Aditya Gupta from Attify talking about what are the common security pitfalls in android apps
Common Security Pitfalls in Android Apps
Aditya Gupta Attify
Who Am I
• Founder, Attify
• Mobile Security Researcher
• Developing a secure BYOD solution for enterprises
• Co-creator of AFE (Android Framework for Exploitation)
• Upcoming tool: DroidSE
• Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan etc.
Agenda
• Security Overview of Android Apps
• Some vulnerabilities in Android Apps
• Secure Coding
Android Security Model
• Based on Linux
• Security features are derived mostly from Linux
• Application Isolation
• Each app in its own DVM
Security Overview of Android Apps
• Application Sandboxing
• Data stored in /data/data/[package-name]/
• AndroidManifest.xml plays an important role
• Permissions while accessing activities, services, content providers
Hard Coding Sensitive Info
• Have seen some apps hardcode sensitive info
• Reversing applications
• Encrypting hardcoded passwords: really common
• Use protection to make the app harder to reverse
• Don't ever hardcode sensitive info in an app.
Protecting against Reversing
Logging Sensitive Information
Log.d("Facebook-authorize", "Login Success! access_token=" + getAccessToken() + " expires=" + getAccessExpires());
Leaking Content Providers
• Content Providers
• What can one application do to another
• Leakage of content providers
• By default exported
Leaking Content Providers
Dropbox
Insecure Data Storage
Android WebView vuln
• What's a Webview?
• Framing Web components into application
• Could be really useful while building applications
• Does it also allow JavaScript?
Javascript in Webviews
• Javascript is allowed in Webviews
• Javascript could be used to interact with the app's interface
• Malicious functions could be executed
Malicious functions with JS
• Could be used to send SMS or place calls
• Or to install another application
• Get a reverse shell to a remote location
• Modify file system or steal something from the device
Ad Libraries, anyone?
• InMobi
• List of Exposed methods :
• makeCall
• postToSocial
• sendMail
• sendSMS
• takeCameraPicture
• getGalleryImage
Fix it
webView.getSettings().setJavaScriptEnabled(false);
SQLite Injection
• SQLite databases for storing application's data
• Storing sensitive information in databases
• Do you sanitize user input before applying SQL queries?
Sample Code
// Vulnerable: user-controlled text is concatenated straight into the SQL string
EditText uname = (EditText) findViewById(R.id.username);
EditText pword = (EditText) findViewById(R.id.password);
// username and password hold the column names, tableName the table
String getSQL = "SELECT * FROM " + tableName
        + " WHERE " + username + " = '" + uname.getText().toString()
        + "' AND " + password + " = '" + pword.getText().toString() + "'";
Cursor cursor = dataBase.rawQuery(getSQL, null);
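The same login lookup written both ways, as an added example that is not from the slides: the injectable concatenation next to the fix, which keeps the SQL text constant and passes user input only as bound parameters. It assumes an already opened SQLiteDatabase and a hypothetical `users` table with `username` and `password` columns.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Added example (assumed schema): table `users` with columns `username`, `password`.
public final class LoginDao {
    private final SQLiteDatabase db;

    public LoginDao(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: the typed values become part of the SQL text, so a quote
    // in the input changes the structure of the WHERE clause.
    public boolean loginUnsafe(String user, String pass) {
        String sql = "SELECT * FROM users WHERE username = '" + user
                + "' AND password = '" + pass + "'";
        Cursor c = db.rawQuery(sql, null);
        try {
            return c.getCount() > 0;
        } finally {
            c.close();
        }
    }

    // FIXED: the statement is a constant; input travels only through the
    // `?` placeholders as selectionArgs and is never parsed as SQL.
    public boolean loginSafe(String user, String pass) {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        Cursor c = db.rawQuery(sql, new String[] { user, pass });
        try {
            return c.getCount() > 0;
        } finally {
            c.close();
        }
    }

    // Equivalent fix with the query() builder, which also binds selectionArgs.
    public boolean loginSafeQueryBuilder(String user, String pass) {
        Cursor c = db.query("users", new String[] { "username" },
                "username = ? AND password = ?", new String[] { user, pass },
                null, null, null);
        try {
            return c.getCount() > 0;
        } finally {
            c.close();
        }
    }
}
```

Storing a salted password hash instead of the plain password and comparing against that is the other half of the fix, but the binding shown is what removes the injection.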
Insecure File Permissions
• Files storing sensitive data need to have proper permissions
• Should be accessible only by the application
Android Backup Vulnerability
• Allows backup of application's data
• No root needed in the device
• Attacker could read/modify app's data and restore it back
• Default behaviour: backups are allowed unless AndroidManifest.xml says otherwise
Preventing Backup vulnerability
android:allowBackup="false"
Network Traffic
Securing Android Applications
Activities
<activity android:name=".SecureActivity" android:permission="com.example.secure.permission.START_ACTIVITY1"> </activity>
Services
<service android:name=".SecureService" android:permission="com.example.secure.permission.SecurePerm" android:enabled="true" android:exported="true"> </service>
Content Providers
<provider android:name="com.example.secure.SecureProvider" android:authorities="com.example.secure.mailprovider" android:readPermission="com.example.testapps.test1.permission.READ_DATE" android:writePermission="com.example.secure.permission.WRITE_DATA" android:grantUriPermissions="true"> </provider>
If a component doesn't need to be reachable from other apps
android:exported="false"
Summary
• Avoid common mistakes
• Store data in encrypted form
• Don't send data over HTTP or insecure HTTPS