Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Seguridad en las aplicaciones Android

Avatar for Alvaro Alvaro
April 26, 2016
Technology
0
120

Seguridad en las aplicaciones Android

Avatar for Alvaro

Alvaro

April 26, 2016
Tweet

More Decks by Alvaro

See All by Alvaro
.NET Serialization: Detecting and defending vulnerable endpoints
Avatar for Alvaro pwntester
0
5k
JVM Deserialization Attacks: Separating the Truth from the Hype
Avatar for Alvaro pwntester
0
780
Attacking .NET Serialization
Avatar for Alvaro pwntester
6
32k
Friday the 13th: JSON Attacks
Avatar for Alvaro pwntester
0
8.3k
Friday the 13th: JSON Attacks
Avatar for Alvaro pwntester
0
380
Friday the 13th: JSON Attacks
Avatar for Alvaro pwntester
0
190
Surviving the Java Deserialization Apocalypse
Avatar for Alvaro pwntester
0
6.6k
A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land
Avatar for Alvaro pwntester
0
730
Serial Killer: Silently Pwning Your Java Endpoints
Avatar for Alvaro pwntester
0
1.4k

Other Decks in Technology

See All in Technology
microCMSではじめるAIライティング
Avatar for himaratsu himaratsu
0
150
AIでテストプロセス自動化に挑戦する
Avatar for K_SAK sakatakazunori
1
530
60以上のプロダクトを持つ組織における開発者体験向上への取り組み - チームAPIとBackstageで構築する組織の可視化基盤 - / sre next 2025 Efforts to Improve Developer Experience in an Organization with Over 60 Products
Avatar for VTRyo vtryo
3
1.9k
安定した基盤システムのためのライブラリ選定
Avatar for KAKEHASHI kakehashi
PRO
3
130
AWS 怖い話 WAF編 @fillz_noh #AWSStartup #AWSStartup_Kansai
Avatar for Yusuke WADA fillznoh
0
130
Delegating the chores of authenticating users to Keycloak
Avatar for Alexander Schwartz ahus1
0
190
「現場で活躍するAIエージェント」を実現するチームと開発プロセス
Avatar for takuya kikuchi tkikuchi1002
3
350
[SRE NEXT 2025] すみずみまで暖かく照らすあなたの太陽でありたい
Avatar for Hiroshi Toda carnappopper
2
470
無理しない AI 活用サービス / #jazug
Avatar for Kodai Sakabe koudaiii
0
100
毎晩の 負荷試験自動実行による効果
Avatar for Recruit recruitengineers
PRO
5
180
Four Keysから始める信頼性の改善 - SRE NEXT 2025
Avatar for ozaki-kota ozakikota
0
420
Snowflake Intelligenceという名のAI Agentが切り開くデータ活用の未来とその実現に必要なこと@SnowVillage『Data Management #1 Summit 2025 Recap!!』
Avatar for Ryo Suzuki ryo_suzuki
1
160

Featured

See All Featured
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
48
2.9k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
49
14k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.7k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
42
7.4k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
332
24k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
301
51k
Building an army of robots
Avatar for Kyle Neath kneath
306
45k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.6k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
160
23k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
173
14k

Transcript

  1. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Los smartphones nos han invadido, ¿y ahora qué? Seguridad en las aplicaciones Android Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products

  2. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 2 Familiar Model

  3. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 3 Can’t We All Get Along? Your app  Formal communication - Inter-application - Intra-application - With the OS  A new trust boundary

  4. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 4 Android Talk OS App 2 App 1 App 3 Service 2 Service 1 Service Content Provider Broadcast Receiver Activity

  5. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 5 Google Android Vulnerabilities 1 Intent Hijacking 2 Intent Spoofing 3 Sticky Broadcast Tampering 4 Insecure Storage 5 Insecure Network Communication 6 SQL Injection 7 Promiscuous Privileges

  6. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 6 Description: Malicious app intercepts an intent bound for another app to compromise data or alter behavior Cause: Implicit intents (do not require strong permissions to receive) Fix: Explicit intents and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  7. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 7 Google Android Vulnerabilities Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  8. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 8 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  9. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 9 Google Android Vulnerabilities Handles Actions: willUpdateShowtimes, showtimesNoLocationError Eavesdropping App Malicious Receiver Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  10. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 10 Description: Malicious app spoofs a legitimate intent to inject data or alter behavior Cause: Public components (necessary to receive implicit intents) Fix: Explicit intents and receiver permissions Sensitive operations in private components Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  11. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 11 Google Android Vulnerabilities Malicious Component Action: showtimesNoLocationError Spoofing App Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  12. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 12 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  13. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 13 Description: Persistent intents can be accessed and removed by malicious apps Cause: BROADCAST_STICKY allows to full access to any sticky broadcasts Fix: Explicit, non-sticky broadcasts and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  14. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 14 Google Android Vulnerabilities Requests BROADCAST_STICKY Permission Sticky Broadcasts (intents) Malicious App Victim App SB2 ? Receiver (expects SB2) SB1 SB3 Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  15. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 15 Empirical Results: DEFCON ‘11 Vulnerability Type % of Apps 1. Intent Hijacking 50% 2. Intent Spoofing 40% 3. Sticky Broadcast Tampering 6% 4. Insecure Storage 28% 5. Insecure Communication N/A 6. SQL Injection 17% 7. Promiscuous Privileges 31%

  16. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 16 Bonus: OWASP iGoat iGoat 1.0 documents 5 vulnerabilities We find 15+ iGoat 1.2 documents 7 vulnerabilities We find 20+

  17. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Gracias Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products