Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
63
1

Android Security Tips

Android Security Tips

Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
210
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.9k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
220
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
180
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
330
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
84
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
130
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
330
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
160

Other Decks in Technology

See All in Technology
Android の公式 Skill / Android skills
Avatar for Yuki Anzai yanzm
0
140
Bedrock AgentCore RuntimeでAuth0 Changelog調査AIをアップグレードした話
Avatar for t.t t5u8a5a
1
110
2026TECHFRESH畢業分享會 - AI 時代的人生存檔點
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
940
機械学習を「社会実装」するということ 2026年夏版 / Social Implementation of Machine Learning June 2026 Version
Avatar for Moe Uchiike(内池 もえ) moepy_stats
5
1.9k
AmazonRoute 53ではじめてのドメイン取得!HTTPS化までの道のりを整理してみた
Avatar for usanchuu usanchuu
3
140
Kubernetesにおける学習基盤とLLMOpsの概要
Avatar for ry ry
1
270
自律型AIエージェントは何を破壊するのか
Avatar for kojira kojira
0
160
protovalidate-es を導入してみた
Avatar for 弁護士ドットコム bengo4com
0
180
人材育成分科会.pdf
Avatar for _awache _awache
1
150
チームで進めるAI駆動アジャイル×ウォーターフォール
Avatar for 熊井悠 kumaiu
0
160
Oracle AI Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
1.5k
新しいVibe Codingと”自走”について
Avatar for watany watany
6
310

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
37
6.5k
SEOcharity - Dark patterns in SEO and UX: How to avoid them and build a more ethical web
Avatar for Sara Fernández Carmona sarafernandez
0
200
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
Deep Space Network (abreviated)
Avatar for Tony Rice tonyrice
0
170
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
35k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
27k
From Legacy to Launchpad: Building Startup-Ready Communities
Avatar for Dug Song dugsong
0
230
Done Done
Avatar for chrislema chrislema
186
16k
Leadership Guide Workshop - DevTernity 2021
Avatar for David Neal reverentgeek
1
300
Lightning Talk: Beautiful Slides for Beginners
Avatar for Ines Montani inesmontani
PRO
2
570
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
23k
How to make the Groovebox
Avatar for あそなす asonas
2
2.2k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you