Android app security

•

2 gostaram•448 visualizações

Positive Hack Days

Tecnologia

Android Application Security
Artem Chaykin
Lead Specialist, Web Application Security Team
Positive Technologies
Positive Hack Days 2013

What am I?
― As previous slide said, ptsecurity guy
― Mostly web and mobile applications security assessment
― SCADAStrangelove Team

Application
Resources Manifest
Intents
Activity Service Broadcast
Permissions
Content
providers
Native libs Classes

Hardcoded and forgotten
― Default/test credentials
― Test servers/ locals IPs
― Some cool info

File system
― One app – One UID
― 0600 mask for new files
― 0666 mask for new files (touch, echo, etc)

File system
― World readable files
― Even world writable..
― SD storage

File system
How to secure:
― Use MODE_PRIVATE for files
― Do not use system tools
― Do not save sensitive data on SD storage

logcat
// Delete before production release
Log.d(“Bank”,login+”::”+password);
^^aye, of course

logcat
android.permission.READ_LOGS
E/HttpUtil( 9509): >>Response: <?xml version='1.0'
encoding='UTF-8'?><result resultCode="200001033"
desc="[OSE(551)]http
error:http://10.10.10.10:7711/GET_BALANCE?LOGIN=833477&
amp;PASSWORD=222222" /><<

SQLite & content providers
SQLite3
/data/data/app.name/databases/
load_extension() disabled :(
SQLinj… will talk later
Private database

SQLite & content providers
Content provider:
API to public/semi-public your database
Exported and public by default
File access API
Examples:
content://sms

SQLite & content providers
How to secure:
android:exported=“false”
android:protectionLevel=“signature”
android:grantUriPermission=“true”

Intents
Intent
Activity Service Broadcast

Activity
This is a Facebook activity->
This is what you can interact with

Service
This is a Facebook service ->
Really, here it is.

Service
This is a Facebook service ->
Really, here it is.
Background work : sync, upload, download, etc

Broadcast
Battery low
System send broadcast:
ACTION_BATTERY_LOW
Application1:
Alerts “Battery low”
Application2:
Stop sync

Manifest
Look for android:debuggable=true
Intents “exported” = (true|false)
Intents with <intent-filter> - exported by default

Intents
Exported intents can be called from third-party apps
Activity
startActivity()
startActivityForResult()
Service
startService()
Broadcast
sendBroadcast()

Intents
Third-party apps can send “extra”“data://” to intents
extra
string integer long float boolean uri
component
name
data
wrapper://host/path?query

Intents
Set “exported” to false for all intents
Set permissions for broadcast receiving/delivering
Validate extra data sent to intents

Client-server, SSL, MiTM,
intercepting, sniffing,
spoofing, cats, and more
client vulns.

Client-server
JSON;
XML (SOAP);
Simpe POST;
Even query string;

Конец рассказа
Спасибо за внимание
Artem Chaykin
achaykin@ptsecurity.com
@a_chaykin

Mais conteúdo relacionado

Mais procurados

Spring Security 5

Jesus Perez Franco

SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Artur Barseghyan

Fun With Spring Security

Burt Beckwith

The adoption of Mobile and Cloud applications drives API traffic across domains. OAuth 2.0 is being implemented in complex enterprise environments where new authorization endpoints are combined with various existing identity components, in various configurations. Handshakes are federated to help provide a single sign-on experience across applications and enhance adoption. Mediation between tokens at the edge of each domain helps extend existing data to new channels. Core grant types, extension grant types, custom schemes, standards, patterns and use cases – let us count the ways in which API access control is applied. This presentation will examine the role of API management infrastructure in API Security, API Access Control and API Federation and its interaction with enterprise infrastructure, social identity and application developers.

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...

CA API Management

Authentication and Single Sing on

guest648519

Secure Code Warrior - Issues with origins

Secure Code Warrior

Abusing Exploiting and Pwning with Firefox Addons

Ajin Abraham

Jasig Central Authentication Service in Ten Minutes

Andrew Petro

Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered. Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Ajin Abraham

Presentation

Laxman Kumar

Authentication and Authorization in Asp.Net

Shivanand Arur

Authentication in microservice systems - fsto 2017

Dejan Glozic

Keycloak Single Sign-On

Ravi Yasas

Learn Apache Shiro

Smita Prasad

Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6

Kenneth Peeples

Javacro 2014 Spring Security 3 Speech

Fernando Redondo Ramírez

How to authenticate users in your apps using FI-WARE Account - Introduction

Javier Cerviño

Spring security4.x

Zeeshan Khan

Synapse india reviews on security for the share point developer

saritasingh19866

In this webinar, we focus specifically on how Apache SHIRO can help developers in providing better security architecture. You will also learn the following Application security is gaining critical attention due to increase in cyber-attacks and risks of business and financial losses. In the context of J2EE development and Java web application development, security concerns are addressed through multiple means. This informative 45 min session to understand approaches and strategies for building secure web applications. - Planning for Security: Authentication, Authorization, Session Management and Cryptography - Comparing Different Approaches for Security: JAAS, Spring, Grails - How to use the simplified universal approach of Apache SHIRO - A LIVE DEMO on using SHIRO to secure web applications If you have any query please write to us at inquiry@cygnet-infotech.com

J2EE Security with Apache SHIRO

Cygnet Infotech

Mais procurados (20)

Spring Security 5

SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Fun With Spring Security

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...

