SlideShare une entreprise Scribd logo

Droidcon secureyourapp fighttheleaks-samsung

O
ottot
Technologie
1  sur  27
Télécharger pour lire hors ligne
SECURE YOUR APP FIGHT THE LEAKS! DROIDCON PARIS 2013
EYAL LEZMY Slides http://bit.ly/droidcon-sec http://eyal.fr ANDROID PRESALES ENGINEER, SAMSUNG B2B TREASURER AT PARIS ANDROID USER GROUP ANDROID GOOGLE DEVELOPER EXPERT
DON'T LET HIM DOWN THE USER TRUSTS YOU Company
Copyright © 1995-2012 SAMSUNG All rights reserved APPS HAVE TO RESPECT THE DATA Different ways to unintentionally grant other apps access to the data inside your application : Exporting an unprotected component Storing personal data in a world readable file Logging personal data in logcat logs
Copyright © 1995-2012 SAMSUNG All rights reserved It declares accessible app components Activity, Service, Receive,... Adding <intent-filter> => your element is exported by default CHECK YOUR ANDROIDMANIFEST.XML ContentProvider is always exported by default, until android:targetSdkVersion="17"
Copyright © 1995-2012 SAMSUNG All rights reserved Don't export app components unless you want to share their content with other applications <application android:label="@string/app_name"> … <service android:name=".ServiceExample“ android:exported="false"> <intent-filter> … </intent-filter> </service> … </application> What is your legitimity to expose data? CHECK YOUR ANDROIDMANIFEST.XML
Copyright © 1995-2012 SAMSUNG All rights reserved There are different permission protection levels: normal Lower risk permission dangerous Higher risk, access to user private data, potential negative impact signature Needs the same certificate signature PERMISIONS
Copyright © 1995-2012 SAMSUNG All rights reserved Lets look at the code: <permission android:name="com.example.EXAMPLE_PERM“ android:label="@string/example_perm_l“ android:description="@string/example_perm_d“ android:icon="@drawable/example_perm_i“ android:protectionLevel="signature" /> ... <service android:name=".ServiceExample“ android:permission="com.example.EXAMPLE_PERM"> <intent-filter>...</intent-filter> </service> PERMISIONS
Copyright © 1995-2012 SAMSUNG All rights reserved Don't be the weakest link private boolean checkPermission(Context context) { String permission = "com.example.EXAMPLE_PERM"; int res = context.checkCallingPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); } PERMISIONS Always check the permission of a caller if you use your permission
Copyright © 1995-2012 SAMSUNG All rights reserved DISABLE USELESS ACTIVITIES Fit your components lifecycle to your application's lifecycle If before configuration (login, account creation, ...) a service or activity is not useful, disable it If your application handles common implicit Intent's actions like ACTION_VIEW or ACTION_SEND consider disabling it by default
Copyright © 1995-2012 SAMSUNG All rights reserved PackageManager.setComponentEnabledSetting(componentName, newState, flags); DISABLE USELESS ACTIVITIES <activity android:name="com.example.Activity" android:label="@string/app_name" android:enabled="false"> </activity> Disabled: Enabled:
Copyright © 1995-2012 SAMSUNG All rights reserved STORING DATA WISELY Protect personal data using MODE_PRIVATE for data files, shared preferences, and databases: openFileOutput() openSharedPreferences() openOrCreateDatabase() External storage (sdcard) is shared storage
Copyright © 1995-2012 SAMSUNG All rights reserved PLEASE... SHUT THE FUCK UP! public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Don't expose data through logcat on production Detect the build mode with BuildConfig.DEBUG Be careful about this subject and test it during QA
Copyright © 1995-2012 SAMSUNG All rights reserved PROTECTING APP FROM USERS No more android:debuggable on the manifest Don't leave this enabled in release code! ADT 8.0+ do it for you automatically
Copyright © 1995-2012 SAMSUNG All rights reserved $ adb shell shell@android:/ $ run-as com.android.example sh shell@android:/data/data/com.android.example $ id uid=10060(app_60) gid=10060(app_60) shell@android:/data/data/com.android.example $ ls files/secret_data.txt shell@android:/data/data/com.android.example $ cat files/secret_data.txt PROTECTING APP FROM USERS
IT'S NOT JUST ABOUT YOUR APP INSECURE NETWORK LOST OR STOLEN DEVICES
Copyright © 1995-2012 SAMSUNG All rights reserved Free certified SSL: https://www.startssl.com/ USE SAFE NETWORKING HTTPS and SSL can protect against Man in the Middle attacks and prevent casual snooping Server certificate validity must be correctly checked "15% of apps have weak or bad SSL implementation on the Play Store"
Copyright © 1995-2012 SAMSUNG All rights reserved ...but it may help discouraging curious. Use a peer-reviewed library like KeyCzar Take care of the key : Create it at first start, with true random Or grab a user key from your server Or ask the user for a passphrase you won't store DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS
Copyright © 1995-2012 SAMSUNG All rights reserved On a corporate environment, device administration can be considered Password management Device encryption Disable camera Lock the device Remote wipe DEVICE ADMINISTRATION
Copyright © 1995-2012 SAMSUNG All rights reserved BEHIND THE STAGE The APK's content is always world readable, take care about what you put inside Sensitive files should be kept out of the APK Java is open source, your code too Using Proguard takes a single line of code Or... Dex encryption AAPT modified Logic on server
IT'S NOT JUST ABOUT SECURITY THINK ABOUT POLITICS...
Copyright © 1995-2012 SAMSUNG All rights reserved THE SECURITY PARADOX
Copyright © 1995-2012 SAMSUNG All rights reserved "The more secure you make something, the less secure it becomes" Level the security following the user acceptance or... Users will find workarounds Users won't use your service NEVER FORGET THE USER, NEVAAAAA!
Copyright © 1995-2012 SAMSUNG All rights reserved REFERENCES Google I/O 2012 Sessions Android Developpers Live Youtube channel Android Developement Android Developement: Using Cryptography The Commons Blog InformationWeek: Security Paradox ThreatPost: SLL implementation on Android apps StartSSL Free certificates
SAMSUNG SMART APP CHALLENGE 2013 SAMSUNG SMART APP CHALLENGE 2013 A Global app challenge Apps for the Galaxy S4 Use of Samsung Chord SDK Apply June 20 - August 31 www.smartappchallenge.com $800,000 for 10 winners
SAMSUNG DEVELOPERS SDKs and Documentation http://developer.samsung.com Samsung Chord SDK Bluetooth Low Energy SDK Remote Test Lab Test your applications on real devices through the internet Free 24H 365 Days S Pen & Multi Window SDK AllShare Framework Real Device, NOT emulator Multiple Devices
THANK YOU! Slides http://bit.ly/droidcon-sec http://eyal.fr

