Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Android Security Tips
Search
Merab Tato Kutalia
May 15, 2019
Technology
1
40
Android Security Tips
Android Security Tips
Merab Tato Kutalia
May 15, 2019
Tweet
Share
More Decks by Merab Tato Kutalia
See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
160
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.9k
Make Codebases Secure with OWASP
tatocaster
0
190
Secure Coding Standards
tatocaster
0
150
ტანგო ანდროიდთან
tatocaster
0
250
Adopting Huawei Mobile Services
tatocaster
0
59
Android UI Testing & Challenges
tatocaster
1
100
Reverse & Inject - droidcon
tatocaster
3
290
mobile DevOps
tatocaster
1
130
Other Decks in Technology
See All in Technology
シークレット管理だけじゃない!HashiCorp Vault でデータ暗号化をしよう / Beyond Secret Management! Let's Encrypt Data with HashiCorp Vault
nnstt1
2
130
Grafana Meetup Japan Vol. 6
kaedemalu
1
190
モダンフロントエンド 開発研修
recruitengineers
PRO
9
6.1k
「守る」から「進化させる」セキュリティへ ~AWS re:Inforce 2025参加報告~ / AWS re:Inforce 2025 Participation Report
yuj1osm
1
180
退屈なことはDevinにやらせよう〜〜Devin APIを使ったVisual Regression Testの自動追加〜
kawamataryo
4
1.1k
Vault meets Kubernetes
mochizuki875
0
150
ヘブンバーンズレッドにおける、世界観を活かしたミニゲーム企画の作り方
gree_tech
PRO
0
420
LLM翻訳ツールの開発と海外のお客様対応等への社内導入事例
gree_tech
PRO
0
430
PRDの正しい使い方 ~AI時代にも効く思考・対話・成長ツールとして~
techtekt
PRO
0
310
DeNA での思い出 / Memories at DeNA
orgachem
PRO
6
1.9k
今!ソフトウェアエンジニアがハードウェアに手を出すには
mackee
1
230
エラーとアクセシビリティ
schktjm
0
140
Featured
See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
131
19k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
8
510
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
36
2.5k
Code Review Best Practice
trishagee
70
19k
It's Worth the Effort
3n
187
28k
Six Lessons from altMBA
skipperchong
28
4k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
BBQ
matthewcrist
89
9.8k
The Pragmatic Product Professional
lauravandoore
36
6.8k
How GitHub (no longer) Works
holman
315
140k
Transcript
Android App Security Tips Merabi Kutalia
Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia
None
Topics • data storage • app permissions • networking •
webview(javascript) • dynamically loaded code
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak
app permissions • data leak caused by misused permissions
networking • HTTPS (it’s 2019!)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •
GCM/FCM/SMS (Sensitive Data)
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No! • webkit
dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )
Proguard/R8
Proguard • rules
Tools • Apktool • Dex2Jar • JD-GUI
Nomrebi .com
Nomrebi .com
None
Thank you