1. SECURE YOUR APP
FIGHT THE LEAKS!
DROIDCON PARIS 2013

2. EYAL LEZMY
Slides http://bit.ly/droidcon-sec
http://eyal.fr
ANDROID PRESALES ENGINEER, SAMSUNG B2B
TREASURER AT PARIS ANDROID USER GROUP
ANDROID GOOGLE DEVELOPER EXPERT

3. DON'T LET HIM DOWN
THE USER TRUSTS YOU
Company

4. Copyright © 1995-2012 SAMSUNG All rights reserved
APPS HAVE TO RESPECT THE DATA
Different ways to unintentionally grant other apps access to the
data inside your application :
Exporting an unprotected component
Storing personal data in a world readable file
Logging personal data in logcat logs

5. Copyright © 1995-2012 SAMSUNG All rights reserved
It declares accessible app components
Activity, Service, Receive,...
Adding <intent-filter>
=> your element is exported by default
CHECK YOUR ANDROIDMANIFEST.XML
ContentProvider is always exported by default,
until android:targetSdkVersion="17"

6. Copyright © 1995-2012 SAMSUNG All rights reserved
Don't export app components unless you want to share their
content with other applications
<application android:label="@string/app_name">
…
<service android:name=".ServiceExample“
android:exported="false">
<intent-filter>
…
</intent-filter>
</service>
…
</application>
What is your legitimity to
expose data?
CHECK YOUR ANDROIDMANIFEST.XML

7. Copyright © 1995-2012 SAMSUNG All rights reserved
There are different permission protection levels:
normal Lower risk permission
dangerous Higher risk, access to user private data,
potential negative impact
signature Needs the same certificate signature
PERMISIONS

8. Copyright © 1995-2012 SAMSUNG All rights reserved
Lets look at the code:
<permission android:name="com.example.EXAMPLE_PERM“
android:label="@string/example_perm_l“
android:description="@string/example_perm_d“
android:icon="@drawable/example_perm_i“
android:protectionLevel="signature" />
...
<service android:name=".ServiceExample“
android:permission="com.example.EXAMPLE_PERM">
<intent-filter>...</intent-filter>
</service>
PERMISIONS

9. Copyright © 1995-2012 SAMSUNG All rights reserved
Don't be the weakest link
private boolean checkPermission(Context context)
{
String permission = "com.example.EXAMPLE_PERM";
int res = context.checkCallingPermission(permission);
return (res == PackageManager.PERMISSION_GRANTED);
}
PERMISIONS
Always check the permission of a caller if you use your permission

10. Copyright © 1995-2012 SAMSUNG All rights reserved
DISABLE USELESS ACTIVITIES
Fit your components lifecycle to your application's lifecycle
If before configuration (login, account creation, ...) a service or
activity is not useful, disable it
If your application handles common implicit Intent's actions like
ACTION_VIEW or ACTION_SEND consider disabling it by default

11. Copyright © 1995-2012 SAMSUNG All rights reserved
PackageManager.setComponentEnabledSetting(componentName,
newState, flags);
DISABLE USELESS ACTIVITIES
<activity
android:name="com.example.Activity"
android:label="@string/app_name"
android:enabled="false">
</activity>
Disabled:
Enabled:

12. Copyright © 1995-2012 SAMSUNG All rights reserved
STORING DATA WISELY
Protect personal data using MODE_PRIVATE for data files,
shared preferences, and databases:
openFileOutput()
openSharedPreferences()
openOrCreateDatabase()
External storage (sdcard) is shared storage

13. Copyright © 1995-2012 SAMSUNG All rights reserved
PLEASE... SHUT THE FUCK UP!
public static final boolean SHOW_LOG = BuildConfig.DEBUG;
public static void d(final String tag, final String msg) {
if (SHOW_LOG)
Log.d(tag, msg);
}
Don't expose data through logcat on production
Detect the build mode with BuildConfig.DEBUG
Be careful about this subject and test it during QA

14. Copyright © 1995-2012 SAMSUNG All rights reserved
PROTECTING APP FROM USERS
No more android:debuggable on the manifest
Don't leave this enabled in release code!
ADT 8.0+ do it for you automatically

15. Copyright © 1995-2012 SAMSUNG All rights reserved
$ adb shell
shell@android:/ $ run-as com.android.example sh
shell@android:/data/data/com.android.example $ id
uid=10060(app_60) gid=10060(app_60)
shell@android:/data/data/com.android.example $ ls
files/secret_data.txt
shell@android:/data/data/com.android.example $
cat files/secret_data.txt
PROTECTING APP FROM USERS

16. IT'S NOT JUST ABOUT YOUR APP
INSECURE NETWORK
LOST OR STOLEN DEVICES

17. Copyright © 1995-2012 SAMSUNG All rights reserved
Free certified SSL: https://www.startssl.com/
USE SAFE NETWORKING
HTTPS and SSL can protect against Man in the Middle attacks and
prevent casual snooping
Server certificate validity must be correctly checked
"15% of apps have weak or bad SSL implementation on the Play Store"

18. Copyright © 1995-2012 SAMSUNG All rights reserved
...but it may help discouraging curious.
Use a peer-reviewed library like KeyCzar
Take care of the key :
Create it at first start, with true random
Or grab a user key from your server
Or ask the user for a passphrase you won't store
DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS

19. Copyright © 1995-2012 SAMSUNG All rights reserved
On a corporate environment, device administration can be
considered
Password management
Device encryption
Disable camera
Lock the device
Remote wipe
DEVICE ADMINISTRATION

20. Copyright © 1995-2012 SAMSUNG All rights reserved
BEHIND THE STAGE
The APK's content is always world readable, take care about
what you put inside
Sensitive files should be kept out of the APK
Java is open source, your code too
Using Proguard takes a single line of code
Or...
Dex encryption
AAPT modified
Logic on server

21. IT'S NOT JUST ABOUT SECURITY
THINK ABOUT POLITICS...

22. Copyright © 1995-2012 SAMSUNG All rights reserved
THE SECURITY PARADOX

23. Copyright © 1995-2012 SAMSUNG All rights reserved
"The more secure you make something,
the less secure it becomes"
Level the security following the user acceptance or...
Users will find workarounds
Users won't use your service
NEVER FORGET THE USER, NEVAAAAA!

24. Copyright © 1995-2012 SAMSUNG All rights reserved
REFERENCES
Google I/O 2012 Sessions
Android Developpers Live Youtube channel
Android Developement
Android Developement: Using Cryptography
The Commons Blog
InformationWeek: Security Paradox
ThreatPost: SLL implementation on Android apps
StartSSL Free certificates

25. SAMSUNG SMART APP CHALLENGE 2013
SAMSUNG SMART APP CHALLENGE 2013
A Global app challenge
Apps for the Galaxy S4
Use of Samsung Chord SDK
Apply June 20 - August 31
www.smartappchallenge.com
$800,000 for 10 winners

26. SAMSUNG DEVELOPERS
SDKs and Documentation
http://developer.samsung.com
Samsung Chord SDK
Bluetooth Low Energy SDK
Remote Test Lab
Test your applications on real devices through the internet
Free
24H 365 Days
S Pen & Multi Window SDK
AllShare Framework
Real Device,
NOT emulator
Multiple
Devices

27. THANK YOU!
Slides http://bit.ly/droidcon-sec
http://eyal.fr