Android Developing Secure Application Harsh Dattani, GDG Baroda A learner like you all! No body is PRO in security 

AboutMe.apk A Cyber Security Student @Gujarat Forensic Sciences University and a Learner! Always! :P Om Shanti Harsh Dattani 

Secure Coding Guidelines ● Such guidelines even exists on Earth?? :D 

Secure Coding Guidelines ● Such guidelines even exists on Earth?? :D ● Who cares! No one’s gonna hack my app :P 

Secure Coding Guidelines ● Such guidelines even exists on Earth?? :D ● Who cares! No one’s gonna hack my app :P ● Lets finish this project anyhow!! ;) 

Secure Coding Guidelines ● Computer Emergency Response Teams (CERT) are expert groups that handle Computer/IT security incidents. ● Issued Android Secure Coding Guidelines. 

We all Know this! 

And this! ● Activity ● Content Providers ● Intents ● Permissions ● Services ● Shared Prefs ● Views (Mostly WebView) 

Also this! 

Assets in Android 

Assets in Android ● Device Information ● Personal Information (User’s) ● Friend’s Personal Information 

Attack Vectors in Android 

No content

Attack Vectors in Android ● Mounting SD Card in PC 

Attack Vectors in Android ● Mounting SD Card in PC ● Malicious App 

Attack Vectors in Android ● Mounting SD Card in PC ● Malicious App ● Network Attack 

Attack Vectors in Android ● Mounting SD Card in PC ● Malicious App ● Network Attack ● Malicious File Attack 

Attack Vectors in Android ● Mounting SD Card in PC ● Malicious App ● Network Attack ● Malicious File Attack ● User’s Unawareness 

Attack Vectors in Android ● Mounting SD Card in PC ● Malicious App ● Network Attack ● Malicious File Attack ● User’s Unawareness ● USB Debugging 

Attack Vectors in Android ● Mounting SD Card in PC ● Malicious App ● Network Attack ● Malicious File Attack ● User’s Unawareness ● USB Debugging ● Root permissions!! (Can do anything) 

Attack Vectors in Android ● Mounting SD Card in PC ● Malicious App ● Network Attack ● Malicious File Attack ● User’s Unawareness ● USB Debugging ● Root permissions!! (Can do anything) 

Security Policies 

Unix Security Policy 1. Process Isolation 2. Hardware Isolation 3. User Permission Model 4. R/W/X Permissions to file 5. Secure IPC 

Android Security Policy 1. Application Isolation 2. Sandbox of Application 3. Secure Communication 4. Signing the Application 5. Permission model of Application 

To Do’s to Secure Apps 

1. Avoid Simple Logics 

1: Avoid Simple logics if(LoginAccess==1){ ... ... } ---------------------------------------------------------------------------- if(Login.Access = True){ ... ... } 

2. Test 3rd Party Libraries! 

“Caution: Developers rely heavily on third-party libraries. It is important to thoroughly probe and test this as you test your code. Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code. 

3. Use Encryption 

“Caution: External storage can become unavailable if the user mounts the external storage on a computer or removes the media, and there's no security enforced upon files you save to the external storage. All applications can read and write files placed on the external storage and the user can remove them.” -- http://developer.android.com/guide/topics/data/data-storage.html 

But How to Encrypt? 

How to Encrypt or Encode? 1. Encode Shared Preferences 2. Encrypt SQLite: SQLCipher 3. Encrypt Network: TLS 4. Data Encryption: Facebook’s Conceal Library 5. MD5, SHA Sensitive Data 

4. Handle Input Data 

“Caution: An Android application can be coded in Java or native code, which is C++. When Java is used, many of the data validation issues like buffer overflow, format string issues, and others are eliminated, as the language itself is not vulnerable. When using native code, special care needs to be taken when data is read from an untrusted source because it is vulnerable to issues like buffer overflow, format string issues, and more.” -- White Paper by Mcafee 

5. Secure Intents 

6. Secure WebView 

● setJavaScriptEnabled(): Default is False ● setPluginState(): Default is OFF ● setAllowFileAccess(): Default is True ● setAllowContentAccess(): Default is True ● setAllowFileAccessFromFileURLs(): Default value is True for API level 15 and below, and False for API level level 16 and above. ● setAllowUniversalAccessFromFileURLs(): Default value is True for API level 15 and below, and False for API level level 16 and above. --------------------------------------------------------------------------------------------------------------------------------------------- ● Don’t: Enable JavaScript for all pages. ● Do: If Enabled, make sure it’s a local address or trusted address. ● Use HTTPS, whenever possible 

7. Secure Logs 

Log.v("method", Login.TAG + ", username=" + name); Log.v("method", Login.TAG + ", password=" + pass); ---------------------------------------------------------------------------- -assumenosideeffects class android.util.Log { public static *** d(...); public static *** w(...); public static *** v(...); public static *** i(...); } 

8. Secure Intent Leaks 

● Don’t Broadcast Sensitive information in Intents ● Attacker can intercept the broadcasted data. (Demo) ● Broadcast Securely using: LocalBroadcastManager.getInstance(this).sendBroadcast(intent); 

9. Code Obfuscation 

● Proguard ● Don’t include unused Classes and Libraries ● Difficult to protect from Smali Decompilation 

10. Use of Tokens for Authentication 

11. Use of HTTPS! 

Our Evils: 1. ADB 2. Malicious Applications 3. Unprotected Network 4. Sniffers 

Our Friends: 1. Android Fuzzers 2. Xposed Framework 3. Drozer 4. APKtool or any other Static Analysis Tool 5. Penetration Tools for Android and Many more... 

AskMe.apk? 

ContactMe.apk! [email protected] github.com/harshdattani