢίϯϙʔωϯτؒͷ࿈ܞʣ

$BTF.POFZ'PSXBSE w ɹɹɹɹɹͷ##൛։ൃΛΠϝʔδ w αʔϏε঺հۚ༥ػؔʹࢿ࢈৘ใΛεΫϨΠϐϯ άʹ͍ͬͯɺͦΕΛҰݩԽ͢ΔΞϓϦ

σʔλͷอଘํ๏ w ΞϓϦͰѻ͏σʔλͷॏཁ౓Λߟ͑Δ w ۚ༥ػؔͷϩάΠϯϑΥʔϜؔ࿈ͷ৘ใॏཁ౓௿ w σʔλྔ͕େ͖͍ͷͰ42-JUF࢖ͬͯฏจͰอଘ w ύείʔυॏཁ౓த w
ύείʔυ͸҉߸Խ͓͖͍ͯͨ͠ͷͰ'JMFʹॻ͖ग़͢ w "&4$#$QLDTQBEEJOH w ଞͷ৘ใॏཁ౓ߴ w ϩʔΧϧʹอଘ͠ͳ͍

1FSNJTTJPO w ωοτϫʔΫ௨৴ɺϢʔβʔΞΧ΢ϯτɺࢦ໲ೝূ ͙Β͍͔͠࢖Θͳ͍ <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.USE_FINGERPRINT"

8FC7JFX w '"2ͱར༻ن໿Λදࣔͤ͞Δ͘Β͍ w $ISPNF$VTUPN5BCΛ࢖͏

࿈ܞΞϓϦͷ༗ແ w ࣗࣾͷΞϓϦͱ࿈ܞ͢ΔͨΊͷಠࣗ1FSNJTTJPOΛ ࡞Δ w ௕͍ͷͰʮ"OESPJEΞϓϦͷηΩϡΞઃܭɾηΩϡ ΞίʔσΟϯάΨΠυʯΛࢀর͞Εͨ͠ w ࣗࣾݶఆ"DUJWJUZΛ࡞Δɾར༻͢Δ w
ಠࣗఆٛͷ4JHOBUVSF1FSNJTTJPOͰ ࣗࣾΞϓϦ࿈ܞ͢Δ

"OUJ$BTF4LZQF w Ϣʔβʔͷݸਓ৘ใɾνϟοτཤྺ͕ྲྀग़ͨ͠ w ಠࣗੜ੒ͨ͠σΟϨΫτϦɾϑΝΠϧԼʹอଘ͠ ͨ"OESPJE04ʹΑΔอޢػೳ͕͖͔ͳ͔ͬͨ w %#ϑΝΠϧ΋ฏจͰอଘ͞Ε͍ͯͨ w #VJMEJO4FDVSJUZͷʮઃܭϑΣʔζʯʹ͓͍ͯʮσʔ
λͷอ؅ํ๏ʯʹ͍ͭͯઃܭ͔Βߟ͑ͯΕ͹ɺ๷͛ ͨʢ͔΋ʣ

·ͱΊ

࣮૷ϑΣʔζͷηΩϡΞ։ൃ w ͋Δ͋ΔܥͷνΣοΫ͕ओ w IUUQT௨৴ʹ͓͚Δূ໌ॻݕূ࿙Ε w 8FC7JFXͷBEE+BWBTDSJQU*OUFSGBDF w -PH$BU w
͜͜͸։ൃऀͱͯ͠཈͓͍͑ͯͨํ͕͍͍ͱ͓΋͏ɹ

جຊతʹ࣮૷ํ๏͸

HHS ͹ग़͖ͯͯɺͦΕΛ࢖͑͹PL

ຊʹهࡌ͞Ε͍ͯͳ͍΋ͷ w 63-$POOFDUJPOΫϥεʹ͓͚Δ)551ϔομΠϯ δΣΫγϣϯରࡦ w TFU3FRVFTU1SPQFSUZBEE3FRVFTU1SPQFSUZΛར ༻͍ͯ͠Δͱɺ)551ϔομΛ௨ͯ͡೚ҙͷίʔυ ΛͲ͔͜ΒͰ΋࣮ߦ͞ΕΔՄೳੑ͕͋Δ w ࠜຊରࡦ0L)UUQҎ্ʹ͢Δ
w ϫʔΫΞϥ΢ϯυϔομͷೖྗ஋νΣοΫΛ͢Δ w ৄࡉIUUQTKWOKQWV+7/76

