![Page 1: Смирнов Александр, Security in Android Application](https://reader034.vdocuments.site/reader034/viewer/2022051504/58f1bace1a28abe00d8b45c7/html5/thumbnails/1.jpg)
SECURITY IN ANDROID APPLICATION
22/04/2016 ALEXANDER SMIRNOV
WhoAmI
- 3+ years Android dev
- 6+ years commercial dev
- 1 year bank app dev
- BlackHat friends since 2007
- DC7499 member
Why?
Agenda
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence
- Appendix
• I •
Android Security Model
Application Isolation
- the kernel isolates CPU, RAM, devices and files: each app gets a private data directory only its own UID can read
- every app runs in its own process
- every app has its own UserID and GroupID (the Linux UID sandbox)
- every app runs in its own instance of the Dalvik VM (ART since Android 5.0)
Zygote
- is the parent of all app processes
- COW (copy-on-write) strategy: a forked child shares the preloaded framework classes and resources with Zygote until it writes to them
- /dev/socket/zygote: the Unix socket over which the system server asks Zygote to fork a new app process
[Diagram: Zygote fork()s App 1, App 2 and App 3; every "start new App" request becomes another fork()]
Permissions
- Before M: every permission declared in the manifest is granted at install time
- After M (6.0): dangerous permissions are requested at runtime and can be revoked by the user at any time
- Custom permissions: declared with <permission> in the manifest and enforced on your own components
- Protection level: normal, dangerous, signature, signatureOrSystem
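The two halves of the slide, a runtime request for a dangerous permission that still works on pre-M devices and a custom signature-level permission enforced on a bound service, as an added Java example; it is not code from the deck, and the package, permission and component names are placeholders:

```java
// Added example: runtime permission request (Android 6.0+) plus a custom
// signature-level permission enforced on a bound service. Package/permission
// names are placeholders, not from the original deck.
//
// AndroidManifest.xml (excerpt, shown as a comment):
//   <permission android:name="com.example.bank.permission.TRANSFER"
//               android:protectionLevel="signature" />
//   <uses-permission android:name="android.permission.READ_CONTACTS" />
//   <service android:name=".TransferService"
//            android:permission="com.example.bank.permission.TRANSFER" />

import android.Manifest;
import android.app.Activity;
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Build;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;

public class ContactsPermissionActivity extends Activity {
    private static final int REQ_CONTACTS = 42;

    void readContactsIfAllowed() {
        // Before M every declared permission is granted at install time, so the
        // compat check below simply returns PERMISSION_GRANTED on those devices.
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS)
                == PackageManager.PERMISSION_GRANTED) {
            readContacts();
            return;
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // From M on the user decides at runtime and may revoke later, so the
            // app must handle denial gracefully instead of crashing.
            ActivityCompat.requestPermissions(this,
                    new String[] { Manifest.permission.READ_CONTACTS }, REQ_CONTACTS);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
        if (requestCode == REQ_CONTACTS && grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            readContacts();
        }
        // Denied: degrade the feature; do not loop re-requesting.
    }

    private void readContacts() { /* ... */ }
}

// Custom permission with protectionLevel="signature": only apps signed with the
// same certificate as this one can hold it, so the manifest attribute above
// already blocks other callers. Re-checking inside the Binder call catches a
// manifest that lost its android:permission attribute by mistake.
class TransferService extends Service {
    static final String PERM_TRANSFER = "com.example.bank.permission.TRANSFER";

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Only inside a Binder transaction is the calling uid known; a check
            // in onStartCommand() would see no caller and always fail.
            enforceCallingPermission(PERM_TRANSFER,
                    "uid " + Binder.getCallingUid() + " lacks " + PERM_TRANSFER);
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) { return binder; }
}
```

The custom permission also needs a defined `protectionLevel`: with `normal` any app could request it and be granted it silently, which would make the check above meaningless.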
Android Security Overview
- protect user data
- protect system resources
- provide application isolation
• II •
Reality
Root
On a rooted device any process that obtains uid 0 can read every app's private directory, so the UID-based isolation described above no longer holds.
TRIADA
Triada (2016): a trojan family that obtains root and injects itself into the Zygote process, so its code is inherited by every app process forked from Zygote afterwards.
• III •
Vulnerabilities
Data Storage
- memory cache: keep secrets only in memory, and only as long as they are needed
- DB + SQLCipher
- SharedPreferences + MODE_PRIVATE + Cipher: the file mode keeps other apps out, the cipher protects the values against root, backups and adb pulls
- setStorageEncryption for local files: a DevicePolicyManager device-admin call that requests device-wide storage encryption; it does not encrypt an individual app's files
- KeyStore: keep the key material out of the app's own storage
Transport
- MITM has you: assume every network the device joins is hostile
- Check network – why?
- Diffie–Hellman key exchange: prefer (EC)DHE cipher suites so a recorded session cannot be decrypted later with the server's private key
- Certificate Pinning == SSL Pinning (OkHttp 2.7.4 || 3.1.2 ship CertificatePinner)
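Certificate pinning with OkHttp's `CertificatePinner`, together with a connection spec that only offers forward-secret cipher suites, as an added Java example; it is not code from the deck, and the host name and both pin values are placeholders to be replaced with hashes computed from the real server key:

```java
// Added example (not from the deck): certificate pinning with OkHttp 3's
// CertificatePinner plus a connection spec restricted to TLS 1.2+ with ECDHE
// suites. Host name and pin values are placeholders; compute the real pins
// from the server's public key with
//   openssl s_client -connect api.example.com:443 </dev/null 2>/dev/null \
//     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
//     | openssl dgst -sha256 -binary | base64

import java.io.IOException;
import java.util.Collections;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedClient {
    static final String HOST = "api.example.com"; // placeholder

    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Pin the SubjectPublicKeyInfo hash, not the whole certificate, so a
                // renewal that keeps the same key does not break the app.
                .add(HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // placeholder: current key
                // Always ship a backup pin for a key kept offline; otherwise a key
                // compromise or rotation locks out every installed client.
                .add(HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // placeholder: backup key
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                // MODERN_TLS: TLS 1.2+ and ECDHE suites, i.e. the Diffie-Hellman
                // exchange from the slide, giving forward secrecy.
                .connectionSpecs(Collections.singletonList(ConnectionSpec.MODERN_TLS))
                .build();
    }

    static String fetch(OkHttpClient client, String url) throws IOException {
        Request req = new Request.Builder().url(url).build();
        try (Response resp = client.newCall(req).execute()) {
            return resp.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // OkHttp lists the pins it actually saw in the exception message; on
            // a MITM those belong to the interceptor's chain. Fail closed: never
            // retry with an unpinned client here.
            throw e;
        }
    }
}
```

On OkHttp 2.7.4 the same `CertificatePinner` is attached with `client.setCertificatePinner(pinner)` on `com.squareup.okhttp.OkHttpClient`. Pinning stops a MITM that holds a certificate from a CA the device trusts, including a user-installed proxy CA; it does not help on a device where the attacker can patch the app itself.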
Intent
- use explicit intents
- validate every input that arrives in an intent: an exported component can be started by any app with any extras
- Manifest: a component with an <intent-filter> is exported by default (exported="yes"), so set android:exported="false" on everything that should stay internal
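The three rules above in one place, as an added Java example (not code from the deck): an explicit intent on the sending side, a package-restricted intent for the one case where another app is the target, and extra validation in the receiving activity. Component, action, extra names and the allowed host are placeholders.

```java
// Added example (not from the deck): explicit intents on the sending side and
// input validation on the receiving side. Component, action and extra names
// are placeholders.
//
// AndroidManifest.xml (excerpt, as a comment): a component with an
// intent-filter is exported unless you say otherwise, so internal screens get
//   <activity android:name=".TransferActivity" android:exported="false" />
// and only the one entry point that must accept outside intents keeps a filter.

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class TransferActivity extends Activity {
    static final String EXTRA_AMOUNT = "amount";           // placeholder extra names
    static final String EXTRA_RETURN_URL = "return_url";
    static final long MAX_AMOUNT = 1_000_000L;
    static final String ALLOWED_HOST = "bank.example.com"; // placeholder

    // Sender: name the target class, so no other app can register a matching
    // filter and receive the (possibly sensitive) extras.
    static void start(Context ctx, long amount) {
        Intent i = new Intent(ctx, TransferActivity.class);
        i.putExtra(EXTRA_AMOUNT, amount);
        ctx.startActivity(i);
    }

    // When the target is another app, at least pin the package; an implicit
    // action alone lets any installed app claim it.
    static Intent forWallet(long amount) {
        Intent i = new Intent("com.example.wallet.ACTION_PAY"); // placeholder action
        i.setPackage("com.example.wallet");                     // placeholder package
        i.putExtra(EXTRA_AMOUNT, amount);
        return i;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Receiver: treat every extra as attacker-controlled. Missing extras and
        // extras of the wrong type both come back as the default value.
        Intent in = getIntent();
        long amount = in.getLongExtra(EXTRA_AMOUNT, -1);
        if (amount <= 0 || amount > MAX_AMOUNT) {
            finish();
            return;
        }
        String returnUrl = in.getStringExtra(EXTRA_RETURN_URL);
        if (returnUrl != null && !isAllowedUrl(returnUrl)) {
            finish(); // never load an arbitrary URL into a WebView because an intent said so
            return;
        }
        // ... show the confirmation screen for `amount` ...
    }

    static boolean isAllowedUrl(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && ALLOWED_HOST.equalsIgnoreCase(u.getHost());
    }
}
```

If the activity is started for a result, `getCallingPackage()` additionally tells you who will receive the result, which matters when the result carries account data.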
2FA: SMS
Alternatives to one-time codes sent over SMS, which any app holding the SMS permission on the device can read:
- secure PUSH
- mobile application (the code is generated or delivered inside the app itself)
- SIM applets
- DCV (Dynamic Code Verification)
Insecure Device
- custom keyboard: a third-party IME sees everything typed into a PIN or password field
- secure persistent datastore
- no EditText for secrets
- no immutable Strings for secrets (Strings -> char[], which can be zeroed after use)
- notify if root
Reverse Protection
- check debug (the debuggable flag and an attached debugger)
- verify sign (compare the APK's signing certificate with the expected one; a repackaged APK is signed with the attacker's key)
- emulator check
- obfuscation
- JNI (move sensitive logic into native code, which is harder to decompile than DEX)
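The runtime checks behind "notify if root" on the Insecure Device slide and "check debug", "verify sign" and "emulator check" on this one, collected in one added Java example (not code from the deck). `EXPECTED_CERT_SHA256` and the list of `su` paths are assumptions to adapt to the app and the devices seen in the field.

```java
// Added example (not from the deck): root indicators, debuggable flag /
// attached debugger, emulator fingerprints, and verification of the APK's
// signing certificate. EXPECTED_CERT_SHA256 is a placeholder; replace it with
// the SHA-256 of your release certificate (keytool -printcert -file CERT.RSA).
// These checks raise the bar for a repackaged or instrumented build; all of
// them can be patched out on a rooted device, so treat a failure as a signal
// to notify the user or the back end, not as a security boundary.

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;

import java.io.File;
import java.security.MessageDigest;
import java.util.Locale;

public final class EnvironmentChecks {
    static final String EXPECTED_CERT_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000"; // placeholder

    // Common locations of the su binary / root manager; an assumption, not exhaustive.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/system/app/Superuser.apk"
    };

    static boolean isRooted() {
        // "test-keys" means a build signed with the public AOSP keys, typical of
        // custom ROMs; an su binary means a root manager is installed.
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        for (String p : SU_PATHS) if (new File(p).exists()) return true;
        return false;
    }

    static boolean isDebuggable(Context ctx) {
        boolean flag = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return flag || Debug.isDebuggerConnected();
    }

    static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
            || Build.HARDWARE.contains("goldfish") || Build.HARDWARE.contains("ranchu")
            || Build.MODEL.contains("Emulator") || Build.MODEL.contains("Android SDK built for x86")
            || Build.PRODUCT.contains("sdk");
    }

    static boolean signatureMatches(Context ctx) {
        try {
            // GET_SIGNATURES is what the 2016-era API offers; on API 28+ use
            // GET_SIGNING_CERTIFICATES and PackageInfo.signingInfo instead.
            @SuppressWarnings("deprecation")
            PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                // sig.toByteArray() is the DER-encoded X.509 signing certificate
                if (hex(md.digest(sig.toByteArray())).equals(EXPECTED_CERT_SHA256)) return true;
            }
        } catch (Exception e) {
            // fall through: an unreadable package is treated like a mismatch
        }
        return false;
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format(Locale.ROOT, "%02x", x));
        return sb.toString();
    }

    /** True when nothing suggests a debugger, emulator, root or repackaged APK. */
    static boolean environmentLooksClean(Context ctx) {
        return !isRooted() && !isDebuggable(ctx) && !isEmulator() && signatureMatches(ctx);
    }
}
```

Keep the expected hash and the check itself out of the most obvious places (obfuscate the class, or do the comparison in JNI as the slide suggests); a check that sits in one clearly named Java method is the first thing a reverser patches.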
• IV •
One more sentence
One more sentence
- Convenience vs Security
- Socialization & Tools
- Layered Security
- Better than others
- OWASP TOP 10 Mobile Risks
• V •
Appendix
Additional Information
- Cyber Risk Report: bit.ly/1MuoIDS
- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv
- DefCon Groups List: bit.ly/1JQlNgC
- Triada Malware: bit.ly/1qvyFqY
- Obfuscation tools list: bit.ly/1XiHf6Z
- Security Official Docs: bit.ly/1qvw1BK
- Diffie–Hellman Video: bit.ly/23jV7Se
- Tools for SA and Hacking: bit.ly/1qvxpUM
Result
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence