Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security Tips

Avatar for Merab Tato Kutalia Merab Tato Kutalia
May 15, 2019
Technology
1
46

Android Security Tips

Android Security Tips

Avatar for Merab Tato Kutalia

Merab Tato Kutalia

May 15, 2019
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
Avatar for Merab Tato Kutalia tatocaster
0
170
Migrate to Gradle version catalog and convention plugins
Avatar for Merab Tato Kutalia tatocaster
3
1.9k
Make Codebases Secure with OWASP
Avatar for Merab Tato Kutalia tatocaster
0
200
Secure Coding Standards
Avatar for Merab Tato Kutalia tatocaster
0
160
ტანგო ანდროიდთან
Avatar for Merab Tato Kutalia tatocaster
0
280
Adopting Huawei Mobile Services
Avatar for Merab Tato Kutalia tatocaster
0
70
Android UI Testing & Challenges
Avatar for Merab Tato Kutalia tatocaster
1
110
Reverse & Inject - droidcon
Avatar for Merab Tato Kutalia tatocaster
3
310
mobile DevOps
Avatar for Merab Tato Kutalia tatocaster
1
140

Other Decks in Technology

See All in Technology
AWS Network Firewall Proxyで脱Squid運用⁈
Avatar for hr0hr57 nnydtmg
1
150
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
6
64k
Exadata Database Service ソフトウェアのアップデートとアップグレードの概要
Avatar for oracle4engineer oracle4engineer
PRO
1
1.2k
研究開発部メンバーの働き⽅ / Sansan R&D Profile
Avatar for Sansan, Inc. sansan33
PRO
4
22k
Claude in Chromeで始める自律的フロントエンド開発
Avatar for morimorikochan diggymo
1
240
ビジュアルプログラミングIoTLT vol.22
Avatar for 1ft-seabass 1ftseabass
PRO
0
110
ソフトとハード両方いけるデータ人材の育て方
Avatar for Yuta Ozaki waiwai2111
1
550
The Engineer with a Three-Year Cycle
Avatar for YAMADA Nobuko e99h2121
0
160
Riverpod3.xで実現する実践的UI実装
Avatar for Fumiya Sakai fumiyasac0921
1
270
ファインディにおけるフロントエンド技術選定の歴史
Avatar for puku0x puku0x
2
1.6k
純粋なイミュータブルモデルを設計してからイベントソーシングと組み合わせるDeciderの実践方法の紹介 /Introducing Decider Pattern with Event Sourcing
Avatar for Tomohisa Takaoka tomohisa
1
1.3k
スクラムを一度諦めたチームにアジャイルコーチが入ってどう変化したか / A Team's Second Try at Scrum with an Agile Coach
Avatar for 株式会社カオナビ kaonavi
0
280

Featured

See All Featured
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
Avatar for Tomoya Matsuura tomoyanonymous
2
370
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
65
8.4k
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
1
220
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
370
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4.1k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.7k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
463
34k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
Avatar for Mike Taylor tmiket
0
59
Building a A Zero-Code AI SEO Workflow
Avatar for Ian Lurie portentint
PRO
0
260
Reality Check: Gamification 10 Years Later
Avatar for Sebastian Deterding codingconduct
0
2k

Transcript

  1. Android App Security Tips Merabi Kutalia

  2. Tato Kutalia tatocaster tatocaster.me github.com/tatocaster twitter.com/@TatoKutalia

  3. None

  4. Topics • data storage • app permissions • networking •

    webview(javascript) • dynamically loaded code

  5. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17)

  6. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable

  7. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q)

  8. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection)

  9. data storage • Internal Storage(MODE_WORLD_WRITABLE (deprecated in API 17) •

    External Storage is globally readable • Scoped Storage(Android Q) • Content Providers(Sql Injection) • Shared preferences + leak

  10. app permissions • data leak caused by misused permissions

  11. networking • HTTPS (it’s 2019!)

  12. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352)

  13. networking • HTTPS (it’s 2019!) • localhost! (https://twitter.com/ fs0c131y/status/1085460755313508352) •

    GCM/FCM/SMS (Sensitive Data)

  14. webview • setJavascriptEnabled - No!

  15. webview • setJavascriptEnabled - No!

  16. webview • setJavascriptEnabled - No! • webkit

  17. dynamically loaded code • Yes you can (https://stackoverflow.com/q/ 6857807/6845290 )

  18. Proguard/R8

  19. Proguard • rules

  20. Tools • Apktool • Dex2Jar • JD-GUI

  21. Nomrebi .com

  22. Nomrebi .com

  23. None

  24. Thank you