Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hardening your Android app Droidcon uk 2013
Search
Scott Alexander-Bown
October 25, 2013
Technology
1
480
Hardening your Android app Droidcon uk 2013
Scott Alexander-Bown
October 25, 2013
Tweet
Share
More Decks by Scott Alexander-Bown
See All by Scott Alexander-Bown
What's New In Android 15 Security
scottyab
0
120
Fundamentals of creating Android mobile apps
scottyab
0
61
What's 'Q' in Android Security
scottyab
0
260
Faster mobile debugging using a HTTP Proxy
scottyab
0
55
I <3 Charles Proxy
scottyab
0
63
What_s_new_from_Google_IO_2018.pdf
scottyab
0
110
Doppl, an intro!
scottyab
0
78
OMG What's new in Security
scottyab
0
64
What's New from Google I/O 2017
scottyab
0
110
Other Decks in Technology
See All in Technology
Snowflake Summit 2025 データエンジニアリング関連新機能紹介 / Snowflake Summit 2025 What's New about Data Engineering
tiltmax3
0
310
GeminiとNotebookLMによる金融実務の業務革新
abenben
0
230
AWS Summit Japan 2025 Community Stage - App workflow automation by AWS Step Functions
matsuihidetoshi
1
270
急成長を支える基盤作り〜地道な改善からコツコツと〜 #cre_meetup
stefafafan
0
120
OpenHands🤲にContributeしてみた
kotauchisunsun
1
440
プロダクトエンジニアリング組織への歩み、その現在地 / Our journey to becoming a product engineering organization
hiro_torii
0
130
Oracle Cloud Infrastructure:2025年6月度サービス・アップデート
oracle4engineer
PRO
2
240
LinkX_GitHubを基点にした_AI時代のプロジェクトマネジメント.pdf
iotcomjpadmin
0
170
HiMoR: Monocular Deformable Gaussian Reconstruction with Hierarchical Motion Representation
spatial_ai_network
0
110
Snowflake Summit 2025全体振り返り / Snowflake Summit 2025 Overall Review
mtpooh
2
400
Oracle Audit Vault and Database Firewall 20 概要
oracle4engineer
PRO
3
1.7k
Node-REDのFunctionノードでMCPサーバーの実装を試してみた / Node-RED × MCP 勉強会 vol.1
you
PRO
0
110
Featured
See All Featured
YesSQL, Process and Tooling at Scale
rocio
173
14k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Build The Right Thing And Hit Your Dates
maggiecrowley
36
2.8k
Facilitating Awesome Meetings
lara
54
6.4k
A Modern Web Designer's Workflow
chriscoyier
694
190k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.8k
How GitHub (no longer) Works
holman
314
140k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Optimizing for Happiness
mojombo
379
70k
GitHub's CSS Performance
jonrohan
1031
460k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
17
940
Transcript
Hardening your app Scott Alexander-Bown @scottyab
Scott Alexander-Bown • Senior Developer @viaForensics • Co-author Android Security
Cookbook • Co-founder SWmobile meetup group ◦ meetup.com/swmobile
Hardening your Android App • Reverse engineering 101 • Encryption
• SSL • Tamper detection • Obfuscation
Not about… 100%
It’s on YOU!!! • Android is No.1 • Your role
== protect data • It’s your reputation
• Why? ◦ Easy / fun ◦ Lots of tools
◦ Replace Ads ◦ Trojanise app ◦ Software Piracy • Tools ◦ Apktool - bit.ly/apktool ◦ Dex2jar- bit.ly/dex2jar ◦ Apk to Java - bit.ly/apk2java Reverse engineering 101
Apktool: Let’s hack my app • Measure your social influence
with +1’s +Likes +retweet+mentions +recommendations +magic =Klout score
Apktool: Output $ apktool d myapp.apk
Santoku Linux • Pre-installed: ◦ platform SDKs ◦ decompilation tools
◦ hacking tools • Get it here: santoku-linux.com
VIA LAB viaforensics.com/products/vialab
Encryption
SpongyCastle • Consistent cryptology across os versions • Support ◦
AES-GCM ◦ Elliptic Curve Cryptography (ECC) • github.com/rtyley/spongycastle
Encryption: quick wins • SQLCipher ◦ 256-bit AES Encrypt SQLite
database ◦ sqlcipher.net/sqlcipher-for-android • IOCipher ◦ Virtual encrypted disk ◦ guardianproject.info/code/iocipher
Generate key per app
Ob-Secure Preferences • Library to ‘obscure’ your shared prefs •
Stops cheats • Quick win! • github.com/scottyab/secure-preferences
Password based encryption • Not store on the device, instead
is derived ◦ Use algorithm “PBKDF2WithHmacSHA1” ◦ User entered password/code ◦ salt (i.e package name) ◦ iteration count (1000+) ◦ =Derived encryption key • Tip: Ensure derivation method takes more than 100ms • github.com/nelenkov/android-pbe
Keystore provider • New in Android 4.3 • Hardware backed
keychain • github.com/nelenkov/android-keystore
SSL / TLS
OnionKit • StrongTrustManager ◦ Validate the whole cert chain and
root ◦ Debian cert store (not Android’s) • Use with Orbot • guardianproject.info/code/onionkit
Self signed SSL • Download certificate (openssl) • Embed in
app (/res/raw) • Load into Keystore • Custom TrustManager (Keystore based) • Init the SSL context with our TrustManager • Make SSL connection • bit.ly/anddevssl (Android developer blog)
Please don’t do this!! • Trust all
Tamper Protection • Licence Verification Library • Installer location
Environment verification • Emulator check ◦ System properties • Debuggable
check ◦ Package manager • Root check ◦ Root apps/utils ◦ System properties ◦ RW system
Validate signing key • Get SHA1 of signing cert (keytool)
• Embed in app • Get at signature at runtime • Compare
• Code Obfuscator • Older than Android! • Part of
the SDK • it’s FREE! • How to enable? ProGuard
ProGuard tips • Only applied on release builds ◦ Test
early! • Save your mapping.txt! • The good crashlytics services support ReTrace ◦ Critterism ◦ Bugsense ◦ HockeyApp ◦ Plus others...
Go pro-ProGuard = DexGuard
DexGuard • ProGuard’s bad ass brother • Same config as
ProGuard • Not free but 1 licence == ∞ apps • One line tamper check • wtf??? 囃$鷭.smali, Œ$鷭.smali • API hiding with String encryption == tough • Check out Eric Lafortune’s talk
Last but not least... • Code reviews ◦ Lint warnings
◦ OWASP Mobile security recommendations • Mobile app security certification ◦ bit.ly/androidcert
Thanks for listening
Q&A | Contact | Feedback • @scottyab • gplus.to/scottyab •
github/scottyab •
[email protected]