Common Security Pitfalls in

Android Apps

Aditya Gupta Attify

Who Am i

• Founder, Attify

• Mobile Security Researcher

• Developing a secure BYOD solution for enterprises

• Co-creator of AFE (Android Framework for Exploitation)

• Upcoming tool : DroidSE

• Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan etc.

Agenda

• Security Overview of Android Apps

• Some vulnerabilities in Android Apps

• Secure Coding

Android Security Model

• Based on Linux

• Security features are derived mostly from Linux

• Application Isolation

• Each app in its own DVM

Security Overview of Android Apps

• Application Sandboxing

• Data stored in /data/data/[package-name]/

• AndroidManifest.xml plays an important role

• Permissions while accessing activities, services, content providers

Hard Coding Sensitive Info

• Have seen some apps hardcode sensitive info

• Reversing applications

• Encrypting passwords : really common

• Use protection to prevent apps from reversing

• Don't ever hardcode a sensitive info in an app.

Protecting against Reversing

Logging Sensitive Information

Logging Sensitive Information

Log.d("Facebook-authorize", "Login Success! access_token=" + getAccessToken() + " expires=" + getAccessExpires());

Leaking Content Providers

• Content Providers

• What can one application do to another

• Leakage of content providers

• By default exported

Leaking Content Providers

Dropbox

Insecure Data Storage

Android WebView vuln

• What's a Webview?

• Framing Web components into application

• Could be really useful while building applications

• Does it also allows Javascript?

Android WebView vuln

Javascript in Webviews

• Javascript is allowed in Webviews

• Javascript could be used to interact with the app's interface

• Malicious functions could be executed

Malicious functions with JS

• Could be used to send SMS or place calls

• Or to install another application

• Get a reverse shell to a remote location

• Modify file system or steal something from the device

Ad Libraries, anyone?• InMobi

• List of Exposed methods :

• makeCall

• postToSocial

• sendMail

• sendSMS

• takeCameraPicture

• getGalleryImage

Ad Libraries, anyone?

Fix it

setJavascriptEnabled(false)

SQLite Injection

• SQLite databases for storing application's data

• Storing sensitive information in databases

• Do you sanitize user input before applying SQL queries

!uname = (EditText) findViewById(R.id.username); pword = (EditText) findViewById(R.id.password); !!String getSQL = "SELECT * FROM " + tableName + " WHERE " + username + " = '" + uname + "' AND " + password + " = '" + pword + "'"; !Cursor cursor = dataBase.rawQuery(getSQL , null);

Sample Code

Insecure File Permissions

• File storing sensitive data need to have proper permissions

• Should be accessible only by the application

Android Backup Vulnerability

• Allows backup of application's data

• No root needed in the device

• Attacker could read/modify app's data and restore it back

• Default behaviour in AndroidManifest.xml

android:allowBackup="false"

Preventing Backup vulnerability

Network Traffic

Securing Android

Applications

Activities

<activity android:name=".SecureActivity" android:permission="com.example.secure.permission.START_ACTIVITY1"> </activity>

Services

<service android:name=".SecureService" android:permission="com.example.secure.permission.SecurePerm" android:enabled="true" android:exported="true"> </service>

Content Providers

<provider android.name="com.example.secure.SecureProvider" android.authorities="com.example.secure.mailprovider" android.readPermission="com.example.testapps.test1.permission.READ_DATE" android.writePermission="com.example.secure.permission.WRITE_DATA" android:grantUriPermissions="true"> !</provider>

If you don't need

android:exported = "false"

Summary

• Avoid common mistakes

• Store data in encrypted form

• Sending data through HTTP/insecure HTTPs

`

• Drop a mail at adi@attify.com