http://www.egeniq.com
info@egeniq.com
@egeniq

Apps, APIs and third party services
A Love Triangle

Ivo Jansch - @ijansch
Droidcon, 23 November 2011

About Me

‣ @ijansch
‣ Developer
‣ Author
‣ Entreprenerd
‣ iOS/Java/PHP

About Egeniq

‣ Startup
‣ Mobile
‣ Tech
‣ Knowledge
‣ Geeks
‣ Development

Tiqr - Learning about Android Security

[Figure: Tiqr login flow, numbered steps 1-6]

http://www.tiqr.org

The Use Case

[Diagram: Android App <-> API <-> Third Party Service]

Timeline

OAuth

[Diagram: Your Android Application <-> Twitter]

OAuth

[Diagram: OAuth Consumer <-> OAuth Provider]

Why do you need to protect keys?

[Diagram: the OAuth Provider]

The Android Security Model

Sandboxing

‣ Apps only have access to their own data
‣ Access is based on the Linux user ID: each app runs as its own UID
‣ Further protected by the application signature: only apps signed with the same key can request a shared UID

Storage + Secure Storage

‣ USB Storage
 • External storage, shareable between apps (and readable by any app)
‣ Device Storage
 • Apps have their own location, within the sandbox
‣ Secure Storage
 • Java KeyStores with strong encryption algorithms, but the keystore itself is protected by a password the app has to supply
 • Unfortunately no hardware-encrypted storage like the iPhone has

The Main Problem

‣ How can I securely store secrets?
 • Is sandboxing a solution? -> Not when the device is rooted
 • Is device storage a solution? -> Not when the device is rooted
 • Is encryption a solution?
   ‣ Yes, but where do you store your encryption keys?

It’s a common question

Stack Overflow search for ‘store secrets android’:

[Screenshot: search results]

With common answers

- Huh?
- Don’t store secrets
- Don’t use OAuth
- Obfuscate
- Encrypt

Know what? I’ll just use a library

Scribe

https://github.com/fernandezpablo85/scribe-java

A Couple Of Solutions

Option 1 - Obfuscation

Option 2 - Encryption

Option 3 - Using the KeyStore

Option 4 - Retrieve key from API

[Diagram: Android App <-> Your API, then Android App <-> OAuth Provider, with a question mark on the link]

Option 5 - Transparent Proxy

[Diagram: Android App -> Proxy -> OAuth Provider]

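The proxy from Option 5, worked through as an added example (this is not code from the talk or from Egeniq, and the talk's own proxy is not shown on the page). It is an OAuth 1.0a (RFC 5849) HMAC-SHA1 signing proxy in Python: the consumer secret lives only on the proxy, the app authenticates to the proxy with a hypothetical per-user session token, and gets back a finished Authorization header it can send to the provider. The consumer key/secret, token credentials, session table and request are constructed (the parameter values are the ones from the RFC 5849 worked example, so the base string can be checked against the RFC). This is also the answer to the "where do you store your encryption keys?" question and to Option 4: a key fetched from your own API still ends up on a device you do not control, whereas here the secret never leaves the server.

```python
"""Option 5, worked: an OAuth 1.0a signing proxy (RFC 5849, HMAC-SHA1).

Added example, not code from the talk or from Egeniq. The consumer secret
stays on the proxy; the Android app authenticates to the proxy with its own
per-user session token and receives a finished Authorization header.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit

# Constructed credentials, borrowed from the RFC 5849 worked example.
CONSUMER_KEY = "9djdj82h48djs9d2"
CONSUMER_SECRET = "j49sk3j29djd"   # held by the proxy only, never in the APK

# Constructed proxy table: app session token -> (oauth_token, token_secret).
# A real proxy would issue the session after the user completed the OAuth
# dance and keep this in a database.
APP_SESSIONS = {"app-session-abc123": ("kkk9d7dh3k39sjv7", "dh893hdasih9")}

# Constructed provider table: what the OAuth provider knows about that token.
PROVIDER_TOKEN_SECRETS = {"kkk9d7dh3k39sjv7": "dh893hdasih9"}


def percent_encode(s):
    """RFC 5849 section 3.6: encode all but the RFC 3986 unreserved set."""
    return quote(s, safe="-._~")


def collect_parameters(url, body, oauth_params):
    """Merge query, form body and oauth_* params into decoded (name, value)
    pairs. realm and oauth_signature are excluded from signing."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    return pairs


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized params)."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    base_url = urlunsplit((scheme, host, u.path, "", ""))
    # Sort by encoded name, then encoded value (duplicate names are allowed).
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_url),
                     percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key is enc(consumer_secret)&enc(token_secret)."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def proxy_sign(app_session, method, url, body="", realm="Example",
               nonce=None, timestamp=None):
    """Proxy side: authenticate the app, then sign with the server-held secret.
    The app only ever sees the resulting header, never CONSUMER_SECRET."""
    creds = APP_SESSIONS.get(app_session)
    if creds is None:
        raise PermissionError("unknown app session; refusing to sign")
    token, token_secret = creds
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    base = signature_base_string(method, url, collect_parameters(url, body, oauth))
    oauth["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, token_secret)
    fields = ", ".join(f'{k}="{percent_encode(v)}"' for k, v in oauth.items())
    return f'OAuth realm="{realm}", {fields}'


def provider_verify(auth_header, method, url, body=""):
    """Provider side (e.g. Twitter): recompute the signature and compare."""
    fields = {}
    for item in auth_header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        fields[k] = unquote(v.strip('"'))
    presented = fields.pop("oauth_signature", "")
    token_secret = PROVIDER_TOKEN_SECRETS.get(fields.get("oauth_token"), "")
    base = signature_base_string(method, url, collect_parameters(url, body, fields))
    expected = hmac_sha1_signature(base, CONSUMER_SECRET, token_secret)
    return presented.isascii() and hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    url = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
    hdr = proxy_sign("app-session-abc123", "POST", url, "c2&a3=2+q")
    print(hdr)
    print("provider accepts:", provider_verify(hdr, "POST", url, "c2&a3=2+q"))
```

What the app has to protect now is its session with the proxy, not the consumer secret: a stolen session token lets an attacker act as that one user, not as your whole application towards the provider. The proxy in turn should rate-limit and log per session, which is exactly what you cannot do when every install carries the master secret.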
Conclusion

It’s all about awareness

Recommended Reading

‣ Authors:
 • Himanshu Dwivedi
 • Chris Clark
 • David Thiel
‣ Covers:
 • Android
 • Apple
 • WinMo

Thank you! Questions?

http://www.egeniq.com
ivo@egeniq.com
@ijansch

Credits

‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/
‣ ‘Locker (KHS up close)’ by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/
‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/