Recommandé

Secure your Android app- fight the leaks!
Secure your Android app- fight the leaks!Secure your Android app- fight the leaks!
Secure your Android app- fight the leaks!Eyal Lezmy
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละNuumint
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน googleNuumint
 
การศ กษาและค นคว_าอ_สละ (2)
การศ กษาและค นคว_าอ_สละ (2)การศ กษาและค นคว_าอ_สละ (2)
การศ กษาและค นคว_าอ_สละ (2)Nuumint
 
Ge induccion comite coordinador v1
Ge induccion comite coordinador v1Ge induccion comite coordinador v1
Ge induccion comite coordinador v1marcalema4
 
ประว ต ไมโครซอฟต_
ประว ต ไมโครซอฟต_ประว ต ไมโครซอฟต_
ประว ต ไมโครซอฟต_Nuumint
 
Wonderful waves
Wonderful wavesWonderful waves
Wonderful wavesFrederick Green
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareNuumint
 

Recommandé

Secure your Android app- fight the leaks!
Secure your Android app- fight the leaks!Secure your Android app- fight the leaks!
Secure your Android app- fight the leaks!Eyal Lezmy
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละNuumint
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน googleNuumint
 
การศ กษาและค นคว_าอ_สละ (2)
การศ กษาและค นคว_าอ_สละ (2)การศ กษาและค นคว_าอ_สละ (2)
การศ กษาและค นคว_าอ_สละ (2)Nuumint
 
Ge induccion comite coordinador v1
Ge induccion comite coordinador v1Ge induccion comite coordinador v1
Ge induccion comite coordinador v1marcalema4
 
ประว ต ไมโครซอฟต_
ประว ต ไมโครซอฟต_ประว ต ไมโครซอฟต_
ประว ต ไมโครซอฟต_Nuumint
 
Wonderful waves
Wonderful wavesWonderful waves
Wonderful wavesFrederick Green
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareNuumint
 
