Slide 1
Slide 1 text
Android App Security Tips Merabi Kutalia
Slide 2
Slide 2 text
Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia
Slide 4
Slide 4 text
Topics • data storage • app permissions • networking • webview(javascript) • dynamically loaded code
Slides 5-9 (one slide, revealed bullet by bullet)
Slide 9 text (final build)
data storage • Internal Storage (MODE_WORLD_WRITEABLE, deprecated in API 17) • External Storage is globally readable • Scoped Storage (Android Q) • Content Providers (SQL injection) • Shared preferences + leak
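The two storage bullets that are about code rather than platform behaviour are the content-provider SQL injection and the shared-preferences mode. The Kotlin below is an added example written for this page, not code from the talk: it assumes a hypothetical package, a hypothetical `notes` table and a read-only `NotesProvider`, and puts an injectable query beside the hardened one so the difference is visible in the calls that are made.

```kotlin
package com.example.storage  // hypothetical package; this example is not from the talk

import android.content.ContentProvider
import android.content.ContentValues
import android.content.Context
import android.content.SharedPreferences
import android.database.Cursor
import android.database.sqlite.SQLiteDatabase
import android.database.sqlite.SQLiteOpenHelper
import android.database.sqlite.SQLiteQueryBuilder
import android.net.Uri

// --- Shared preferences -----------------------------------------------------
// MODE_PRIVATE keeps shared_prefs/session.xml readable by this app only.
// MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE were deprecated in API 17 and
// throw SecurityException from API 24 on; never pass them.
fun openSessionPrefs(context: Context): SharedPreferences =
    context.getSharedPreferences("session", Context.MODE_PRIVATE)

// --- Content provider -------------------------------------------------------
// Hypothetical schema: a single "notes" table owned by this app.
class NotesDbHelper(context: Context) : SQLiteOpenHelper(context, "notes.db", null, 1) {
    override fun onCreate(db: SQLiteDatabase) {
        db.execSQL("CREATE TABLE notes (_id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)")
    }

    override fun onUpgrade(db: SQLiteDatabase, oldVersion: Int, newVersion: Int) {
        db.execSQL("DROP TABLE IF EXISTS notes")
        onCreate(db)
    }
}

class NotesProvider : ContentProvider() {
    private lateinit var helper: NotesDbHelper

    override fun onCreate(): Boolean {
        val ctx = context ?: return false
        helper = NotesDbHelper(ctx)
        return true
    }

    // VULNERABLE (kept only for contrast, do not ship): the caller's Uri segment
    // is spliced into SQL text, so whoever can reach the provider can rewrite the
    // WHERE clause and read rows they do not own.
    fun queryUnsafe(uri: Uri): Cursor {
        val owner = uri.lastPathSegment
        return helper.readableDatabase.rawQuery(
            "SELECT _id, body FROM notes WHERE owner = '$owner'", null
        )
    }

    // HARDENED: every caller-controlled value is bound with '?', the projection
    // is restricted to a fixed map, and strict mode makes SQLiteQueryBuilder
    // reject selection strings that try to break out of the WHERE clause.
    override fun query(
        uri: Uri, projection: Array<String>?, selection: String?,
        selectionArgs: Array<String>?, sortOrder: String?
    ): Cursor? {
        val owner = uri.lastPathSegment ?: return null
        val qb = SQLiteQueryBuilder()
        qb.setTables("notes")
        qb.setProjectionMap(mapOf("_id" to "_id", "body" to "body"))
        qb.setStrict(true)
        // Always scope to the owner taken from the Uri; the caller's own selection
        // (if any) is appended in parentheses so it cannot widen the owner filter.
        val where = if (selection.isNullOrBlank()) "owner = ?" else "owner = ? AND ($selection)"
        val args = arrayOf(owner) + (selectionArgs ?: emptyArray())
        return qb.query(helper.readableDatabase, projection, where, args, null, null, sortOrder)
    }

    // Read-only provider: the remaining abstract members refuse writes.
    override fun getType(uri: Uri): String? = "vnd.android.cursor.dir/vnd.example.note"
    override fun insert(uri: Uri, values: ContentValues?): Uri? = null
    override fun delete(uri: Uri, selection: String?, selectionArgs: Array<String>?): Int = 0
    override fun update(uri: Uri, values: ContentValues?, selection: String?, selectionArgs: Array<String>?): Int = 0
}
```

Parameter binding fixes the injection, but it does not decide who may call the provider at all: that is set in the manifest (`android:exported="false"`, or a `permission` attribute when another app legitimately needs the data), and a provider that nobody outside the app should reach is the simplest one to secure.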
Slide 10
Slide 10 text
app permissions • data leak caused by misused permissions
Slides 11-13 (one slide, revealed bullet by bullet)
Slide 13 text (final build)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/fs0c131y/status/1085460755313508352) • GCM/FCM/SMS (Sensitive Data)
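The "HTTPS (it's 2019!)" bullet has a direct platform enforcement on Android: a network security configuration (API 24 and later) that refuses cleartext traffic for the whole app, so a stray `http://` URL fails at connect time instead of silently sending data in the clear. The file below is an added example, not from the talk; the host name is a placeholder, and the manifest wiring it assumes is `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the talk) -->
<network-security-config>
    <!-- Default for every host: no cleartext, trust only the system CA store. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- api.example.com is a placeholder. Restating the rule per domain keeps it
         from being loosened by a later, broader edit of base-config. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>

    <!-- Only applies when android:debuggable="true": lets a developer's own
         interception proxy CA be trusted on debug builds without ever
         weakening the release configuration. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Note what this config does not cover: the other two bullets. An app that itself listens on a local port (the "localhost!" point) is a server, and the config governs only the app's outgoing connections; and data placed in a push payload or an SMS passes through third parties regardless of transport, so the fix there is to send an identifier and fetch the sensitive value over the authenticated HTTPS channel instead.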
Slides 14-16 (one slide, revealed bullet by bullet)
Slide 16 text (final build)
webview • setJavaScriptEnabled - No! • webkit
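For the WebView bullet, the practical shape of "setJavaScriptEnabled - No!" is a WebView whose settings leave JavaScript off unless one screen genuinely needs it, and whose navigation is pinned to a single HTTPS origin so it cannot be steered to arbitrary content. This Kotlin is an added example, not from the talk; `ALLOWED_HOST` is a placeholder, and `shouldOverrideUrlLoading` with a `WebResourceRequest` assumes minSdk 24 or higher.

```kotlin
package com.example.webview  // hypothetical package; this example is not from the talk

import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Placeholder: the only origin this WebView is allowed to navigate to.
private const val ALLOWED_HOST = "app.example.com"

// Pure policy check, kept separate so it can be unit-tested on the JVM.
fun isAllowed(url: Uri): Boolean =
    url.scheme.equals("https", ignoreCase = true) &&
        url.host.equals(ALLOWED_HOST, ignoreCase = true)

// Applies the slide's advice to a WebView instance.
@Suppress("DEPRECATION") // the two *FromFileURLs setters are deprecated in API 30 but still bite on older targets
fun hardenWebView(webView: WebView, needsJavaScript: Boolean = false) {
    with(webView.settings) {
        javaScriptEnabled = needsJavaScript     // framework default is false; only opt in per screen
        allowFileAccess = false                 // no file:// loads (default became false in API 30)
        allowContentAccess = false              // no content:// loads through the WebView
        allowFileAccessFromFileURLs = false
        allowUniversalAccessFromFileURLs = false
    }
    WebView.setWebContentsDebuggingEnabled(false)  // never ship with remote debugging on

    webView.webViewClient = object : WebViewClient() {
        // Returning true cancels the navigation; only https:// to ALLOWED_HOST proceeds.
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
            !isAllowed(request.url)
    }
}
```

If a screen does need JavaScript and exposes native methods with `addJavascriptInterface`, every exposed method must carry `@JavascriptInterface` (required from API 17), and the page calling it must be one the allowlist above admits: an interface object is reachable by whatever script runs in that WebView, so the origin pin is what keeps it from being called by content you do not control.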
Slide 17
Slide 17 text
dynamically loaded code • Yes you can (https://stackoverflow.com/q/6857807/6845290)
Slide 18
Slide 18 text
Proguard/R8
Slide 19
Slide 19 text
Proguard • rules
Slide 20
Slide 20 text
Tools • Apktool • Dex2Jar • JD-GUI
Slide 21
Slide 21 text
Nomrebi.com
Slide 24
Slide 24 text
Thank you