Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vestibulum euismod ipsum
et semper vestibulum. In congue, risus ac lobortis commodo, arcu elit congue nisi, e
ullamcorper diam quam in est. Quisque nec lectus eget metus pharetra placerat.
Quisque nisi lorem, convallis eget lobortis quis, suscipit eu sem. Sed ligula purus,
lacinia quis ultrices at, sollicitudin at lacus. Duis porta hendrerit semper. Sed vitae
mauris fringilla, porta turpis facilisis, facilisis risus. Integer quis lobortis velit. Vivamu
ut placerat ex. Nunc est purus, pretium vitae hendrerit fringilla, molestie at tortor.
Vestibulum vel purus et urna hendrerit pretium et quis nunc. Fusce sit amet neque in
justo elementum rutrum ut nec metus. Fusce sollicitudin, dui vel molestie aliquam,
ligula leo fringilla augue, a luctus quam sem sed tortor. Vivamus mattis nisi purus, si
amet efficitur lectus mollis nec. Etiam consectetur, nisl eu euismod posuere, justo
neque vehicula ex, nec lobortis augue neque id mi. Ut aliquam odio ac turpis
condimentum porttitor.
Mauris ut est eu sapien tempor congue. Proin ipsum sem, cursus quis magna eu,
finibus fringilla nulla. Vestibulum viverra felis ac arcu iaculis condimentum. Aenean
mattis magna non ipsum viverra accumsan. Suspendisse potenti. Nam quis dapibus
ipsum. Integer at tortor ac neque semper consectetur. Donec vitae mattis felis, quis
Slide 9
Slide 9 text
elementum dolor fringilla eu. Nulla luctus arcu et egestas ultrices. Quisque dignissim
lacinia vehicula. Suspendisse vitae nisl dapibus, dapibus elit quis, efficitur ex. Done
interdum est purus, nec tempor risus sollicitudin tincidunt. Vestibulum accumsan sed
libero ut tincidunt.
Interdum et malesuada fames ac ante ipsum primis in faucibus. Vestibulum vitae
consectetur ex, vitae viverra felis. Sed vitae imperdiet turpis. Donec eget velit
sagittis, hendrerit ante id, aliquet libero. Proin pulvinar ornare consectetur. Vestibulum
ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Proin
consequat tincidunt risus et aliquam. Donec vel vulputate sem, sed ornare lorem.
Curabitur a maximus urna, ut blandit tellus.
Suspendisse I haven’t nisl a ultricies semper. Cras really purus mollis vestibulum
rhoncus. Sed hacked your orci, imperdiet vitae pharetra app, tincidunt laoreet lacus
Vivamus posuere nisl diam, ut efficitur mauris facilisis vehicula. Vestibulum risus veli
tincidunt a libero a, vestibulum tincidunt orci. Pellentesque in finibus est. Praesent
tempus tortor ac magna iaculis, sed cursus quam venenatis. Quisque pharetra
euismod auctor.
Slide 10
Slide 10 text
Sue-y
/s(j)uːi/
1. To become annoyed with someone who broke your
toy without permission and want to sue them for that.
“Company X got all ‘sue-y’ on me when I hacked their
app and showed the world"
• Encrypt all the values
• Utilise security features when they exist
• Certificate pinning
• DO NOT TRUST THE DEVICE
Slide 35
Slide 35 text
Someone will decompile your app
Slide 36
Slide 36 text
And when they do…
Slide 37
Slide 37 text
–Every Developer
“But I need magic strings”
Slide 38
Slide 38 text
Options
http://bit.ly/SafeKey
Encrypt
Make sure you encrypt or at least
encode them
Server
Get your keys of a server you own
Slide 39
Slide 39 text
start!
Slide 40
Slide 40 text
• Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable
Slide 41
Slide 41 text
Tampering detection
// myPackageName should decode at runtime to "com.yourpackagename"
// google should decode at runtime to "com.android.vending";
// amazon should decode at runtime to "com.amazon.venezia";
public boolean isHacked(Context context, String myPackageName, String google, String amazon)
{
//Crooks renamed your app?
if (context.getPackageName().compareTo(myPackageName != 0)
return true; // BOOM!
//Rogues relocated your app?
String installer = context.getPackageManager().getInstallerPackageName(myPackageName);
if (installer == null)
return true; // BOOM!
if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
return true; // BOOM!
return false;
}
http://bit.ly/isHacked
Slide 42
Slide 42 text
Tampering detection
// myPackageName should decode at runtime to "com.yourpackagename"
// google should decode at runtime to "com.android.vending";
// amazon should decode at runtime to "com.amazon.venezia";
public boolean isHacked(Context context, String myPackageName, String google, String amazon)
{
//Crooks renamed your app?
if (context.getPackageName().compareTo(myPackageName != 0)
return true; // BOOM!
//Rogues relocated your app?
String installer = context.getPackageManager().getInstallerPackageName(myPackageName);
if (installer == null)
return true; // BOOM!
if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
return true; // BOOM!
return false;
}
http://bit.ly/android-tampering-detection
Slide 43
Slide 43 text
• Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable
Slide 44
Slide 44 text
private static final int VALID = 0;
private static final int INVALID = 1;
private static final String APP_SIGNATURE = "1038C0E34658923C4192E61B16846";
public static int checkAppSignature(Context context) {
try {
PackageInfo packageInfo = context.getPackageManager()
.getPackageInfo(context.getPackageName(),
PackageManager.GET_SIGNATURES);
for (Signature signature : packageInfo.signatures) {
byte[] signatureBytes = signature.toByteArray();
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(signature.toByteArray());
//compare signatures
if (SIGNATURE.equals(APP_SIGNATURE)){
return VALID;
};
}
} catch (Exception e) {
//assumes an issue in checking signature., but we let the caller decide on what to do.
}
return INVALID;
}
Check your app’s signature
http://bit.ly/AndroidTampering
Slide 45
Slide 45 text
• Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable
• Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable
Slide 48
Slide 48 text
Build.FINGERPRINT.startsWith("generic")
Check for emulator
Slide 49
Slide 49 text
• Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable
Slide 50
Slide 50 text
public static boolean isDebuggable(Context context){
return (context.getApplicationInfo().flags &
ApplicationInfo.FLAG_DEBUGGABLE) != 0;
}
Check if the app is debuggable
Slide 51
Slide 51 text
Debuggable app
Slide 52
Slide 52 text
No content
Slide 53
Slide 53 text
Things to look at
• Protect your apps with tools like ProGuard and
DexGuard.
• Look at the SafetyNet API by Google
• Implement Network Security Configuration
http://bit.ly/SafeKey
Slide 54
Slide 54 text
ProGuard DexGuard
• Installed by default
• Name Obfuscation
• Code Optimisation
• Removal of Redundant Code
• FREE
• Class Encryption
• Call Hiding through Reflection
• String Encryption
• Certificate Checks
• Debug Detection
• Emulator Detection
• Root Detection
• Tamper Detection
• Costs $$$
Slide 55
Slide 55 text
Things to look at
• Protect your apps with tools like ProGuard and
DexGuard.
• Look at the SafetyNet API by Google
• Implement Network Security Configuration
http://bit.ly/SafeKey
Slide 56
Slide 56 text
SafetyNet API by Google
Slide 57
Slide 57 text
Things to look at
• Protect your apps with tools like ProGuard and
DexGuard.
• Look at the SafetyNet API by Google
• Implement Network Security Configuration
http://bit.ly/SafeKey