Don’t get stung by OWASP - An intro into writing code for greater Android Security
In this session, we will take a dive into OWASP's top threats for mobile security and the common Android security pitfalls we all succumb to, and look at how we may code with a more security-focused mindset going forward.
I have enough time to cover • Introduction to some of the OWASP Top 10 • Address the most common mistakes in our apps • Look into securing data within Room / Shared Prefs • Q&A • Bonus: The time I was stung by 50 wasps IRL 🙈🐝
just in case someone goofs up later. • Anything you learn here is to be used for educational purposes ONLY • Do NOT test on apps you are not authorised to use • Please consider seeking your company’s security advice from someone that knows a lot more than me! • This talk is NOT associated with and/or endorsed by the OWASP Foundation or my employer!
attack surface is HUGE and growing • Mobile security is often neglected by organisations + devs • Growing financial incentives for malicious actors • Mobile security is not rocket science (as we shall see)! • Mobile’s own ‘Log4Shell’ is always right around the corner…
Open Web Application Security Project • Non-profit OWASP Foundation created in 2001 • Provides free security resources for developers & organisations alike • Also maintains ‘Top 10’ list(s) of the greatest security threats to application security
vulnerability • Apps can draw over other apps and monitor their contents • They can also pass spoofed touch events • Combined, this can be used maliciously to trick users into entering passwords, accepting permissions, etc • Permission required for these apps, but only recently
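The mitigation for the overlay problem above is to have sensitive views drop touches that arrive while another window is drawn over them. The following is an added example (not code from the talk): a hypothetical `SecureActionButton` that enables the framework's `filterTouchesWhenObscured` flag (the same as `android:filterTouchesWhenObscured="true"` in layout XML) and additionally rejects and logs partially obscured touches on API 29+. The class name and log tag are assumptions.

```kotlin
import android.content.Context
import android.os.Build
import android.util.AttributeSet
import android.util.Log
import android.view.MotionEvent
import androidx.appcompat.widget.AppCompatButton

// Hypothetical button for sensitive actions ("Confirm payment", "Grant access", ...).
class SecureActionButton @JvmOverloads constructor(
    context: Context,
    attrs: AttributeSet? = null,
    defStyleAttr: Int = 0
) : AppCompatButton(context, attrs, defStyleAttr) {

    init {
        // Same effect as android:filterTouchesWhenObscured="true":
        // the framework discards touch events delivered while another
        // window (e.g. an overlay) is fully covering this view.
        filterTouchesWhenObscured = true
    }

    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val obscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED was added in API 29; on older
        // releases only the fully-obscured case can be detected.
        val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0

        if (obscured || partiallyObscured) {
            // Drop the event and leave a trace for your own telemetry/debugging.
            Log.w(TAG, "Touch rejected: window obscured (partial=$partiallyObscured)")
            return false
        }
        return super.onFilterTouchEventForSecurity(event)
    }

    companion object {
        private const val TAG = "SecureActionButton" // assumed log tag
    }
}
```

Use this (or the XML attribute) on the views that actually matter: login buttons, permission-style confirmations and payment flows. Rejecting obscured touches everywhere tends to produce support tickets from users running legitimate screen-filter apps.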
Storage options compared (five columns; the first three column headings were not preserved in this extract, the last two are EncryptedSharedPreferences and SQLCipher):
Stores data in plaintext (default): ✅ | ✅ | ✅ | ❌ | ❌
Provides encryption functionality: ❌ | ❌ | ⚠ Not by default | ✅ | ✅
Min API: 1 | 14 | 16 | v1.0.0: 23, v1.1.0 (alpha): 21 | 16
First Party Support: ✅ | ✅ | ❌ | ✅ | ❌
Note: DataStore omitted here, but at time of writing (Jan 2022) has no support for encryption
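To make the "plaintext by default" row concrete, here is an added example (not from the talk or from the AndroidX project) showing the usual pitfall next to its hardened form: a token store backed by plain `SharedPreferences`, and the same store backed by `EncryptedSharedPreferences` from `androidx.security:security-crypto` (1.1.0 `MasterKey` API, min API 23 as per the table). The class names, file names and the `session_token` key are assumptions.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

private const val TOKEN_KEY = "session_token" // constructed key name for this example

// PITFALL: plain SharedPreferences. The value is written as readable text to
// /data/data/<package>/shared_prefs/session.xml, so it is exposed by device
// backups, rooted devices, or any file-read bug elsewhere in the app.
class PlaintextTokenStore(context: Context) {
    private val prefs: SharedPreferences =
        context.getSharedPreferences("session", Context.MODE_PRIVATE)

    fun save(token: String) = prefs.edit().putString(TOKEN_KEY, token).apply()
    fun load(): String? = prefs.getString(TOKEN_KEY, null)
}

// HARDENED: identical interface, but both keys and values are encrypted on
// disk with a key that lives in the Android Keystore and never leaves it.
class EncryptedTokenStore(context: Context) {
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    private val prefs: SharedPreferences = EncryptedSharedPreferences.create(
        context,
        "session_encrypted", // file name on disk; contents are ciphertext
        masterKey,
        // Deterministic scheme for keys so lookups by name still work.
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        // Authenticated encryption for values: tampering is detected on read.
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun save(token: String) = prefs.edit().putString(TOKEN_KEY, token).apply()
    fun load(): String? = prefs.getString(TOKEN_KEY, null)
    fun clear() = prefs.edit().clear().apply()
}
```

A quick check after adopting the encrypted store: pull the two XML files from a debug build and confirm that only the `session.xml` file still contains the token in clear. Migrating existing users means reading the old plaintext file once, writing into the encrypted one, then deleting the old file.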
    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <!-- Only add user certificate allowances in the debug-overrides to
             ensure release builds are secure -->
        <debug-overrides>
            <trust-anchors>
                <certificates src="system" />
                <certificates src="user" />
            </trust-anchors>
        </debug-overrides>
    </network-security-config>
NOT use outdated algorithms • SHA-1, MD5, MD4, RC2 • Encoding != Hashing != Encrypting • BASE64-ing something is not cryptography • Don’t come up with your own solutions • (Unless you are a cryptographer)
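The "Encoding != Hashing != Encrypting" point is easiest to see with the three operations side by side. The following is an added example (not code from the talk): Base64 encoding with no secret at all, a SHA-256 digest in place of MD5/SHA-1, and AES-GCM encryption with a key generated inside the Android Keystore (API 23+). The object name and the `demo_aes_key` alias are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import java.security.MessageDigest
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

object CryptoPrimer {
    private const val KEY_ALIAS = "demo_aes_key" // constructed alias for this example
    private const val GCM_TAG_BITS = 128
    private const val GCM_IV_BYTES = 12 // IV length the Keystore provider generates for GCM

    // 1. ENCODING: reversible by anyone, no secret involved. Not a security control.
    fun encode(plain: ByteArray): String = Base64.encodeToString(plain, Base64.NO_WRAP)
    fun decode(encoded: String): ByteArray = Base64.decode(encoded, Base64.NO_WRAP)

    // 2. HASHING: one-way, fixed-size digest. SHA-256 here; MD5/SHA-1 are not acceptable.
    fun sha256Hex(data: ByteArray): String =
        MessageDigest.getInstance("SHA-256").digest(data).joinToString("") { "%02x".format(it) }

    // 3. ENCRYPTION: reversible only with the key, which is generated in and
    //    never exported from the Android Keystore.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getEntry(KEY_ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }

        val gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        gen.init(
            KeyGenParameterSpec.Builder(
                KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
            )
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build()
        )
        return gen.generateKey()
    }

    /** Returns IV || ciphertext+tag. The provider picks a fresh random IV per call. */
    fun encrypt(plain: ByteArray): ByteArray {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, key()) // do not supply your own IV with Keystore keys
        return cipher.iv + cipher.doFinal(plain)
    }

    fun decrypt(blob: ByteArray): ByteArray {
        val iv = blob.copyOfRange(0, GCM_IV_BYTES)
        val body = blob.copyOfRange(GCM_IV_BYTES, blob.size)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(GCM_TAG_BITS, iv))
        return cipher.doFinal(body) // throws AEADBadTagException if the blob was modified
    }
}
```

Two things worth noticing when running this: `decode(encode(x))` succeeds for anyone who holds the string, which is why Base64 offers no protection, and `decrypt` on a blob with a single flipped byte fails with an exception rather than returning garbage, which is the authentication that GCM adds over plain AES-CBC.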
Twitter @Sp4ghettiCode • More resources and links at spght.dev/talks • Please do reach out if you are interested in learning more or have knowledge to share with the community! • Questions and Answers to follow…