ϔομͷೖྗ஋νΣοΫ <Ҿ༻4RVBSF>IUUQTHJUIVCDPNTRVBSFPLIUUQCMPCNBTUFSPLIUUQTSDNBJOKBWB private void checkNameAndValue(String name, String value) { if
(name == null) throw new NullPointerException("name == null"); if (name.isEmpty()) throw new IllegalArgumentException("name is empty"); for (int i = 0, length = name.length(); i < length; i++) { char c = name.charAt(i); if (c <= '\u001f' || c >= '\u007f') { throw new IllegalArgumentException(String.format( "Unexpected char %#04x at %d in header name: %s", (int) c, i, name)); } } if (value == null) throw new NullPointerException("value == null"); for (int i = 0, length = value.length(); i < length; i++) { char c = value.charAt(i); if (c <= '\u001f' || c >= '\u007f') { throw new IllegalArgumentException(String.format( "Unexpected char %#04x at %d in %s value: %s", (int) c, i, name, value)); } } } w ରࡦࡁΈͷPLIUUQ͔Βίϐϖ

·ͱΊ

ӡ༻ϑΣʔζͷηΩϡΞ։ൃ w ΞϓϦʹॺ໊͢Δূ໌ॻɾ,FZ4UPSF؅ཧͷ࿩

ূ໌ॻɾ,FZ4UPSFͷϦεΫ w ΞϓϦ੍͕ޚԼ͔Β཭ΕΔϦεΫ w ฆࣦͨ͠৔߹ΞϓϦͷΞϓσ͕Ͱ͖ͳ͘ͳΔ w ౪೉͞Εͨ৔߹ΞϓϦͷ৐ͬऔΓ w $BTF4UVEZ w
ݟͨ໨શ͘ಉ͡Ͱɺۚ༥ػؔϩάΠ ϯ࣌ͷ৘ใΛނҙͷ63-ʹྲྀ͢

͋Γ͕ͪ ͳӡ༻؀ڥ

ϩʔΧϧ։ൃ؀ڥ "༻ GFUDIQVTI TJHOEFQMPZ %༻ $༻ #༻ "༻

Կ͕໰୊ͳͷ͔

໰୊ w ։ൃ୺຤ຖʹಠཱͯ͠ΔͷͰLFZTUPSFͷ؅ཧ͕͠ ʹ͍͘ w ߈ܸ౳ʹΑΔLFZTUPSF͕࿙Ӯ͢Δνϟωϧ͕޿͍ w ߈ܸख๏΍߈ܸର৅ͳͲ͕޿͍ͱ͍͏ҙຯ w ࿙Ӯൃ֮࣌ͷ௥੻͕೉͍͠

΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏ͷ ӡ༻؀ڥ

ϩʔΧϧ։ൃ؀ڥ "༻ 'FUDI1VTI #༻ $༻ 'FUDIPS)PPL #VJME%FQMPZ #BDLVQ

ϩʔΧϧ։ൃ؀ڥ "༻ 'FUDI1VTI #༻ $༻ 'FUDIPS)PPL #VJME%FQMPZ #BDLVQ ϩʔΧϧʹ͸LFZTUPSFΛஔ͔ͳ͍

ϩʔΧϧ։ൃ؀ڥ "༻ 'FUDI1VTI #༻ $༻ 'FUDIPS)PPL #VJME%FQMPZ #BDLVQ ϦϦʔεϏϧυ͸$*πʔϧͷδϣϒ͔ΒͷΈ LFZ4UPSFΛू໿
։ൃऀ͸جຊ8FC$IBU͔ΒδϣϒΛΩοΫ͢ΔͷΈ TTIͳͲͷϦϞʔτૢ࡞͸ݶఆ͞Εͨ໾৬ͷΈ

ϩʔΧϧ։ൃ؀ڥ "༻ 'FUDI1VTI #༻ $༻ 'FUDIPS)PPL #VJME%FQMPZ #BDLVQ BQL͸खಈɾࣗಈͰEFQMPZπʔϧ΋͘͠͸4UPSFʹΞο ϓϩʔυͯ͠ɺ୺຤ʹ഑෍

