15. don’t trust your app
u process on the backend as web developers do
u move critical business logic to native code
u use SSL
u no plain text data
u minimize data stored on the device
16. proguard is essential
open source
http://proguard.sourceforge.net/
u shrinks and optimizes the code
u renames classes, methods, etc
17.
18. Security and Design, http://developer.android.com/google/play/billing/billing_best_practices.html
20. protection goals
u Have bytecode as hard to reverse engineer as possible.
u Have strong integrity protection mechanism in order to block
repackaging ability.
u Have data and resources encrypted.
22. mobile security market
u
u class encryption
u resource encryption
u hiding of API calls
u integrity protection
u tamper detection
u clone protection
u root detection
u mobile
application/device
management
u rich policy control
u custom business
requirements
u fingerprinting
u integration with fraud
monitoring systems
u …
basic professional enterprise
23.
24. 1. unzip your app_1.2.3.apk from
2. copy some picture.png to assets
3. zip & sign it back
4. works?
quick check
25. next steps
u include security into your development workflow
u do not trust your own app
u use cryptography standards
u stay informed: books, sessions, hacker tools
contacts
@dexprotector
dexprotector@licelus.com
// And my own
@kalabro
marshalkina@licelus.com