More Related Content Similar to Смирнов Александр, Security in Android Application (20) Смирнов Александр, Security in Android Application2. - 3+ years Android dev
- 6+ years commercial dev
- 1 year bank app dev
- BlackHat friends since 2007
- DC7499 member
WhoAmI
2
4. - Android Security Model
- Reality
- Vulnerabilities
- One more sentence
- Appendix
Agenda
4
7. Application Isolation
7
- isolate CPU, RAM, devices, files in
private directory
- every app run in own process
- every app has own UserID and
GroupID
- every app run in own instance of
Dalvik VM
9. - Is the parent of all App processes
- COW(Copy On Write) strategy
- /dev/socket/zygote
Zygote
9
App 1
App 2
App 3
Zygote
fork()
fork()
fork()
start new
App
10. - Before M
- After M
- Custom permissions
- Protection level
Permissions
10
11. - Protect user data
- Protect system resources
- Provide application isolation
Android Security Overview
11
16. - Memory Cache
- DB + SQLCipher
- SharedPreference +
MODE_PRIVATE + Cipher
- 21+ setStorageEncryption for
local files
- KeyStore
Data Storage
16
17. - MITM has you
- Check network – why?
- Diffie–Hellman key exchange
- Certificate Pinning == SSL Pinning
(okhttp 2.7.4 || 3.1.2)
Transport
17
18. - Use explicit intents
- Validate Input
- Manifest:
intent-filter = exported=«yes»
Intent
18
19. - Secure PUSH
- Mobile application
- SIMApplets
- DCV (Dynamic Code Verification)
2FA: SMS
19
20. - Custom keyboard
- Secure persistent datastore
- No EditText
- No immutable (Strings -> char[])
- Notify if root
Insecure Device
20
21. - Check debug
- Verify sign
- Emulator check
- Obfuscation
- JNI
Reverse Protection
21
23. - Convenience vs Security
- Socialization & Tools
- Layered Security
- Better than others
- OWASP TOP 10 Mobile Risks
One more sentence
23
25. - Cyber Risk Report: bit.ly/1MuoIDS
- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv
- DefCon Groups List: bit.ly/1JQlNgC
- Triada Malware: bit.ly/1qvyFqY
- Obfuscation tools list: bit.ly/1XiHf6Z
- Security Official Docs: bit.ly/1qvw1BK
- Diffie–Hellman Video: bit.ly/23jV7Se
- Tools for SA and Hacking: bit.ly/1qvxpUM
Additional Information
25