Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hardening your Android app Droidcon uk 2013
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Scott Alexander-Bown
October 25, 2013
Technology
500
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Hardening your Android app Droidcon uk 2013
Scott Alexander-Bown
October 25, 2013
More Decks by Scott Alexander-Bown
See All by Scott Alexander-Bown
What's New In Android 15 Security
scottyab
0
260
Fundamentals of creating Android mobile apps
scottyab
0
100
What's 'Q' in Android Security
scottyab
0
360
Faster mobile debugging using a HTTP Proxy
scottyab
0
85
I <3 Charles Proxy
scottyab
0
120
What_s_new_from_Google_IO_2018.pdf
scottyab
0
180
Doppl, an intro!
scottyab
0
130
OMG What's new in Security
scottyab
0
86
What's New from Google I/O 2017
scottyab
0
150
Other Decks in Technology
See All in Technology
Claude Code 珍プレー好プレー
shinyasaita
0
280
実装だけじゃない! CCA-F取得エンジニアが教えるClaude Code開発プロセス活用術
diggymo
2
400
金融の未来を考える / Thinking About the Future of Finance
ks91
PRO
0
180
Road to SRE NEXTの今までとこれから
hiroyaonoe
0
180
初めてのDatabricks勉強会
taka_aki
2
240
GuardrailからGovernanceへ~AIエージェント運用の次の課題~
sbspsy
1
220
事業価値を⽣み出すSREへ SREが担うべき意思決定の5層
kenta_hi
1
1.5k
地域 SRE コミュニティ最前線 / SRE NEXT 2026 Discussion Night Track C
muziyoshiz
0
130
End-to-Endで考える信頼性 —LINEアプリにおけるクライアント開発×SRE連携の実践
maruloop
3
2.4k
認証認可だけじゃない! ID管理の構成要素と ライフサイクルを意識しよう
ritou
1
520
SRE依存からの脱却 運用を開 発チームへ移す、 フルサイ クル開 発体制の実践
joooee0000
0
1.3k
プライバシー保護の理論と実践
lycorptech_jp
PRO
1
250
Featured
See All Featured
Leading Effective Engineering Teams in the AI Era
addyosmani
9
2.1k
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
1
550
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
49
10k
Leveraging Curiosity to Care for An Aging Population
cassininazir
1
310
Site-Speed That Sticks
csswizardry
13
1.2k
How to audit for AI Accessibility on your Front & Back End
davetheseo
0
460
Mind Mapping
helmedeiros
PRO
1
280
Principles of Awesome APIs and How to Build Them.
keavy
128
18k
HDC tutorial
michielstock
2
730
Visual Storytelling: How to be a Superhuman Communicator
reverentgeek
2
590
A designer walks into a library…
pauljervisheath
211
24k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
123
22k
Transcript
Hardening your app Scott Alexander-Bown @scottyab
Scott Alexander-Bown • Senior Developer @viaForensics • Co-author Android Security
Cookbook • Co-founder SWmobile meetup group ◦ meetup.com/swmobile
Hardening your Android App • Reverse engineering 101 • Encryption
• SSL • Tamper detection • Obfuscation
Not about… 100%
It’s on YOU!!! • Android is No.1 • Your role
== protect data • It’s your reputation
• Why? ◦ Easy / fun ◦ Lots of tools
◦ Replace Ads ◦ Trojanise app ◦ Software Piracy • Tools ◦ Apktool - bit.ly/apktool ◦ Dex2jar- bit.ly/dex2jar ◦ Apk to Java - bit.ly/apk2java Reverse engineering 101
Apktool: Let’s hack my app • Measure your social influence
with +1’s +Likes +retweet+mentions +recommendations +magic =Klout score
Apktool: Output $ apktool d myapp.apk
Santoku Linux • Pre-installed: ◦ platform SDKs ◦ decompilation tools
◦ hacking tools • Get it here: santoku-linux.com
VIA LAB viaforensics.com/products/vialab
Encryption
SpongyCastle • Consistent cryptology across os versions • Support ◦
AES-GCM ◦ Elliptic Curve Cryptography (ECC) • github.com/rtyley/spongycastle
Encryption: quick wins • SQLCipher ◦ 256-bit AES Encrypt SQLite
database ◦ sqlcipher.net/sqlcipher-for-android • IOCipher ◦ Virtual encrypted disk ◦ guardianproject.info/code/iocipher
Generate key per app
Ob-Secure Preferences • Library to ‘obscure’ your shared prefs •
Stops cheats • Quick win! • github.com/scottyab/secure-preferences
Password based encryption • Not store on the device, instead
is derived ◦ Use algorithm “PBKDF2WithHmacSHA1” ◦ User entered password/code ◦ salt (i.e package name) ◦ iteration count (1000+) ◦ =Derived encryption key • Tip: Ensure derivation method takes more than 100ms • github.com/nelenkov/android-pbe
Keystore provider • New in Android 4.3 • Hardware backed
keychain • github.com/nelenkov/android-keystore
SSL / TLS
OnionKit • StrongTrustManager ◦ Validate the whole cert chain and
root ◦ Debian cert store (not Android’s) • Use with Orbot • guardianproject.info/code/onionkit
Self signed SSL • Download certificate (openssl) • Embed in
app (/res/raw) • Load into Keystore • Custom TrustManager (Keystore based) • Init the SSL context with our TrustManager • Make SSL connection • bit.ly/anddevssl (Android developer blog)
Please don’t do this!! • Trust all
Tamper Protection • Licence Verification Library • Installer location
Environment verification • Emulator check ◦ System properties • Debuggable
check ◦ Package manager • Root check ◦ Root apps/utils ◦ System properties ◦ RW system
Validate signing key • Get SHA1 of signing cert (keytool)
• Embed in app • Get at signature at runtime • Compare
• Code Obfuscator • Older than Android! • Part of
the SDK • it’s FREE! • How to enable? ProGuard
ProGuard tips • Only applied on release builds ◦ Test
early! • Save your mapping.txt! • The good crashlytics services support ReTrace ◦ Critterism ◦ Bugsense ◦ HockeyApp ◦ Plus others...
Go pro-ProGuard = DexGuard
DexGuard • ProGuard’s bad ass brother • Same config as
ProGuard • Not free but 1 licence == ∞ apps • One line tamper check • wtf??? 囃$鷭.smali, Œ$鷭.smali • API hiding with String encryption == tough • Check out Eric Lafortune’s talk
Last but not least... • Code reviews ◦ Lint warnings
◦ OWASP Mobile security recommendations • Mobile app security certification ◦ bit.ly/androidcert
Thanks for listening
Q&A | Contact | Feedback • @scottyab • gplus.to/scottyab •
github/scottyab •
[email protected]