Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Seguridad en las aplicaciones Android

Alvaro
April 26, 2016
Technology
0
56

Seguridad en las aplicaciones Android

Alvaro

April 26, 2016
Tweet

More Decks by Alvaro

See All by Alvaro
.NET Serialization: Detecting and defending vulnerable endpoints
pwntester
0
4k
JVM Deserialization Attacks: Separating the Truth from the Hype
pwntester
0
500
Attacking .NET Serialization
pwntester
6
28k
Friday the 13th: JSON Attacks
pwntester
0
7.5k
Friday the 13th: JSON Attacks
pwntester
0
230
Friday the 13th: JSON Attacks
pwntester
0
110
Surviving the Java Deserialization Apocalypse
pwntester
0
5.9k
A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land
pwntester
0
490
Serial Killer: Silently Pwning Your Java Endpoints
pwntester
0
800

Other Decks in Technology

See All in Technology
CloudWatchでバレる 「君、仕事中にyo〇tube観てたよね?」
kadogen_0527
1
310
IaCのCI/CDを考えよう / JAWS-UG_Okayama_IaC_CICD
taishin
1
180
組織一丸となってカスタマーサクセスを実現するための取り組みと悩み
zakiyama
0
150
ローカルAITuber勢の現在地と未来
sr2mg4
0
120
バクラクのAI-OCR機能の体験を支える良質なデータセット作成の仕組み / data-centric-ai-bakuraku-dataset
yuya4
1
510
Spring Boot 2 から 3 へバージョンアップしてみた
red_frasco
1
170
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.7k
net/http/httptest.Server のアプローチをテスト戦略に活用する / Go Conference 2023
k1low
7
1.1k
Exadata Database Service on Dedicated Infrastructure X9M / Exadata Database Service on [email protected] X9M / Exadata Database Machine 比較
oracle4engineer
PRO
0
2.5k
Microsoft Build 2023 ふりかえり - IoT と AI 周りを中心に
mode86
0
160
Go1.20からサポートされるtree構造のerrの紹介と、treeを考慮した複数マッチができるライブラリを作った話/introduction of tree structure err added since go 1_20
convto
0
200
ChatGPTを活用した 便利ツールの紹介
hankehly
1
500

Featured

See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
GitHub's CSS Performance
jonrohan
1022
430k
From Idea to $5000 a Month in 5 Months
shpigford
374
45k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
16
5.8k
KATA
mclloyd
13
10k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.3k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.5k
Optimizing for Happiness
mojombo
366
66k
Designing for Performance
lara
601
65k
What the flash - Photography Introduction
edds
64
10k
Learning to Love Humans: Emotional Interface Design
aarron
264
38k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k

Transcript

  1. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    Los smartphones nos han
    invadido, ¿y ahora qué?
    Seguridad en las
    aplicaciones Android
    Alvaro Muñoz | Software Security Consultant | @pwntester
    HP Enterprise Security Products

    View Slide

  2. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    2
    Familiar Model

    View Slide

  3. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    3
    Can’t We All Get Along?
    Your
    app
     Formal communication
    - Inter-application
    - Intra-application
    - With the OS
     A new trust boundary

    View Slide

  4. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    4
    Android Talk
    OS
    App 2
    App 1
    App 3
    Service 2
    Service 1
    Service
    Content Provider
    Broadcast Receiver
    Activity

    View Slide

  5. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    5
    Google Android Vulnerabilities
    1 Intent Hijacking
    2 Intent Spoofing
    3 Sticky Broadcast Tampering
    4 Insecure Storage
    5 Insecure Network Communication
    6 SQL Injection
    7 Promiscuous Privileges

    View Slide

  6. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    6
    Description: Malicious app intercepts an intent bound for another app to compromise data
    or alter behavior
    Cause: Implicit intents (do not require strong permissions to receive)
    Fix: Explicit intents and receiver permissions
    Google Android Vulnerabilities
    Intent Spoofing
    Sticky Broadcast
    Tampering
    Insecure Storage
    Insecure Network
    Communication
    SQL Injection
    Promiscuous
    Privileges
    Intent Hijacking

