SlideShare ist ein Scribd-Unternehmen logo

SECURE YOUR APP FIGHT THE LEAKS

Eyal Lezmy
Eyal Lezmy

You can consult the speaker's notes on the Google Drive presentation: http://bit.ly/droidcon-sec On the corporate environment, data is often more sensitive and strategic than the equipment. During this talk we will explore together the security issues that can occasionally cause leaks on an Android app and how to prevent them.

Technologie
1 von 28
Downloaden Sie, um offline zu lesen
SECURE YOUR APP FIGHT THE LEAKS! DROIDCON PARIS 2013
EYAL LEZMY ANDROID PRESALES ENGINEER, SAMSUNG B2B TREASURER AT PARIS ANDROID USER GROUP ANDROID GOOGLE DEVELOPER EXPERT Slides http://bit.ly/droidcon-sec http://eyal.fr
Company THE USER TRUSTS YOU DON'T LET HIM DOWN
APPS HAVE TO RESPECT THE DATA Different ways to unintentionally grant other apps access to the data inside your application : Exporting an unprotected component Storing personal data in a world readable file Logging personal data in logcat logs Copyright © 1995-2012 SAMSUNG All rights reserved
CHECK YOUR ANDROIDMANIFEST.XML It declares accessible app components Activity, Service, Receive,... Adding <intent-filter> => your element is exported by default ContentProvider is always exported by default, until android:targetSdkVersion="17" Copyright © 1995-2012 SAMSUNG All rights reserved
CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications <application android:label="@string/app_name"> … <service android:name=".ServiceExample“ android:exported="false"> <intent-filter> … </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications to <application android:label="@string/app_name"> ity itim … leg a? <service android:name=".ServiceExample“ ur at yo e d android:exported="false"> t is pos <intent-filter> ha ex … W </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
PERMISIONS There are different permission protection levels: normal Lower risk permission dangerous Higher risk, access to user private data, potential negative impact signature Needs the same certificate signature Copyright © 1995-2012 SAMSUNG All rights reserved
PERMISIONS Lets look at the code: <permission android:name="com.example.EXAMPLE_PERM“ android:label="@string/example_perm_l“ android:description="@string/example_perm_d“ android:icon="@drawable/example_perm_i“ android:protectionLevel="signature" /> ... <service android:name=".ServiceExample“ android:permission="com.example.EXAMPLE_PERM"> <intent-filter>...</intent-filter> </service> Copyright © 1995-2012 SAMSUNG All rights reserved
PERMISIONS Don't be the weakest link Always check the permission of a caller if you use your permission private boolean checkPermission(Context context) { String permission = "com.example.EXAMPLE_PERM"; int res = context.checkCallingPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); } Copyright © 1995-2012 SAMSUNG All rights reserved
DISABLE USELESS ACTIVITIES Fit your components lifecycle to your application's lifecycle If before configuration (login, account creation, ...) a service or activity is not useful, disable it If your application handles common implicit Intent's actions like ACTION_VIEW or ACTION_SEND consider disabling it by default Copyright © 1995-2012 SAMSUNG All rights reserved
DISABLE USELESS ACTIVITIES Disabled: <activity android:name="com.example.Activity" android:label="@string/app_name" android:enabled="false"> </activity> Enabled: PackageManager.setComponentEnabledSetting(componentName, newState, flags); Copyright © 1995-2012 SAMSUNG All rights reserved
