Secure Development - Lviv IT Arena

Secure Development with Android Enrique López-Mañas

Ego Slide • IT Consultor • Google Developer Expert •
@eenriquelopez

Agenda • File Storage • Securing network communications • Reverse
Engineering and Obfuscation • Databases • Demo • Misc

External Storage vs Internal Storage • getExternalStorageDirectory() is like parking
your car on the street • All apps can access your ﬁles • Files may not be removed or uninstalled • SD Card can be removed

External Storage vs Internal Storage • getFilesDir() is like parking
in your own garage • Other apps are generally not able to get in your sandbox • Root phones and emulator can access it • Files get removed during uninstall

Other considerations No MODE_WORLD_READABLE ! No MODE_WORLD_WRITEABLE!    

Reverse Engineering • Obtaining source code from a compiled binary

Why Java? • Java is partially compiled, and then interpreted
• JVM and opcodes are ﬁxed • Few instructions • No real protection

Why Android? • APKs are easily downloadable • Obfuscation does
not happen by default • APK to Jar Translation is easy

Why Android?

Legal issues recipes • Don’t decompile, recompile, and pass it
oﬀ as your own • Don’t try to sell it as your own • If License Agreement forbids decompiling, do not decompile • Don’t decompile to remove protection mechanisms

Legal issues recipes YES • Understand interoperatibility • Create a
program interface NO • Create a copy and sell it

Purpose

Purpose http://bit.ly/leakingWhatsapp

Obtain APKs • Pulling from device • Using GooglePlay Python
API • Alternative sources • Sniﬀer transfers

Protecting against Reverse Engineering 1. Writing two versions of the
app 2. Obfuscation (When obfuscation is outlawed, only outlaws will sifjdifdm woﬁeﬁemfeifm) 3. Webservices 4. FingerPrinting code 5. Native methods

ProGuard

SQL Databases

SQL Databases Use an ORM!

Demo • HTTP Sniﬃng • Securing ﬁles & credentials •
Reverse Engineering

Native Code

Misc • Minimize permission usage • Perform Input Validation (buﬀer
overﬂow, etc) • Do not load code dynamically

We love feedback! • bit.ly/feedbackLVIV

Secure Development - Lviv IT Arena

Secure Development - Lviv IT Arena

Enrique López Mañas

More Decks by Enrique López Mañas

Other Decks in Programming

Featured

Transcript

Secure Development with Android Enrique López-Mañas

Ego Slide • IT Consultor • Google Developer Expert •

Agenda • File Storage • Securing network communications • Reverse

External Storage vs Internal Storage • getExternalStorageDirectory() is like parking

External Storage vs Internal Storage • getFilesDir() is like parking

Other considerations No MODE_WORLD_READABLE ! No MODE_WORLD_WRITEABLE!

Reverse Engineering • Obtaining source code from a compiled binary

Why Java? • Java is partially compiled, and then interpreted

Why Android? • APKs are easily downloadable • Obfuscation does

Why Android?

Legal issues recipes • Don’t decompile, recompile, and pass it

Legal issues recipes YES • Understand interoperatibility • Create a

Purpose

Purpose

Purpose

Purpose http://bit.ly/leakingWhatsapp

Obtain APKs • Pulling from device • Using GooglePlay Python

Protecting against Reverse Engineering 1. Writing two versions of the

ProGuard

SQL Databases

SQL Databases

SQL Databases

SQL Databases

SQL Databases Use an ORM!

Demo • HTTP Sniﬃng • Securing ﬁles & credentials •

Native Code

Native Code

Native Code

Native Code

Misc • Minimize permission usage • Perform Input Validation (buﬀer

We love feedback! • bit.ly/feedbackLVIV