Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
1
40

Android Security Tips

Android Security Tips
Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
160
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.8k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
190
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
140
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
230
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
55
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
95
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
290
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
120

Other Decks in Technology

See All in Technology
Fabric + Databricks 2025.6 の最新情報ピックアップ
Avatar for Ryoma Nagata ryomaru0825
1
160
Model Mondays S2E03: SLMs & Reasoning
Avatar for Nitya Narasimhan, PhD nitya
0
240
AI導入の理想と現実~コストと浸透〜
Avatar for oprst oprstchn
0
150
mrubyと micro-ROSが繋ぐロボットの世界
Avatar for Katsuhiko Kageyama kishima
2
380
変化する開発、進化する体系時代に適応するソフトウェアエンジニアの知識と考え方(JaSST'25 Kansai)
Avatar for みずのり mizunori
1
260
登壇ネタの見つけ方 / How to find talk topics
Avatar for pinkumohikan pinkumohikan
5
580
使いたいMCPサーバーはWeb APIをラップして自分で作る #QiitaBash
Avatar for 弁護士ドットコム bengo4com
0
1.2k
Github Copilot エージェントモードで試してみた
Avatar for Ochtum ochtum
0
130
無意味な開発生産性の議論から抜け出すための予兆検知とお金とAI
Avatar for Masato Ishigaki / 石垣雅人 i35_267
0
860
SpringBoot x TestContainerで実現するポータブル自動結合テスト
Avatar for 株式会社出前館 demaecan
0
120
KubeCon + CloudNativeCon Japan 2025 に行ってきた! & containerd の新機能紹介
Avatar for Honahuku honahuku
0
120
Node-REDのFunctionノードでMCPサーバーの実装を試してみた / Node-RED × MCP 勉強会 vol.1
Avatar for you(@youtoy) you
PRO
0
130

Featured

See All Featured
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
23
3.5k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
337
57k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
The Language of Interfaces
Avatar for Des Traynor destraynor
158
25k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
179
9.8k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
252
21k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
270
20k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
720
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
22k
It's Worth the Effort
Avatar for 3n 3n
185
28k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you