ว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ bloggerว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ bloggerNuumint
 
SEO Training in Mahabubnagar
SEO Training in MahabubnagarSEO Training in Mahabubnagar
SEO Training in MahabubnagarSubhash Malgam
 
Digital marketing presentation
Digital marketing presentationDigital marketing presentation
Digital marketing presentationSubhash Malgam
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน googleNuumint
 
seo training in mahabubnagar
seo training in mahabubnagarseo training in mahabubnagar
seo training in mahabubnagarSubhash Malgam
 
Introduction to Donaldson and Company
Introduction to Donaldson and CompanyIntroduction to Donaldson and Company
Introduction to Donaldson and Companythaistartupreview
 
Ppt tekpen wiwin
Ppt tekpen wiwinPpt tekpen wiwin
Ppt tekpen wiwinwiwin_dari
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareNuumint
 
2
22
2Bank Supamoon
 
HospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart DevicesHospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart DevicesVishvi Vidanapathirana
 
Narkoba
NarkobaNarkoba
Narkobayunirfaithful
 
e-commerse website
e-commerse websitee-commerse website
e-commerse websiteSubhash Malgam
 
Blogger
BloggerBlogger
BloggerNuumint
 
Managementbijeenkomst ktv
Managementbijeenkomst ktvManagementbijeenkomst ktv
Managementbijeenkomst ktvJulian Laan
 
Future tense
Future tenseFuture tense
Future tenseIsnaini22
 
Newton and feynman
Newton and feynmanNewton and feynman
Newton and feynmanFrederick Green
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละNuumint
 
3 neomezená veřejná zakázka
3 neomezená veřejná zakázka3 neomezená veřejná zakázka
3 neomezená veřejná zakázkaondrejbaarcz
 
Ppt uas admin maya
Ppt uas admin mayaPpt uas admin maya
Ppt uas admin mayamaya38
 
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cGokhan Atil
 
Migrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMigrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMotorola Mobility - MOTODEV
 
Java Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-EnterpriseJava Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-EnterpriseEric Vétillard
 

Contenu connexe

En vedette

ว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ bloggerว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ bloggerNuumint
 
SEO Training in Mahabubnagar
SEO Training in MahabubnagarSEO Training in Mahabubnagar
SEO Training in MahabubnagarSubhash Malgam
 
Digital marketing presentation
Digital marketing presentationDigital marketing presentation
Digital marketing presentationSubhash Malgam
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน googleNuumint
 
seo training in mahabubnagar
seo training in mahabubnagarseo training in mahabubnagar
seo training in mahabubnagarSubhash Malgam
 
Introduction to Donaldson and Company
Introduction to Donaldson and CompanyIntroduction to Donaldson and Company
Introduction to Donaldson and Companythaistartupreview
 
Ppt tekpen wiwin
Ppt tekpen wiwinPpt tekpen wiwin
Ppt tekpen wiwinwiwin_dari
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareNuumint
 
HospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart DevicesHospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart DevicesVishvi Vidanapathirana
 
Managementbijeenkomst ktv
Managementbijeenkomst ktvManagementbijeenkomst ktv
Managementbijeenkomst ktvJulian Laan
 
Future tense
Future tenseFuture tense
Future tenseIsnaini22
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละNuumint
 
3 neomezená veřejná zakázka
3 neomezená veřejná zakázka3 neomezená veřejná zakázka
3 neomezená veřejná zakázkaondrejbaarcz
 
Ppt uas admin maya
Ppt uas admin mayaPpt uas admin maya
Ppt uas admin mayamaya38
 

En vedette (19)

ว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ bloggerว ธ สร_างบล_อกก_บ blogger
ว ธ สร_างบล_อกก_บ blogger
 
SEO Training in Mahabubnagar
SEO Training in MahabubnagarSEO Training in Mahabubnagar
SEO Training in Mahabubnagar
 
Digital marketing presentation
Digital marketing presentationDigital marketing presentation
Digital marketing presentation
 
เทคน คการส บค_นบน google
เทคน คการส บค_นบน googleเทคน คการส บค_นบน google
เทคน คการส บค_นบน google
 
seo training in mahabubnagar
seo training in mahabubnagarseo training in mahabubnagar
seo training in mahabubnagar
 
Introduction to Donaldson and Company
Introduction to Donaldson and CompanyIntroduction to Donaldson and Company
Introduction to Donaldson and Company
 
Ppt tekpen wiwin
Ppt tekpen wiwinPpt tekpen wiwin
Ppt tekpen wiwin
 
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmwareข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
ข นตอนการต_ดต__ง โปรแกรม windows 8 บน vmware
 
2
22
2
 
HospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart DevicesHospiX: The Hospital Exploring Application for Smart Devices
HospiX: The Hospital Exploring Application for Smart Devices
 
Narkoba
NarkobaNarkoba
Narkoba
 
e-commerse website
e-commerse websitee-commerse website
e-commerse website
 
Blogger
BloggerBlogger
Blogger
 
Managementbijeenkomst ktv
Managementbijeenkomst ktvManagementbijeenkomst ktv
Managementbijeenkomst ktv
 
Future tense
Future tenseFuture tense
Future tense
 
Newton and feynman
Newton and feynmanNewton and feynman
Newton and feynman
 
การศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละการศ กษาและค นคว_าอ_สละ
การศ กษาและค นคว_าอ_สละ
 
3 neomezená veřejná zakázka
3 neomezená veřejná zakázka3 neomezená veřejná zakázka
3 neomezená veřejná zakázka
 
Ppt uas admin maya
Ppt uas admin mayaPpt uas admin maya
Ppt uas admin maya
 

Similaire à Droidcon secureyourapp fighttheleaks-samsung

Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cGokhan Atil
 
Java Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-EnterpriseJava Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-EnterpriseEric Vétillard
 
First Steps with Java Card
First Steps with Java CardFirst Steps with Java Card
First Steps with Java CardEric Vétillard
 
Security - Part II.pdf
Security - Part II.pdfSecurity - Part II.pdf
Security - Part II.pdfShaiAlmog1
 
Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiBruno Borges
 
MobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application DevelopmentMobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application Developmentmobilizeurapps
 
Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobesiTrobes
 
DDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileDDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileAngelo Corsaro
 
Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Sujee Maniyam
 
MySQL Administration and Monitoring
MySQL Administration and MonitoringMySQL Administration and Monitoring
MySQL Administration and MonitoringMark Leith
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...CA API Management
 
EBsSDKForJavaWithOracleADF_ppt.ppt
EBsSDKForJavaWithOracleADF_ppt.pptEBsSDKForJavaWithOracleADF_ppt.ppt
EBsSDKForJavaWithOracleADF_ppt.pptSudhirSinghShakyaVan
 
Delivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETDelivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETSimon Haslam
 
A Importância do JavaFX no Mercado Embedded
A Importância do JavaFX no Mercado EmbeddedA Importância do JavaFX no Mercado Embedded
A Importância do JavaFX no Mercado EmbeddedBruno Borges
 
MySQL para Desenvolvedores de Games
MySQL para Desenvolvedores de GamesMySQL para Desenvolvedores de Games
MySQL para Desenvolvedores de GamesMySQL Brasil
 
Java Card, 15 years later
Java Card, 15 years laterJava Card, 15 years later
Java Card, 15 years laterEric Vétillard
 

Similaire à Droidcon secureyourapp fighttheleaks-samsung (20)

Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12cUsing APEX to Create a Mobile User Interface for Enterprise Manager 12c
Using APEX to Create a Mobile User Interface for Enterprise Manager 12c
 
Migrating JavaME Apps to Android
Migrating JavaME Apps to AndroidMigrating JavaME Apps to Android
Migrating JavaME Apps to Android
 
Java Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-EnterpriseJava Solutions for Securing Edge-to-Enterprise
Java Solutions for Securing Edge-to-Enterprise
 
First Steps with Java Card
First Steps with Java CardFirst Steps with Java Card
First Steps with Java Card
 
Security - Part II.pdf
Security - Part II.pdfSecurity - Part II.pdf
Security - Part II.pdf
 
Introduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry PiIntroduction to JavaFX on Raspberry Pi
Introduction to JavaFX on Raspberry Pi
 
MobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application DevelopmentMobilizeUrApps - Android Application Development
MobilizeUrApps - Android Application Development
 
Security Tips for Android App - iTrobes
Security Tips for Android App - iTrobesSecurity Tips for Android App - iTrobes
Security Tips for Android App - iTrobes
 
