Building secure android apps
Page 1
Building Secure Android Apps
Kaushal Bhavsar
Page 2
Who am I?
• Kaushal Bhavsar
• Founder & CEO, Pratikar Technologies
• Visiting Faculty, Dept. of Computer Science (Rollwala) – Network Security in MCA V
• Pursuing PhD from CHARUSAT – Computer Security
Page 3
Know this App??
Page 4
Similar Apps
Falling Down
Super Guitar Solo
Super History Eraser
Photo Editor
Super Ringtone Maker
Chess
下坠滚球_Falldown
Falling Ball Dodge
Page 5
Basics
Vulnerability
Threat
Risk
Page 6
Basics - II
Attack Surface
Defense-in-depth
Least Privilege
Page 7
Android Architecture
Linux Kernel
Native Libraries
Application Framework
Your Apps
Page 8
Android Security Model
Application Isolation
Application Signing
Filesystem Isolation
Page 9
Application Isolation
• When an app is installed, it gets a new UID.
• All data stored by that application is assigned that same UID.
• All resources for that app are given full permissions for the app’s UID.
• Different UIDs cannot access each other’s data.
Page 10
Filesystem Isolation
• All data for the app is stored in /data/data/app_package_name
• Only the UID of that specific app can access it
• Apps sharing the same UID can access each other’s data
• Root UID can access all apps’ data!
• SD Card data is not protected!
• Files created by apps MUST have appropriate permissions
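The following helper is an added example (not code from the slides) showing the two points above in practice: app-private storage under /data/data/<package> is owned by the app's UID, while external storage is outside that model. The class name PrivateStorageExample and its method names are hypothetical; the Android APIs used (Context.openFileOutput, Context.MODE_PRIVATE, Context.getFilesDir, Context.getExternalFilesDir, android.os.Process.myUid) are real.

```java
import android.content.Context;
import android.os.Process;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Hypothetical helper (not from the slides) illustrating where app data lands
// and which location is protected by the per-app UID described above.
public final class PrivateStorageExample {

    private PrivateStorageExample() {}

    // Writes into /data/data/<package>/files, created with the app's UID and
    // owner-only permissions. MODE_PRIVATE is the only mode that should be
    // used: MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE were deprecated in
    // API 17 and throw SecurityException from API 24 (Android N) onwards.
    public static File writePrivate(Context ctx, String name, String contents) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(contents.getBytes(StandardCharsets.UTF_8));
        }
        return new File(ctx.getFilesDir(), name);
    }

    // A file created through plain java.io gets the process umask instead of
    // MODE_PRIVATE; tighten it explicitly so only the owner UID can use it.
    public static boolean restrictToOwner(File f) {
        boolean ok = f.setReadable(false, false);   // clear read for everyone
        ok &= f.setReadable(true, true);            // grant read to owner only
        ok &= f.setWritable(false, false);          // clear write for everyone
        ok &= f.setWritable(true, true);            // grant write to owner only
        return ok;
    }

    // External storage (the slide's "SD Card data") is not covered by the
    // UID isolation model; on older releases any app holding the storage
    // permission can read it. Refuse to put secrets there.
    public static boolean isOnExternalStorage(Context ctx, File f) {
        File ext = ctx.getExternalFilesDir(null);
        return ext != null && f.getAbsolutePath().startsWith(ext.getAbsolutePath());
    }

    // Handy when debugging isolation issues: which UID is this process and
    // where is its private directory?
    public static String describeOwner(Context ctx) {
        return "package " + ctx.getPackageName() + " runs as UID " + Process.myUid()
                + ", private dir " + ctx.getFilesDir().getAbsolutePath();
    }
}
```

Note that the "apps sharing the same UID" case on the slide arises from two APKs declaring the same android:sharedUserId and being signed with the same key; the root case cannot be addressed with file permissions at all, which is why sensitive data should additionally be encrypted (next slides).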
Page 11
Data Security
Stored Data
Mobile Data
Page 12
Protecting Stored Data
Cryptography
• Hashing
• Encryption
  – Symmetric
  – Asymmetric
Page 13
Protecting Mobile Data
Figure from http://technet.microsoft.com
Page 14
Input Validation
Accept Known Good
Reject Known Bad
Page 15
Command Injection
SQLiteDatabase db = dbHelper.getWritableDatabase();
String userQuery = "SELECT lastName FROM useraccounts WHERE userID = " + request.getParameter("userID");
SQLiteStatement prepStatement = db.compileStatement(userQuery);
String userLastname = prepStatement.simpleQueryForString();
Page 16
SQLiteDatabase db = dbHelper.getWritableDatabase();
String userQuery = "SELECT lastName FROM useraccounts WHERE userID = ?";
SQLiteStatement prepStatement = db.compileStatement(userQuery);
prepStatement.bindString(1, request.getParameter("userID"));
String userLastname = prepStatement.simpleQueryForString();
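The two ideas from the preceding slides, "accept known good" input validation and the bound-parameter query, combined into one class as an added example that is not part of the slides. The table and column names (useraccounts, userID, lastName) are the ones the slides use; UserLookup, parseUserId, lastNameFor and selfCheck are hypothetical names introduced here. It also handles an edge the slide code ignores: SQLiteStatement.simpleQueryForString() throws SQLiteDoneException when the query returns no row.

```java
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteDoneException;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteStatement;
import java.util.regex.Pattern;

// Illustrative class, not from the slides.
public final class UserLookup {

    // Accept known good: a user ID is 1 to 10 decimal digits and nothing
    // else. Input outside the allowlist is rejected up front, so no
    // denylist of "bad characters" ever has to be maintained.
    private static final Pattern USER_ID = Pattern.compile("^[0-9]{1,10}$");

    private final SQLiteOpenHelper dbHelper;

    public UserLookup(SQLiteOpenHelper dbHelper) {
        this.dbHelper = dbHelper;
    }

    public static long parseUserId(String raw) {
        if (raw == null || !USER_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("userID must be 1-10 digits");
        }
        return Long.parseLong(raw);
    }

    // Second layer (defense-in-depth): even validated input is bound as a
    // parameter, never concatenated into the SQL text, so SQLite treats it
    // strictly as data. Returns null when no row matches.
    public String lastNameFor(String rawUserId) {
        long userId = parseUserId(rawUserId);
        // A SELECT needs no write access: least privilege at the API level.
        SQLiteDatabase db = dbHelper.getReadableDatabase();
        SQLiteStatement stmt = db.compileStatement(
                "SELECT lastName FROM useraccounts WHERE userID = ?");
        try {
            stmt.bindLong(1, userId);
            return stmt.simpleQueryForString();
        } catch (SQLiteDoneException noRow) {
            // simpleQueryForString() throws when the query returns zero rows.
            return null;
        } finally {
            stmt.close();
        }
    }

    // Self-check of the allowlist; needs no database.
    public static boolean selfCheck() {
        boolean accepted = parseUserId("42") == 42L;
        boolean rejected;
        try {
            parseUserId("42 OR 1=1");   // what the concatenated query on page 15 would have executed
            rejected = false;
        } catch (IllegalArgumentException expected) {
            rejected = true;
        }
        return accepted && rejected;
    }
}
```

Validation and parameter binding are kept as two separate layers on purpose: the regex protects every consumer of the value (logging, file names, other queries), while binding protects this query even if someone later loosens the regex.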