ϩʔΧϧ։ൃ؀ڥ "༻ 'FUDI1VTI #༻ $༻ 'FUDIPS)PPL #VJME%FQMPZ #BDLVQ $*πʔϧฆࣦͳͲͰ$*্ͷLFZ4UPSF͕ফ͑ͨ৔߹ʹSFTUPSFͰ͖ ΔΑ͏ʹɺLFZ4UPSFΛετϨʔδʹόοΫΞοϓɻ
͜Ε΋ݶఆ͞Εͨۀछɾ໾৬ͷΈ͕ΞΫηεՄೳ

ϩʔΧϧ։ൃ؀ڥ "༻ 'FUDI1VTI #༻ $༻ 'FUDIPS)PPL #VJME%FQMPZ #BDLVQ $*؀ڥʹݶΒͣɺҕୗ΍डୗͷ৔߹΋LFZ4UPSFͷόοΫΞοϓ͸ ͬ͞͞ͱऔ͓ͬͯ͘ͷ͕҆ṛ

Ξ΢τϥΠϯ w എܠͱΰʔϧ w Ͳ͔͜ΒηΩϡΞ։ൃΛֶͿ͔ʁ w ݱঢ়ͷ՝୊ w ઃܭϑΣʔζɺ࣮૷ϑΣʔζɺӡ༻ϑΣʔζ w
·ͱΊ

·ͱΊ w օ Ϣʔβʔɾ։ൃऀɾൃ஫ऀ Ͱ޾ͤʹͳΓ͍ͨ w ͦͷཁૉͱͯ͠ͷɾ඼࣭ͱͯ͠ͷηΩϡϦςΟ w ڭࡐ͸ἧ͍ͬͯΔ w
ڭࡐ͕͓΋͗͢Δ৔߹͸ɺ։ൃஈ֊͝ͱʹඞཁͳη ΩϡϦςΟࢪࡦΛ෼ղ͢Δ

օͰ҆શɾ҆৺ͳΤίγεςϜ Λఏڙ͍͖ͯ͠·͠ΐ͏ ݱࡏͷεϚϗϢʔβʔͷᶃ೔ͷར༻࣌ؒ͸1࣌ؒ49෼ɻ ΤίγεςϜࣗମ্͕෦Ͱ΋ɺΤίγεςϜͷ্ʹͷ͔ͬΔαʔϏε͕ةݥͳঢ়ଶͰ͸ɺ࣮ʹϢʔβʔ ͷ೔ৗੜ׆ͷ͏ͪ໾8%͕ةݥʹࡽ͞Ε͍ͯΔ͜ͱʹͳΔɻ ͜Ε͸͍Βͳ͍

͝ਗ਼ௌ ͋Γ͕ͱ͏͍͟͝·ͨ͠

͓·͚

/ʹ͓͚ΔηΩϡϦςΟ w /FUXPSL4FDVSJUZ$POpHVSBUJPO w ,FZ"UUFTUBUJPO w 1FSNJTTJPO

/FUXPSL4FDVSJUZ $POpHVSBUJPO w ίʔυͰهड़ͨ͠ূ໌ॻؔ࿈ͷಈ࡞ΛYNMͰॻ͚Δ w ৴པ͢Δ$"ͷϗϫΠτϦετԽ w ূ໌ॻϐχϯά w ฏจ௨৴ͷআ֎

,FZ"UUFTUBUJPO w )BSEXBSFCBDLFELFZTUPSFTͷϔϧύʔΈ͍ͨ ͳΠϝʔδ w )BSEXBSFCBDLFELFZTUPSFTͷݕূΛͯ͘͠Ε Δʁ

1FSNJTTJPO w (&5@"$$06/54 w %FQSFDBUFE w "$5*0/@01&/@&95&3/"-@%*3&$503: /&8 w "QQઐ༻ͷσΟϨΫτϦΛ࡞੒ɾݖݶ෇༩

ଞ w 0L)UUQ͕)551ͷ3'$४ڌʹͳͬͨͬΆ͍ w ೔ຊޠΛϔομʹೖΕΒΕͳ͘ͳͬͨ

Androidセキュアな開発について考えてみた(明日敗訴しないためのセキュアコーディングver.2)

Androidセキュアな開発について考えてみた(明日敗訴しないためのセキュアコーディングver.2)

More Decks by Kengo Suzuki

Other Decks in Programming

Featured

Transcript