Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[DroidCon Lisbon 2019] Intro to Android App Sec...

Marc Obrador
September 10, 2019
Programming
2
440

[DroidCon Lisbon 2019] Intro to Android App Security

In this talk we cover the basics of Android App Security.
We first start with an introduction and motivation, talking about why do you need to care about app security, what are the important things to protect, and try to understand the motivation an attacker might have to hack your application.
After that we move on to more technical details, covering the things you (as a developer) can do to protect your applications against the most common security threads. This includes secure networking, user data protection, dealing with rooted devices, IP protection, etc.

Marc Obrador

September 10, 2019
Tweet

More Decks by Marc Obrador

See All by Marc Obrador
[Droidcon London 2023] REST in Peace: A Journey Through API Protection
marcobrador
0
88
[Droidcon Berlin 2023] Obfuscation in Mobile Apps
marcobrador
0
1.2k
[WeAreDevelopers World Conference] Reversing Android Apps
marcobrador
0
590
[mDevCamp 2020] Reversing Android Apps
marcobrador
3
2.7k
Introduction to Mobile App Security
marcobrador
2
370
[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction
marcobrador
0
770
[GDG BCN 2019] Introduction to Android App Security
marcobrador
1
870

Other Decks in Programming

See All in Programming
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
4
640
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.1k
Arm移行タイムアタック
qnighy
0
310
Amazon Qを使ってIaCを触ろう!
maruto
0
400
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
8
2.2k
Remix on Hono on Cloudflare Workers
yusukebe
1
280
どうして僕の作ったクラスが手続き型と言われなきゃいけないんですか
akikogoto
1
120
Jakarta EE meets AI
ivargrimstad
0
130
Better Code Design in PHP
afilina
PRO
0
120
Ethereum_.pdf
nekomatu
0
460
EventSourcingの理想と現実
wenas
6
2.3k

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
What's in a price? How to price your products and services
michaelherold
243
12k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Visualization
eitanlees
145
15k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
120
Designing Experiences People Love
moore
138
23k
What's new in Ruby 2.0
geeforr
343
31k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
Adopting Sorbet at Scale
ufuk
73
9.1k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k

Transcript

  1. Android App Security Introduction Marc Obrador Head of Product Architecture

    @ Build38

  2. Who am I? @marcobrador 2 Marc Obrador Head of Product

    Architecture @ Build38 Barcelona [email protected] @marcobrador /in/marc-obrador

  3. 3 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  4. 4 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  5. Mobile-first world Why do I need to care about Mobile

    App Security? 5 Smartphone = untrusted device Regulation (depending on market) Desktop Mobile 2009 2015 2020 0 20 40 60 80 100 Source: www.gs.statcounter.com @marcobrador

  6. What do I need to protect? 6 @marcobrador

  7. It depends What do I need to protect? 7 @marcobrador

  8. What do I need to protect? 8 User Data Your

    IP DRM @marcobrador

  9. Let’s first switch our perspective How can I protect my

    app? 9 @marcobrador

  10. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 10 @marcobrador

  11. How can I protect my app? 11 @marcobrador

  12. Make it unattractive for the hacker How can I protect

    my app? 12 @marcobrador

  13. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 13 @marcobrador

  14. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit How can I protect my app? 14 @marcobrador

  15. 15 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  16. 16 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  17. - MITM = eavesdropping of network data - It’s 2019

    – use HTTPS! - Certificate pinning is also a good idea Understanding MITM 17 @marcobrador

  18. Enforce HTTPS 18 * Applies only to API <= 27.

    Enforced by default on newer versions. Source: https://developer.android.com/training/articles/security-config @marcobrador

  19. Use Certificate Pinning 19 Source: https://developer.android.com/training/articles/security-config @marcobrador

  20. 20 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  21. - Modifying an APK and redistributing it for malicious purposes

    - Goals: § Modify original behavior o Getting paid features for free o Cheating on a game (Pokémon GO) o … § Stealing user data What is it? 21 @marcobrador

  22. Show me the code! 22 @marcobrador

  23. Preventing App Repackaging 23 Obfuscation Detect repackaging @marcobrador

  24. Repackaging detection 24 @marcobrador

  25. 25 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  26. Understanding “Root” 26 @marcobrador

  27. Root Detection 27 /scottyab/rootbeer /Stericson/RootTools SafetyNet Attestation API @marcobrador

  28. 28 What to do if Root is found? @marcobrador

  29. - User may have legitimately rooted its device - Remote

    root exploits are a thing - No clear action… § Restrict some sensitive functionality § Design your security model assuming that root can (will) happen What to do if Root is found? 29 @marcobrador

  30. 30 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  31. - Know what you need to protect - 100% protection

    does not exist – aim for “good enough” - Secure Networking is a must - Java/Kotlin are super easy to reverse engineer § Move security-relevant logic to backend or write it in C/C++ - Root can be really bad – come up with a plan Recap 31 @marcobrador

  32. Thank you! Any questions?