Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Seguridad en las aplicaciones Android

Avatar for Alvaro Alvaro
April 26, 2016
Technology
0
120

Seguridad en las aplicaciones Android

Avatar for Alvaro

Alvaro

April 26, 2016
Tweet

More Decks by Alvaro

See All by Alvaro
.NET Serialization: Detecting and defending vulnerable endpoints
Avatar for Alvaro pwntester
0
5k
JVM Deserialization Attacks: Separating the Truth from the Hype
Avatar for Alvaro pwntester
0
780
Attacking .NET Serialization
Avatar for Alvaro pwntester
6
32k
Friday the 13th: JSON Attacks
Avatar for Alvaro pwntester
0
8.3k
Friday the 13th: JSON Attacks
Avatar for Alvaro pwntester
0
380
Friday the 13th: JSON Attacks
Avatar for Alvaro pwntester
0
190
Surviving the Java Deserialization Apocalypse
Avatar for Alvaro pwntester
0
6.6k
A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land
Avatar for Alvaro pwntester
0
720
Serial Killer: Silently Pwning Your Java Endpoints
Avatar for Alvaro pwntester
0
1.4k

Other Decks in Technology

See All in Technology
Operating Operator
Avatar for Jun Kokatsu shhnjk
1
590
AWS Organizations 新機能!マルチパーティ承認の紹介
Avatar for yhana yhana
1
280
20250707-AI活用の個人差を埋めるチームづくり
Avatar for shnjtk shnjtk
6
3.9k
高速なプロダクト開発を実現、創業期から掲げるエンタープライズアーキテクチャ
Avatar for かわうそ kawauso
3
9.5k
DatabricksにOLTPデータベース『Lakebase』がやってきた!
Avatar for Takeru Ino inoutk
0
120
Delta airlines®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for ape1422 airtravelguide
0
340
american aa airlines®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for jackal5647 aaguide
0
250
KubeCon + CloudNativeCon Japan 2025 Recap by CA
Avatar for YuyaKoda ponkio_o
PRO
0
300
品質と速度の両立:生成AI時代の品質保証アプローチ
Avatar for odasho odasho
1
370
MobileActOsaka_250704.pdf
Avatar for AKAI Tadaaki akaitadaaki
0
140
OSSのSNSツール「Misskey」をさわってみよう(右下ワイプで私のOSCの20年を振り返ります) / 20250705-osc2025-do
Avatar for Akira Ouchi akkiesoft
0
170
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
Avatar for soudai sone soudai
PRO
50
20k

Featured

See All Featured
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
6
310
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
90
590k
KATA
Avatar for Megan Lloyd mclloyd
30
14k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
8
820
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
86
4.7k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
69
11k
Designing for humans not robots
Avatar for Tammie Lister tammielis
253
25k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
336
57k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
161
15k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
107
19k

Transcript

  1. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Los smartphones nos han invadido, ¿y ahora qué? Seguridad en las aplicaciones Android Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products

  2. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 2 Familiar Model

  3. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 3 Can’t We All Get Along? Your app  Formal communication - Inter-application - Intra-application - With the OS  A new trust boundary

  4. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 4 Android Talk OS App 2 App 1 App 3 Service 2 Service 1 Service Content Provider Broadcast Receiver Activity

  5. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 5 Google Android Vulnerabilities 1 Intent Hijacking 2 Intent Spoofing 3 Sticky Broadcast Tampering 4 Insecure Storage 5 Insecure Network Communication 6 SQL Injection 7 Promiscuous Privileges

  6. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 6 Description: Malicious app intercepts an intent bound for another app to compromise data or alter behavior Cause: Implicit intents (do not require strong permissions to receive) Fix: Explicit intents and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  7. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 7 Google Android Vulnerabilities Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  8. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 8 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  9. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 9 Google Android Vulnerabilities Handles Actions: willUpdateShowtimes, showtimesNoLocationError Eavesdropping App Malicious Receiver Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  10. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 10 Description: Malicious app spoofs a legitimate intent to inject data or alter behavior Cause: Public components (necessary to receive implicit intents) Fix: Explicit intents and receiver permissions Sensitive operations in private components Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  11. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 11 Google Android Vulnerabilities Malicious Component Action: showtimesNoLocationError Spoofing App Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  12. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 12 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  13. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 13 Description: Persistent intents can be accessed and removed by malicious apps Cause: BROADCAST_STICKY allows to full access to any sticky broadcasts Fix: Explicit, non-sticky broadcasts and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  14. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 14 Google Android Vulnerabilities Requests BROADCAST_STICKY Permission Sticky Broadcasts (intents) Malicious App Victim App SB2 ? Receiver (expects SB2) SB1 SB3 Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  15. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 15 Empirical Results: DEFCON ‘11 Vulnerability Type % of Apps 1. Intent Hijacking 50% 2. Intent Spoofing 40% 3. Sticky Broadcast Tampering 6% 4. Insecure Storage 28% 5. Insecure Communication N/A 6. SQL Injection 17% 7. Promiscuous Privileges 31%

  16. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 16 Bonus: OWASP iGoat iGoat 1.0 documents 5 vulnerabilities We find 15+ iGoat 1.2 documents 7 vulnerabilities We find 20+

  17. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Gracias Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products