SlideShare ist ein Scribd-Unternehmen logo

Droidcon secureyourapp fighttheleaks-samsung

O
ottot
Technologie
1 von 27
Downloaden Sie, um offline zu lesen
SECURE YOUR APP FIGHT THE LEAKS! DROIDCON PARIS 2013
EYAL LEZMY Slides http://bit.ly/droidcon-sec http://eyal.fr ANDROID PRESALES ENGINEER, SAMSUNG B2B TREASURER AT PARIS ANDROID USER GROUP ANDROID GOOGLE DEVELOPER EXPERT
DON'T LET HIM DOWN THE USER TRUSTS YOU Company
Copyright © 1995-2012 SAMSUNG All rights reserved APPS HAVE TO RESPECT THE DATA Different ways to unintentionally grant other apps access to the data inside your application : Exporting an unprotected component Storing personal data in a world readable file Logging personal data in logcat logs
Copyright © 1995-2012 SAMSUNG All rights reserved It declares accessible app components Activity, Service, Receive,... Adding <intent-filter> => your element is exported by default CHECK YOUR ANDROIDMANIFEST.XML ContentProvider is always exported by default, until android:targetSdkVersion="17"
Copyright © 1995-2012 SAMSUNG All rights reserved Don't export app components unless you want to share their content with other applications <application android:label="@string/app_name"> … <service android:name=".ServiceExample“ android:exported="false"> <intent-filter> … </intent-filter> </service> … </application> What is your legitimity to expose data? CHECK YOUR ANDROIDMANIFEST.XML
Copyright © 1995-2012 SAMSUNG All rights reserved There are different permission protection levels: normal Lower risk permission dangerous Higher risk, access to user private data, potential negative impact signature Needs the same certificate signature PERMISIONS
Copyright © 1995-2012 SAMSUNG All rights reserved Lets look at the code: <permission android:name="com.example.EXAMPLE_PERM“ android:label="@string/example_perm_l“ android:description="@string/example_perm_d“ android:icon="@drawable/example_perm_i“ android:protectionLevel="signature" /> ... <service android:name=".ServiceExample“ android:permission="com.example.EXAMPLE_PERM"> <intent-filter>...</intent-filter> </service> PERMISIONS
Copyright © 1995-2012 SAMSUNG All rights reserved Don't be the weakest link private boolean checkPermission(Context context) { String permission = "com.example.EXAMPLE_PERM"; int res = context.checkCallingPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); } PERMISIONS Always check the permission of a caller if you use your permission
Copyright © 1995-2012 SAMSUNG All rights reserved DISABLE USELESS ACTIVITIES Fit your components lifecycle to your application's lifecycle If before configuration (login, account creation, ...) a service or activity is not useful, disable it If your application handles common implicit Intent's actions like ACTION_VIEW or ACTION_SEND consider disabling it by default
Copyright © 1995-2012 SAMSUNG All rights reserved PackageManager.setComponentEnabledSetting(componentName, newState, flags); DISABLE USELESS ACTIVITIES <activity android:name="com.example.Activity" android:label="@string/app_name" android:enabled="false"> </activity> Disabled: Enabled:
Copyright © 1995-2012 SAMSUNG All rights reserved STORING DATA WISELY Protect personal data using MODE_PRIVATE for data files, shared preferences, and databases: openFileOutput() openSharedPreferences() openOrCreateDatabase() External storage (sdcard) is shared storage
Copyright © 1995-2012 SAMSUNG All rights reserved PLEASE... SHUT THE FUCK UP! public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Don't expose data through logcat on production Detect the build mode with BuildConfig.DEBUG Be careful about this subject and test it during QA
Copyright © 1995-2012 SAMSUNG All rights reserved PROTECTING APP FROM USERS No more android:debuggable on the manifest Don't leave this enabled in release code! ADT 8.0+ do it for you automatically
Copyright © 1995-2012 SAMSUNG All rights reserved $ adb shell shell@android:/ $ run-as com.android.example sh shell@android:/data/data/com.android.example $ id uid=10060(app_60) gid=10060(app_60) shell@android:/data/data/com.android.example $ ls files/secret_data.txt shell@android:/data/data/com.android.example $ cat files/secret_data.txt PROTECTING APP FROM USERS
IT'S NOT JUST ABOUT YOUR APP INSECURE NETWORK LOST OR STOLEN DEVICES
Copyright © 1995-2012 SAMSUNG All rights reserved Free certified SSL: https://www.startssl.com/ USE SAFE NETWORKING HTTPS and SSL can protect against Man in the Middle attacks and prevent casual snooping Server certificate validity must be correctly checked "15% of apps have weak or bad SSL implementation on the Play Store"
Copyright © 1995-2012 SAMSUNG All rights reserved ...but it may help discouraging curious. Use a peer-reviewed library like KeyCzar Take care of the key : Create it at first start, with true random Or grab a user key from your server Or ask the user for a passphrase you won't store DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS
Copyright © 1995-2012 SAMSUNG All rights reserved On a corporate environment, device administration can be considered Password management Device encryption Disable camera Lock the device Remote wipe DEVICE ADMINISTRATION
Copyright © 1995-2012 SAMSUNG All rights reserved BEHIND THE STAGE The APK's content is always world readable, take care about what you put inside Sensitive files should be kept out of the APK Java is open source, your code too Using Proguard takes a single line of code Or... Dex encryption AAPT modified Logic on server
IT'S NOT JUST ABOUT SECURITY THINK ABOUT POLITICS...
Copyright © 1995-2012 SAMSUNG All rights reserved THE SECURITY PARADOX
Copyright © 1995-2012 SAMSUNG All rights reserved "The more secure you make something, the less secure it becomes" Level the security following the user acceptance or... Users will find workarounds Users won't use your service NEVER FORGET THE USER, NEVAAAAA!
Copyright © 1995-2012 SAMSUNG All rights reserved REFERENCES Google I/O 2012 Sessions Android Developpers Live Youtube channel Android Developement Android Developement: Using Cryptography The Commons Blog InformationWeek: Security Paradox ThreatPost: SLL implementation on Android apps StartSSL Free certificates
SAMSUNG SMART APP CHALLENGE 2013 SAMSUNG SMART APP CHALLENGE 2013 A Global app challenge Apps for the Galaxy S4 Use of Samsung Chord SDK Apply June 20 - August 31 www.smartappchallenge.com $800,000 for 10 winners
SAMSUNG DEVELOPERS SDKs and Documentation http://developer.samsung.com Samsung Chord SDK Bluetooth Low Energy SDK Remote Test Lab Test your applications on real devices through the internet Free 24H 365 Days S Pen & Multi Window SDK AllShare Framework Real Device, NOT emulator Multiple Devices
THANK YOU! Slides http://bit.ly/droidcon-sec http://eyal.fr

