Introduction to Android Security
Transcript of the slide deck (source PDF: files.meetup.com/17583942/AndroidDevGroupSecurity101.pdf)
Agenda:
1: Admin stuff
2: Why this talk
3: Android security model
4: “Best” practices
5: Reverse engineer an app
6: QA
Admin stuff:
• You say what?
• .NET + Android + Web
• Independent contractor for DVT
• MSc Computer Science
• Give away
Why this talk:
• Get developers talking
• Android device increase: 1 billion devices in 2014
  http://www.appbrain.com/stats/in-app-billing-android-applications
• Cybersecurity month
  http://androidvulnerabilities.org/
Android security model:
Android framework
Android security model:
Android security model:
• Kernel security measures
• User-based permissions (each app runs as its own Linux user)
• Process isolation (application sandbox)
• Secure IPC
“Best” practices:
• Data
  • Internal data
  • External data
  • Content providers
“Best” practices:
• Permissions
• Demo
“Best” practices: Demo
“Best” practices:
• Network
• HTTPS
• Telephony
• Check user input
• WebView
• Handling credentials
• Cryptography
• IPC
• Obfuscate
“Best” practices:
• https://github.com/guardianproject/NetCipher
• https://github.com/rtyley/spongycastle/#downloads
• https://github.com/scottyab/secure-preferences
• Password-based encryption (PBE)
• SQLCipher
• Device Management
• Fast IDentity Online (FIDO) Alliance (https://fidoalliance.org/)
Reverse engineer an app:
• Money….
• ?!
Reverse engineer an app:
• Pull the APK from the device
• Rename it to .zip
• Unzip
• classes.dex
• apktool
Reverse engineer an app:
• http://sourceforge.net/projects/paros/
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
• https://nmap.org/
QA:
• Questions
References:
• developer.android.com/training/articles/security-tips.htm
• https://www.safaribooksonline.com/library/view/android-security-cookbook/9781782167167/
• https://www.coursera.org/course/mobilecloudsecurity
• http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html