STORING DATA WISELY Protect personal data using MODE_PRIVATE for data files, shared preferences, and databases: openFileOutput() openSharedPreferences() openOrCreateDatabase() External storage (sdcard) is shared storage Copyright © 1995-2012 SAMSUNG All rights reserved
PLEASE... SHUT THE FUCK UP! Don't expose data through logcat on production Detect the build mode with BuildConfig.DEBUG public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Be careful about this subject and test it during QA Copyright © 1995-2012 SAMSUNG All rights reserved
PROTECTING APP FROM USERS No more android:debuggable on the manifest Don't leave this enabled in release code! ADT 8.0+ do it for you automatically Copyright © 1995-2012 SAMSUNG All rights reserved
PROTECTING APP FROM USERS $ adb shell shell@android:/ $ run-as com.android.example sh shell@android:/data/data/com.android.example $ id uid=10060(app_60) gid=10060(app_60) shell@android:/data/data/com.android.example $ ls files/secret_data.txt shell@android:/data/data/com.android.example $ cat files/secret_data.txt Copyright © 1995-2012 SAMSUNG All rights reserved
IT'S NOT JUST ABOUT YOUR APP INSECURE NETWORK LOST OR STOLEN DEVICES
USE SAFE NETWORKING HTTPS and SSL can protect against Man in the Middle attacks and prevent casual snooping Server certificate validity must be correctly checked "15% of apps have weak or bad SSL implementation on the Play Store" Free certified SSL: https://www.startssl.com/ Copyright © 1995-2012 SAMSUNG All rights reserved
DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS ...but it may help discouraging curious. Use a peer-reviewed library like KeyCzar Take care of the key : Create it at first start, with true random Or grab a user key from your server Or ask the user for a passphrase you won't store Copyright © 1995-2012 SAMSUNG All rights reserved
DEVICE ADMINISTRATION On a corporate environment, device administration can be considered Password management Device encryption Disable camera Lock the device Remote wipe Copyright © 1995-2012 SAMSUNG All rights reserved
BEHIND THE STAGE The APK's content is always world readable, take care about what you put inside Sensitive files should be kept out of the APK Java is open source, your code too Using Proguard takes a single line of code Or... Dex encryption AAPT modified Logic on server Copyright © 1995-2012 SAMSUNG All rights reserved
IT'S NOT JUST ABOUT SECURITY THINK ABOUT POLITICS...
THE SECURITY PARADOX Copyright © 1995-2012 SAMSUNG All rights reserved
NEVER FORGET THE USER, NEVAAAAA! "The more secure you make something, the less secure it becomes" Level the security following the user acceptance or... Users will find workarounds Users won't use your service Copyright © 1995-2012 SAMSUNG All rights reserved
REFERENCES Google I/O 2012 Sessions Android Developpers Live Youtube channel Android Developement Android Developement: Using Cryptography The Commons Blog InformationWeek: Security Paradox ThreatPost: SLL implementation on Android apps StartSSL Free certificates Copyright © 1995-2012 SAMSUNG All rights reserved
SAMSUNG SMART APP CHALLENGE 2013 SAMSUNG SMART APP CHALLENGE 2013 A Global app challenge Apps for the Galaxy S4 Use of Samsung Chord SDK Apply June 20 - August 31 $800,000 for 10 winners www.smartappchallenge.com
SAMSUNG DEVELOPERS http://developer.samsung.com SDKs and Documentation Samsung Chord SDK Bluetooth Low Energy SDK S Pen & Multi Window SDK AllShare Framework Remote Test Lab Test your applications on real devices through the internet Free 24H 365 Days Real Device, NOT emulator Multiple Devices
THANK YOU! Slides http://bit.ly/droidcon-sec http://eyal.fr