    View Slide

  7. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    7
    Google Android Vulnerabilities
    Showtime
    Search
    Results UI Handles Actions:
    willUpdateShowtimes,
    showtimesNoLocationError
    Implicit Intent
    Action: willUpdateShowtimes
    IMDb App
    Intent Spoofing
    Sticky Broadcast
    Tampering
    Insecure Storage
    Insecure Network
    Communication
    SQL Injection
    Promiscuous
    Privileges
    Intent Hijacking

    View Slide

  8. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    8
    Google Android Vulnerabilities
    Intent Spoofing
    Sticky Broadcast
    Tampering
    Insecure Storage
    Insecure Network
    Communication
    SQL Injection
    Promiscuous
    Privileges
    Intent Hijacking

    View Slide

  9. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    9
    Google Android Vulnerabilities
    Handles Actions:
    willUpdateShowtimes,
    showtimesNoLocationError
    Eavesdropping App
    Malicious
    Receiver
    Showtime
    Search
    Results UI Handles Actions:
    willUpdateShowtimes,
    showtimesNoLocationError
    Implicit Intent
    Action: willUpdateShowtimes
    IMDb App
    Intent Spoofing
    Sticky Broadcast
    Tampering
    Insecure Storage
    Insecure Network
    Communication
    SQL Injection
    Promiscuous
    Privileges
    Intent Hijacking

    View Slide

  10. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    10
    Description: Malicious app spoofs a legitimate intent to inject data or alter behavior
    Cause: Public components (necessary to receive implicit intents)
    Fix: Explicit intents and receiver permissions
    Sensitive operations in private components
    Google Android Vulnerabilities
    Intent Spoofing
    Sticky Broadcast
    Tampering
    Insecure Storage
    Insecure Network
    Communication
    SQL Injection
    Promiscuous
    Privileges
    Intent Hijacking

    View Slide

  11. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    11
    Google Android Vulnerabilities
    Malicious
    Component
    Action: showtimesNoLocationError
    Spoofing App
    Showtime
    Search
    Results UI Handles Actions:
    willUpdateShowtimes,
    showtimesNoLocationError
    IMDb App
    Intent Spoofing
    Sticky Broadcast
    Tampering
    Insecure Storage
    Insecure Network
    Communication
    SQL Injection
    Promiscuous
    Privileges
    Intent Hijacking

    View Slide

  12. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    12
    Google Android Vulnerabilities
    Intent Spoofing
    Sticky Broadcast
    Tampering
    Insecure Storage
    Insecure Network
    Communication
    SQL Injection
    Promiscuous
    Privileges
    Intent Hijacking

    View Slide

  13. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    13
    Description: Persistent intents can be accessed and removed by malicious apps
    Cause: BROADCAST_STICKY allows to full access to any sticky broadcasts
    Fix: Explicit, non-sticky broadcasts and receiver permissions
    Google Android Vulnerabilities
    Intent Spoofing
    Sticky Broadcast
    Tampering
    Insecure Storage
    Insecure Network
    Communication
    SQL Injection
    Promiscuous
    Privileges
    Intent Hijacking

    View Slide

  14. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    14
    Google Android Vulnerabilities
    Requests
    BROADCAST_STICKY
    Permission
    Sticky Broadcasts (intents) Malicious App
    Victim App
    SB2 ?
    Receiver
    (expects SB2)
    SB1
    SB3
    Intent Spoofing
    Sticky Broadcast
    Tampering
    Insecure Storage
    Insecure Network
    Communication
    SQL Injection
    Promiscuous
    Privileges
    Intent Hijacking

    View Slide

  15. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    15
    Empirical Results: DEFCON ‘11
    Vulnerability Type % of Apps
    1. Intent Hijacking 50%
    2. Intent Spoofing 40%
    3. Sticky Broadcast Tampering 6%
    4. Insecure Storage 28%
    5. Insecure Communication N/A
    6. SQL Injection 17%
    7. Promiscuous Privileges 31%

    View Slide

  16. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    16
    Bonus: OWASP iGoat
    iGoat 1.0 documents 5 vulnerabilities
    We find 15+
    iGoat 1.2 documents 7 vulnerabilities
    We find 20+

    View Slide

  17. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    Gracias
    Alvaro Muñoz | Software Security Consultant | @pwntester
    HP Enterprise Security Products

    View Slide