Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Who Do You Think Owns Your Android Application

Avatar for Nazneen Rupawalla Nazneen Rupawalla
April 19, 2016
Programming
61
0

Who Do You Think Owns Your Android Application

Presented at Droidcon Torino on 8th April 2016

Avatar for Nazneen Rupawalla

Nazneen Rupawalla

April 19, 2016

More Decks by Nazneen Rupawalla

See All by Nazneen Rupawalla
Who Do You Think Owns Your Android Application?
Avatar for Nazneen Rupawalla nazneen
0
390

Other Decks in Programming

See All in Programming
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
Avatar for Blueswen blueswen
0
170
技術記事、 専門家としてのプログラマ、 言語化
Avatar for Koutarou Chikuba mizchi
13
6.2k
依存関係から依存物へ―Dependencyという言葉の歴史をひも解く
Avatar for j_lee_inst j_lee
0
120
Spring Security 実践 ─ GraphQL APIで実務に役立つ 認証・認可 を学ぶ
Avatar for Wagyu wagyu
0
240
AI時代のUIはどこへ行く?その2!
Avatar for Yusuke Wada yusukebe
21
7.3k
Strategic Design in the Frontend: Moduliths & Micro Frontends @DDDEurope
Avatar for Manfred Steyer manfredsteyer
PRO
0
110
不変条件と整合性境界—ビジネスが決める設計判断と実現パターン / Invariants and Consistency Boundaries
Avatar for nrs nrslib
13
5.5k
生成AI時代にこそ効くGo | Why Go Works in the Age of Generative AI
Avatar for mom0tomo mom0tomo
8
3.3k
並列実装の現場、2ヶ月間実務でAIを使い倒したAIもPCも私も限界が近い
Avatar for ming ming_ayami
0
130
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
Avatar for Masaaki Takahashi macha64
0
540
決定論的オーケストレーションの設計と実装 / Design and Implementation of Deterministic Orchestration
Avatar for nrs nrslib
4
1.4k
その問い、本当に正しいですか?AI時代のエンジニアに必要な哲学と認知科学 / ai-philosophy-cognitive-science
Avatar for MinoDriven minodriven
11
5.8k

Featured

See All Featured
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
160
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
35k
Joys of Absence: A Defence of Solitary Play
Avatar for Sebastian Deterding codingconduct
1
400
30 Presentation Tips
Avatar for Ian Lurie portentint
PRO
1
330
Claude Code どこまでも/ Claude Code Everywhere
Avatar for nwiizo nwiizo
65
56k
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
1
290
Tips & Tricks on How to Get Your First Job In Tech
Avatar for Honza Javorek honzajavorek
1
540
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
220k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
62
54k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.9k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.4k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
Avatar for Mike Taylor tmiket
0
180

Transcript

  1. Who Do You Think Owns Your Android Application?

  2. 2 Insecure apps can grant unwanted access to data

  3. Android App

  4. SERVICES 4 DEMO

  5. SERVICES 5

  6. SERVICES - SECURE IMPLEMENTATION 6 Mark components as exported =

    false Enforce a permission Helps solve the Confused Deputy Problem

  7. 7 WiFi Access? Access Granted WiFi Access? Access Denied WiFi

    Manager Our app Malicious App CONFUSED DEPUTY PROBLEM

  8. 8 WiFi Access? Access Granted WiFi Manager Our app Malicious

    App CONFUSED DEPUTY PROBLEM WiFi Access? Access Granted

  9. BROADCAST RECEIVER 9 DEMO

  10. BROADCAST RECEIVER 10

  11. BROADCAST RECEIVER - SECURE IMPLEMENTATION 11 Enforce a permission

  12. BROADCAST RECEIVER - SECURE IMPLEMENTATION 12 Use Intent.setPackage

  13. BROADCAST RECEIVER - SECURE IMPLEMENTATION 13 Use LocalBroadcastManager

  14. PERMISSIONS 14 Bad Reviews Extra permissions can cause a security

    vulnerability

  15. CAMERA PERMISSION 15

  16. SEND_SMS PERMISSION 16

  17. 17 SSL Pinning

  18. WEBVIEW 18

  19. WEBVIEW : JAVA - JAVASCRIPT INTERFACE 19

  20. WEBVIEW : ALTERNATIVE TO JAVA - JAVASCRIPT INTERFACE 20

  21. 21 WEBVIEW : UNINTENDED URLS Whitelisting Blacklisting Files can be

    accessed using URL “file:///android_asset…….”

  22. 22 Logging

  23. 23 Hacker App to test these vulnerabilities

  24. 24 Proguard obfuscation

  25. 25 DexGuard

  26. 26 Android Lint

  27. 27 Zero permissions apps are secure apps?

  28. LINKS Github Repo: https://github.com/AndroidSecurityBasics/ Blog Link: https://www.thoughtworks.com/insights/blog/ who-do-you-think-owns-your-android-app https://www.thoughtworks.com/de/insights/ blog/who-do-you-think-owns-your-android-app-

    part-two

  29. THANK YOU