Empfohlen

Droidcon secureyourapp fighttheleaks-samsung
Droidcon secureyourapp fighttheleaks-samsungDroidcon secureyourapp fighttheleaks-samsung
Droidcon secureyourapp fighttheleaks-samsungottot
 
Instrumentation 101
Instrumentation 101Instrumentation 101
Instrumentation 101Apkudo
 
Testing Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToTesting Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToApkudo
 
PlayStore bashing: learn from the biggest fails on the Google Play Store
PlayStore bashing: learn from the biggest fails on the Google Play StorePlayStore bashing: learn from the biggest fails on the Google Play Store
PlayStore bashing: learn from the biggest fails on the Google Play StoreEyal Lezmy
 
Gradle plugin, take control of the build
Gradle plugin, take control of the buildGradle plugin, take control of the build
Gradle plugin, take control of the buildEyal Lezmy
 
Android, the life of your app
Android, the life of your appAndroid, the life of your app
Android, the life of your appEyal Lezmy
 
Build a user experience on Android
Build a user experience on AndroidBuild a user experience on Android
Build a user experience on AndroidEyal Lezmy
 
Android mit Google Befreiung, PlayStore Apps im eigenen Repo
Android mit Google Befreiung, PlayStore Apps im eigenen RepoAndroid mit Google Befreiung, PlayStore Apps im eigenen Repo
Android mit Google Befreiung, PlayStore Apps im eigenen RepoB1 Systems GmbH
 

Empfohlen

Droidcon secureyourapp fighttheleaks-samsung
Droidcon secureyourapp fighttheleaks-samsungDroidcon secureyourapp fighttheleaks-samsung
Droidcon secureyourapp fighttheleaks-samsungottot
 
Instrumentation 101
Instrumentation 101Instrumentation 101
Instrumentation 101Apkudo
 
Testing Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToTesting Sucks, But It Doesn't Have To
Testing Sucks, But It Doesn't Have ToApkudo
 
PlayStore bashing: learn from the biggest fails on the Google Play Store
PlayStore bashing: learn from the biggest fails on the Google Play StorePlayStore bashing: learn from the biggest fails on the Google Play Store
PlayStore bashing: learn from the biggest fails on the Google Play StoreEyal Lezmy
 
Gradle plugin, take control of the build
Gradle plugin, take control of the buildGradle plugin, take control of the build
Gradle plugin, take control of the buildEyal Lezmy
 
Android, the life of your app
Android, the life of your appAndroid, the life of your app
Android, the life of your appEyal Lezmy
 
Build a user experience on Android
Build a user experience on AndroidBuild a user experience on Android
Build a user experience on AndroidEyal Lezmy
 
Android mit Google Befreiung, PlayStore Apps im eigenen Repo
Android mit Google Befreiung, PlayStore Apps im eigenen RepoAndroid mit Google Befreiung, PlayStore Apps im eigenen Repo
Android mit Google Befreiung, PlayStore Apps im eigenen RepoB1 Systems GmbH
 
Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobesiTrobes
 
Migrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMigrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMotorola Mobility - MOTODEV
 
Security - Part II.pdf
Security - Part II.pdfSecurity - Part II.pdf
Security - Part II.pdfShaiAlmog1
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Codemotion
 
MobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application DevelopmentMobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application Developmentmobilizeurapps
 
Sightly_techInsight
Sightly_techInsightSightly_techInsight
Sightly_techInsightPurnendra Pratap Singh
 
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cGokhan Atil
 
X Means Y
X Means YX Means Y
X Means YCommonsWare
 
Delivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETDelivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETSimon Haslam
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Sst hackathon express
Sst hackathon expressSst hackathon express
Sst hackathon expressAeshan Wijetunge
 
JMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocialJMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocialRyan Baxter
 
Oracle mcs overview 1029
Oracle mcs overview 1029Oracle mcs overview 1029
Oracle mcs overview 1029Oracle Corporation
 
Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiBruno Borges
 
Securing Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeSecuring Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeCodeOps Technologies LLP
 
Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Sujee Maniyam
 
Android - Open Source Bridge 2011
Android - Open Source Bridge 2011Android - Open Source Bridge 2011
Android - Open Source Bridge 2011sullis
 
Lesson 10
Lesson 10Lesson 10
Lesson 10CITSimon
 
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...Codemotion
 
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for DevelopersBuilding Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developersarumsey
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Weitere ähnliche Inhalte

Ähnlich wie SECURE YOUR APP FIGHT THE LEAKS

Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobesiTrobes
 
Security - Part II.pdf
Security - Part II.pdfSecurity - Part II.pdf
Security - Part II.pdfShaiAlmog1
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Codemotion
 
MobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application DevelopmentMobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application Developmentmobilizeurapps
 
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cGokhan Atil
 
Delivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETDelivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETSimon Haslam
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
JMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocialJMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocialRyan Baxter
 
Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiBruno Borges
 
Securing Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeSecuring Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeCodeOps Technologies LLP
 
Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Sujee Maniyam
 
Android - Open Source Bridge 2011
Android - Open Source Bridge 2011Android - Open Source Bridge 2011
Android - Open Source Bridge 2011sullis
 
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...Codemotion
 
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for DevelopersBuilding Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developersarumsey
 

Ähnlich wie SECURE YOUR APP FIGHT THE LEAKS (20)

Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobes
 
Migrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMigrating JavaME Apps to Android
Migrating JavaME Apps to Android
 
Security - Part II.pdf
Security - Part II.pdfSecurity - Part II.pdf
Security - Part II.pdf
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
 
MobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application DevelopmentMobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application Development
 
Sightly_techInsight
Sightly_techInsightSightly_techInsight
Sightly_techInsight
 
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
 
X Means Y
X Means YX Means Y
X Means Y
 
Delivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETDelivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JET
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Sst hackathon express
Sst hackathon expressSst hackathon express
Sst hackathon express
 
JMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocialJMP102 Extending Your App Arsenal With OpenSocial
JMP102 Extending Your App Arsenal With OpenSocial
 
Oracle mcs overview 1029
Oracle mcs overview 1029Oracle mcs overview 1029
Oracle mcs overview 1029
 
Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry Pi
 
Securing Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeSecuring Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - Adobe
 
Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)
 
Android - Open Source Bridge 2011
Android - Open Source Bridge 2011Android - Open Source Bridge 2011
Android - Open Source Bridge 2011
 
Lesson 10
Lesson 10Lesson 10
Lesson 10
 
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
Sviluppo IoT - Un approccio standard da Nerd ad Impresa, prove pratiche di Me...
 
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for DevelopersBuilding Mobile Apps: A PhoneGap Enterprise Introduction for Developers
Building Mobile Apps: A PhoneGap Enterprise Introduction for Developers
 

Kürzlich hochgeladen

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Kürzlich hochgeladen (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

