Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Android Security Tips
Search
Merab Tato Kutalia
May 15, 2019
Technology
1
40
Android Security Tips
Android Security Tips
Merab Tato Kutalia
May 15, 2019
Tweet
Share
More Decks by Merab Tato Kutalia
See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
160
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.8k
Make Codebases Secure with OWASP
tatocaster
0
190
Secure Coding Standards
tatocaster
0
140
ტანგო ანდროიდთან
tatocaster
0
240
Adopting Huawei Mobile Services
tatocaster
0
56
Android UI Testing & Challenges
tatocaster
1
97
Reverse & Inject - droidcon
tatocaster
3
290
mobile DevOps
tatocaster
1
120
Other Decks in Technology
See All in Technology
MCPと認可まわりの話 / mcp_and_authorization
convto
2
160
20250719_JAWS_kobe
takuyay0ne
1
160
CSPヘッダー導入で実現するWebサイトの多層防御:今すぐ試せる設定例と運用知見
llamakko
1
220
RapidPen: AIエージェントによる高度なペネトレーションテスト自動化の研究開発
laysakura
1
390
Railsの限界を超えろ!「家族アルバム みてね」の画像・動画の大規模アップロードを支えるアーキテクチャの変遷
ojima_h
3
440
20150719_Amazon Nova Canvas Virtual try-onアプリ 作成裏話
riz3f7
0
140
生成AIによる情報システムへのインパクト
taka_aki
1
150
PHPからはじめるコンピュータアーキテクチャ / From Scripts to Silicon: A Journey Through the Layers of Computing
tomzoh
2
390
Building GoReleaser - from shell script to paid product
caarlos0
0
270
公開初日に個人環境で試した Gemini CLI 体験記など / Gemini CLI実験レポート
you
PRO
3
350
Snowflake のアーキテクチャは本当に筋がよかったのか / Data Engineering Study #30
indigo13love
0
260
少人数でも回る! DevinとPlaybookで支える運用改善
ishikawa_pro
3
590
Featured
See All Featured
A designer walks into a library…
pauljervisheath
207
24k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.5k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
Navigating Team Friction
lara
187
15k
A better future with KSS
kneath
238
17k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
760
Optimizing for Happiness
mojombo
379
70k
Adopting Sorbet at Scale
ufuk
77
9.5k
Optimising Largest Contentful Paint
csswizardry
37
3.3k
Thoughts on Productivity
jonyablonski
69
4.7k
Gamification - CAS2011
davidbonilla
81
5.4k
Transcript
Android App Security Tips Merabi Kutalia
Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia
None
Topics • data storage • app permissions • networking •
webview(javascript) • dynamically loaded code
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak
app permissions • data leak caused by misused permissions
networking • HTTPS (it’s 2019!)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •
GCM/FCM/SMS (Sensitive Data)
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No! • webkit
dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )
Proguard/R8
Proguard • rules
Tools • Apktool • Dex2Jar • JD-GUI
Nomrebi .com
Nomrebi .com
None
Thank you