Download as PDF, PPTX
![GETWINDOW().SETFLAGS(LAYOUTPARAMS.FL
AG_SECURE, LAYOUTPARAMS.FLAG_SECURE);
It disable all screen capture (except rooted device)
• [POWER] + [VOL-DWN]
• OEM feature like SAMSUNG / HTC](https://image.slidesharecdn.com/androidsecuritydevelopment-141024153506-conversion-gate01/85/2015-04-24-Updated-Android-Security-Development-Part-1-App-Development-15-320.jpg)
![GETWINDOW().SETFLAGS(LAYOUTPARAMS.FL
AG_SECURE, LAYOUTPARAMS.FLAG_SECURE);
It disable all screen capture (except rooted device)
• [POWER] + [VOL-DWN]
• OEM feature like SAMSUNG / HTC](https://image.slidesharecdn.com/androidsecuritydevelopment-141024153506-conversion-gate01/75/2015-04-24-Updated-Android-Security-Development-Part-1-App-Development-15-2048.jpg)
Uploaded byCheng-Yi Yu
2015.04.24 Updated > Android Security Development - Part 1: App Development
This document discusses various aspects of securing Android app development, including: - Setting debuggable and backup permissions to false to prevent unauthorized access. - Clearing the clipboard when leaving an app to avoid content being copied elsewhere. - Only requesting necessary permissions and removing unneeded ones over time. - Encrypting databases using SQLCipher or the SQLite Encryption Extension. - Verifying SSL certificates and encrypting network traffic using HTTPS. - Performing cryptography in C/C++ via the Android NDK for increased security. - Generating secure access tokens, passwords, and keys using techniques like hardware IDs and scrambling. - Validating user input through secure hashing algorithms.
More Related Content
![[Wroclaw #1] Android Security Workshop](https://cdn.slidesharecdn.com/ss_thumbnails/owaspplwroclaw1-160225150939-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
![Mobile Application Pentest [Fast-Track]](https://cdn.slidesharecdn.com/ss_thumbnails/mobile1337-140527083940-phpapp02-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
Similar to 2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development
- 1. Android Security Development PART 1– App Development SEAN
- 2. Sean • Developer • erinus.startup@gmail.com •https://www.facebook.com/erinus
- 3. Something you needto know • USB • Screen • Clipboard • Permission • Database • Network • Cryptography • API Management • Validation
- 4.
- 5.
- 6. DANGEROUS ANDROID:ALLOWBACKUP = "TRUE" Itwill allow someone can backup databases and preferences.
- 7.
- 8. DANGEROUS ANDROID:DEBUGGABLE = "TRUE" Itwill let someone can see logcat messages and do something more …
- 9. WHY ? If youdo not set android:debuggable="false", debug mode will depend on system settings.
- 10. IF ERROR NOTIFICATIONSHOWS IN ECLIPSE WHEN SET ANDROID:DEBUGGABLE, IT IS ALL ABOUT ADT LINT.
- 11.
- 12. RIGHT CLICK ONITEM AND CHOOSE "QUICK FIX"
- 13.
- 14.
- 15. GETWINDOW().SETFLAGS(LAYOUTPARAMS.FL AG_SECURE, LAYOUTPARAMS.FLAG_SECURE); It disableall screen capture (except rooted device) • [POWER] + [VOL-DWN] • OEM feature like SAMSUNG / HTC
- 16.
- 17. WHEN USER LEAVEAPP You want to clear clipboard
- 18. YOU WANT TOALLOW User can use something copied from other apps in your app
- 19. ALSO WANT TOREJECT User can not use something copied from your app in other apps
- 20.
- 21. SAVE THE STATEOF APPLICATION onResume => FOREGROUND onPause => BACKGROUND
- 22.
- 23. USE RUNNABLE ANDPOSTDELAYED 500 MS When onPause is triggered, you can detect the state of application after ~500ms.
- 24.
