Aditya Gupta from Attify talks about the common security pitfalls in Android apps.
Common Security Pitfalls in Android Apps
Aditya Gupta, Attify
Who Am I
• Founder, Attify
• Mobile Security Researcher
• Developing a secure BYOD solution for enterprises
• Co-creator of AFE (Android Framework for Exploitation)
• Upcoming tool: DroidSE
• Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan etc.
Agenda
• Security Overview of Android Apps
• Some vulnerabilities in Android Apps
• Secure Coding
Android Security Model
• Based on Linux
• Security features are derived mostly from Linux
• Application Isolation
• Each app in its own DVM
Security Overview of Android Apps
• Application Sandboxing
• Data stored in /data/data/[package-name]/
• AndroidManifest.xml plays an important role
• Permissions are enforced when accessing activities, services and content providers
Hard Coding Sensitive Info
• Have seen some apps hardcode sensitive info
• Reversing applications
• Encrypting passwords : really common
• Use protection to prevent apps from being reversed
• Don't ever hardcode sensitive info in an app.
Protecting against Reversing
Logging Sensitive Information
Log.d("Facebook-authorize", "Login Success! access_token=" + getAccessToken() + " expires=" + getAccessExpires());
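The pitfall on this slide beside a version that keeps the log line but drops the secret. This is an added example, not code from the talk; everything except android.util.Log (the class name, the redact helper, and the debugBuild flag, which a real app would take from BuildConfig.DEBUG) is an assumption.

```java
import android.util.Log;

// Added example, not from the slides. The slide's Log.d call writes the OAuth
// access token into logcat, which is readable over adb and, on old Android
// versions, by any app holding READ_LOGS. The pattern below keeps the event
// and drops the secret. Names other than Log are assumptions.
public final class AuthLogging {
    private static final String TAG = "Facebook-authorize";

    // The pitfall: the secret itself ends up in the log.
    static String leakyMessage(String accessToken, long expires) {
        String msg = "Login Success! access_token=" + accessToken + " expires=" + expires;
        Log.d(TAG, msg);
        return msg;
    }

    // The fix: log that login happened, never the token, and only in debug builds
    // (debugBuild would normally be BuildConfig.DEBUG in a real app).
    static String safeMessage(String accessToken, long expires, boolean debugBuild) {
        String msg = "Login Success! access_token=" + redact(accessToken) + " expires=" + expires;
        if (debugBuild) {
            Log.d(TAG, msg);
        }
        return msg;
    }

    // Keep a short prefix and the length so log lines can still be correlated
    // with a session without exposing a usable credential.
    static String redact(String secret) {
        if (secret == null || secret.isEmpty()) {
            return "<empty>";
        }
        int keep = Math.min(4, secret.length());
        return secret.substring(0, keep) + "...(" + secret.length() + " chars)";
    }
}
```

For release builds, a ProGuard rule such as `-assumenosideeffects class android.util.Log { public static *** d(...); }` removes the debug logging calls entirely, so a forgotten Log.d cannot leak in production even if the debugBuild guard is missed.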
Leaking Content Providers
• Content Providers
• What can one application do to another
• Leakage of content providers
• By default exported
Leaking Content Providers
Dropbox
Insecure Data Storage
Android WebView vuln
• What's a Webview?
• Framing Web components into application
• Could be really useful while building applications
• Does it also allow JavaScript?
Javascript in Webviews
• Javascript is allowed in Webviews
• Javascript could be used to interact with the app's interface
• Malicious functions could be executed
Malicious functions with JS
• Could be used to send SMS or place calls
• Or to install another application
• Get a reverse shell to a remote location
• Modify file system or steal something from the device
Ad Libraries, anyone?
• InMobi
• List of Exposed methods :
• makeCall
• postToSocial
• sendMail
• sendSMS
• takeCameraPicture
• getGalleryImage
Fix it
webView.getSettings().setJavaScriptEnabled(false);
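The slide's fix, and what to do when JavaScript cannot simply be switched off, as an added example (not code from the talk). The only Android APIs used are WebSettings, WebView, WebViewClient, @JavascriptInterface and Uri; the class names, the TRUSTED_HOST value and the Bridge method are assumptions.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example, not from the slides. Shows the slide's fix (JavaScript off)
// and, where JavaScript is unavoidable, how to keep a bridge object narrow
// and pin the WebView to one HTTPS host. TRUSTED_HOST is a constructed value.
public final class SafeWebView {
    private static final String TRUSTED_HOST = "example.com";

    // 1. The slide's fix: if the page does not need JavaScript, turn it off.
    static void configureStatic(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);
        s.setAllowFileAccess(false);    // web content cannot read file:// URLs
        s.setAllowContentAccess(false); // nor content:// URIs (content providers)
        webView.setWebViewClient(new HostPinningClient());
    }

    // 2. If JavaScript is unavoidable, limit what it can reach.
    @SuppressLint("SetJavaScriptEnabled")
    static void configureWithJs(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        // Drop the bridge that older Android versions inject by default.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.addJavascriptInterface(new Bridge(), "app");
        webView.setWebViewClient(new HostPinningClient());
    }

    // On API 17+ only methods annotated @JavascriptInterface are callable from
    // page JavaScript; everything else on the object stays out of reach. The
    // bridge exposes nothing that touches SMS, calls, files or the camera.
    static final class Bridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }
    }

    // Refuse navigations to anything but https://TRUSTED_HOST. Returning true
    // tells the WebView that the app handled the URL, i.e. it is not loaded.
    static final class HostPinningClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return !isTrusted(url);
        }
    }

    static boolean isTrusted(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && TRUSTED_HOST.equalsIgnoreCase(u.getHost());
    }
}
```

shouldOverrideUrlLoading is only consulted for navigations initiated from page content, so the URL passed to the initial loadUrl call must itself be checked with isTrusted before loading.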
SQLite Injection
• SQLite databases for storing application's data
• Storing sensitive information in databases
• Do you sanitize user input before building SQL queries?
Sample Code
uname = (EditText) findViewById(R.id.username);
pword = (EditText) findViewById(R.id.password);
// User-controlled text is spliced straight into the SQL string: injectable.
String getSQL = "SELECT * FROM " + tableName + " WHERE " + username + " = '" + uname.getText().toString() + "' AND " + password + " = '" + pword.getText().toString() + "'";
Cursor cursor = dataBase.rawQuery(getSQL, null);
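The same lookup with the user-supplied values bound as parameters instead of concatenated, as an added example (not the talk's code). SQLiteDatabase.rawQuery and SQLiteDatabase.query are real Android APIs; the class, table and column names are assumptions.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Added example, not from the slides. The slide's query is built by string
// concatenation; here the SQL text is constant and values travel as bound
// arguments, so a quote in the input cannot change the query's structure.
public final class LoginDao {
    // Table and column names are program constants, never user input.
    private static final String TABLE = "users";
    private static final String COL_USER = "username";
    private static final String COL_PASS = "password";

    // The pitfall, kept for comparison: user-controlled strings spliced into SQL.
    static String buildLeakyQuery(String uname, String pword) {
        return "SELECT * FROM " + TABLE + " WHERE " + COL_USER + " = '" + uname
                + "' AND " + COL_PASS + " = '" + pword + "'";
    }

    // The fix: placeholders in the SQL, values in selectionArgs.
    static Cursor findUser(SQLiteDatabase db, String uname, String pword) {
        String sql = "SELECT * FROM " + TABLE + " WHERE " + COL_USER + " = ? AND " + COL_PASS + " = ?";
        return db.rawQuery(sql, new String[] { uname, pword });
    }

    // Equivalent using the query() builder, which assembles the same
    // parameterised statement without any hand-written SQL.
    static Cursor findUserViaBuilder(SQLiteDatabase db, String uname, String pword) {
        return db.query(TABLE, null, COL_USER + " = ? AND " + COL_PASS + " = ?",
                new String[] { uname, pword }, null, null, null);
    }
}
```

Binding fixes the injection; it does not change the fact that the table compares a stored password, which per the Summary slide should be held in encrypted or hashed form rather than in clear text.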
Insecure File Permissions
• Files storing sensitive data need to have proper permissions
• Should be accessible only by the application
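Writing a file under /data/data/[package-name]/ so that only the app itself can read it, plus an audit check for files that have been left readable by other apps. This is an added example, not code from the talk; Context.openFileOutput, android.system.Os and OsConstants are real Android APIs (the stat check needs API 21+), while the class and method names are assumptions.

```java
import android.content.Context;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example, not from the slides. Contrasts a world-readable file with a
// private one and adds a check that can be run over the app's files directory.
public final class PrivateFiles {
    // The pitfall: MODE_WORLD_READABLE lets every app on the device read the
    // file. It is deprecated and throws SecurityException from API 24 onwards.
    @SuppressWarnings("deprecation")
    static void writeWorldReadable(Context ctx, String name, String data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_WORLD_READABLE)) {
            out.write(data.getBytes(StandardCharsets.UTF_8));
        }
    }

    // The fix: MODE_PRIVATE creates the file under /data/data/<package>/files/
    // owned by the app's own uid and gid, with no permission bits for others.
    static File writePrivate(Context ctx, String name, String data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data.getBytes(StandardCharsets.UTF_8));
        }
        return new File(ctx.getFilesDir(), name);
    }

    // Audit helper: true if "other" has any read, write or execute bit set,
    // i.e. the file is reachable by apps running under a different uid.
    static boolean isExposedToOtherApps(File f) throws ErrnoException {
        int mode = Os.stat(f.getAbsolutePath()).st_mode;
        return (mode & OsConstants.S_IRWXO) != 0;
    }

    // Walk the app's files directory and report every exposed file.
    static int countExposedFiles(Context ctx) throws ErrnoException {
        int exposed = 0;
        File[] files = ctx.getFilesDir().listFiles();
        if (files == null) {
            return 0;
        }
        for (File f : files) {
            if (isExposedToOtherApps(f)) {
                exposed++;
            }
        }
        return exposed;
    }
}
```

Files written to external storage are outside this check entirely: anything on the shared storage area is readable by other apps regardless of the mode flag, so sensitive data should never go there.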
Android Backup Vulnerability
• Allows backup of application's data
• No root needed in the device
• An attacker could read/modify the app's data and restore it
• This is the default behaviour in AndroidManifest.xml
Preventing Backup vulnerability
android:allowBackup="false"
Network Traffic
Securing Android Applications
Activities
<activity android:name=".SecureActivity" android:permission="com.example.secure.permission.START_ACTIVITY1"> </activity>
Services
<service android:name=".SecureService" android:permission="com.example.secure.permission.SecurePerm" android:enabled="true" android:exported="true"> </service>
Content Providers
<provider android:name="com.example.secure.SecureProvider" android:authorities="com.example.secure.mailprovider" android:readPermission="com.example.testapps.test1.permission.READ_DATE" android:writePermission="com.example.secure.permission.WRITE_DATA" android:grantUriPermissions="true"> </provider>
If you don't need a component to be reachable from other apps:
android:exported="false"
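A manifest that applies the slides' advice together: the custom permissions the activity, service and provider snippets refer to are actually declared (with signature protection level, so only apps signed with the same key can hold them), components that other apps do not need are not exported, the content provider leak from the earlier slides is closed with android:exported="false", and the backup slide's android:allowBackup="false" is set on the application. This is an added example, not the talk's own manifest; the component names and the READ_DATA/WRITE_DATA permission names are assumptions.

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.secure">

    <!-- Declare the permissions the protected components require. The
         signature level means only apps signed with the same certificate
         can be granted them. -->
    <permission
        android:name="com.example.secure.permission.START_ACTIVITY1"
        android:protectionLevel="signature" />
    <permission
        android:name="com.example.secure.permission.READ_DATA"
        android:protectionLevel="signature" />
    <permission
        android:name="com.example.secure.permission.WRITE_DATA"
        android:protectionLevel="signature" />

    <!-- allowBackup="false" closes the adb backup/restore path from the slides. -->
    <application
        android:allowBackup="false"
        android:label="Secure">

        <!-- Internal-only activity: not reachable from other apps at all. -->
        <activity
            android:name=".InternalActivity"
            android:exported="false" />

        <!-- Activity that other apps may start, gated by the custom permission. -->
        <activity
            android:name=".SecureActivity"
            android:exported="true"
            android:permission="com.example.secure.permission.START_ACTIVITY1" />

        <!-- Service used only inside this app. -->
        <service
            android:name=".SecureService"
            android:exported="false" />

        <!-- Content provider kept private: no other app can query the data
             under /data/data/com.example.secure/ through it. -->
        <provider
            android:name="com.example.secure.SecureProvider"
            android:authorities="com.example.secure.mailprovider"
            android:exported="false" />

        <!-- If sharing really is required, export the provider but require a
             permission per operation and do not hand out URI grants. -->
        <provider
            android:name="com.example.secure.SharedProvider"
            android:authorities="com.example.secure.sharedprovider"
            android:exported="true"
            android:readPermission="com.example.secure.permission.READ_DATA"
            android:writePermission="com.example.secure.permission.WRITE_DATA"
            android:grantUriPermissions="false" />
    </application>
</manifest>
```

For apps targeting API levels below 17 a provider with no android:exported attribute is exported by default, which is the leak the Dropbox slide refers to, so the attribute should always be written out explicitly rather than relied on.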
Summary
• Avoid common mistakes
• Store data in encrypted form
• Don't send data over HTTP or insecure HTTPS