Building Secure Android Apps
Kaushal Bhavsar
Who am I?
• Kaushal Bhavsar
• Founder & CEO, Pratikar Technologies
• Visiting Faculty, Dept. of Computer Science,
  (Rollwala)
  – Network Security in MCA V
• Pursuing PhD from CHARUSAT
  – Computer Security
Know this App??
Similar Apps
• Super Guitar Solo
• Super History Eraser
• Falling Down
• Super Ringtone Maker
• Photo Editor
• Chess
• Falling Ball Dodge
• 下坠滚球_Falldown
Basics
• Vulnerability
• Risk
• Threat
Basics - II
• Attack Surface
• Defense-in-depth
• Least Privilege
Android Architecture (top layer to bottom layer)
• Your Apps
• Application Framework
• Native Libraries
• Linux Kernel
Android Security Model
• Application Isolation
• Application Signing
• Filesystem Isolation
Application Isolation
• When an app is installed, it gets a new UID.
• All data stored by that application is assigned that same UID.
• All resources for that app are given full permissions for the app’s UID.
• Different UIDs cannot access each other’s data.
Filesystem Isolation
• All data for the app is stored in /data/data/app_package_name
• Only the UID of that specific app can access it
• Apps with the same UID can access each other’s data
• Root UID can access all apps’ data!
• SD Card data is not protected!
• Files created by apps MUST have appropriate permissions
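The per-UID isolation above only holds while files under /data/data/app_package_name keep their restrictive mode bits. This added check (not from the slides) parses constructed, simplified `ls -l`-style output with numeric ids and flags entries that break the model: world-readable or world-writable files, and files owned by a UID other than the app's own; the directory listing, UIDs and paths are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample of a simplified `ls -l` listing (numeric uid/gid, no date
# columns) for a hypothetical app whose assigned UID is 10123.
SAMPLE_LS = """\
-rw------- 1 10123 10123   512 shared_prefs/settings.xml
-rw-rw-rw- 1 10123 10123  4096 databases/users.db
-rw-r--r-- 1 10123 10123   128 files/token.txt
-rw------- 1 10124 10124    64 files/other_app_cache
drwx------ 2 10123 10123  4096 cache
"""

# type, 9 permission chars, link count, uid, gid, size, path
LS_LINE = re.compile(
    r"^(?P<perm>[-dl][rwx-]{9})\s+\d+\s+(?P<uid>\d+)\s+(?P<gid>\d+)"
    r"\s+\d+\s+(?P<path>\S+)$"
)


@dataclass
class Finding:
    path: str
    reason: str


def audit_app_dir(ls_output: str, app_uid: int) -> list[Finding]:
    """Return every entry whose mode bits or owner defeat per-UID isolation.

    'other' bits (chars 7-9 of the mode string) grant access to every UID on
    the device, which is exactly what the Android model is meant to prevent.
    """
    findings: list[Finding] = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # skip 'total N' lines or anything we cannot parse
        perm, uid, path = m["perm"], int(m["uid"]), m["path"]
        other_bits = perm[7:10]
        if "w" in other_bits:
            findings.append(Finding(path, "world-writable"))
        elif "r" in other_bits:
            findings.append(Finding(path, "world-readable"))
        if uid != app_uid:
            findings.append(
                Finding(path, f"owned by uid {uid}, not app uid {app_uid}")
            )
    return findings


if __name__ == "__main__":
    for f in audit_app_dir(SAMPLE_LS, app_uid=10123):
        print(f"{f.path}: {f.reason}")
```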
Data Security
• Stored Data
• Mobile Data
Protecting Stored Data
• Cryptography
  – Hashing
  – Encryption
    • Symmetric
    • Asymmetric
Protecting Mobile Data
Figure from http://technet.microsoft.com
Input Validation
• Accept Known Good
• Reject Known Bad
Command Injection

    // Vulnerable: the request parameter is concatenated into the SQL text,
    // so whatever the caller sends is parsed as SQL, not treated as a value.
    SQLiteDatabase db = dbHelper.getWritableDatabase();

    String userQuery = "SELECT lastName FROM useraccounts WHERE userID = "
        + request.getParameter("userID");

    SQLiteStatement prepStatement = db.compileStatement(userQuery);

    String userLastname = prepStatement.simpleQueryForString();

    // Fixed: a "?" placeholder is compiled first and the parameter is bound
    // afterwards, so it can only ever be compared as a value.
    SQLiteDatabase db = dbHelper.getWritableDatabase();

    String userQuery = "SELECT lastName FROM useraccounts WHERE userID = ?";

    SQLiteStatement prepStatement = db.compileStatement(userQuery);

    prepStatement.bindString(1, request.getParameter("userID"));

    String userLastname = prepStatement.simpleQueryForString();
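To make the difference between the two snippets observable without a device, this added example (not from the slides) runs both query shapes against the same SQLite engine Android uses, via Python's sqlite3 module, and layers the "accept known good" rule from the Input Validation slide on top of parameter binding. The `useraccounts` rows are constructed; `lookup_validated` and its digit-only rule are assumptions of this example, not Android API.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table mirroring the slide's `useraccounts`."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE useraccounts (userID INTEGER PRIMARY KEY, lastName TEXT)"
    )
    con.executemany(
        "INSERT INTO useraccounts VALUES (?, ?)",
        [(1, "Bhavsar"), (2, "Admin"), (3, "Shah")],
    )
    return con


def lookup_concat(con: sqlite3.Connection, user_id: str) -> list[str]:
    """Vulnerable form: the parameter becomes part of the SQL text, so any
    SQL syntax in it changes what the statement means."""
    sql = "SELECT lastName FROM useraccounts WHERE userID = " + user_id
    return [row[0] for row in con.execute(sql)]


def lookup_bound(con: sqlite3.Connection, user_id: str) -> list[str]:
    """Hardened form, equivalent to compileStatement + bindString(1, ...):
    the statement is compiled with a '?' and the value is supplied separately,
    so it is only ever compared, never parsed."""
    sql = "SELECT lastName FROM useraccounts WHERE userID = ?"
    return [row[0] for row in con.execute(sql, (user_id,))]


# 'Accept known good': a userID is a short decimal string and nothing else.
USER_ID_OK = re.compile(r"^[0-9]{1,10}$")


def lookup_validated(con: sqlite3.Connection, user_id: str) -> list[str]:
    """Input validation in front of binding: reject anything that is not a
    well-formed id before it reaches the database at all."""
    if not USER_ID_OK.match(user_id):
        raise ValueError("userID must be a decimal integer")
    return lookup_bound(con, user_id)


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "2"), lookup_bound(db, "2"))
    # Same non-numeric input: concatenation changes the query, binding does not.
    print(lookup_concat(db, "2 OR 1=1"), lookup_bound(db, "2 OR 1=1"))
```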
Thank you!
kaushal@pratikar.com
