Building Secure Android Apps Kaushal Bhavsar


Page 1: Building secure android apps

Building Secure Android Apps

Kaushal Bhavsar

Page 2: Building secure android apps

Who am I?

• Kaushal Bhavsar
• Founder & CEO, Pratikar Technologies
• Visiting Faculty, Dept. of Computer Science (Rollwala) – Network Security in MCA V
• Pursuing PhD from CHARUSAT – Computer Security

Page 3: Building secure android apps

Know this App??

Page 4: Building secure android apps

Similar Apps

Falling Down Super Guitar Solo

Super History Eraser

Photo Editor Super Ringtone Maker Chess

下坠滚球_Falldown

Falling Ball Dodge

Page 5: Building secure android apps

Basics

Vulnerability

Threat

Risk

Page 6: Building secure android apps

Basics - II

Attack Surface

Defense-in-depth

Least Privilege

Page 7: Building secure android apps

Android Architecture

Linux Kernel

Native Libraries

Application Framework

Your Apps

Page 8: Building secure android apps

Android Security Model

Application Isolation

Application Signing

Filesystem Isolation

Page 9: Building secure android apps

Application Isolation

• When an app is installed, it gets a new UID.
• All data stored by that application is assigned that same UID.
• All resources for that app are given full permissions for the app’s UID.
• Different UIDs can not access each other’s data.

Page 10: Building secure android apps

Filesystem Isolation

• All data for the app is stored in /data/data/app_package_name
• Only the UID of that specific app can access it
• Apps with the same UID can access each other’s data
• Root UID can access all apps’ data!
• SD Card data is not protected!
• Files created by apps MUST have appropriate permissions

Page 11: Building secure android apps

Data Security

Stored Data

Mobile Data

Page 12: Building secure android apps

Protecting Stored Data

Cryptography

Hashing

Encryption

Symmetric

Asymmetric

Page 13: Building secure android apps

Protecting Mobile Data

Figure from http://technet.microsoft.com

Page 14: Building secure android apps

Input Validation

Accept Known Good

Reject Known Bad

Page 15: Building secure android apps

Command Injection

// Vulnerable: the untrusted userID parameter is concatenated into the SQL text
SQLiteDatabase db = dbHelper.getWritableDatabase();
String userQuery = "SELECT lastName FROM useraccounts WHERE userID = " + request.getParameter("userID");
SQLiteStatement prepStatement = db.compileStatement(userQuery);
String userLastname = prepStatement.simpleQueryForString();

Page 16: Building secure android apps

// Fixed: the SQL text is constant and the parameter is bound to the "?" placeholder
SQLiteDatabase db = dbHelper.getWritableDatabase();
String userQuery = "SELECT lastName FROM useraccounts WHERE userID = ?";
SQLiteStatement prepStatement = db.compileStatement(userQuery);
prepStatement.bindString(1, request.getParameter("userID"));
String userLastname = prepStatement.simpleQueryForString();
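As an added example that is not part of the slides, the fixed query above combined with the "Accept Known Good" rule from the Input Validation slide, written against the Android SQLite API; the table and column names come from the slide, while the UserLookup class, its method names and the digits-only ID format are assumptions.

```java
// Added example (not from the slides): allow-list validation of the userID
// parameter plus a bound parameter in the SQLite query, using the Android
// SQLite APIs. "useraccounts", "userID" and "lastName" are taken from the
// slides; UserLookup, its methods and the ID format are assumed.
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteDoneException;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteStatement;

public final class UserLookup {
    private final SQLiteOpenHelper dbHelper;

    public UserLookup(SQLiteOpenHelper dbHelper) {
        this.dbHelper = dbHelper;
    }

    /** "Accept known good": a user ID is 1 to 9 ASCII digits, nothing else (assumed format). */
    static boolean isValidUserId(String raw) {
        return raw != null && raw.matches("[0-9]{1,9}");
    }

    /**
     * Returns the last name for the given user ID, or null when the ID is
     * malformed or no such row exists. The ID never becomes part of the SQL
     * text: it is bound to the "?" placeholder, so SQLite treats it as a
     * literal value rather than as part of the statement.
     */
    public String lastNameFor(String rawUserId) {
        if (!isValidUserId(rawUserId)) {
            return null;  // reject known-bad input before touching the database
        }
        // Least privilege: a read-only lookup does not need a writable handle
        SQLiteDatabase db = dbHelper.getReadableDatabase();
        SQLiteStatement stmt = db.compileStatement(
                "SELECT lastName FROM useraccounts WHERE userID = ?");
        try {
            stmt.bindString(1, rawUserId);
            return stmt.simpleQueryForString();
        } catch (SQLiteDoneException noRow) {
            // simpleQueryForString throws when the query returns no row
            return null;
        } finally {
            stmt.close();
        }
    }
}
```

The validation step is an additional defense-in-depth layer; the bound parameter alone already keeps the input out of the SQL text.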

Page 17: Building secure android apps

Thank you!

[email protected]