Post on 06-May-2015
Building Secure Android Apps
Kaushal Bhavsar
Who am I?
• Kaushal Bhavsar
• Founder & CEO, Pratikar Technologies
• Visiting Faculty, Dept. of Computer Science, (Rollwala) – Network Security in MCA V
• Pursuing PhD from CHARUSAT – Computer Security
Know this App??
Similar Apps
Falling Down Super Guitar Solo
Super History Eraser
Photo Editor Super Ringtone Maker Chess
下坠滚球_Falldown
Falling Ball Dodge
Basics
Vulnerability
Threat
Risk
Basics - II
Attack Surface
Defense-in-depth
Least Privilege
Android Architecture
Linux Kernel
Native Libraries
Application Framework
Your Apps
Android Security Model
Application Isolation
Application Signing
Filesystem Isolation
Application Isolation
• When an app is installed, it gets a new UID.
• All data stored by that application is assigned that same UID.
• All resources for that app are given full permissions for the app's UID.
• Different UIDs cannot access each other's data.
Filesystem Isolation
• All data for the app is stored in /data/data/app_package_name
• Only the UID of that specific app can access it
• Apps sharing the same UID can access each other's data
• Root UID can access all apps' data!
• SD Card data is not protected!
• Files created by apps MUST have appropriate permissions
Data Security
Stored Data
Mobile Data
Protecting Stored Data
Cryptography
Hashing
Encryption
Symmetric
Asymmetric
Protecting Mobile Data
Figure from http://technet.microsoft.com
Input Validation
Accept Known Good
Reject Known Bad
Command Injection

// Vulnerable: the request parameter is concatenated straight into the SQL text,
// so whatever the caller supplies becomes part of the statement.
SQLiteDatabase db = dbHelper.getWritableDatabase();
String userQuery = "SELECT lastName FROM useraccounts WHERE userID = " + request.getParameter("userID");
SQLiteStatement prepStatement = db.compileStatement(userQuery);
String userLastname = prepStatement.simpleQueryForString();

// Fixed: the parameter is bound to a "?" placeholder, so SQLite treats it as data, never as SQL.
SQLiteDatabase db = dbHelper.getWritableDatabase();
String userQuery = "SELECT lastName FROM useraccounts WHERE userID = ?";
SQLiteStatement prepStatement = db.compileStatement(userQuery);
prepStatement.bindString(1, request.getParameter("userID"));
String userLastname = prepStatement.simpleQueryForString();
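The two snippets above, combined with the "accept known good" rule from the Input Validation slide, as an added example that is not part of the original deck. It uses Python's sqlite3 binding to the same SQLite engine Android ships, standing in for the SQLiteStatement calls; the useraccounts rows are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data standing in for the app's useraccounts table.
SAMPLE_ROWS = [(1, "Bhavsar"), (2, "Shah"), (3, "Patel")]


def open_sample_db():
    """In-memory SQLite database with the constructed useraccounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE useraccounts (userID INTEGER PRIMARY KEY, lastName TEXT)")
    db.executemany("INSERT INTO useraccounts VALUES (?, ?)", SAMPLE_ROWS)
    return db


def lookup_unsafe(db, user_id):
    """Mirrors the vulnerable snippet: the parameter is spliced into the SQL text.

    Returns every lastName the resulting statement selects, so a tampered
    parameter that changes the WHERE clause shows up as extra rows.
    """
    query = "SELECT lastName FROM useraccounts WHERE userID = " + user_id
    return [row[0] for row in db.execute(query)]


# "Accept known good": a userID is a short run of digits and nothing else.
USER_ID_RE = re.compile(r"[0-9]{1,10}")


def lookup_safe(db, user_id):
    """Mirrors the fixed snippet plus input validation.

    Rejects anything that is not a plain numeric ID, then binds the value to a
    placeholder so SQLite only ever sees it as data. Returns the lastName or
    None when no such user exists.
    """
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("userID rejected by input validation")
    cur = db.execute(
        "SELECT lastName FROM useraccounts WHERE userID = ?", (int(user_id),)
    )
    row = cur.fetchone()
    return row[0] if row else None
```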
Thank you!
kaushal@pratikar.com