The document discusses common security pitfalls in Android apps. It outlines vulnerabilities like hardcoding sensitive info, logging sensitive data, leaking content providers, insecure data storage, and vulnerabilities in webviews and ad libraries. It also discusses issues like SQLite injection, insecure file permissions, backup vulnerabilities, and insecure network traffic. The document provides recommendations for secure coding practices like using proper permissions for activities, services, and content providers, encrypting sensitive data, and avoiding exporting components unless needed.
2. Who Am I
• Founder, Attify
• Mobile Security Researcher
• Developing a secure BYOD solution for enterprises
• Co-creator of AFE (Android Framework for Exploitation)
• Upcoming tool: DroidSE
• Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan etc.
4. Android Security Model
• Based on Linux
• Security features are derived mostly from Linux: each installed app is assigned its own Linux UID, so the kernel's file and process permissions keep apps apart
• Application isolation
• Each app runs in its own process with its own DVM (Dalvik VM) instance
5. Security Overview of Android Apps
• Application sandboxing
• Private data stored in /data/data/[package-name]/, owned by the app's UID and not readable by other apps unless the app itself loosens the permissions
• AndroidManifest.xml plays an important role: it declares which permissions the app requests and which components it exports
• Permissions are enforced when other apps access its activities, services and content providers; an exported component without a permission is reachable by any app on the device
6. Hard Coding Sensitive Info
• Have seen some apps hardcode sensitive info (credentials, API keys, crypto keys) in the source or in resources
• Reversing applications recovers it: an APK is trivially decompiled, and string constants come out intact
• Encrypting hardcoded passwords: really common, but the decryption key has to ship inside the same app, so it only delays the attacker
• Use code protection (obfuscation) to make reversing harder; it raises the cost, it does not prevent it
• Don't ever hardcode sensitive info in an app
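The "reversing" step on the slide above is mechanical: decode the APK, then look through the decompiled classes and res/values/strings.xml for anything that looks like a credential. The script below is an added example (not code from the talk or from Attify's tools) of that triage step. It scans two constructed inputs that stand in for a decompiled class and a strings.xml, and flags values by three signals: a sensitive-looking identifier name, the documented AWS access key id format, and a long base64-looking string with high Shannon entropy. The sample values, the names ApiClient, backend_secret and the 3.5-bit entropy threshold are all assumptions for the demo.

```python
import math
import re

# Constructed sample inputs standing in for files pulled out of a decompiled APK:
# one decompiled Java class and one res/values/strings.xml. Nothing here is real.
SAMPLE_JAVA = '''
public class ApiClient {
    private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String DB_PASSWORD = "hunter2";
    private static final String LOG_TAG = "ApiClient";
    private static final String GREETING = "Welcome back, have a nice day";
    private static final String PADDING = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa";
}
'''
SAMPLE_STRINGS_XML = '''<resources>
    <string name="app_name">Demo</string>
    <string name="backend_secret">c3VwZXJzZWNyZXRfdG9rZW5fdmFsdWVfMTIz</string>
</resources>'''

# name = "value" assignments in decompiled source, and <string name="..."> resources
JAVA_ASSIGN = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
XML_STRING = re.compile(r'<string\s+name="(\w+)">([^<]*)</string>')
# identifier names that usually hold something sensitive
SENSITIVE_NAME = re.compile(r'(?i)(passw|secret|api[_-]?key|token|private[_-]?key)')
# AWS access key ids are "AKIA" followed by 16 upper-case alphanumerics
AWS_ACCESS_KEY = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
# long runs drawn from the base64 / url-safe alphabet: candidate keys and tokens
BASE64ISH = re.compile(r'[A-Za-z0-9+/=_-]{20,}')


def shannon_entropy(s):
    """Bits per character; random-looking tokens score well above plain text."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(name, value, entropy_threshold=3.5):
    """Return the list of reasons a (name, value) pair looks like a hardcoded secret."""
    reasons = []
    if SENSITIVE_NAME.search(name):
        reasons.append("sensitive name")
    if AWS_ACCESS_KEY.search(value):
        reasons.append("AWS access key id format")
    if BASE64ISH.fullmatch(value) and shannon_entropy(value) >= entropy_threshold:
        reasons.append("high-entropy string")
    return reasons


def scan(text):
    """Map identifier name -> (value, reasons) for every suspicious constant in text."""
    findings = {}
    for pattern in (JAVA_ASSIGN, XML_STRING):
        for name, value in pattern.findall(text):
            reasons = classify(name, value)
            if reasons:
                findings[name] = (value, reasons)
    return findings


if __name__ == "__main__":
    for name, (value, reasons) in scan(SAMPLE_JAVA + SAMPLE_STRINGS_XML).items():
        print("%-16s %-40s %s" % (name, value, ", ".join(reasons)))
```

Run it over the output directory of a decompiler instead of the embedded samples by reading each .java, .smali or .xml file into scan(). The entropy check is what catches keys stored under innocent names; the name check is what catches short passwords that no entropy test would flag.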
23. Android WebView vuln
• Framing web components into the application
• Could be really useful while building applications
• Does it also allow JavaScript?
24. JavaScript in WebViews
• JavaScript is allowed in WebViews once the app enables it with setJavaScriptEnabled(true)
• JavaScript could be used to interact with the app's interface: any Java object the app exposes through addJavascriptInterface() becomes callable from the page
• Malicious functions could then be executed by whatever page the WebView loads, including content injected by a man-in-the-middle on a plain HTTP connection
25. Malicious functions with JS
• Could be used to send SMS or place calls
• Or to install another application
• Get a reverse shell to a remote location
• Modify the file system or steal something from the device
• Everything above runs with the app's own UID and permissions; only enable JavaScript when the app needs it, expose as little as possible through the bridge, and load the content over HTTPS
31. SQLite Injection
• SQLite databases for storing the application's data
• Storing sensitive information in databases
• Do you sanitize user input before building SQL queries? Concatenating it into the string passed to rawQuery() or execSQL() is injectable; bind it with ? placeholders and selectionArgs instead, and the same goes for the selection string a content provider accepts
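The question on the slide above is easiest to answer by watching the two query styles side by side. The following is an added example, not code from the talk: it uses Python's sqlite3 module against an in-memory database with constructed rows, because SQLite behaves identically whether the caller is Android's SQLiteDatabase or this script. The "vulnerable" functions build SQL the way a concatenated rawQuery() string does; the "safe" ones bind the input as a parameter, which is what selectionArgs does on Android. The table names, users and the token value are assumptions for the demo.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the app's database, populated with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("CREATE TABLE tokens (owner TEXT, token TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("admin", "adminpw")])
    db.execute("INSERT INTO tokens VALUES ('admin', 'constructed-oauth-token')")
    db.commit()
    return db


def login_vulnerable(db, name, password):
    # Same shape as rawQuery("SELECT ... WHERE name='" + name + "' AND password='" + pw + "'", null)
    sql = "SELECT name FROM users WHERE name='%s' AND password='%s'" % (name, password)
    return db.execute(sql).fetchone() is not None


def login_safe(db, name, password):
    # Same shape as rawQuery("SELECT ... WHERE name=? AND password=?", new String[]{name, pw});
    # the driver sends the values separately, so quotes in them never become SQL syntax.
    row = db.execute("SELECT name FROM users WHERE name=? AND password=?",
                     (name, password)).fetchone()
    return row is not None


def search_users_vulnerable(db, term):
    # A search box whose text lands inside a LIKE pattern; a UNION in the input
    # reads any other table the app's database holds.
    sql = "SELECT name FROM users WHERE name LIKE '%%%s%%'" % term
    return [row[0] for row in db.execute(sql)]


def search_users_safe(db, term):
    # The wildcard characters are added to the bound value, not to the statement.
    return [row[0] for row in
            db.execute("SELECT name FROM users WHERE name LIKE ?", ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    bypass = "admin' --"
    print("vulnerable login with", repr(bypass), "->", login_vulnerable(db, bypass, "wrong"))
    print("safe login with", repr(bypass), "->", login_safe(db, bypass, "wrong"))
    leak = "x' UNION SELECT token FROM tokens --"
    print("vulnerable search ->", search_users_vulnerable(db, leak))
    print("safe search       ->", search_users_safe(db, leak))
```

With the bypass input the concatenated query becomes `... WHERE name='admin' --' AND password='wrong'`, so the password check is commented out; with the UNION input the search returns the contents of the tokens table. The bound versions treat both inputs as literal text and return no match.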
33. Insecure File Permissions
• Files storing sensitive data need to have proper permissions
• Should be accessible only by the application: create them with MODE_PRIVATE, never MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE, and keep them off external storage, which every app can read
37. Android Backup Vulnerability
• Allows backup of the application's private data over USB with adb backup
• No root needed on the device, only physical access and USB debugging
• Attacker could read/modify the app's data and restore it back with adb restore
• Default behaviour in AndroidManifest.xml: android:allowBackup is true unless the app sets it to false, so an app that never opted out is backed up with all of its private files
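The read/modify/restore step on the slide above works because an unencrypted adb backup is just a small text header followed by a zlib-compressed tar of the app's data directory, laid out under apps/[package-name]/ with the shared_prefs, databases and files subdirectories. The code below is an added example, not part of the talk: it builds a constructed backup file in memory in that format, lists the files inside it, rewrites one shared preference, and repacks the result so it could be handed to adb restore. The package name, file contents and the version number 1 (the header version written by Android 4.x) are assumptions for the demo, and encrypted backups, which carry extra header lines and an AES-wrapped payload, are deliberately rejected rather than handled.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"
PKG = "com.example.app"

# Constructed contents of a backup for the sample app. The real _manifest has
# more fields; this one is a placeholder, not a real manifest.
SAMPLE_FILES = {
    "apps/%s/_manifest" % PKG: b"1\n%s\n1\n" % PKG.encode(),
    "apps/%s/sp/session.xml" % PKG:
        b'<map><boolean name="is_premium" value="false" /></map>',
    "apps/%s/db/app.db" % PKG: b"SQLite format 3\x00",
}


def make_tar(files):
    """Pack {path: bytes} into an uncompressed tar image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tar(tar_bytes):
    """Unpack a tar image into {path: bytes}, regular files only."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf.getmembers() if m.isfile()}


def build_ab(tar_bytes, version=1):
    """Wrap a tar image in the .ab header: magic, version, compressed=1, encryption=none."""
    header = b"\n".join([AB_MAGIC, str(version).encode(), b"1", b"none"]) + b"\n"
    return header + zlib.compress(tar_bytes)


def parse_ab(ab):
    """Return (version, tar bytes) from an unencrypted .ab file."""
    parts = ab.split(b"\n", 4)  # four header lines, then the payload
    if len(parts) < 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    _magic, version, compressed, encryption, payload = parts
    if encryption != b"none":
        raise ValueError("encrypted backup: password-based key derivation not handled here")
    if compressed == b"1":
        payload = zlib.decompress(payload)
    return int(version), payload


def list_backup(ab):
    """Sorted paths of the files the backup contains."""
    _version, tar_bytes = parse_ab(ab)
    return sorted(read_tar(tar_bytes))


def tamper_backup(ab, path, new_data):
    """Replace one file inside the backup and return a new .ab ready for adb restore."""
    version, tar_bytes = parse_ab(ab)
    files = read_tar(tar_bytes)
    if path not in files:
        raise KeyError(path)
    files[path] = new_data
    return build_ab(make_tar(files), version)


SAMPLE_AB = build_ab(make_tar(SAMPLE_FILES))

if __name__ == "__main__":
    print("files in backup:", list_backup(SAMPLE_AB))
    target = "apps/%s/sp/session.xml" % PKG
    patched = tamper_backup(
        SAMPLE_AB, target, b'<map><boolean name="is_premium" value="true" /></map>')
    print("patched preference:", read_tar(parse_ab(patched)[1])[target])
```

Against a device the input would come from `adb backup -f app.ab -noapk com.example.app` and the output would go back with `adb restore app.ab`; nothing in the exchange asks the app's permission unless its manifest turned allowBackup off.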