Empfohlen

Secure your Android app- fight the leaks!
Secure your Android app- fight the leaks!Secure your Android app- fight the leaks!
Secure your Android app- fight the leaks!
Eyal Lezmy
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละ
Nuumint
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน google
Nuumint
 
การศ กษาและค นคว_าอ_สละ (2)
การศ กษาและค นคว_าอ_สละ (2)การศ กษาและค นคว_าอ_สละ (2)
การศ กษาและค นคว_าอ_สละ (2)
Nuumint
 
Ge induccion comite coordinador v1
Ge induccion comite coordinador v1Ge induccion comite coordinador v1
Ge induccion comite coordinador v1
marcalema4
 
ประว ต ไมโครซอฟต_
ประว ต ไมโครซอฟต_ประว ต ไมโครซอฟต_
ประว ต ไมโครซอฟต_
Nuumint
 
Wonderful waves
Wonderful wavesWonderful waves
Wonderful waves
Frederick Green
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
Nuumint
 

Empfohlen

Secure your Android app- fight the leaks!
Secure your Android app- fight the leaks!Secure your Android app- fight the leaks!
Secure your Android app- fight the leaks!
Eyal Lezmy
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละ
Nuumint
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน google
Nuumint
 
การศ กษาและค นคว_าอ_สละ (2)
การศ กษาและค นคว_าอ_สละ (2)การศ กษาและค นคว_าอ_สละ (2)
การศ กษาและค นคว_าอ_สละ (2)
Nuumint
 
Ge induccion comite coordinador v1
Ge induccion comite coordinador v1Ge induccion comite coordinador v1
Ge induccion comite coordinador v1
marcalema4
 
ประว ต ไมโครซอฟต_
ประว ต ไมโครซอฟต_ประว ต ไมโครซอฟต_
ประว ต ไมโครซอฟต_
Nuumint
 
Wonderful waves
Wonderful wavesWonderful waves
Wonderful waves
Frederick Green
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
Nuumint
 
ว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ bloggerว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ blogger
Nuumint
 
SEO Training in Mahabubnagar
SEO Training in MahabubnagarSEO Training in Mahabubnagar
SEO Training in Mahabubnagar
Subhash Malgam
 
