Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Slide 2: WhoAmI
- 3+ years Android dev
- 6+ years commercial dev
- 1 year bank app dev
- BlackHat friends since 2007
- DC7499 member
Slide 4: Agenda
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence
- Appendix
Slide 8: Zygote
- Parent of all app processes: every app process is fork()ed from it
- COW (Copy On Write) strategy: the preloaded framework classes and resources are shared, not copied
- /dev/socket/zygote: the socket over which the system asks Zygote to fork a new app process
[Diagram: Zygote fork()s App 1, App 2 and App 3; starting a new App is one more fork()]
Slide 9: Permissions
- Before M: install-time permissions, granted all-or-nothing when the app is installed
- After M (Android 6.0): runtime permissions, requested when the feature is first used and revocable by the user
- Custom permissions: an app can declare its own to guard its exported components
- Protection level: normal, dangerous, signature, signatureOrSystem
Slide 10: Android Security Overview
- Protect user data
- Protect system resources
- Provide application isolation
Slide 15: Data Storage
- Memory cache
- DB + SQLCipher
- SharedPreference + MODE_PRIVATE + Cipher
- 21+ setStorageEncryption for local files
- KeyStore
Slide 16: Transport
- MITM has you
- Check network – why?
- Diffie–Hellman key exchange
- Certificate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2)
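An added example, not the speaker's code, of the pinning bullet using OkHttp 3's CertificatePinner (the 3.1.2 line on the slide). The host name and both pin values are placeholders; the comment shows how the real SPKI pin is derived from the server certificate.

```java
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedClient {
    // Hypothetical host. A pin is "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)),
    // i.e. the public key is pinned, not the whole certificate, so renewals that keep
    // the key do not break the app. Compute it with:
    //   openssl s_client -connect api.example.com:443 </dev/null 2>/dev/null \
    //     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | base64
    static final String HOST = "api.example.com";
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; // placeholder
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="; // placeholder

    /** Client that refuses any TLS chain for HOST that does not contain a pinned key. */
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PRIMARY_PIN)
                .add(HOST, BACKUP_PIN) // pin an offline backup key too, or a rotation bricks the app
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** On a pin mismatch OkHttp throws javax.net.ssl.SSLPeerUnverifiedException
     *  before any request bytes are sent; let it propagate and log it as a
     *  possible MITM rather than falling back to an unpinned client. */
    public static String fetch(String url) throws IOException {
        Request req = new Request.Builder().url(url).build();
        try (Response resp = build().newCall(req).execute()) {
            return resp.body().string();
        }
    }
}
```

Pinning only helps if the chain is also validated normally first (OkHttp does this); it adds a check that the CA-trusted chain contains one of your keys, which is what defeats a MITM proxy whose CA the user was tricked into installing.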
Slide 17: Intent
- Use explicit intents
- Validate input
- Manifest: a component with an <intent-filter> is exported by default (android:exported="true"), so any app can send it intents unless you set android:exported="false" or guard it with a permission
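An added example (not from the talk) for the first two bullets: the sender builds an explicit intent so no other app can intercept it, and the receiving activity validates every extra because, if the component is reachable at all, the extras are attacker-controlled. The activity, extra names and limits are hypothetical; the manifest is assumed to declare the activity with android:exported="false".

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import java.util.regex.Pattern;

/** Sender side. An implicit intent with a custom action could be claimed by any app
 *  that declares a matching <intent-filter>; naming the class makes it explicit. */
final class TransferLauncher {
    static Intent build(Context ctx, String iban, long amountCents) {
        Intent i = new Intent(ctx, TransferActivity.class); // explicit: component is fixed
        i.setPackage(ctx.getPackageName());                  // never resolves outside this app
        i.putExtra(TransferActivity.EXTRA_IBAN, iban);
        i.putExtra(TransferActivity.EXTRA_AMOUNT, amountCents);
        return i;
    }
}

/** Receiver side. Assumed to be android:exported="false" in the manifest, but the
 *  extras are still validated: a rooted device, a backup restore or a later manifest
 *  change can all put untrusted data here. */
public class TransferActivity extends Activity {
    static final String EXTRA_IBAN = "iban";          // hypothetical extra names
    static final String EXTRA_AMOUNT = "amount_cents";
    private static final Pattern IBAN = Pattern.compile("[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}");
    private static final long MAX_CENTS = 100_000_00L; // hypothetical per-transfer cap

    /** Whitelist validation: shape of the IBAN and a positive, bounded amount. */
    static boolean validate(String iban, long amountCents) {
        return iban != null && IBAN.matcher(iban).matches()
               && amountCents > 0 && amountCents <= MAX_CENTS;
    }

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        Intent in = getIntent();
        String iban = in.getStringExtra(EXTRA_IBAN);
        long amount = in.getLongExtra(EXTRA_AMOUNT, -1); // default that fails validation
        if (!validate(iban, amount)) {
            setResult(RESULT_CANCELED);
            finish();  // reject; do not try to "fix up" bad input
            return;
        }
        // ... show the confirmation UI for iban / amount ...
    }
}
```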
Slide 18: 2FA: SMS
- Secure PUSH
- Mobile application
- SIM applets
- DCV (Dynamic Code Verification)
Slide 19: Insecure Device
- Custom keyboard (third-party IMEs see everything typed)
- Secure persistent datastore
- No EditText for secrets
- No immutable String for secrets: use char[] that can be zeroed after use
- Notify if root
Slide 20: Reverse Protection
- Check debug
- Verify sign
- Emulator check
- Obfuscation
- JNI
Slide 22: One more sentence
- Convenience vs Security
- Socialization & Tools
- Layered Security
- Better than others
- OWASP TOP 10 Mobile Risks
Slide 24: Additional Information
- Cyber Risk Report: bit.ly/1MuoIDS
- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv
- DefCon Groups List: bit.ly/1JQlNgC
- Triada Malware: bit.ly/1qvyFqY
- Obfuscation tools list: bit.ly/1XiHf6Z
- Security Official Docs: bit.ly/1qvw1BK
- Diffie–Hellman Video: bit.ly/23jV7Se
- Tools for SA and Hacking: bit.ly/1qvxpUM