Who Do You Think Owns Your Android Application

Transcript

1. Who Do You Think Owns Your Android Application?

2. 2 Insecure apps can grant unwanted access to data

3. Android App

4. SERVICES 4 DEMO

5. SERVICES 5

6. SERVICES - SECURE IMPLEMENTATION 6 Mark components as exported =

   false Enforce a permission Helps solve the Confused Deputy Problem

7. 7 WiFi Access? Access Granted WiFi Access? Access Denied WiFi

   Manager Our app Malicious App CONFUSED DEPUTY PROBLEM

8. 8 WiFi Access? Access Granted WiFi Manager Our app Malicious

   App CONFUSED DEPUTY PROBLEM WiFi Access? Access Granted

9. BROADCAST RECEIVER 9 DEMO

10. BROADCAST RECEIVER 10

11. BROADCAST RECEIVER - SECURE IMPLEMENTATION 11 Enforce a permission

12. BROADCAST RECEIVER - SECURE IMPLEMENTATION 12 Use Intent.setPackage

13. BROADCAST RECEIVER - SECURE IMPLEMENTATION 13 Use LocalBroadcastManager

14. PERMISSIONS 14 Bad Reviews Extra permissions can cause a security

    vulnerability

15. CAMERA PERMISSION 15

16. SEND_SMS PERMISSION 16

17. 17 SSL Pinning

18. WEBVIEW 18

19. WEBVIEW : JAVA - JAVASCRIPT INTERFACE 19

20. WEBVIEW : ALTERNATIVE TO JAVA - JAVASCRIPT INTERFACE 20

21. 21 WEBVIEW : UNINTENDED URLS Whitelisting Blacklisting Files can be

    accessed using URL “file:///android_asset…….”

22. 22 Logging

23. 23 Hacker App to test these vulnerabilities

24. 24 Proguard obfuscation

25. 25 DexGuard

26. 26 Android Lint

27. 27 Zero permissions apps are secure apps?

28. LINKS Github Repo: https://github.com/AndroidSecurityBasics/ Blog Link: https://www.thoughtworks.com/insights/blog/ who-do-you-think-owns-your-android-app https://www.thoughtworks.com/de/insights/ blog/who-do-you-think-owns-your-android-app-

    part-two

29. THANK YOU