Introduction to Android Security

Agenda:

1: Admin stuff

3: Android security model

2: Why this talk

4: “Best” practices

5: Reverse engineer an app

6: QA

Admin stuff:

• You say what?

• .NET + Android + Web

• Independent contractor for DVT

• MSc Computer Science

• [email protected]

• Give away

Why this talk:

• Get developers talking

• Android device increase

• Cybersecurity month

http://www.appbrain.com/stats/in-app-billing-android-applications

1 billion devices 2014

http://androidvulnerabilities.org/

Android security model:

Android framework


• Kernel security measures

• User based permissions

• Process isolation

• Secure IPC communication

“Best” practices:

• Data

• Internal data

• External data

• Content providers


• Permissions

• Demo

“Best” practices: Demo


• Network

• Https

• Telephony

• Check user input

• WebView

• Handling credentials

• Cryptography

• IPC

• Obfuscate


https://github.com/guardianproject/NetCipher

• https://github.com/rtyley/spongycastle/#downloads

• https://github.com/scottyab/secure-preferences

• Password-based encryption (PBE)

• SQLCipher • Device Management

• Fast IDentity Online (FIDO) Alliance (https://fidoalliance.org/)

Reverser engineer an app:

• Money….

• ?!

Reverser engineer an app:• Pull apk

• Rename .zip

• Unzip

• Classes.dex

• Apk tool

Reverser engineer an app:

• http://sourceforge.net/projects/paros/

• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

https://nmap.org/

QA:

• Questions

References:

• developer.android.com/training/articles/security-tips.htm

• https://www.safaribooksonline.com/library/view/android-security-cookbook/9781782167167/

• https://www.coursera.org/course/mobilecloudsecurity

• http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html

Introduction to Android Security -...

Documents

Transcript of Introduction to Android Security -...