Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[GDG BCN 2019] Introduction to Android App Secu...

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Marc Obrador Marc Obrador
October 16, 2019
Programming
950
1

[GDG BCN 2019] Introduction to Android App Security

Avatar for Marc Obrador

Marc Obrador

October 16, 2019

More Decks by Marc Obrador

See All by Marc Obrador
[Droidcon London 2023] REST in Peace: A Journey Through API Protection
Avatar for Marc Obrador marcobrador
0
120
[Droidcon Berlin 2023] Obfuscation in Mobile Apps
Avatar for Marc Obrador marcobrador
0
1.4k
[WeAreDevelopers World Conference] Reversing Android Apps
Avatar for Marc Obrador marcobrador
0
700
[mDevCamp 2020] Reversing Android Apps
Avatar for Marc Obrador marcobrador
3
2.9k
Introduction to Mobile App Security
Avatar for Marc Obrador marcobrador
2
400
[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction
Avatar for Marc Obrador marcobrador
0
800
[DroidCon Lisbon 2019] Intro to Android App Security
Avatar for Marc Obrador marcobrador
2
500

Other Decks in Programming

See All in Programming
Language Server 使ってる? 〜VSCode と Zed の場合〜 / Are you using a Language Server? ~For VS Code and Zed~
Avatar for NAGATA Hiroaki handlename
0
770
Spring Security 実践 ─ GraphQL APIで実務に役立つ 認証・認可 を学ぶ
Avatar for Wagyu wagyu
0
200
フロントエンドとバックエンドで「1文字」を揃えよう
Avatar for てきめん tekimen youkidearitai
PRO
0
230
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
Avatar for ギークプラス ソフトウェア事業部 geekplus_tech
0
330
「AIで開発し、AIを届ける」をEvalでつなぐ 〜AIネイティブに始めるプロダクト開発の実践〜 / Connecting "Develop with AI, deliver AI" with Eval
Avatar for r-kagaya rkaga
4
4.8k
LLM Plugin for Node-REDの利用方法と開発について
Avatar for 404background 404background
0
160
AutonomyとControlのあいだ:Graflowで記述するAIエージェント協調
Avatar for Makoto Yui myui
0
110
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
Avatar for Blueswen blueswen
0
150
[2026年度第1回ORセミナー] 計画最適化ベンチャーと競技プログラミング人材
Avatar for terry-u16 terryu16
0
250
PHPで使える日時の表現と、その知り方 #frontend_phpcon_do
Avatar for hideki kinjyo o0h
PRO
0
220
jQueryをバージョンアップする前に使いたいjQuery Migrate
Avatar for Atsushi Matsuo matsuo_atsushi
0
200
OSもどきOS
Avatar for Sora Arakawa arkw
0
470

Featured

See All Featured
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
10
1.2k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
274
21k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
211
24k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.7k
SEO Brein meetup: CTRL+C is not how to scale international SEO
Avatar for Linda Hogenes lindahogenes
1
2.7k
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
Avatar for Greg Gifford greggifford
PRO
0
190
Avoiding the “Bad Training, Faster” Trap in the Age of AI
Avatar for Mike Taylor tmiket
0
170
Claude Code のすすめ
Avatar for schroneko schroneko
67
230k
Agile Actions for Facilitating Distributed Teams - ADO2019
Avatar for Mark Kilby mkilby
0
200
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
23k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
360
30k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
88
5.1k

Transcript

  1. Android App Security Introduction Marc Obrador Head of Product Architecture

    @ Build38

  2. Who am I? @marcobrador 2 Marc Obrador Head of Product

    Architecture @ Build38 Barcelona [email protected] @marcobrador /in/marc-obrador

  3. 3 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  4. 4 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  5. Mobile-first world Why do I need to care about Mobile

    App Security? 5 Smartphone = untrusted device Regulation (depending on market) Desktop Mobile 2009 2015 2020 0 20 40 60 80 100 Source: www.gs.statcounter.com @marcobrador

  6. What do I need to protect? 6 @marcobrador

  7. It depends What do I need to protect? 7 @marcobrador

  8. What do I need to protect? 8 User Data Your

    Business DRM @marcobrador

  9. Let’s first switch our perspective How can I protect my

    app? 9 @marcobrador

  10. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 10 @marcobrador

  11. How can I protect my app? 11 @marcobrador

  12. Make it unattractive for the hacker How can I protect

    my app? 12 @marcobrador

  13. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 13 @marcobrador

  14. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit How can I protect my app? 14 @marcobrador

  15. 15 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  16. 16 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  17. - MITM = eavesdropping of network data - It’s 2019

    – use HTTPS! - Certificate pinning is also a good idea Understanding MITM 17 @marcobrador

  18. Enforce HTTPS 18 * Applies only to API <= 27.

    Enforced by default on newer versions. Source: https://developer.android.com/training/articles/security-config @marcobrador

  19. Use Certificate Pinning 19 Source: https://developer.android.com/training/articles/security-config @marcobrador

  20. 20 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  21. - Modifying an APK and redistributing it for malicious purposes

    - Goals: § Modify original behavior o Getting paid features for free o Cheating on a game (Pokémon GO) o … § Stealing user data What is it? 21 @marcobrador

  22. Show me the code! 22 @marcobrador

  23. Preventing App Repackaging 23 Obfuscation Detect repackaging @marcobrador

  24. Repackaging detection 24 @marcobrador

  25. 25 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  26. Understanding “Root” 26 @marcobrador

  27. Root Detection 27 /scottyab/rootbeer /KimChangYoun/rootbeerFresh /Stericson/RootTools SafetyNet Attestation API @marcobrador

  28. 28 What to do if Root is found? @marcobrador

  29. - User may have legitimately rooted its device - Remote

    root exploits are a thing - No clear action… § Restrict some sensitive functionality § Design your security model assuming that root can (will) happen What to do if Root is found? 29 Source: - https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/ - https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html @marcobrador

  30. 30 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

  31. - Know what you need to protect - 100% protection

    does not exist – aim for “good enough” - Secure Networking is a must - Java/Kotlin are super easy to reverse engineer § Move security-relevant logic to backend or write it in C/C++ - Root can be really bad – come up with a plan Recap 31 @marcobrador

  32. Thank you! Any questions?