Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[GDG BCN 2019] Introduction to Android App Secu...

[GDG BCN 2019] Introduction to Android App Security

Marc Obrador

October 16, 2019
Tweet

More Decks by Marc Obrador

Other Decks in Programming

Transcript

  1. Who am I? @marcobrador 2 Marc Obrador Head of Product

    Architecture @ Build38 Barcelona [email protected] @marcobrador /in/marc-obrador
  2. 3 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador
  3. 4 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador
  4. Mobile-first world Why do I need to care about Mobile

    App Security? 5 Smartphone = untrusted device Regulation (depending on market) Desktop Mobile 2009 2015 2020 0 20 40 60 80 100 Source: www.gs.statcounter.com @marcobrador
  5. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 10 @marcobrador
  6. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 13 @marcobrador
  7. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit How can I protect my app? 14 @marcobrador
  8. 15 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador
  9. 16 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador
  10. - MITM = eavesdropping of network data - It’s 2019

    – use HTTPS! - Certificate pinning is also a good idea Understanding MITM 17 @marcobrador
  11. Enforce HTTPS 18 * Applies only to API <= 27.

    Enforced by default on newer versions. Source: https://developer.android.com/training/articles/security-config @marcobrador
  12. 20 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador
  13. - Modifying an APK and redistributing it for malicious purposes

    - Goals: § Modify original behavior o Getting paid features for free o Cheating on a game (Pokémon GO) o … § Stealing user data What is it? 21 @marcobrador
  14. 25 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador
  15. - User may have legitimately rooted its device - Remote

    root exploits are a thing - No clear action… § Restrict some sensitive functionality § Design your security model assuming that root can (will) happen What to do if Root is found? 29 Source: - https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/ - https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html @marcobrador
  16. 30 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador
  17. - Know what you need to protect - 100% protection

    does not exist – aim for “good enough” - Secure Networking is a must - Java/Kotlin are super easy to reverse engineer § Move security-relevant logic to backend or write it in C/C++ - Root can be really bad – come up with a plan Recap 31 @marcobrador