Tracking your permissions with data access auditing

Slide 1

Slide 1 text

Ricardo Costeira @rcosteira79 Tracking Your Permissions With Data Access Auditing

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

A long time ago… but in this galaxy though ● App idea – Runbelievable ○ Step 1: Get to your starting point ○ Step 2: Start the timer ○ Step 3: run like the wind until you reach your destination ○ Step 4: Stop the timer ○ Step 5: Compare with previous runs with super high end complex machine learning algorithms that aim to improve your technique ○ Step 6: Boast about how fast you are by uploading your progress to Facebook

Slide 4

Slide 4 text

You need to compromise with the user ● In exchange for your super advanced running tech ● You need users to allow access to their location ● Since you eloquently explain why, users grant you access

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

Your app rocks! ● Everyone loves running thanks to you ❤‍♀ ● Facebook is ﬂooded with annoying Runbelievable progress reports ● 5 star reviews everywhere ● 7 out of 10 reviews mention something interesting...

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

New feature – HIIT workouts ● Exercise list ● Exercise descriptions ● Default workout plans ● Workout builders ● Timer for exercises ● Everything else you’ll remember along the way

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

What happened? ● When building the HIIT feature, you reused the startTimer() method… ● … which accesses user location data internally

Slide 12

Slide 12 text

Data Access Auditing ● Allows you to track access to private data ● Callback that you register on any Android component ○ AppOpsManager.OnOpNotedCallback ● Can provide the stack trace from the thread it’s called (if call is synchronous) ● Can track private data access made by 3rd party SDKs

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

Data access auditing – Do I need it? ● Small team? Relatively simple app and/or project? Not that many permissions needed? Might not be worth it. ● Large and/or dynamic team? Complex project, with a lot of modules, and a lot of feature sets requesting all kinds of permissions? It might save the day.

Slide 15

Slide 15 text

Sample app ● https://github.com/rcosteira79/DataAccessAuditing-Playground

Slide 16

Slide 16 text

Ricardo Costeira @rcosteira79 Tracking Your Permissions With Data Access Auditing