Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hardening your Android app Droidcon uk 2013
Search
Scott Alexander-Bown
October 25, 2013
Technology
1
480
Hardening your Android app Droidcon uk 2013
Scott Alexander-Bown
October 25, 2013
Tweet
Share
More Decks by Scott Alexander-Bown
See All by Scott Alexander-Bown
What's New In Android 15 Security
scottyab
0
140
Fundamentals of creating Android mobile apps
scottyab
0
65
What's 'Q' in Android Security
scottyab
0
270
Faster mobile debugging using a HTTP Proxy
scottyab
0
56
I <3 Charles Proxy
scottyab
0
76
What_s_new_from_Google_IO_2018.pdf
scottyab
0
120
Doppl, an intro!
scottyab
0
85
OMG What's new in Security
scottyab
0
67
What's New from Google I/O 2017
scottyab
0
110
Other Decks in Technology
See All in Technology
リモートワークで心掛けていること 〜AI活用編〜
naoki85
0
190
Rethinking Incident Response: Context-Aware AI in Practice - Incident Buddy Edition -
rrreeeyyy
0
120
Backlog AI アシスタントが切り開く未来
vvatanabe
1
170
僕たちが「開発しやすさ」を求め 模索し続けたアーキテクチャ #アーキテクチャ勉強会_findy
bengo4com
0
2.6k
Mackerel in さくらのクラウド
cubicdaiya
1
290
datadog-distribution-of-opentelemetry-collector-intro
tetsuya28
0
120
AIに頼りすぎない新人育成術
cuebic9bic
3
330
[OCI Technical Deep Dive] OracleのAI戦略(2025年8月5日開催)
oracle4engineer
PRO
1
250
Claude Codeは仕様駆動の夢を見ない
gotalab555
23
7.2k
LLM 機能を支える Langfuse / ClickHouse のサーバレス化
yuu26
9
2.6k
はじめての転職講座/The Guide of First Career Change
kwappa
5
4.4k
モノレポにおけるエラー管理 ~Runbook自動生成とチームメンションの最適化
biwashi
0
370
Featured
See All Featured
GraphQLとの向き合い方2022年版
quramy
49
14k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.4k
Embracing the Ebb and Flow
colly
86
4.8k
It's Worth the Effort
3n
186
28k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Balancing Empowerment & Direction
lara
2
570
Become a Pro
speakerdeck
PRO
29
5.5k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
KATA
mclloyd
32
14k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
6k
Transcript
Hardening your app Scott Alexander-Bown @scottyab
Scott Alexander-Bown • Senior Developer @viaForensics • Co-author Android Security
Cookbook • Co-founder SWmobile meetup group ◦ meetup.com/swmobile
Hardening your Android App • Reverse engineering 101 • Encryption
• SSL • Tamper detection • Obfuscation
Not about… 100%
It’s on YOU!!! • Android is No.1 • Your role
== protect data • It’s your reputation
• Why? ◦ Easy / fun ◦ Lots of tools
◦ Replace Ads ◦ Trojanise app ◦ Software Piracy • Tools ◦ Apktool - bit.ly/apktool ◦ Dex2jar- bit.ly/dex2jar ◦ Apk to Java - bit.ly/apk2java Reverse engineering 101
Apktool: Let’s hack my app • Measure your social influence
with +1’s +Likes +retweet+mentions +recommendations +magic =Klout score
Apktool: Output $ apktool d myapp.apk
Santoku Linux • Pre-installed: ◦ platform SDKs ◦ decompilation tools
◦ hacking tools • Get it here: santoku-linux.com
VIA LAB viaforensics.com/products/vialab
Encryption
SpongyCastle • Consistent cryptology across os versions • Support ◦
AES-GCM ◦ Elliptic Curve Cryptography (ECC) • github.com/rtyley/spongycastle
Encryption: quick wins • SQLCipher ◦ 256-bit AES Encrypt SQLite
database ◦ sqlcipher.net/sqlcipher-for-android • IOCipher ◦ Virtual encrypted disk ◦ guardianproject.info/code/iocipher
Generate key per app
Ob-Secure Preferences • Library to ‘obscure’ your shared prefs •
Stops cheats • Quick win! • github.com/scottyab/secure-preferences
Password based encryption • Not store on the device, instead
is derived ◦ Use algorithm “PBKDF2WithHmacSHA1” ◦ User entered password/code ◦ salt (i.e package name) ◦ iteration count (1000+) ◦ =Derived encryption key • Tip: Ensure derivation method takes more than 100ms • github.com/nelenkov/android-pbe
Keystore provider • New in Android 4.3 • Hardware backed
keychain • github.com/nelenkov/android-keystore
SSL / TLS
OnionKit • StrongTrustManager ◦ Validate the whole cert chain and
root ◦ Debian cert store (not Android’s) • Use with Orbot • guardianproject.info/code/onionkit
Self signed SSL • Download certificate (openssl) • Embed in
app (/res/raw) • Load into Keystore • Custom TrustManager (Keystore based) • Init the SSL context with our TrustManager • Make SSL connection • bit.ly/anddevssl (Android developer blog)
Please don’t do this!! • Trust all
Tamper Protection • Licence Verification Library • Installer location
Environment verification • Emulator check ◦ System properties • Debuggable
check ◦ Package manager • Root check ◦ Root apps/utils ◦ System properties ◦ RW system
Validate signing key • Get SHA1 of signing cert (keytool)
• Embed in app • Get at signature at runtime • Compare
• Code Obfuscator • Older than Android! • Part of
the SDK • it’s FREE! • How to enable? ProGuard
ProGuard tips • Only applied on release builds ◦ Test
early! • Save your mapping.txt! • The good crashlytics services support ReTrace ◦ Critterism ◦ Bugsense ◦ HockeyApp ◦ Plus others...
Go pro-ProGuard = DexGuard
DexGuard • ProGuard’s bad ass brother • Same config as
ProGuard • Not free but 1 licence == ∞ apps • One line tamper check • wtf??? 囃$鷭.smali, Œ$鷭.smali • API hiding with String encryption == tough • Check out Eric Lafortune’s talk
Last but not least... • Code reviews ◦ Lint warnings
◦ OWASP Mobile security recommendations • Mobile app security certification ◦ bit.ly/androidcert
Thanks for listening
Q&A | Contact | Feedback • @scottyab • gplus.to/scottyab •
github/scottyab •
[email protected]