Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[DroidCon Lisbon 2019] Intro to Android App Sec...

Marc Obrador
September 10, 2019
Programming
2
440

[DroidCon Lisbon 2019] Intro to Android App Security

In this talk we cover the basics of Android App Security.
We first start with an introduction and motivation, talking about why do you need to care about app security, what are the important things to protect, and try to understand the motivation an attacker might have to hack your application.
After that we move on to more technical details, covering the things you (as a developer) can do to protect your applications against the most common security threads. This includes secure networking, user data protection, dealing with rooted devices, IP protection, etc.

Marc Obrador

September 10, 2019
Tweet

More Decks by Marc Obrador

See All by Marc Obrador
[Droidcon London 2023] REST in Peace: A Journey Through API Protection
marcobrador
0
88
[Droidcon Berlin 2023] Obfuscation in Mobile Apps
marcobrador
0
1.2k
[WeAreDevelopers World Conference] Reversing Android Apps
marcobrador
0
590
[mDevCamp 2020] Reversing Android Apps
marcobrador
3
2.7k
Introduction to Mobile App Security
marcobrador
2
370
[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction
marcobrador
0
770
[GDG BCN 2019] Introduction to Android App Security
marcobrador
1
870

Other Decks in Programming

See All in Programming
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
1
290
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
430
Kaigi on Rails 2024 - Rails APIモードのためのシンプルで効果的なCSRF対策 / kaigionrails-2024-csrf
corocn
5
3.4k
カスタムしながら理解するGraphQL Connection
yanagii
1
1.2k
offers_20241022_imakiire.pdf
imakurusu
2
360
讓數據說話:用 Python、Prometheus 和 Grafana 講故事
eddie
0
350
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
210
役立つログに取り組もう
irof
26
8.7k
go.mod、DockerfileやCI設定に分散しがちなGoのバージョンをまとめて管理する / Go Connect #3
arthur1
10
2.4k
qmuntal/stateless のススメ
sgash708
0
120
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
400
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
9
1k

Featured

See All Featured
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Practical Orchestrator
shlominoach
186
10k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
41
2.1k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Learning to Love Humans: Emotional Interface Design
aarron
272
40k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Agile that works and the tools we love
rasmusluckow
327
21k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
How STYLIGHT went responsive
nonsquared
95
5.2k
4 Signs Your Business is Dying
shpigford
180
21k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k

Transcript

  1. Android App Security Introduction Marc Obrador Head of Product Architecture

    @ Build38

  2. Who am I? @marcobrador 2 Marc Obrador Head of Product

    Architecture @ Build38 Barcelona [email protected] @marcobrador /in/marc-obrador

  3. 3 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  4. 4 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  5. Mobile-first world Why do I need to care about Mobile

    App Security? 5 Smartphone = untrusted device Regulation (depending on market) Desktop Mobile 2009 2015 2020 0 20 40 60 80 100 Source: www.gs.statcounter.com @marcobrador

  6. What do I need to protect? 6 @marcobrador

  7. It depends What do I need to protect? 7 @marcobrador

  8. What do I need to protect? 8 User Data Your

    IP DRM @marcobrador

  9. Let’s first switch our perspective How can I protect my

    app? 9 @marcobrador

  10. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 10 @marcobrador

  11. How can I protect my app? 11 @marcobrador

  12. Make it unattractive for the hacker How can I protect

    my app? 12 @marcobrador

  13. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 13 @marcobrador

  14. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit How can I protect my app? 14 @marcobrador

  15. 15 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  16. 16 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  17. - MITM = eavesdropping of network data - It’s 2019

    – use HTTPS! - Certificate pinning is also a good idea Understanding MITM 17 @marcobrador

  18. Enforce HTTPS 18 * Applies only to API <= 27.

    Enforced by default on newer versions. Source: https://developer.android.com/training/articles/security-config @marcobrador

  19. Use Certificate Pinning 19 Source: https://developer.android.com/training/articles/security-config @marcobrador

  20. 20 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  21. - Modifying an APK and redistributing it for malicious purposes

    - Goals: § Modify original behavior o Getting paid features for free o Cheating on a game (Pokémon GO) o … § Stealing user data What is it? 21 @marcobrador

  22. Show me the code! 22 @marcobrador

  23. Preventing App Repackaging 23 Obfuscation Detect repackaging @marcobrador

  24. Repackaging detection 24 @marcobrador

  25. 25 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  26. Understanding “Root” 26 @marcobrador

  27. Root Detection 27 /scottyab/rootbeer /Stericson/RootTools SafetyNet Attestation API @marcobrador

  28. 28 What to do if Root is found? @marcobrador

  29. - User may have legitimately rooted its device - Remote

    root exploits are a thing - No clear action… § Restrict some sensitive functionality § Design your security model assuming that root can (will) happen What to do if Root is found? 29 @marcobrador

  30. 30 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  31. - Know what you need to protect - 100% protection

    does not exist – aim for “good enough” - Secure Networking is a must - Java/Kotlin are super easy to reverse engineer § Move security-relevant logic to backend or write it in C/C++ - Root can be really bad – come up with a plan Recap 31 @marcobrador

  32. Thank you! Any questions?