Hardening your Android app Droidcon uk 2013
Scott Alexander-Bown
October 25, 2013
Transcript

Hardening your app
Scott Alexander-Bown @scottyab

Scott Alexander-Bown
• Senior Developer @viaForensics
• Co-author Android Security Cookbook
• Co-founder SWmobile meetup group
  ◦ meetup.com/swmobile

Hardening your Android App
• Reverse engineering 101
• Encryption
• SSL
• Tamper detection
• Obfuscation

Not about… 100%

It's on YOU!!!
• Android is No.1
• Your role == protect data
• It's your reputation

Reverse engineering 101
• Why?
  ◦ Easy / fun
  ◦ Lots of tools
  ◦ Replace Ads
  ◦ Trojanise app
  ◦ Software Piracy
• Tools
  ◦ Apktool - bit.ly/apktool
  ◦ Dex2jar - bit.ly/dex2jar
  ◦ Apk to Java - bit.ly/apk2java

Apktool: Let's hack my app
• Measure your social influence with +1's +Likes +retweet +mentions +recommendations +magic = Klout score

Apktool: Output
$ apktool d myapp.apk

Santoku Linux
• Pre-installed:
  ◦ platform SDKs
  ◦ decompilation tools
  ◦ hacking tools
• Get it here: santoku-linux.com

VIA LAB
viaforensics.com/products/vialab

Encryption

SpongyCastle
• Consistent cryptography across OS versions
• Support
  ◦ AES-GCM
  ◦ Elliptic Curve Cryptography (ECC)
• github.com/rtyley/spongycastle

Encryption: quick wins
• SQLCipher
  ◦ 256-bit AES encryption of the SQLite database
  ◦ sqlcipher.net/sqlcipher-for-android
• IOCipher
  ◦ Virtual encrypted disk
  ◦ guardianproject.info/code/iocipher

Generate key per app

Ob-Secure Preferences
• Library to 'obscure' your shared prefs
• Stops cheats
• Quick win!
• github.com/scottyab/secure-preferences

Password based encryption
• The key is not stored on the device; instead it is derived
  ◦ Use algorithm "PBKDF2WithHmacSHA1"
  ◦ User entered password/code
  ◦ salt (i.e. package name)
  ◦ iteration count (1000+)
  ◦ = Derived encryption key
• Tip: Ensure the derivation takes more than 100ms
• github.com/nelenkov/android-pbe
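The slide lists the ingredients of password-based key derivation but not how they fit together on Android. The class below is an added example (not the deck's code and not taken from the android-pbe project it links): it uses the JCA algorithm name the slide gives, "PBKDF2WithHmacSHA1", and applies the "more than 100ms" tip by doubling the iteration count until one derivation crosses that threshold on the device it runs on. The class name, constants and the 16-byte random salt are my choices; the slide's package-name salt works the same way, but a random per-install salt stored beside the ciphertext means two users with the same password do not share a key.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Derives an AES key from a user-entered password with PBKDF2 (added example, not from the deck). */
public final class PbeKeyDeriver {
    private static final String PBKDF2 = "PBKDF2WithHmacSHA1"; // algorithm named on the slide
    private static final int KEY_BITS = 256;                    // AES-256 key
    private static final int SALT_BYTES = 16;                   // assumption: 128-bit random salt
    private static final int MIN_ITERATIONS = 1000;             // slide: "1000+"
    private static final long TARGET_MILLIS = 100;              // slide: "more than 100ms"

    private PbeKeyDeriver() {}

    /** Fresh random salt, generated once per install and stored next to the ciphertext. */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /** PBKDF2WithHmacSHA1(password, salt, iterations) -> 256-bit AES key. */
    public static SecretKey deriveKey(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            byte[] keyBytes = SecretKeyFactory.getInstance(PBKDF2).generateSecret(spec).getEncoded();
            return new SecretKeySpec(keyBytes, "AES");
        } finally {
            spec.clearPassword(); // wipe the copy of the password held inside the spec
        }
    }

    /**
     * Doubles the iteration count until a single derivation takes at least TARGET_MILLIS on
     * this device. Run once, off the UI thread, then persist the result together with the salt:
     * the same password, salt and count are needed to reproduce the key later.
     */
    public static int calibrateIterations(byte[] salt) throws GeneralSecurityException {
        char[] probe = "calibration-only".toCharArray(); // constructed probe value, not a real secret
        int iterations = MIN_ITERATIONS;
        while (true) {
            long start = System.nanoTime();
            deriveKey(probe, salt, iterations);
            long elapsedMillis = (System.nanoTime() - start) / 1000000L;
            if (elapsedMillis >= TARGET_MILLIS) {
                return iterations;
            }
            iterations *= 2;
        }
    }
}
```

Typical flow: call `newSalt()` and `calibrateIterations(salt)` at first run, store both (they are not secret), and afterwards call `deriveKey(password, salt, iterations)` whenever the user enters the password. Because the count is calibrated on real hardware rather than hard-coded, a faster device ends up with a higher count instead of a faster-to-brute-force key.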
Keystore provider
• New in Android 4.3
• Hardware backed keychain
• github.com/nelenkov/android-keystore

SSL / TLS

OnionKit
• StrongTrustManager
  ◦ Validates the whole cert chain and root
  ◦ Debian cert store (not Android's)
• Use with Orbot
• guardianproject.info/code/onionkit

Self signed SSL
• Download certificate (openssl)
• Embed in app (/res/raw)
• Load into Keystore
• Custom TrustManager (Keystore based)
• Init the SSL context with our TrustManager
• Make SSL connection
• bit.ly/anddevssl (Android developer blog)

Please don't do this!!
• Trust all
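The "Self signed SSL" steps and the "Trust all" slide describe the same TrustManager from opposite directions. The class below is an added example (not the deck's code, not the linked developer-blog code): `fromBundledCertificate` carries out the slide's six steps, loading a certificate bundled under res/raw into an empty KeyStore and initialising an SSLContext that trusts nothing else, while `trustAllDoNotUse` shows the shape of the TrustManager the "Please don't do this!!" slide refers to, so that it is recognisable in code review. Class and method names are mine; the raw resource name in the usage note is a placeholder.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Self-signed certificate pinning via a KeyStore-backed TrustManager (added example). */
public final class PinnedSsl {
    private PinnedSsl() {}

    /**
     * Slide steps 2-5: the certificate (fetched with openssl and bundled in res/raw) is loaded
     * into a fresh KeyStore, a TrustManager is built from that store alone, and an SSLContext
     * is initialised with it. Connections then succeed only against a server presenting
     * exactly this certificate; the device's CA store plays no part.
     */
    public static SSLSocketFactory fromBundledCertificate(InputStream certStream)
            throws GeneralSecurityException, IOException {
        Certificate serverCert;
        try {
            serverCert = CertificateFactory.getInstance("X.509").generateCertificate(certStream);
        } finally {
            certStream.close();
        }

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store, no system CAs
        trustStore.setCertificateEntry("server", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /**
     * The "trust all" TrustManager from the slide: every check is a no-op, so any certificate,
     * including one minted by a proxy sitting between app and server, is accepted. Shown here
     * only as the pattern to reject when reviewing code.
     */
    public static TrustManager[] trustAllDoNotUse() {
        return new TrustManager[] { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }
}
```

Step 6 on Android is `conn.setSSLSocketFactory(PinnedSsl.fromBundledCertificate(getResources().openRawResource(R.raw.server_cert)))` on an `HttpsURLConnection`, with `R.raw.server_cert` standing in for whatever the bundled file is called. Leave the default `HostnameVerifier` in place: replacing it with an allow-all verifier undoes the pin in the same way a trust-all manager does. Pinning the leaf certificate also means a certificate rotation on the server requires an app update, so plan the rollover before the certificate expires.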
Tamper Protection
• Licence Verification Library
• Installer location

Environment verification
• Emulator check
  ◦ System properties
• Debuggable check
  ◦ Package manager
• Root check
  ◦ Root apps/utils
  ◦ System properties
  ◦ RW system

Validate signing key
• Get SHA1 of signing cert (keytool)
• Embed in app
• Get the signature at runtime
• Compare
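The three slides above (installer location, environment verification, signing-key validation) each name a check without showing the Android call behind it. The class below is an added example and not the deck's code: it implements each check with the platform APIs available at the time of the talk and combines them in `isEnvironmentTrusted`. The expected fingerprint is a placeholder to be replaced with the SHA-1 that `keytool -list -v` prints for the release certificate; the emulator and root tests are heuristics (matching the slide's "system properties" and "RW system" hints), and the class, method and constant names are mine.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.File;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Runtime self-checks from the "Tamper Protection" slides (added example, not the deck's code). */
public final class TamperChecks {
    // Placeholder, not a real value: SHA-1 of the release signing certificate as printed by
    // `keytool -list -v -keystore release.keystore`, written as hex without colons.
    private static final String EXPECTED_SIGNING_SHA1 = "REPLACE_WITH_RELEASE_CERT_SHA1_HEX";
    private static final String PLAY_STORE_INSTALLER = "com.android.vending";

    private TamperChecks() {}

    /** Validate signing key: SHA-1 of the runtime certificate must equal the embedded value. */
    public static boolean isSigningCertValid(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                // Signature bytes are the DER certificate, so SHA-1 over them is keytool's fingerprint
                if (EXPECTED_SIGNING_SHA1.equalsIgnoreCase(sha1Hex(sig.toByteArray()))) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            return false; // any lookup failure counts as a failed check
        }
    }

    static String sha1Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(data);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    /** Debuggable check via the package manager's ApplicationInfo flags. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Installer location: was this APK installed through Google Play? */
    public static boolean isInstalledFromPlay(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE_INSTALLER.equals(installer);
    }

    /** Emulator check from system properties; heuristic, not proof. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || "goldfish".equals(Build.HARDWARE)
                || Build.MODEL.contains("sdk");
    }

    /** Root check: test-keys build tags, su binaries, writable /system. Heuristic again. */
    public static boolean looksRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        String[] suPaths = { "/system/bin/su", "/system/xbin/su", "/sbin/su" };
        for (String path : suPaths) {
            if (new File(path).exists()) return true;
        }
        return new File("/system").canWrite();
    }

    /** All checks together; callers decide how to react (degrade, refuse, or just log). */
    public static boolean isEnvironmentTrusted(Context ctx) {
        return isSigningCertValid(ctx) && !isDebuggable(ctx) && isInstalledFromPlay(ctx)
                && !looksLikeEmulator() && !looksRooted();
    }
}
```

These checks run inside the app they protect, so, as the "Not about… 100%" slide says, a patched APK can remove them; their value is raising the effort needed, which is also why the deck pairs them with ProGuard or DexGuard so the comparison is not a single easily spotted branch. The signing-key check is the strongest of the set, because a repackaged APK cannot be signed with the original release key.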
ProGuard
• Code Obfuscator
• Older than Android!
• Part of the SDK
• It's FREE!
• How to enable?

ProGuard tips
• Only applied on release builds
  ◦ Test early!
• Save your mapping.txt!
• The good crash-reporting services support ReTrace
  ◦ Crittercism
  ◦ Bugsense
  ◦ HockeyApp
  ◦ Plus others...

Go pro-ProGuard = DexGuard

DexGuard
• ProGuard's bad ass brother
• Same config as ProGuard
• Not free, but 1 licence == ∞ apps
• One line tamper check
• wtf??? 囃$鷭.smali, Œ$鷭.smali
• API hiding with String encryption == tough
• Check out Eric Lafortune's talk

Last but not least...
• Code reviews
  ◦ Lint warnings
  ◦ OWASP Mobile security recommendations
• Mobile app security certification
  ◦ bit.ly/androidcert

Thanks for listening

Q&A | Contact | Feedback
• @scottyab
• gplus.to/scottyab
• github/scottyab
• [email protected]