- 25. DETECT STATE ANDSETPRIMARYCLIP If STATE equals BACKGROUND, executes BaseActivity.this.mClipboardManager .setPrimaryClip(ClipData.newPlainText("", ""));
- 26. THE TOP ITEMWILL BE EMPTY IN CLIPBOARD STACK Android only lets app access the top item in clipboard stack on non-rooted device.
- 27.
- 28. ONLY USE NECESSARYPERMISSIONS
- 29. IT IS COMMONSENSE
- 30.
- 31.
- 32.
- 33.
- 34.
- 35. YOU SHOULD REMOVE"GET_ACCOUNTS" When you do not support Android 4.0.3 and older version
- 36.
- 37.
- 38. RECOMMENDED SQLCipher Support iOS /Android https://www.zetetic.net/sqlcipher/open-source
- 39.
- 40.
- 41. USE HTTPS WITHSELF-SIGNED CERTIFICATE
- 42.
- 43.
- 44. DO YOU CHECK HOSTNAMEIS VALID ?
- 45.
- 46. DO YOU AVOID IMPORTINGMALICIOUS CERT ?
- 47. CREATE BRAND NEWKEYSTORE AND IMPORT SERVER CERT
- 48. DOUBLE CHECK THE BINARYCONTENT OF CERT ?
- 49. VERIFY BINARY CONTENTOF SERVER CERT Avoid Man-in-the-Middle attack
- 50.
- 52. SSL MECHANISM INOS MAY BE WRONG APPLE SSL / TLS Bug ( CVE-2014-1266 )
- 53. Chinese MITM Attackon iCloud
- 54.
- 55.
- 56.
- 57. SSL TUNNEL KEEPDATA SAFE ?
- 58.
- 59. YOU STILL NEEDENCRYPT DATA
- 60.
- 61. DO NOT PUTKEY IN YOUR DATA
- 62.
- 63. USE ANDROID SDKOR ANDROID NDK ?
- 64. ANDROID SDK: JAVA DECOMPILEEASY ANALYSIS EASY
- 65. ANDROID NDK: CAND C++ DISASSEMBLE EASY ANALYSIS HARD
- 66.
- 67. ANDROID NDK Can Icustomize ?
- 68.
- 69. PolarSSL You can changeSBOX of AES, ...
- 70. AES AES-256 / CBC/ PKCS7Padding
- 71.
- 72. ALL KEY GENERATIONAND ENCRYPTION MUST BE DONE IN ANDROID NDK
- 73.
- 74.
- 75. HOW TO GENERATEKEY ?
- 76.
- 77. RANDOM KEY One Key– One Encryption
- 78. HARDWARE ID IMEI /MEID WIFI MAC Address Bluetooth Address
- 79. IMEI / MEID ANDROID.PERMISSION.READ_PHONE_STATE WIFIMAC Address ANDROID.PERMISSION.ACCESS_WIFI_STATE Bluetooth Address ANDROID.PERMISSION.BLUETOOTH
- 80. USER KEY Input fromuser Only exist in memory Just clear when exit
- 81.
- 82. SCRAMBLE YOUR CIPHERTEXT WEPcan be cracked by collecting large amount packet and analyzing ciphertext.
- 83.
- 84.
- 85. MORE COMPLEX THANBASE64 WIKI: Common Scrambling Algorithm http://goo.gl/eP6lXj
- 86. IF ALL KEYLOST ?
- 87.
- 88.
- 89. Security on APIMANAGEMENT
- 90.
- 91. HOW TO USEACCESS TOKEN ?
- 92.
- 93.
- 94. ACCESS TOKEN ↓ USER ID ↓ HARDWAREID ↓ ENCRYPT OR DECRYPT
- 95. ALL API ACCESSMUST USE ACCESS TOKEN
- 96.
- 97.
- 98.
- 99.
- 100.
- 101.
- 102.
- 103. Malicious Android App DynamicAnalyzing System