Lesson 10
Lesson 10Lesson 10
Lesson 10
 
DDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice MobileDDS + Android = OpenSplice Mobile
DDS + Android = OpenSplice Mobile
 
Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)Iphone client-server app with Rails backend (v3)
Iphone client-server app with Rails backend (v3)
 
Sightly_techInsight
Sightly_techInsightSightly_techInsight
Sightly_techInsight
 
MySQL Administration and Monitoring
MySQL Administration and MonitoringMySQL Administration and Monitoring
MySQL Administration and Monitoring
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
 
EBsSDKForJavaWithOracleADF_ppt.ppt
EBsSDKForJavaWithOracleADF_ppt.pptEBsSDKForJavaWithOracleADF_ppt.ppt
EBsSDKForJavaWithOracleADF_ppt.ppt
 
Delivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JETDelivering Mobile Apps to the Field with Oracle JET
Delivering Mobile Apps to the Field with Oracle JET
 
A Importância do JavaFX no Mercado Embedded
A Importância do JavaFX no Mercado EmbeddedA Importância do JavaFX no Mercado Embedded
A Importância do JavaFX no Mercado Embedded
 
MySQL para Desenvolvedores de Games
MySQL para Desenvolvedores de GamesMySQL para Desenvolvedores de Games
MySQL para Desenvolvedores de Games
 
X Means Y
X Means YX Means Y
X Means Y
 
Java Card, 15 years later
Java Card, 15 years laterJava Card, 15 years later
Java Card, 15 years later
 

Dernier

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Dernier (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Droidcon secureyourapp fighttheleaks-samsung

