Android Security Tips
Merab Tato Kutalia
May 15, 2019
Transcript
Android App Security Tips
Merabi Tato Kutalia
tatocaster | tatocaster.me | github.com/tatocaster | twitter.com/@TatoKutalia
Topics
• data storage
• app permissions
• networking
• webview (javascript)
• dynamically loaded code
data storage
• Internal Storage (MODE_WORLD_WRITEABLE, deprecated in API 17)
• External Storage is globally readable
• Scoped Storage (Android Q)
• Content Providers (SQL injection)
• Shared preferences + leak
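The two storage items most often turned into a bug are the content-provider and shared-preferences ones, so here is an added example (written for this page, not code from the slides) that shows a ContentProvider query built by string concatenation next to a hardened version, plus the one SharedPreferences mode that is safe to use. The provider name NotesProvider, the "notes" table, its columns and the "settings" preference file are assumed placeholders.

```kotlin
import android.content.ContentProvider
import android.content.ContentValues
import android.content.Context
import android.content.SharedPreferences
import android.database.Cursor
import android.database.sqlite.SQLiteDatabase
import android.database.sqlite.SQLiteOpenHelper
import android.database.sqlite.SQLiteQueryBuilder
import android.net.Uri

// Assumed names for this example; the slides name no table or provider.
private const val TABLE = "notes"

// Columns a caller may read. Strict mode below checks the caller's projection
// and selection against this map, so the "secret" column never leaves the app.
private val PROJECTION_MAP = mapOf("_id" to "_id", "title" to "title", "body" to "body")

// Sort keys a caller may request. sortOrder is not covered by setStrict(true)
// before API 30 (setStrictGrammar), so it is restricted here instead.
private val SORT_ALLOWLIST = setOf("_id", "title")

class NotesProvider : ContentProvider() {
    private lateinit var helper: SQLiteOpenHelper

    override fun onCreate(): Boolean {
        helper = object : SQLiteOpenHelper(context, "notes.db", null, 1) {
            override fun onCreate(db: SQLiteDatabase) {
                db.execSQL(
                    "CREATE TABLE $TABLE (_id INTEGER PRIMARY KEY, title TEXT, body TEXT, secret TEXT)"
                )
            }
            override fun onUpgrade(db: SQLiteDatabase, oldVersion: Int, newVersion: Int) = Unit
        }
        return true
    }

    // BEFORE: the caller's selection string is pasted straight into the SQL.
    // When the provider is exported, every app on the device controls that
    // string and can change what the WHERE clause means or read other columns.
    fun queryVulnerable(selection: String?): Cursor {
        val where = if (selection.isNullOrBlank()) "" else " WHERE $selection"
        return helper.readableDatabase.rawQuery("SELECT title, body FROM $TABLE$where", null)
    }

    // AFTER: fixed table, fixed projection map, strict mode, allow-listed sort
    // key, and caller values travel only through selectionArgs, which SQLite
    // binds as data rather than SQL.
    override fun query(
        uri: Uri, projection: Array<String>?, selection: String?,
        selectionArgs: Array<String>?, sortOrder: String?
    ): Cursor? {
        val qb = SQLiteQueryBuilder()
        qb.tables = TABLE
        qb.setProjectionMap(PROJECTION_MAP)
        qb.setStrict(true) // API 14+: rejects a selection that tries to escape the WHERE clause
        val order = if (sortOrder != null && sortOrder in SORT_ALLOWLIST) sortOrder else "_id"
        return qb.query(helper.readableDatabase, projection, selection, selectionArgs, null, null, order)
    }

    override fun getType(uri: Uri): String? = "vnd.android.cursor.dir/vnd.example.note"
    // Read-only provider in this example.
    override fun insert(uri: Uri, values: ContentValues?): Uri? = null
    override fun delete(uri: Uri, selection: String?, selectionArgs: Array<String>?): Int = 0
    override fun update(
        uri: Uri, values: ContentValues?, selection: String?, selectionArgs: Array<String>?
    ): Int = 0
}

// Shared preferences: MODE_PRIVATE is the only mode to use. MODE_WORLD_READABLE
// and MODE_WORLD_WRITEABLE were deprecated in API 17 and throw SecurityException
// from API 24 on, but a file created with them on an older device stays readable
// by other apps until it is rewritten.
fun openAppPrefs(context: Context): SharedPreferences =
    context.getSharedPreferences("settings", Context.MODE_PRIVATE)
```

Strict mode only validates the selection (it compiles the query with the selection wrapped in parentheses and rejects it if the statement changes shape), which is why the example also pins the table, the projection map and the sort key. Independently of the query code, declare the provider with android:exported="false" in the manifest unless other apps genuinely need it, and guard an exported one with android:permission or android:grantUriPermissions so the attack surface is the permission check, not the SQL parser.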
app permissions
• data leak caused by misused permissions
networking
• HTTPS (it's 2019!)
• localhost! (https://twitter.com/fs0c131y/status/1085460755313508352)
• GCM/FCM/SMS (sensitive data)
webview
• setJavascriptEnabled - No!
• webkit
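The slide's advice is a single setter, but a WebView left at its defaults has several other doors open, so here is an added example (written for this page, not code from the slides) of a WebView configured with JavaScript, file and content access switched off, mixed content refused (the networking slide's HTTPS point), and a client that only lets an allow-listed https host load. The host docs.example.com and the function names are assumed placeholders.

```kotlin
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient

// Assumed placeholder: the only origin this WebView may navigate to.
private val ALLOWED_HOSTS = setOf("docs.example.com")

// True only for https URLs whose host is on the allow-list.
fun isAllowedUrl(url: Uri): Boolean {
    val host = url.host?.lowercase() ?: return false
    return url.scheme.equals("https", ignoreCase = true) && host in ALLOWED_HOSTS
}

@Suppress("DEPRECATION") // the *FromFileURLs setters are deprecated but still matter on older devices
fun hardenWebView(webView: WebView) {
    with(webView.settings) {
        javaScriptEnabled = false                  // the slide's point: leave it off
        allowFileAccess = false                    // no file:// loads
        allowContentAccess = false                 // no content:// loads through the WebView
        allowFileAccessFromFileURLs = false        // no file-to-file origin access
        allowUniversalAccessFromFileURLs = false   // no file-to-anything origin access
        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW // no http subresources on https pages
        domStorageEnabled = false
        setGeolocationEnabled(false)
    }
    webView.webViewClient = object : WebViewClient() {
        // API 24+ entry point. Returning true cancels the navigation.
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
            !isAllowedUrl(request.url)

        // Pre-24 entry point; deprecated, but it is what old devices call.
        override fun shouldOverrideUrlLoading(view: WebView, url: String): Boolean =
            !isAllowedUrl(Uri.parse(url))
    }
}

// Loads a page from the allow-listed origin; anything else is dropped before
// it reaches loadUrl, so a crafted deep link cannot steer the WebView elsewhere.
fun loadDocs(webView: WebView, path: String) {
    hardenWebView(webView)
    val target = Uri.parse("https://docs.example.com").buildUpon().appendEncodedPath(path).build()
    if (isAllowedUrl(target)) {
        webView.loadUrl(target.toString())
    }
}
```

If a page really needs JavaScript, enable it only for that one origin and keep addJavascriptInterface away from any WebView that can show content you do not control; shouldOverrideUrlLoading is not called for redirects inside an iframe or for subresource loads, so the allow-list is a navigation guard, not a content filter.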
dynamically loaded code
• Yes you can (https://stackoverflow.com/q/6857807/6845290)
Proguard/R8
• rules
Tools
• Apktool
• Dex2Jar
• JD-GUI
Nomrebi.com
Thank you