Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
1
50

Android Security Tips

Android Security Tips

Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
180
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.9k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
210
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
160
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
290
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
72
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
120
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
310
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
140

Other Decks in Technology

See All in Technology
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
6
71k
ソフトウェアアーキテクトのための意思決定術: Create Decision Readiness—The Real Skill Behind Architectural Decision
Avatar for Koji SHIMADA snoozer05
PRO
26
7.4k
Sansan Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
4k
LINEアプリ開発のための Claude Code活用基盤の構築
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
1
1.1k
大規模な組織におけるAI Agent活用の促進と課題
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
4
6.4k
チームメンバー迷わないIaC設計
Avatar for hayama hayama17
4
3k
【SLO】"多様な期待値" と向き合ってみた
Avatar for kaita z63d
2
240
WBCの解説は生成AIにやらせよう - 生成AIで野球解説者AI Agentを実現する / Baseball Commentator AI Agent for Gemini
Avatar for Shinichi Nakagawa shinyorke
PRO
0
290
[続・営業向け 誰でも話せるOCI セールストーク] AWSよりOCIの優位性が分からない編(2026年2月20日開催)
Avatar for oracle4engineer oracle4engineer
PRO
0
140
バニラVisaギフトカードを棄てるのは結構大変
Avatar for meow meow_noisy
0
160
トラブルの大半は「言ってない」x「言ってない」じゃねーか!!
Avatar for nakamichi ichimichi
0
190
男(監査)はつらいよ - Policy as CodeからAIエージェントへ
Avatar for Kengo Suzuki ken5scal
4
620

Featured

See All Featured
A Soul's Torment
Avatar for Nat Ma seathinner
5
2.4k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
29
4.2k
Designing for Performance
Avatar for Lara Hogan lara
611
70k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
61
9.8k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
Avatar for konakalab konakalab
0
370
Information Architects: The Missing Link in Design Systems
Avatar for Michelle Chin soysaucechin
0
810
The Mindset for Success: Future Career Progression
Avatar for Greg Gifford greggifford
PRO
0
260
Building Experiences: Design Systems, User Experience, and Full Site Editing
Avatar for Michelle Schulp Hunt marktimemedia
0
420
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
110
End of SEO as We Know It (SMX Advanced Version)
Avatar for Michael King ipullrank
3
4k
What Being in a Rock Band Can Teach Us About Real World SEO
Avatar for Ade Holder 427marketing
0
180
Between Models and Reality
Avatar for mayunak mayunak
1
210

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you