Digital marketing presentation
Digital marketing presentationDigital marketing presentation
Digital marketing presentation
Subhash Malgam
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน google
Nuumint
 
seo training in mahabubnagar
seo training in mahabubnagarseo training in mahabubnagar
seo training in mahabubnagar
Subhash Malgam
 
Introduction to Donaldson and Company
Introduction to Donaldson and CompanyIntroduction to Donaldson and Company
Introduction to Donaldson and Company
thaistartupreview
 
Ppt tekpen wiwin
Ppt tekpen wiwinPpt tekpen wiwin
Ppt tekpen wiwin
wiwin_dari
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
Nuumint
 
2
22
2
Bank Supamoon
 
HospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart DevicesHospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart Devices
Vishvi Vidanapathirana
 
Narkoba
NarkobaNarkoba
Narkoba
yunirfaithful
 
e-commerse website
e-commerse websitee-commerse website
e-commerse website
Subhash Malgam
 
Blogger
BloggerBlogger
Blogger
Nuumint
 
Managementbijeenkomst ktv
Managementbijeenkomst ktvManagementbijeenkomst ktv
Managementbijeenkomst ktv
Julian Laan
 
Future tense
Future tenseFuture tense
Future tense
Isnaini22
 
Newton and feynman
Newton and feynmanNewton and feynman
Newton and feynman
Frederick Green
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละ
Nuumint
 
3 neomezená veřejná zakázka
3 neomezená veřejná zakázka3 neomezená veřejná zakázka
3 neomezená veřejná zakázka
ondrejbaarcz
 
Ppt uas admin maya
Ppt uas admin mayaPpt uas admin maya
Ppt uas admin maya
maya38
 
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Gokhan Atil
 
Migrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMigrating JavaME Apps to Android
Migrating JavaME Apps to Android
Motorola Mobility - MOTODEV
 
Java Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-EnterpriseJava Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-Enterprise
Eric Vétillard
 

Weitere ähnliche Inhalte

Andere mochten auch

ว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ bloggerว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ blogger
Nuumint
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน google
Nuumint
 
Ppt tekpen wiwin
Ppt tekpen wiwinPpt tekpen wiwin
Ppt tekpen wiwin
wiwin_dari
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
Nuumint
 
Managementbijeenkomst ktv
Managementbijeenkomst ktvManagementbijeenkomst ktv
Managementbijeenkomst ktv
Julian Laan
 
Future tense
Future tenseFuture tense
Future tense
Isnaini22
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละ
Nuumint
 
3 neomezená veřejná zakázka
3 neomezená veřejná zakázka3 neomezená veřejná zakázka
3 neomezená veřejná zakázka
ondrejbaarcz
 
Ppt uas admin maya
Ppt uas admin mayaPpt uas admin maya
Ppt uas admin maya
maya38
 

Andere mochten auch (19)

ว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ bloggerว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ blogger
 
SEO Training in Mahabubnagar
SEO Training in MahabubnagarSEO Training in Mahabubnagar
SEO Training in Mahabubnagar
 
Digital marketing presentation
Digital marketing presentationDigital marketing presentation
Digital marketing presentation
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน google
 
seo training in mahabubnagar
seo training in mahabubnagarseo training in mahabubnagar
seo training in mahabubnagar
 
Introduction to Donaldson and Company
Introduction to Donaldson and CompanyIntroduction to Donaldson and Company
Introduction to Donaldson and Company
 
Ppt tekpen wiwin
Ppt tekpen wiwinPpt tekpen wiwin
Ppt tekpen wiwin
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
 
2
22
2
 
HospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart DevicesHospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart Devices
 
Narkoba
NarkobaNarkoba
Narkoba
 
e-commerse website
e-commerse websitee-commerse website
e-commerse website
 
Blogger
BloggerBlogger
Blogger
 
Managementbijeenkomst ktv
Managementbijeenkomst ktvManagementbijeenkomst ktv
Managementbijeenkomst ktv
 
Future tense
Future tenseFuture tense
Future tense
 
Newton and feynman
Newton and feynmanNewton and feynman
Newton and feynman
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละ
 
3 neomezená veřejná zakázka
3 neomezená veřejná zakázka3 neomezená veřejná zakázka
3 neomezená veřejná zakázka
 
Ppt uas admin maya
Ppt uas admin mayaPpt uas admin maya
Ppt uas admin maya
 

Ähnlich wie Droidcon secureyourapp fighttheleaks-samsung

Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry Pi
Bruno Borges
 
DDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileDDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice Mobile
Angelo Corsaro
 
