Introduction to Android Security

Agenda:

1: Admin stuff

3: Android security model

2: Why this talk

4: “Best” practices

5: Reverse engineer an app

Admin stuff:

• You say what?

• .NET + Android + Web

• Independent contractor for DVT

• MSc Computer Science

• Toffie_cj@yahoo.com

• Give away

Why this talk:

• Get developers talking

• Android device increase

• Cybersecurity month

http://www.appbrain.com/stats/in-app-billing-android-applications

1 billion devices 2014

http://androidvulnerabilities.org/

Android security model:

Android framework

Android security model:

• Kernel security measures

• User based permissions

• Process isolation

• Secure IPC communication

“Best” practices:

• Data

• Internal data

• External data

• Content providers

• Permissions

• Demo

“Best” practices: Demo

• Network

• Https

• Telephony

• Check user input

• WebView

• Handling credentials

• Cryptography

• IPC

• Obfuscate

https://github.com/guardianproject/NetCipher

• https://github.com/rtyley/spongycastle/#downloads

• https://github.com/scottyab/secure-preferences

• Password-based encryption (PBE)

• SQLCipher • Device Management

• Fast IDentity Online (FIDO) Alliance (https://fidoalliance.org/)

Reverser engineer an app:

• Money….

• ?!

Reverser engineer an app:• Pull apk

• Rename .zip

• Unzip

• Classes.dex

• Apk tool

Reverser engineer an app:

• http://sourceforge.net/projects/paros/

• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

https://nmap.org/

• Questions

References:

• developer.android.com/training/articles/security-tips.htm

• https://www.safaribooksonline.com/library/view/android-security-cookbook/9781782167167/

• https://www.coursera.org/course/mobilecloudsecurity

• http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html

Introduction to Android Security -...

Transcript of Introduction to Android Security -...

Introduction to Android Security -...

Documents

Transcript of Introduction to Android Security -...

Android Roo Security

Android Security Mechanisms

An Introduction to Android Application Security Testing · An Introduction to Android Application Security Testing Nikolay Elenkov Android Security Symposium, March 2017 Vienna

Android Security Overview for Android Developers

Avira Free Android Security - Avira Antivirus · Avira Free Android Security 2.0 (Status 08-20-2013) 4 1. Introduction Avira Free Android Security version 2.0 is an Android security

Android Security - Common Security Pitfalls in Android Applications

Android Applications Security

Testing Android Security

Android Taipei 2013 August - Android Apps Security

Android security architecture - usmile.at · Android’s security architecture Nikolay Elenkov Android Security Symposium, Sep 2015 Vienna

Android Security #1

Android security

Android Security Essentials

Android Security Development

Download This! - files.meetup.comfiles.meetup.com/19584652/Promoting Your Android... · Landing page for your Android apps Manage in Developer Console. Developer Page Example(s) Firebase

Security on android

Mike Arpaia Android Security Overview · Android Security Model Android is not the Java security model: - No Java Security Manager, no Java Sandbox - Dalvik NOT a security barrier

Android Security Overview _ Android Open Source

Android Security #1 Prabhaker Mateti A first lecture on Android Security, assuming familiarity with Android Internals.

Understanding Android Security