Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Seguridad en las aplicaciones Android

Avatar for Alvaro Alvaro
April 26, 2016
Technology
0
120

Seguridad en las aplicaciones Android

Avatar for Alvaro

Alvaro

April 26, 2016
Tweet

More Decks by Alvaro

See All by Alvaro
.NET Serialization: Detecting and defending vulnerable endpoints
Avatar for Alvaro pwntester
0
5k
JVM Deserialization Attacks: Separating the Truth from the Hype
Avatar for Alvaro pwntester
0
780
Attacking .NET Serialization
Avatar for Alvaro pwntester
6
32k
Friday the 13th: JSON Attacks
Avatar for Alvaro pwntester
0
8.3k
Friday the 13th: JSON Attacks
Avatar for Alvaro pwntester
0
380
Friday the 13th: JSON Attacks
Avatar for Alvaro pwntester
0
190
Surviving the Java Deserialization Apocalypse
Avatar for Alvaro pwntester
0
6.6k
A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land
Avatar for Alvaro pwntester
0
720
Serial Killer: Silently Pwning Your Java Endpoints
Avatar for Alvaro pwntester
0
1.4k

Other Decks in Technology

See All in Technology
タイミーのデータモデリング事例と今後のチャレンジ
Avatar for Toshiki Tsuchikawa ttccddtoki
6
2.4k
高速なプロダクト開発を実現、創業期から掲げるエンタープライズアーキテクチャ
Avatar for かわうそ kawauso
2
9.4k
Glacierだからってコストあきらめてない? / JAWS Meet Glacier Cost
Avatar for sasaki taishin
1
160
【5分でわかる】セーフィー エンジニア向け会社紹介
Avatar for Safie safie_recruit
0
27k
Lazy application authentication with Tailscale
Avatar for Elliot Blackburn bluehatbrit
0
210
United airlines®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for heron31238 unitedflyhelp
0
310
Reach American Airlines®️ Instantly: 19 Calling Methods for Fast Support in the USA
Avatar for Bdsdigi@1234 flyamerican
1
170
生成AI活用の組織格差を解消する 〜ビジネス職のCursor導入が開発効率に与えた好循環〜 / Closing the Organizational Gap in AI Adoption
Avatar for upamune / Yu SERIZAWA upamune
7
5.3k
ビズリーチにおけるリアーキテクティング実践事例 / JJUG CCC 2025 Spring
Avatar for Visional Engineering & Design visional_engineering_and_design
1
130
Lakebaseを使ったAIエージェントを実装してみる
Avatar for camay kameitomohiro
0
130
Beyond Kaniko: Navigating Unprivileged Container Image Creation
Avatar for Felix Dreissig f30
0
130
怖くない!はじめてのClaude Code
Avatar for Shinya Masadome(東京AI祭) shinya337
0
400

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
34
5.9k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
3.9k
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
25
1.7k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
207
24k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.3k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
55
5.7k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.3k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
251
21k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
2.9k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
656
60k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
524
40k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k

Transcript

  1. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Los smartphones nos han invadido, ¿y ahora qué? Seguridad en las aplicaciones Android Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products

  2. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 2 Familiar Model

  3. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 3 Can’t We All Get Along? Your app  Formal communication - Inter-application - Intra-application - With the OS  A new trust boundary

  4. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 4 Android Talk OS App 2 App 1 App 3 Service 2 Service 1 Service Content Provider Broadcast Receiver Activity

  5. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 5 Google Android Vulnerabilities 1 Intent Hijacking 2 Intent Spoofing 3 Sticky Broadcast Tampering 4 Insecure Storage 5 Insecure Network Communication 6 SQL Injection 7 Promiscuous Privileges

  6. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 6 Description: Malicious app intercepts an intent bound for another app to compromise data or alter behavior Cause: Implicit intents (do not require strong permissions to receive) Fix: Explicit intents and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  7. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 7 Google Android Vulnerabilities Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  8. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 8 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  9. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 9 Google Android Vulnerabilities Handles Actions: willUpdateShowtimes, showtimesNoLocationError Eavesdropping App Malicious Receiver Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  10. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 10 Description: Malicious app spoofs a legitimate intent to inject data or alter behavior Cause: Public components (necessary to receive implicit intents) Fix: Explicit intents and receiver permissions Sensitive operations in private components Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  11. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 11 Google Android Vulnerabilities Malicious Component Action: showtimesNoLocationError Spoofing App Showtime Search Results UI Handles Actions: willUpdateShowtimes, showtimesNoLocationError IMDb App Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  12. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 12 Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  13. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 13 Description: Persistent intents can be accessed and removed by malicious apps Cause: BROADCAST_STICKY allows to full access to any sticky broadcasts Fix: Explicit, non-sticky broadcasts and receiver permissions Google Android Vulnerabilities Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  14. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 14 Google Android Vulnerabilities Requests BROADCAST_STICKY Permission Sticky Broadcasts (intents) Malicious App Victim App SB2 ? Receiver (expects SB2) SB1 SB3 Intent Spoofing Sticky Broadcast Tampering Insecure Storage Insecure Network Communication SQL Injection Promiscuous Privileges Intent Hijacking

  15. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 15 Empirical Results: DEFCON ‘11 Vulnerability Type % of Apps 1. Intent Hijacking 50% 2. Intent Spoofing 40% 3. Sticky Broadcast Tampering 6% 4. Insecure Storage 28% 5. Insecure Communication N/A 6. SQL Injection 17% 7. Promiscuous Privileges 31%

  16. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 16 Bonus: OWASP iGoat iGoat 1.0 documents 5 vulnerabilities We find 15+ iGoat 1.2 documents 7 vulnerabilities We find 20+

  17. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Gracias Alvaro Muñoz | Software Security Consultant | @pwntester HP Enterprise Security Products