Presentation made on Pixels Camp on the 7th of November in 2016.

8. URL url = new URL("https://pixels.camp");
URLConnection urlConnection = url.openConnection();

9. URL url = new URL("https://devpixels.local");
URLConnection urlConnection = url.openConnection();

11. SSLContext mySSLContext = SSLContext.getInstance("TLS");

12. SSLContext mySSLContext = SSLContext.getInstance("TLS");
mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager
},new SecureRandom());

13. SSLContext mySSLContext = SSLContext.getInstance("TLS");
mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager
},new SecureRandom());
URL url = new URL("https://devpixels.local");

14. SSLContext mySSLContext = SSLContext.getInstance("TLS");
mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager
},new SecureRandom());
URL url = new URL("https://devpixels.local");
HttpsURLConnection urlConnection = HttpsURLConnection)url.openConnection();
urlConnection.setSSLSocketFactory(mySSLContext.getSocketFactory());

15. TrustManager mySuperCustomTrustManager = new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkServerTrusted(X509Certificate[] chain,String
authType) throws CertificateException {
}
public void checkClientTrusted(X509Certificate[] chain,String
authType) throws CertificateException {
}
};

16. URL url = new URL("https://devpixels.camp");
URLConnection urlConnection = url.openConnection();

17. HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String s, SSLSession sslSession) {
return true;
}
});
URL url = new URL("https://devpixels.camp");
URLConnection urlConnection = url.openConnection();

26. WebView myWebView = (WebView) findViewById(R.id.webview);
myWebView.loadUrl(“https://devpixels.local”);

27. WebView myWebView = (WebView) findViewById(R.id.webview);
myWebView.setWebViewClient(new WebViewClient() {
public void onReceivedSslError(WebView view, SslErrorHandler
handler, SslError error) {
handler.proceed();
}
});
myWebView.loadUrl(“https://devpixels.local”);

28. final class JavaScriptInterface {
@JavascriptInterface
public String getSomeString() {
return "string";
}
}
WebView myWebView = (WebView) findViewById(R.id.webview);
myWebView.getSettings().setJavaScriptEnabled(true);
myWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");

33. CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = getResources().openRawResource(R.raw.pixels);
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
} finally {
caInput.close();
}

34. CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = getResources().openRawResource(R.raw.pixels);
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
} finally {
caInput.close();
}
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("PixelsCampLeaf", ca);

35. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);

36. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);

37. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
URL url = new URL("https://pixels.camp");
HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();

44. public class accessfile extends ContentProvider {

45. public class accessfile extends ContentProvider {
public static final String AUTHORITY = "pt.claudio.security";
public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY +
"/");
private static final HashMap<String, String> MIME_TYPES = new
HashMap<String, String>();
private static final UriMatcher sURIMatcher = new
UriMatcher(UriMatcher.NO_MATCH);
static {
sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER);
sURIMatcher.addURI(AUTHORITY, "file/", FILE);
}

46. public class accessfile extends ContentProvider {
public static final String AUTHORITY = "pt.claudio.security";
public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY +
"/");
private static final HashMap<String, String> MIME_TYPES = new
HashMap<String, String>();
private static final UriMatcher sURIMatcher = new
UriMatcher(UriMatcher.NO_MATCH);
static {
sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER);
sURIMatcher.addURI(AUTHORITY, "file/", FILE);
}
…
public ParcelFileDescriptor openFile(Uri uri, String mode){

47. public class accessfile extends ContentProvider {
public static final String AUTHORITY = "pt.claudio.security";
public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY +
"/");
private static final HashMap<String, String> MIME_TYPES = new
HashMap<String, String>();
private static final UriMatcher sURIMatcher = new
UriMatcher(UriMatcher.NO_MATCH);
static {
sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER);
sURIMatcher.addURI(AUTHORITY, "file/", FILE);
}
…
public ParcelFileDescriptor openFile(Uri uri, String mode){
…
File f = new File(getContext().getString(R.string._sdcard), uri.getPath());

49. Uri targURI =
Uri.parse("content://pt.claudio.security/../../../../../data/data/p
t.claudio.security.pixelscamp_content/files/mysecretfile.txt");

57. public Cursor query(Uri uri, String[] projection, String
selection,String[] selectionArgs, String sortOrder) {

58. public Cursor query(Uri uri, String[] projection, String
selection,String[] selectionArgs, String sortOrder) {
SELECT _id, description FROM notes WHERE _id = 1{
{
Projection Selection

59. public Cursor query(Uri uri, String[] projection, String
selection,String[] selectionArgs, String sortOrder) {
SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder();
queryBuilder.setTables(Table.TABLE_NOTE)
SQLiteDatabase db = database.getWritableDatabase();

60. public Cursor query(Uri uri, String[] projection, String
selection,String[] selectionArgs, String sortOrder) {
SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder();
queryBuilder.setTables(Table.TABLE_NOTE)
SQLiteDatabase db = database.getWritableDatabase();
Cursor cursor = queryBuilder.query(db, projection,
selection,selectionArgs, null, null, sortOrder);

62. String[] selectionArgs = { "first string", "second@string.com" };
String selection = "name=? AND email=?";
Cursor cursor = db.query("TABLE_NAME", null,selection,
selectionArgs, null);

70. /res/xml/excludes.xml

71. /res/xml/excludes.xml
<application>
android:fullBackupContent="@xml/excludes"
</application>

72. /res/xml/excludes.xml
<application>
android:fullBackupContent="@xml/excludes"
</application>
<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
<exclude domain="sharedpref" path="MyPrefsFile.xml"/>
</full-backup-content>

73. <full-backup-content>
<include domain=["file" | "database" | "sharedpref" | "external" | "root"]
path="string" />
<exclude domain=["file" | "database" | "sharedpref" | "external" | "root"]
path="string" />
</full-backup-content>

80. /res/xml/network_security_config.xml

81. /res/xml/network_security_config.xml
<application>
android:networkSecurityConfig="@xml/network_security_config"
</application>

82. /res/xml/network_security_config.xml
<application>
android:networkSecurityConfig="@xml/network_security_config"
</application>
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">http.badssl.com</domain>
</domain-config>
</network-security-config>

84. security.claudio.pt @clviper github.com/clviper
Q&A