droidcon eastern europe 2013 - how secure is an android app

How secure is an Android app? by MARIUS MAILAT

Upload: marius-mailat

Post on 22-Nov-2014

DESCRIPTION

Insight into how safe the Romanian banking apps you use daily are. Even though this is meant to be a presentation, Marius will show you how you can secure your apps from curious eyes. The short presentation was given at IMworld 2013, and at Droidcon 2013 it was backed up with a workshop.

TRANSCRIPT

Page 1: Droidcon Eastern Europe 2013 - How secure is an Android app

How secure is an Android app?

by MARIUS MAILAT

Page 2: Who is Marius?

Page 3: Who is Marius?

1. Founder of dev community - Androider
2. Android trainer - Marakana, Androider
3. Partner and CTO - Appseleration
4. Partner and co-founder - AppsRise.com

Page 4: Agenda

Page 5: Agenda

1. Last year message vs this year approach
2. How safe are your daily apps?
3. Dissect the most popular RO banking apps
4. Security guidelines for Android?
5. How to secure your Android apps?

Page 6: Last year message vs this year approach

Page 7: Last year message vs this year approach

Last year message: You are a code artist! Programming as an intellectual activity allows you to create interactive art.

This year approach: You are a code artist, but your art is stolen! My code art was decompiled, repacked/altered with new code and was sold as genuine art! I love my art, I hate thieves!

Page 8: How safe are your daily apps?

Page 9: How safe are your daily apps?

Page 10: Mobile threats on Android

1. Advertising over malware
2. Direct payoff SMS
3. Destructive attacks on sensitive data
4. Information scavengers
5. Premeditated spying on location and info

Page 11: Droidcon Eastern Europe 2013 - How secure is an Android app

BU HU HU

Page 12: Dissect the most popular Android banking apps

Page 13: How to scoop inside an Android app?

1. $ apktool d BANK.apk
2. $ jar xvf BANK.apk classes.dex
3. $ dex2jar.sh classes.dex
4. > open JD-GUI
5. Try alternatives: Dare, ded, dexdump etc.

Page 14: Do we have Romanian banking apps?

Page 15: Facts: Android banking apps?

Downloads        Comments  Rating  Url
50,000-100,000   429       3,7     http://goo.gl/oV7Pl0
10,000-50,000    749       3,8     http://goo.gl/8AVwS
10,000-50,000    210       3,6     http://goo.gl/p8BRwK
10,000-50,000    270       4,0     http://goo.gl/FDN0ox
1,000-5,000      41        3,8     http://goo.gl/8FRN5q
1,000-5,000      39        3,1     http://goo.gl/oQWbsM
1,000-5,000      22        3,6     http://goo.gl/TLuHBk
500-1,000        27        4,1     http://goo.gl/zpWLkP

Page 16: How I calculate the BU HU HU score?

Criteria: DB, SSL, Persistence, Permissions, Server, Weird code. BU HU HU score: 0 = bad, 10 = excellent.

Marks       | Notes                                          | Verdict
- - - + + - | no fragments, old style code                   | Almost weird
- -         | Hybrid app, WebView with pre-Java code         | Totally weird
- - -       | Unsecure server, PHP                           | Kind of mix of weird & complex
+ +         | Own weird cache mechanism, no logging class    | Readable
- -         | XML parsing done on table dance                | Ugly but nice
- - -       | Many libs, bump lib :), hybrid again           | Hybrid pseudo native
- - - - -   | Again PhoneGap                                 | load HTML?!
- - - - -   | A bad OTP bank                                 | Cordova stuff

Page 17: Security guidelines for Android?

Page 18: Security guidelines for Android apps?

1. Encrypt everything - DB, preferences ...
2. Password - salt
3. Secure server communication
4. Do not trust the server and the app!
5. Do not allow backup

Page 19: How to secure your Android apps?

Page 20: How to secure your Android apps

Your code art -> Your safer code art

Protect the resources
Protect the preferences
Protect the database
Protect the app: encrypt your binary (Bu hu hu magic via dex2jar and co.)
Security & code guidelines: serious painting skills with sensitive data. Guidelines protect you?

Page 21: Thank you. Questions?

MARIUS MAILAT, marius.mailat@gmail.com