  • 1. SECURE YOUR APP FIGHT THE LEAKS! DROIDCON PARIS 2013
  • 2. EYAL LEZMY Slides http://bit.ly/droidcon-sec http://eyal.fr ANDROID PRESALES ENGINEER, SAMSUNG B2B TREASURER AT PARIS ANDROID USER GROUP ANDROID GOOGLE DEVELOPER EXPERT
  • 3. DON'T LET HIM DOWN THE USER TRUSTS YOU Company
  • 4. Copyright © 1995-2012 SAMSUNG All rights reserved APPS HAVE TO RESPECT THE DATA Different ways to unintentionally grant other apps access to the data inside your application : Exporting an unprotected component Storing personal data in a world readable file Logging personal data in logcat logs
  • 5. Copyright © 1995-2012 SAMSUNG All rights reserved It declares accessible app components Activity, Service, Receive,... Adding <intent-filter> => your element is exported by default CHECK YOUR ANDROIDMANIFEST.XML ContentProvider is always exported by default, until android:targetSdkVersion="17"
  • 6. Copyright © 1995-2012 SAMSUNG All rights reserved Don't export app components unless you want to share their content with other applications <application android:label="@string/app_name"> … <service android:name=".ServiceExample“ android:exported="false"> <intent-filter> … </intent-filter> </service> … </application> What is your legitimity to expose data? CHECK YOUR ANDROIDMANIFEST.XML
  • 7. Copyright © 1995-2012 SAMSUNG All rights reserved There are different permission protection levels: normal Lower risk permission dangerous Higher risk, access to user private data, potential negative impact signature Needs the same certificate signature PERMISIONS
  • 8. Copyright © 1995-2012 SAMSUNG All rights reserved Lets look at the code: <permission android:name="com.example.EXAMPLE_PERM“ android:label="@string/example_perm_l“ android:description="@string/example_perm_d“ android:icon="@drawable/example_perm_i“ android:protectionLevel="signature" /> ... <service android:name=".ServiceExample“ android:permission="com.example.EXAMPLE_PERM"> <intent-filter>...</intent-filter> </service> PERMISIONS
  • 9. Copyright © 1995-2012 SAMSUNG All rights reserved Don't be the weakest link private boolean checkPermission(Context context) { String permission = "com.example.EXAMPLE_PERM"; int res = context.checkCallingPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); } PERMISIONS Always check the permission of a caller if you use your permission
  • 10. Copyright © 1995-2012 SAMSUNG All rights reserved DISABLE USELESS ACTIVITIES Fit your components lifecycle to your application's lifecycle If before configuration (login, account creation, ...) a service or activity is not useful, disable it If your application handles common implicit Intent's actions like ACTION_VIEW or ACTION_SEND consider disabling it by default
  • 11. Copyright © 1995-2012 SAMSUNG All rights reserved PackageManager.setComponentEnabledSetting(componentName, newState, flags); DISABLE USELESS ACTIVITIES <activity android:name="com.example.Activity" android:label="@string/app_name" android:enabled="false"> </activity> Disabled: Enabled:
  • 12. Copyright © 1995-2012 SAMSUNG All rights reserved STORING DATA WISELY Protect personal data using MODE_PRIVATE for data files, shared preferences, and databases: openFileOutput() openSharedPreferences() openOrCreateDatabase() External storage (sdcard) is shared storage
  • 13. Copyright © 1995-2012 SAMSUNG All rights reserved PLEASE... SHUT THE FUCK UP! public static final boolean SHOW_LOG = BuildConfig.DEBUG; public static void d(final String tag, final String msg) { if (SHOW_LOG) Log.d(tag, msg); } Don't expose data through logcat on production Detect the build mode with BuildConfig.DEBUG Be careful about this subject and test it during QA
  • 14. Copyright © 1995-2012 SAMSUNG All rights reserved PROTECTING APP FROM USERS No more android:debuggable on the manifest Don't leave this enabled in release code! ADT 8.0+ do it for you automatically
  • 15. Copyright © 1995-2012 SAMSUNG All rights reserved $ adb shell shell@android:/ $ run-as com.android.example sh shell@android:/data/data/com.android.example $ id uid=10060(app_60) gid=10060(app_60) shell@android:/data/data/com.android.example $ ls files/secret_data.txt shell@android:/data/data/com.android.example $ cat files/secret_data.txt PROTECTING APP FROM USERS
  • 16. IT'S NOT JUST ABOUT YOUR APP INSECURE NETWORK LOST OR STOLEN DEVICES
  • 17. Copyright © 1995-2012 SAMSUNG All rights reserved Free certified SSL: https://www.startssl.com/ USE SAFE NETWORKING HTTPS and SSL can protect against Man in the Middle attacks and prevent casual snooping Server certificate validity must be correctly checked "15% of apps have weak or bad SSL implementation on the Play Store"
  • 18. Copyright © 1995-2012 SAMSUNG All rights reserved ...but it may help discouraging curious. Use a peer-reviewed library like KeyCzar Take care of the key : Create it at first start, with true random Or grab a user key from your server Or ask the user for a passphrase you won't store DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS
  • 19. Copyright © 1995-2012 SAMSUNG All rights reserved On a corporate environment, device administration can be considered Password management Device encryption Disable camera Lock the device Remote wipe DEVICE ADMINISTRATION
  • 20. Copyright © 1995-2012 SAMSUNG All rights reserved BEHIND THE STAGE The APK's content is always world readable, take care about what you put inside Sensitive files should be kept out of the APK Java is open source, your code too Using Proguard takes a single line of code Or... Dex encryption AAPT modified Logic on server
  • 21. IT'S NOT JUST ABOUT SECURITY THINK ABOUT POLITICS...
  • 22. Copyright © 1995-2012 SAMSUNG All rights reserved THE SECURITY PARADOX
  • 23. Copyright © 1995-2012 SAMSUNG All rights reserved "The more secure you make something, the less secure it becomes" Level the security following the user acceptance or... Users will find workarounds Users won't use your service NEVER FORGET THE USER, NEVAAAAA!
  • 24. Copyright © 1995-2012 SAMSUNG All rights reserved REFERENCES Google I/O 2012 Sessions Android Developpers Live Youtube channel Android Developement Android Developement: Using Cryptography The Commons Blog InformationWeek: Security Paradox ThreatPost: SLL implementation on Android apps StartSSL Free certificates
  • 25. SAMSUNG SMART APP CHALLENGE 2013 SAMSUNG SMART APP CHALLENGE 2013 A Global app challenge Apps for the Galaxy S4 Use of Samsung Chord SDK Apply June 20 - August 31 www.smartappchallenge.com $800,000 for 10 winners
  • 26. SAMSUNG DEVELOPERS SDKs and Documentation http://developer.samsung.com Samsung Chord SDK Bluetooth Low Energy SDK Remote Test Lab Test your applications on real devices through the internet Free 24H 365 Days S Pen & Multi Window SDK AllShare Framework Real Device, NOT emulator Multiple Devices