SECURE YOUR APP FIGHT THE LEAKS

  • 1. SECURE YOUR APP FIGHT THE LEAKS! DROIDCON PARIS 2013
  • 2. EYAL LEZMY ANDROID PRESALES ENGINEER, SAMSUNG B2B TREASURER AT PARIS ANDROID USER GROUP ANDROID GOOGLE DEVELOPER EXPERT Slides http://bit.ly/droidcon-sec http://eyal.fr
  • 4. APPS HAVE TO RESPECT THE DATA Different ways to unintentionally grant other apps access to the data inside your application : Exporting an unprotected component Storing personal data in a world readable file Logging personal data in logcat logs Copyright © 1995-2012 SAMSUNG All rights reserved
  • 5. CHECK YOUR ANDROIDMANIFEST.XML It declares accessible app components Activity, Service, Receive,... Adding <intent-filter> => your element is exported by default ContentProvider is always exported by default, until android:targetSdkVersion="17" Copyright © 1995-2012 SAMSUNG All rights reserved
  • 6. CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications <application android:label="@string/app_name"> … <service android:name=".ServiceExample“ android:exported="false"> <intent-filter> … </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
  • 7. CHECK YOUR ANDROIDMANIFEST.XML Don't export app components unless you want to share their content with other applications to <application android:label="@string/app_name"> ity itim … leg a? <service android:name=".ServiceExample“ ur at yo e d android:exported="false"> t is pos <intent-filter> ha ex … W </intent-filter> </service> … </application> Copyright © 1995-2012 SAMSUNG All rights reserved
  • 8. PERMISIONS There are different permission protection levels: normal Lower risk permission dangerous Higher risk, access to user private data, potential negative impact signature Needs the same certificate signature Copyright © 1995-2012 SAMSUNG All rights reserved
  • 9. PERMISIONS Lets look at the code: <permission android:name="com.example.EXAMPLE_PERM“ android:label="@string/example_perm_l“ android:description="@string/example_perm_d“ android:icon="@drawable/example_perm_i“ android:protectionLevel="signature" /> ... <service android:name=".ServiceExample“ android:permission="com.example.EXAMPLE_PERM"> <intent-filter>...</intent-filter> </service> Copyright © 1995-2012 SAMSUNG All rights reserved
  • 10. PERMISIONS Don't be the weakest link Always check the permission of a caller if you use your permission private boolean checkPermission(Context context) { String permission = "com.example.EXAMPLE_PERM"; int res = context.checkCallingPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); } Copyright © 1995-2012 SAMSUNG All rights reserved
  • 11. DISABLE USELESS ACTIVITIES Fit your components lifecycle to your application's lifecycle If before configuration (login, account creation, ...) a service or activity is not useful, disable it If your application handles common implicit Intent's actions like ACTION_VIEW or ACTION_SEND consider disabling it by default Copyright © 1995-2012 SAMSUNG All rights reserved
  • 13. STORING DATA WISELY Protect personal data using MODE_PRIVATE for data files, shared preferences, and databases: openFileOutput() openSharedPreferences() openOrCreateDatabase() External storage (sdcard) is shared storage Copyright © 1995-2012 SAMSUNG All rights reserved
  • 14. PLEASE... SHUT THE FUCK UP! Don't expose data through logcat on production Detect the build mode with BuildConfig.DEBUG public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Be careful about this subject and test it during QA Copyright © 1995-2012 SAMSUNG All rights reserved
  • 15. PROTECTING APP FROM USERS No more android:debuggable on the manifest Don't leave this enabled in release code! ADT 8.0+ do it for you automatically Copyright © 1995-2012 SAMSUNG All rights reserved
  • 16. PROTECTING APP FROM USERS $ adb shell shell@android:/ $ run-as com.android.example sh shell@android:/data/data/com.android.example $ id uid=10060(app_60) gid=10060(app_60) shell@android:/data/data/com.android.example $ ls files/secret_data.txt shell@android:/data/data/com.android.example $ cat files/secret_data.txt Copyright © 1995-2012 SAMSUNG All rights reserved
  • 17. IT'S NOT JUST ABOUT YOUR APP INSECURE NETWORK LOST OR STOLEN DEVICES
  • 18. USE SAFE NETWORKING HTTPS and SSL can protect against Man in the Middle attacks and prevent casual snooping Server certificate validity must be correctly checked "15% of apps have weak or bad SSL implementation on the Play Store" Free certified SSL: https://www.startssl.com/ Copyright © 1995-2012 SAMSUNG All rights reserved
  • 19. DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS ...but it may help discouraging curious. Use a peer-reviewed library like KeyCzar Take care of the key : Create it at first start, with true random Or grab a user key from your server Or ask the user for a passphrase you won't store Copyright © 1995-2012 SAMSUNG All rights reserved
  • 20. DEVICE ADMINISTRATION On a corporate environment, device administration can be considered Password management Device encryption Disable camera Lock the device Remote wipe Copyright © 1995-2012 SAMSUNG All rights reserved
  • 21. BEHIND THE STAGE The APK's content is always world readable, take care about what you put inside Sensitive files should be kept out of the APK Java is open source, your code too Using Proguard takes a single line of code Or... Dex encryption AAPT modified Logic on server Copyright © 1995-2012 SAMSUNG All rights reserved
  • 22. IT'S NOT JUST ABOUT SECURITY THINK ABOUT POLITICS...
  • 23. THE SECURITY PARADOX Copyright © 1995-2012 SAMSUNG All rights reserved
  • 24. NEVER FORGET THE USER, NEVAAAAA! "The more secure you make something, the less secure it becomes" Level the security following the user acceptance or... Users will find workarounds Users won't use your service Copyright © 1995-2012 SAMSUNG All rights reserved
  • 25. REFERENCES Google I/O 2012 Sessions Android Developpers Live Youtube channel Android Developement Android Developement: Using Cryptography The Commons Blog InformationWeek: Security Paradox ThreatPost: SLL implementation on Android apps StartSSL Free certificates Copyright © 1995-2012 SAMSUNG All rights reserved
  • 26. SAMSUNG SMART APP CHALLENGE 2013 SAMSUNG SMART APP CHALLENGE 2013 A Global app challenge Apps for the Galaxy S4 Use of Samsung Chord SDK Apply June 20 - August 31 $800,000 for 10 winners www.smartappchallenge.com
  • 27. SAMSUNG DEVELOPERS http://developer.samsung.com SDKs and Documentation Samsung Chord SDK Bluetooth Low Energy SDK S Pen & Multi Window SDK AllShare Framework Remote Test Lab Test your applications on real devices through the internet Free 24H 365 Days Real Device, NOT emulator Multiple Devices