MySQL Administration and Monitoring
MySQL Administration and MonitoringMySQL Administration and Monitoring
MySQL Administration and Monitoring
Mark Leith
 
A Importância do JavaFX no Mercado Embedded
A Importância do JavaFX no Mercado EmbeddedA Importância do JavaFX no Mercado Embedded
A Importância do JavaFX no Mercado Embedded
Bruno Borges
 

Ähnlich wie Droidcon secureyourapp fighttheleaks-samsung (20)

Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
 
Migrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMigrating JavaME Apps to Android
Migrating JavaME Apps to Android
 
Java Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-EnterpriseJava Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-Enterprise
 
First Steps with Java Card
First Steps with Java CardFirst Steps with Java Card
First Steps with Java Card
 
Security - Part II.pdf
Security - Part II.pdfSecurity - Part II.pdf
Security - Part II.pdf
 
Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry Pi
 
MobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application DevelopmentMobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application Development
 
Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobes
 
Lesson 10
Lesson 10Lesson 10
Lesson 10
 
DDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileDDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice Mobile
 
Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)
 
Sightly_techInsight
Sightly_techInsightSightly_techInsight
Sightly_techInsight
 
MySQL Administration and Monitoring
MySQL Administration and MonitoringMySQL Administration and Monitoring
MySQL Administration and Monitoring
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
 
EBsSDKForJavaWithOracleADF_ppt.ppt
EBsSDKForJavaWithOracleADF_ppt.pptEBsSDKForJavaWithOracleADF_ppt.ppt
EBsSDKForJavaWithOracleADF_ppt.ppt
 
Delivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETDelivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JET
 
A Importância do JavaFX no Mercado Embedded
A Importância do JavaFX no Mercado EmbeddedA Importância do JavaFX no Mercado Embedded
A Importância do JavaFX no Mercado Embedded
 
MySQL para Desenvolvedores de Games
MySQL para Desenvolvedores de GamesMySQL para Desenvolvedores de Games
MySQL para Desenvolvedores de Games
 
X Means Y
X Means YX Means Y
X Means Y
 
Java Card, 15 years later
Java Card, 15 years laterJava Card, 15 years later
Java Card, 15 years later
 

Kürzlich hochgeladen

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Droidcon secureyourapp fighttheleaks-samsung

