Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Android Security Tips
Search
Merab Tato Kutalia
May 15, 2019
Technology
1
41
Android Security Tips
Android Security Tips
Merab Tato Kutalia
May 15, 2019
Tweet
Share
More Decks by Merab Tato Kutalia
See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
160
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.9k
Make Codebases Secure with OWASP
tatocaster
0
190
Secure Coding Standards
tatocaster
0
150
ტანგო ანდროიდთან
tatocaster
0
260
Adopting Huawei Mobile Services
tatocaster
0
62
Android UI Testing & Challenges
tatocaster
1
110
Reverse & Inject - droidcon
tatocaster
3
300
mobile DevOps
tatocaster
1
130
Other Decks in Technology
See All in Technology
激動の時代を爆速リチーミングで乗り越えろ
sansantech
PRO
1
170
会社を支える Pythonという言語戦略 ~なぜPythonを主要言語にしているのか?~
curekoshimizu
4
900
AI機能プロジェクト炎上の 3つのしくじりと学び
nakawai
0
150
SOTA競争から人間を超える画像認識へ
shinya7y
0
610
アウトプットから始めるOSSコントリビューション 〜eslint-plugin-vueの場合〜 #vuefes
bengo4com
3
1.8k
戦えるAIエージェントの作り方
iwiwi
2
830
ViteとTypeScriptのProject Referencesで 大規模モノレポのUIカタログのリリースサイクルを高速化する
shuta13
3
220
serverless team topology
_kensh
3
240
書籍『実践 Apache Iceberg』の歩き方
ishikawa_satoru
0
230
プレイドのユニークな技術とインターンのリアル
plaidtech
PRO
1
490
dbtとAIエージェントを組み合わせて見えたデータ調査の新しい形
10xinc
7
1.4k
もう外には出ない。より快適なフルリモート環境を目指して
mottyzzz
14
11k
Featured
See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
Rails Girls Zürich Keynote
gr2m
95
14k
Optimising Largest Contentful Paint
csswizardry
37
3.5k
How STYLIGHT went responsive
nonsquared
100
5.9k
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.6k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
640
Site-Speed That Sticks
csswizardry
13
930
Producing Creativity
orderedlist
PRO
348
40k
Reflections from 52 weeks, 52 projects
jeffersonlam
355
21k
Docker and Python
trallard
46
3.6k
Building Flexible Design Systems
yeseniaperezcruz
329
39k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.5k
Transcript
Android App Security Tips Merabi Kutalia
Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia
None
Topics • data storage • app permissions • networking •
webview(javascript) • dynamically loaded code
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)
data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •
External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak
app permissions • data leak caused by misused permissions
networking • HTTPS (it’s 2019!)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)
networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •
GCM/FCM/SMS (Sensitive Data)
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No!
webview • setJavascriptEnabled - No! • webkit
dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )
Proguard/R8
Proguard • rules
Tools • Apktool • Dex2Jar • JD-GUI
Nomrebi .com
Nomrebi .com
None
Thank you
tatocaster
sansantech
curekoshimizu
nakawai
shinya7y
bengo4com
iwiwi
shuta13
_kensh
ishikawa_satoru
plaidtech
10xinc
mottyzzz
bermonpainter
gr2m
csswizardry
nonsquared
jnunemaker
bluesmoon
orderedlist
jeffersonlam
trallard
yeseniaperezcruz
bcantrill
