Who Do You Think Owns Your Android Application?

Transcript

1. Who Do You Think Owns Your Android Application? Nazneen Rupawalla

   Vo d Q A

2. 2 Insecure apps can grant unwanted access to data.

3. COMMON MAL W ARE Backdoor apps Downloaders Mobile spies Click

   Fraud enablers Rooting enablers Data stealers 3

4. Permissions 4 Service Database Activity APPLICATION COMPONENTS

5. 5 Service Database Activity Settings File Activity Content Provider Cloud

6. INTENT FILTER • Action • Components can subscribe to the

   action 6

7. INTENT FILTER • Explicitly mark components as exported or not.

   • Grant appropriate permissions in the manifest file. • Will help solve the Confused Deputy Problem. 7

8. 8 WiFi Manager Innocent App Malicious App WiFi Access? Access

   Granted WiFi Access? Access Confused Deputy Problem

9. WiFi Manager Innocent App Malicious App WiFi Access? Access Granted

   WiFi Access? Access Granted 9

10. BROADCAST RECEIVER 10 Downloading in progress WiFi is cut off

    Downloading stops. App registers for network broadcast WiFi is connected again Broadcast is sent by OS Broadcast is received by app. Downloading resumed.

11. BROADCAST RECEIVER EXAMPLE 11 • Enforce a permission • Use

    Intent.setPackage • Use LocalBroadcastManager

12. PERMISSIONS 12 • Bad Reviews • Extra Permissions can cause

    a security vulnerability

13. • SMS • Camera EXTRA PERMISSIONS EXAMPLES 13

14. 14 Hacker App to test these vulnerabilities

15. 15 Logging

16. 16 Proguard obfuscation

17. 17 Android Lint

18. 18 Zero permissions apps are secure apps?

19. LINKS Github Repo: https://github.com/AndroidSecurityBasics/ Blog Link: https://www.thoughtworks.com/insights/blog/who-do-you-think-owns- your-android-app

20. THANK YOU Presented By – Nazneen Rupawalla (@Nzneen)