Android Security - Common Security Pitfalls in Android Applications


Aditya Gupta from Attify talks about the common security pitfalls in Android apps.

Text of Android Security - Common Security Pitfalls in Android Applications

1. Common Security Pitfalls in Android Apps
   Aditya Gupta, Attify

2. Who Am I
   • Founder, Attify
   • Mobile Security Researcher
   • Developing a secure BYOD solution for enterprises
   • Co-creator of AFE (Android Framework for Exploitation)
   • Upcoming tool: DroidSE
   • Speaker/Trainer at BlackHat, Toorcon, ClubHack, Nullcon, OWASP AppSec, Syscan etc.

3. Agenda
   • Security overview of Android apps
   • Some vulnerabilities in Android apps
   • Secure coding

4. Android Security Model
   • Based on Linux
   • Security features are derived mostly from Linux
   • Application isolation
   • Each app runs in its own DVM

5. Security Overview of Android Apps
   • Application sandboxing
   • Data stored in /data/data/[package-name]/
   • AndroidManifest.xml plays an important role
   • Permissions while accessing activities, services, content providers

6. Hard Coding Sensitive Info
   • Have seen some apps hardcode sensitive info
   • Reversing applications
   • Encrypting passwords: really common
   • Use protection to prevent apps from being reversed
   • Don't ever hardcode sensitive info in an app.

7. Protecting against Reversing

8. Logging Sensitive Information

9. Logging Sensitive Information

       Log.d("Facebook-authorize", "Login Success! access_token=" + getAccessToken() + " expires=" + getAccessExpires());

10. Leaking Content Providers
   • Content providers
   • What can one application do to another?
   • Leakage of content providers
   • Exported by default

11. Leaking Content Providers

12. Dropbox

13. Insecure Data Storage

14. Android WebView Vuln
   • What's a WebView?

15. Android WebView Vuln
   • Framing web components into an application
   • Could be really useful while building applications
   • Does it also allow JavaScript?

16. JavaScript in WebViews
   • JavaScript is allowed in WebViews
   • JavaScript could be used to interact with the app's interface
   • Malicious functions could be executed

17. Malicious Functions with JS
   • Could be used to send SMS or place calls
   • Or to install another application
   • Get a reverse shell to a remote location
   • Modify the file system or steal something from the device

18. Ad Libraries, anyone?
   • InMobi
   • List of exposed methods: makeCall, postToSocial, sendMail, sendSMS, takeCameraPicture, getGalleryImage

19. Ad Libraries, anyone?

20. Fix it
   • setJavaScriptEnabled(false)

21. SQLite Injection
   • SQLite databases for storing the application's data
   • Storing sensitive information in databases
   • Do you sanitize user input before applying SQL queries?

22. Sample Code

       // The view ids were not legible on the slide and are left elided here.
       uname = (EditText) findViewById(/* id elided on slide */);
       pword = (EditText) findViewById(/* id elided on slide */);

       // User-controlled text is concatenated straight into the SQL statement.
       String getSQL = "SELECT * FROM " + tableName + " WHERE " + username + " = '"
               + uname.getText().toString() + "' AND " + password + " = '"
               + pword.getText().toString() + "'";
       Cursor cursor = dataBase.rawQuery(getSQL, null);

23. Insecure File Permissions
   • Files storing sensitive data need to have proper permissions
   • Should be accessible only by the application

24. Android Backup Vulnerability
   • Allows backup of the application's data
   • No root needed on the device
   • Attacker could read/modify the app's data and restore it back
   • Default behaviour in AndroidManifest.xml

25. Preventing the Backup Vulnerability
   • android:allowBackup="false"

26. Network Traffic

27. Securing Android Applications

28. Activities

29. Services

30. Content Providers

31. If you don't need it
   • android:exported="false"

32. Summary
   • Avoid common mistakes
   • Store data in encrypted form
   • Sending data through HTTP/insecure HTTPS

33. Drop a mail at
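The SQLite injection case from slide 22, as an added example that is not part of the original deck: the concatenated query next to the same lookup done with bound parameters, which is the fix the slide implies. The table and column names (`users`, `username`, `password`) are assumed for illustration.

```java
// Added example, not from the slides. Table/column names are assumed.
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

public final class LoginQueries {
    private static final String TABLE = "users"; // assumed table name

    // Vulnerable (as on slide 22): user text is spliced into the SQL string,
    // so a quote in the input changes the statement instead of being data.
    static Cursor findUserUnsafe(SQLiteDatabase db, String uname, String pword) {
        String sql = "SELECT * FROM " + TABLE + " WHERE username = '" + uname
                + "' AND password = '" + pword + "'";
        return db.rawQuery(sql, null);
    }

    // Hardened: '?' placeholders are bound by SQLite via selectionArgs, so the
    // input cannot alter the statement; an embedded quote is just a character.
    static Cursor findUserSafe(SQLiteDatabase db, String uname, String pword) {
        String sql = "SELECT * FROM " + TABLE + " WHERE username = ? AND password = ?";
        return db.rawQuery(sql, new String[] { uname, pword });
    }

    // Same lookup through query(), which assembles the statement and binds
    // the arguments for you; prefer this over hand-built SQL strings.
    static Cursor findUserSafeQuery(SQLiteDatabase db, String uname, String pword) {
        return db.query(TABLE, null, "username = ? AND password = ?",
                new String[] { uname, pword }, null, null, null);
    }
}
```

Binding parameters only removes the injection; the plaintext password comparison the slide shows still conflicts with the deck's own advice to store data in encrypted form.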