Смирнов Александр, Security in Android Application
•
0 likes•379 views
Рассмотрим best practices в обеспечении безопасности мобильных приложений, модель безопасности Android, ключевые уязвимости и способы защиты от них.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Смирнов Александр, Security in Android Application
Similar to Смирнов Александр, Security in Android Application (20)
More from SECON
More from SECON (20)
Recently uploaded
Recently uploaded (6)
Смирнов Александр, Security in Android Application
- 2. - 3+ years Android dev - 6+ years commercial dev - 1 year bank app dev - BlackHat friends since 2007 - DC7499 member WhoAmI 2
- 3. Why? 3
- 4. - Android Security Model - Reality - Vulnerabilities - One more sentence - Appendix Agenda 4
- 5. Security • I • Android Security Model 5
- 6. 6
- 7. Application Isolation 7 - isolate CPU, RAM, devices, files in private directory - every app run in own process - every app has own UserID and GroupID - every app run in own instance of Dalvik VM
- 9. - Is the parent of all App processes - COW(Copy On Write) strategy - /dev/socket/zygote Zygote 9 App 1 App 2 App 3 Zygote fork() fork() fork() start new App
- 10. - Before M - After M - Custom permissions - Protection level Permissions 10
- 11. - Protect user data - Protect system resources - Provide application isolation Android Security Overview 11
- 12. • II • Android Security Model Reality Security 12
- 13. 13 Root
- 14. 14 TRIADA
- 16. - Memory Cache - DB + SQLCipher - SharedPreference + MODE_PRIVATE + Cipher - 21+ setStorageEncryption for local files - KeyStore Data Storage 16
- 17. - MITM has you - Check network – why? - Diffie–Hellman key exchange - Certificate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2) Transport 17
- 18. - Use explicit intents - Validate Input - Manifest: intent-filter = exported=«yes» Intent 18
- 19. - Secure PUSH - Mobile application - SIMApplets - DCV (Dynamic Code Verification) 2FA: SMS 19
- 20. - Custom keyboard - Secure persistent datastore - No EditText - No immutable (Strings -> char[]) - Notify if root Insecure Device 20
- 21. - Check debug - Verify sign - Emulator check - Obfuscation - JNI Reverse Protection 21
- 22. Security 22 • IV • One more sentence
- 23. - Convenience vs Security - Socialization & Tools - Layered Security - Better than others - OWASP TOP 10 Mobile Risks One more sentence 23
- 25. - Cyber Risk Report: bit.ly/1MuoIDS - OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv - DefCon Groups List: bit.ly/1JQlNgC - Triada Malware: bit.ly/1qvyFqY - Obfuscation tools list: bit.ly/1XiHf6Z - Security Official Docs: bit.ly/1qvw1BK - Diffie–Hellman Video: bit.ly/23jV7Se - Tools for SA and Hacking: bit.ly/1qvxpUM Additional Information 25
- 26. - Android Security Model - Reality - Vulnerabilities - One more sentence Result 26