Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Seguridad en las aplicaciones Android

D195407e71e25241001971f9fa5cca45?s=47 Alvaro
April 26, 2016
Technology
0
50

Seguridad en las aplicaciones Android

D195407e71e25241001971f9fa5cca45?s=128

Alvaro

April 26, 2016
Tweet

More Decks by Alvaro

See All by Alvaro
.NET Serialization: Detecting and defending vulnerable endpoints
D195407e71e25241001971f9fa5cca45?s=48 pwntester
0
3.5k
JVM Deserialization Attacks: Separating the Truth from the Hype
D195407e71e25241001971f9fa5cca45?s=48 pwntester
0
450
Attacking .NET Serialization
D195407e71e25241001971f9fa5cca45?s=48 pwntester
6
27k
Friday the 13th: JSON Attacks
D195407e71e25241001971f9fa5cca45?s=48 pwntester
0
7.1k
Friday the 13th: JSON Attacks
D195407e71e25241001971f9fa5cca45?s=48 pwntester
0
190
Friday the 13th: JSON Attacks
D195407e71e25241001971f9fa5cca45?s=48 pwntester
0
78
Surviving the Java Deserialization Apocalypse
D195407e71e25241001971f9fa5cca45?s=48 pwntester
0
5.5k
A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land
D195407e71e25241001971f9fa5cca45?s=48 pwntester
0
390
Serial Killer: Silently Pwning Your Java Endpoints
D195407e71e25241001971f9fa5cca45?s=48 pwntester
0
680

Other Decks in Technology

See All in Technology
漫画で使えそうな背景画像をblenderを使って作ってみた!
64482468d2ccebb9284315b8af68c0a1?s=48 nokonoko1203
1
340
ぼくらが選んだ次のMySQL 8.0 / MySQL80 Which We Choose
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
7
3.3k
CityGMLとFBXの連携で地理空間のエンタメ化
A3990cfe49309642cb8d1f50b617c141?s=48 soh_mitian
0
770
Reactivity Transform
38bee248082f6071230de65e9d74a944?s=48 kazupon
1
420
森林情報のオープンデータと QGISでの利用
2a35cc4d9c9dd2672aba2f097980e5d1?s=48 kou_kita
0
340
DeFiChain Tech Talk - DFI Uniswap Staking, DeFi Options & DeFi Meta Chain
Cae2dd246ed83dd458e4ce5f927aa2f7?s=48 uzyn
0
120
バッファープールが大きいMySQL v5.7でDROP DATABASEが詰まった原因と対策 / Causes and Remedies for DROP DATABASE Stuck in MySQL v5.7 with Large Buffer Pool
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
4
860
GitOps共有会
Dcd3088d21455622f419ddcbe6f798ab?s=48 johnmanjiro13
0
110
ふりかえりの技術 / retrospectives
88f4e84b94fe07cddbd9e6479d689192?s=48 soudai
3
190
ここが好きだよAWS管理ポリシー_devio2022/i_am_iam_lover
325ce6fcd0a74ff78990b8632817da55?s=48 yukihirochiba
0
3.3k
開発環境のセキュリティおよびCI/CDパイプラインのセキュア化
Dc03bf56cb3157b6036f9818593d7e40?s=48 rung
PRO
13
5.3k
Learning to Solve Hard Minimal Problems
2c88806cbaab6024dc95b9a654c99d86?s=48 takmin
1
530

Featured

See All Featured
The Language of Interfaces
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
21k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
151
13k
Happy Clients
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
89
5.6k
4 Signs Your Business is Dying
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
169
20k
The MySQL Ecosystem @ GitHub 2015
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
239
11k
Building an army of robots
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
299
40k
Design by the Numbers
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
271
17k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
107
16k
How to Ace a Technical Interview
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
267
21k
Fight the Zombie Pattern Library - RWD Summit 2016
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
226
15k
Typedesign – Prime Four
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
34
1.4k
Designing for Performance
245cee81a9c424266e5e401d844ea881?s=48 lara
597
64k

Transcript

  1. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Los smartphones nos han invadido, ¿y ahora qué? Seguridad en las aplicaciones Android Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products

  2. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 2 Familiar Model

  3. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 3 Can’t We All Get Along? Your app  Formal communication - Inter-application - Intra-application - With the OS  A new trust boundary

  4. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 4 Android Talk OS App 2 App 1 App 3 Service 2 Service 1 Service Content Provider Broadcast Receiver Activity

  5. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 5 Google Android Vulnerabilities 1 Intent Hijacking 2 Intent Spoofing 3 Sticky Broadcast Tampering 4 Insecure Storage 5 Insecure Network Communication 6 SQL Injection 7 Promiscuous Privileges

  6. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 6 Description: Malicious app intercepts an intent bound for another app to compromise data or alter behavior Cause: Implicit intents (do not require strong permissions to receive) Fix: Explicit intents and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  7. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 7 Google Android Vulnerabilities Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  8. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 8 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  9. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 9 Google Android Vulnerabilities Handles Actions: willUpdateShowtimes, showtimesNoLocationError Eavesdropping App Malicious Receiver Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  10. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 10 Description: Malicious app spoofs a legitimate intent to inject data or alter behavior Cause: Public components (necessary to receive implicit intents) Fix: Explicit intents and receiver permissions Sensitive operations in private components Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  11. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 11 Google Android Vulnerabilities Malicious Component Action: showtimesNoLocationError Spoofing App Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  12. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 12 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  13. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 13 Description: Persistent intents can be accessed and removed by malicious apps Cause: BROADCAST_STICKY allows to full access to any sticky broadcasts Fix: Explicit, non-sticky broadcasts and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  14. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 14 Google Android Vulnerabilities Requests BROADCAST_STICKY Permission Sticky Broadcasts (intents) Malicious App Victim App SB2 ? Receiver (expects SB2) SB1 SB3 Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  15. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 15 Empirical Results: DEFCON ‘11 Vulnerability Type % of Apps 1. Intent Hijacking 50% 2. Intent Spoofing 40% 3. Sticky Broadcast Tampering 6% 4. Insecure Storage 28% 5. Insecure Communication N/A 6. SQL Injection 17% 7. Promiscuous Privileges 31%

  16. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 16 Bonus: OWASP iGoat iGoat 1.0 documents 5 vulnerabilities We find 15+ iGoat 1.2 documents 7 vulnerabilities We find 20+

  17. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Gracias Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products