Authentication and Single Sing on

Secure Code Warrior - Issues with origins

Abusing Exploiting and Pwning with Firefox Addons

Jasig Central Authentication Service in Ten Minutes

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Presentation

Authentication and Authorization in Asp.Net

Authentication in microservice systems - fsto 2017

Keycloak Single Sign-On

Learn Apache Shiro

Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6

Javacro 2014 Spring Security 3 Speech

How to authenticate users in your apps using FI-WARE Account - Introduction

Spring security4.x

Synapse india reviews on security for the share point developer

J2EE Security with Apache SHIRO

Destaque

Ведущий: Ольга Зиненко Уральский центр систем безопасности проводит независимое тестирование мобильных антивирусов, разработанных для платформы Android (в том числе Dr.Web, Kaspersky, Norton, ESET). Доклад посвящен результатам исследования. Показатели, которые оцениваются в первую очередь: выполнение заявленных функций, уровень защиты, возможности обхода, наличие уязвимостей, полезность и значимость дополнительных функций.

Вирусы есть? А если найду?

Positive Hack Days

Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...

DefconRussia

Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases

Positive Hack Days

1. Проблемы автоматизации классификации слабо формализуемых (нечётких) данных. 2. Нечёткие множества и нечёткие измерительные шкалы. 3. Моделирование нейронной сети для классификации данных. 4. Инструмент FuzzyClassificator и его внедрение в Компании. 5. Автоматизация классификации данных на базе TeamCity.

Нейронечёткая классификация слабо формализуемых данных | Тимур Гильмуллин

Positive Hack Days

1. Что такое сервер отладочных символов, его предназначение. 2. Отладочная информация (отладочные символы) – информация, которую генерирует компилятор на основе исходных кодов. Содержит информацию об именах файлов исходников, переменных, процедур, функций. 3. Сервер отладочной информации – сервер, основное предназначение которого – хранение отладочной информации, ее индексирование и предоставления доступа.

Интеграция TeamCity и сервера символов | Алексей Соловьев

Positive Hack Days

Инструменты для проведения конкурентного анализа программных продуктов | Вла...

Positive Hack Days

Пакетный менеджер CrossPM: упрощаем сложные зависимости | Александр Ковалев

Positive Hack Days

1. Смотрим по сторонам - обычный процесс авто-тестирования 2. Убираем лишнее - реалистичный целевой процесс 3. DataDrivenTesting - создание спец. инструментов для конкретных сценариев 4. RobotFramework - что делать, если простых сценариев слишком много

От простого к сложному: автоматизируем ручные тест-планы | Сергей Тимченко

Positive Hack Days

TeamPass - управление разграничением доступа к сервисным паролям в команде | ...

Positive Hack Days

1. Описание старого процесса сбора данных о тестах: как было до, что хорошего, что плохого 2. Influxdb, как хранилище time-series данных, 3. Zabbix - мониторинг нагрузочных стендов: windows и linux агенты, активный сбор данных, autodiscovery виртуальных машин в esx 4. Grafana, как способ превратить графики и дашборды в конфетку 5. Автоматизация нагрузки от пользователей через web-UI при помощи Jmeter, отображение статистики в реальном времени, CI в Teamcity

Автоматизация нагрузочного тестирования в связке JMeter + TeamСity + Grafana ...

Positive Hack Days

1. Система мониторинга ресурсов различных отделов 2. Шаблоны и роли серверов, разграничение доступа и зон ответственности 3. ptzabbixtools - конфигурация мониторинга на целевых серверах 4. Пример встраивания системы мониторинга в процессы разработки/тестирования

Система мониторинга Zabbix в процессах разработки и тестирования | Алексей Буров

Positive Hack Days

Практические рекомендации по использованию системы TestRail | Дмитрий Рыльцов...

Positive Hack Days

vSphereTools - инструмент для автоматизации работы с vSphere | Тимур Гильмуллин

Positive Hack Days

Speakers: Alexander Timorin, Alexander Tlyapov, Gleb Gritsai This talk will feature a technical description and a detailed analysis of such popular industrial protocols as Profinet DCP, IEC 61850-8-1 (MMS), IEC 61870-5-101/104, based on case studies. We will disclose potential opportunities that those protocols provide to attackers, as well as the authentication mechanism of the Siemens proprietary protocol called S7. Besides protocols, the results of the research called Siemens Simatic WinCC will be presented. The overall component interaction architecture, HTTP protocols and interaction mechanisms, authorization and internal logic vulnerabilities will be shown. The talk will be concluded with a methodological approach to network protocol analysis, recommendation, and script release.

SCADA deep inside:protocols and software architecture

qqlan

Сообщество DevOpsHQ: идеология и инструменты | Александр Паздников

Positive Hack Days

Destaque (15)