DroidCon Poland - Secure Development with Android

Secure Development with Android Enrique López-Mañas Nick Skelton

Ego Slide • IT Consultor • Google Developer Expert •
@eenriquelopez

Ego Slide • Software Manager @ Sixt Germany • @nshred
• Not very egotistical

Agenda • Introduction • Securing network communications • File Storage
• Reverse Engineering and Obfuscation • Demo

HTTP Sniﬃng with Chuck • HTTP proxies: • Charles (Mac)
• Fiddler (Windows) • Great for debugging dodgy backends • Great for simulating dodgy connections • Works with SSL

External Storage vs Internal Storage • getExternalStorageDirectory() is like parking
your car on the street • All apps can access your ﬁles • Files may not be removed on uninstall • SD Card can be removed • getFilesDir() is like parking in your own garage • Other apps are generally not able to get in your sandbox • Rooted phones and emulators can access it

File Encryption • Facebook Conceal encryption • Simple • Secure
out of the box (AES-GCM) • Small payload (85kb) • https://github.com/facebook/conceal

File Encryption • IOCypher and SQLCypher • Great for encrypting
a complete ﬁlesystem or database • More complicated in terms of setup, keygen and error handling

Reverse Engineering • Obtaining source code from a compiled binary

Why Java? • Java is partially compiled, and then interpreted
• JVM and opcodes are ﬁxed • Few instructions • No real protection

Why Android? • APKs are easily downloadable • Obfuscation does
not happen by default • APK to Jar Translation is easy

Legal issues recipes • Don’t decompile, recompile, and pass it
oﬀ as your own • Don’t try to sell it as your own • If License Agreement forbids decompiling, do not decompile • Don’t decompile to remove protection mechanisms

Legal issues recipes YES • Understand interoperatibility • Create a
program interface NO • Create a copy and sell it

Purpose

Obtain APKs • Pulling from device • Using GooglePlay Python
API • Alternative sources • Sniﬀer transfers

Protecting against Reverse Engineering 1. Writing two versions of the
app 2. Obfuscation (When obfuscation is outlawed, only outlaws will sifjdifdm woﬁeﬁemfeifm) 3. Webservices 4. FingerPrinting code 5. Native methods for storing strings

Code • HTTP Sniﬃng • Securing ﬁles & credentials •
Reverse Engineering

We love feedback! • http://bit.ly/feedbackDroidconPL • https://github.com/kikoso/DroidCon-Poland

#dﬁst

DroidCon Poland - Secure Development with Android

DroidCon Poland - Secure Development with Android

Enrique López Mañas

More Decks by Enrique López Mañas

Other Decks in Programming

Featured

Transcript

Secure Development with Android Enrique López-Mañas Nick Skelton

Ego Slide • IT Consultor • Google Developer Expert •

Ego Slide • Software Manager @ Sixt Germany • @nshred

Agenda • Introduction • Securing network communications • File Storage

HTTP Sniﬃng with Chuck • HTTP proxies: • Charles (Mac)

External Storage vs Internal Storage • getExternalStorageDirectory() is like parking

File Encryption • Facebook Conceal encryption • Simple • Secure

File Encryption • IOCypher and SQLCypher • Great for encrypting

Reverse Engineering • Obtaining source code from a compiled binary

Why Java? • Java is partially compiled, and then interpreted

Why Android? • APKs are easily downloadable • Obfuscation does

Legal issues recipes • Don’t decompile, recompile, and pass it

Legal issues recipes YES • Understand interoperatibility • Create a

Purpose

Purpose

Obtain APKs • Pulling from device • Using GooglePlay Python

Protecting against Reverse Engineering 1. Writing two versions of the

Code • HTTP Sniﬃng • Securing ﬁles & credentials •

We love feedback! • http://bit.ly/feedbackDroidconPL • https://github.com/kikoso/DroidCon-Poland

#dﬁst