  • 1. SECURE YOUR APP FIGHT THE LEAKS! DROIDCON PARIS 2013
  • 2. EYAL LEZMY Slides http://bit.ly/droidcon-sec http://eyal.fr ANDROID PRESALES ENGINEER, SAMSUNG B2B TREASURER AT PARIS ANDROID USER GROUP ANDROID GOOGLE DEVELOPER EXPERT
  • 3. DON'T LET HIM DOWN THE USER TRUSTS YOU Company
  • 4. Copyright © 1995-2012 SAMSUNG All rights reserved APPS HAVE TO RESPECT THE DATA Different ways to unintentionally grant other apps access to the data inside your application : Exporting an unprotected component Storing personal data in a world readable file Logging personal data in logcat logs
  • 5. Copyright © 1995-2012 SAMSUNG All rights reserved It declares accessible app components Activity, Service, Receive,... Adding <intent-filter> => your element is exported by default CHECK YOUR ANDROIDMANIFEST.XML ContentProvider is always exported by default, until android:targetSdkVersion="17"
  • 6. Copyright © 1995-2012 SAMSUNG All rights reserved Don't export app components unless you want to share their content with other applications <application android:label="@string/app_name"> … <service android:name=".ServiceExample“ android:exported="false"> <intent-filter> … </intent-filter> </service> … </application> What is your legitimity to expose data? CHECK YOUR ANDROIDMANIFEST.XML
  • 7. Copyright © 1995-2012 SAMSUNG All rights reserved There are different permission protection levels: normal Lower risk permission dangerous Higher risk, access to user private data, potential negative impact signature Needs the same certificate signature PERMISIONS
  • 8. Copyright © 1995-2012 SAMSUNG All rights reserved Lets look at the code: <permission android:name="com.example.EXAMPLE_PERM“ android:label="@string/example_perm_l“ android:description="@string/example_perm_d“ android:icon="@drawable/example_perm_i“ android:protectionLevel="signature" /> ... <service android:name=".ServiceExample“ android:permission="com.example.EXAMPLE_PERM"> <intent-filter>...</intent-filter> </service> PERMISIONS
  • 9. Copyright © 1995-2012 SAMSUNG All rights reserved Don't be the weakest link private boolean checkPermission(Context context) { String permission = "com.example.EXAMPLE_PERM"; int res = context.checkCallingPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); } PERMISIONS Always check the permission of a caller if you use your permission
  • 10. Copyright © 1995-2012 SAMSUNG All rights reserved DISABLE USELESS ACTIVITIES Fit your components lifecycle to your application's lifecycle If before configuration (login, account creation, ...) a service or activity is not useful, disable it If your application handles common implicit Intent's actions like ACTION_VIEW or ACTION_SEND consider disabling it by default
  • 11. Copyright © 1995-2012 SAMSUNG All rights reserved PackageManager.setComponentEnabledSetting(componentName, newState, flags); DISABLE USELESS ACTIVITIES <activity android:name="com.example.Activity" android:label="@string/app_name" android:enabled="false"> </activity> Disabled: Enabled:
  • 12. Copyright © 1995-2012 SAMSUNG All rights reserved STORING DATA WISELY Protect personal data using MODE_PRIVATE for data files, shared preferences, and databases: openFileOutput() openSharedPreferences() openOrCreateDatabase() External storage (sdcard) is shared storage
  • 13. Copyright © 1995-2012 SAMSUNG All rights reserved PLEASE... SHUT THE FUCK UP! public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Don't expose data through logcat on production Detect the build mode with BuildConfig.DEBUG Be careful about this subject and test it during QA
  • 14. Copyright © 1995-2012 SAMSUNG All rights reserved PROTECTING APP FROM USERS No more android:debuggable on the manifest Don't leave this enabled in release code! ADT 8.0+ do it for you automatically
  • 15. Copyright © 1995-2012 SAMSUNG All rights reserved $ adb shell shell@android:/ $ run-as com.android.example sh shell@android:/data/data/com.android.example $ id uid=10060(app_60) gid=10060(app_60) shell@android:/data/data/com.android.example $ ls files/secret_data.txt shell@android:/data/data/com.android.example $ cat files/secret_data.txt PROTECTING APP FROM USERS
  • 16. IT'S NOT JUST ABOUT YOUR APP INSECURE NETWORK LOST OR STOLEN DEVICES
  • 17. Copyright © 1995-2012 SAMSUNG All rights reserved Free certified SSL: https://www.startssl.com/ USE SAFE NETWORKING HTTPS and SSL can protect against Man in the Middle attacks and prevent casual snooping Server certificate validity must be correctly checked "15% of apps have weak or bad SSL implementation on the Play Store"
  • 18. Copyright © 1995-2012 SAMSUNG All rights reserved ...but it may help discouraging curious. Use a peer-reviewed library like KeyCzar Take care of the key : Create it at first start, with true random Or grab a user key from your server Or ask the user for a passphrase you won't store DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS
  • 19. Copyright © 1995-2012 SAMSUNG All rights reserved On a corporate environment, device administration can be considered Password management Device encryption Disable camera Lock the device Remote wipe DEVICE ADMINISTRATION
  • 20. Copyright © 1995-2012 SAMSUNG All rights reserved BEHIND THE STAGE The APK's content is always world readable, take care about what you put inside Sensitive files should be kept out of the APK Java is open source, your code too Using Proguard takes a single line of code Or... Dex encryption AAPT modified Logic on server
  • 21. IT'S NOT JUST ABOUT SECURITY THINK ABOUT POLITICS...
  • 22. Copyright © 1995-2012 SAMSUNG All rights reserved THE SECURITY PARADOX
  • 23. Copyright © 1995-2012 SAMSUNG All rights reserved "The more secure you make something, the less secure it becomes" Level the security following the user acceptance or... Users will find workarounds Users won't use your service NEVER FORGET THE USER, NEVAAAAA!
  • 24. Copyright © 1995-2012 SAMSUNG All rights reserved REFERENCES Google I/O 2012 Sessions Android Developpers Live Youtube channel Android Developement Android Developement: Using Cryptography The Commons Blog InformationWeek: Security Paradox ThreatPost: SLL implementation on Android apps StartSSL Free certificates
  • 25. SAMSUNG SMART APP CHALLENGE 2013 SAMSUNG SMART APP CHALLENGE 2013 A Global app challenge Apps for the Galaxy S4 Use of Samsung Chord SDK Apply June 20 - August 31 www.smartappchallenge.com $800,000 for 10 winners
  • 26. SAMSUNG DEVELOPERS SDKs and Documentation http://developer.samsung.com Samsung Chord SDK Bluetooth Low Energy SDK Remote Test Lab Test your applications on real devices through the internet Free 24H 365 Days S Pen & Multi Window SDK AllShare Framework Real Device, NOT emulator Multiple Devices