Droidcon Eastern Europe 2013 - How secure is an Android app

Nov 22, 2014

Technology

Marius Mailat

An insight into how safe the Romanian banking apps you use daily really are. Although this is meant to be a presentation, Marius also shows how you can secure your own apps from curious eyes. The short presentation was given at IMworld 2013, and at Droidcon 2013 it was backed up with a workshop.
Transcript
Page 1: Droidcon Eastern Europe 2013 - How secure is an Android app

How secure is an Android app?

by Marius Mailat

Page 2

Who is Marius?

Page 3

Who is Marius?

1. Founder of dev community - Androider
2. Android trainer - marakana, androider
3. Partner and CTO - Appseleration
4. Partner and co-founder - AppsRise.com

Page 4

Agenda

Page 5

Agenda

1. Last year message vs this year approach
2. How safe are your daily apps?
3. Dissect the most popular RO banking apps
4. Security guidelines for Android?
5. How to secure your Android apps?

Page 6

Last year message vs this year approach

Page 7

Last year message vs this year approach

Last year message:
You are a code artist!
Programming as an intellectual activity allows you to create interactive art.

This year approach:
You are a code artist but your art is stolen!
My code art was decompiled, repacked/altered with new code and was sold as genuine art!
I love my art, I hate thieves!

Page 8

How safe are your daily apps?

Page 9

How safe are your daily apps?

Page 10

Mobile threats on Android

1. Advertising over malware
2. Direct payoff SMS
3. Destructive attacks on sensitive data
4. Information scavengers
5. Premeditated spying on location and info

Page 11

BU HU HU

Page 12

Dissect the most popular Android banking apps

Page 13

How to scoop inside of an Android app?

1. $ apktool d BANK.apk
2. $ jar xvf BANK.apk classes.dex
3. $ dex2jar.sh classes.dex
4. > Open JD-GUI
5. Try alternatives: Dare, DED, dexdump etc.

Page 14

Do we have Romanian banking apps?

Page 15

Facts: Android banking apps?

Downloads         Comments   Rating   URL
50,000-100,000    429        3,7      http://goo.gl/oV7Pl0
10,000-50,000     749        3,8      http://goo.gl/8AVwS
10,000-50,000     210        3,6      http://goo.gl/p8BRwK
10,000-50,000     270        4,0      http://goo.gl/FDN0ox
1,000-5,000       41         3,8      http://goo.gl/8FRN5q
1,000-5,000       39         3,1      http://goo.gl/oQWbsM
1,000-5,000       22         3,6      http://goo.gl/TLuHBk
500-1,000         27         4,1      http://goo.gl/zpWLkP

Page 16

How I calculate the BU HU HU score?

Criteria: DB, SSL, persistence, permissions, server, weird code.
BU HU HU score: 0 = bad, 10 = excellent.

- - - + + -   No fragments, old style code   |   Almost weird
- -           Hybrid app, WebView with pre-Java code   |   Totally weird
- - -         Unsecure server, PHP   |   Kind of mix of weird & complex
+ +           Own weird cache mechanism, no logging class   |   Readable
- -           XML parsing done on table dance   |   Ugly but nice
- - -         Many libs, Bump lib :), hybrid again   |   Hybrid pseudo native
- - - - -     Again PhoneGap, load HTML?!
- - - - -     A bad OTP bank, Cordova stuff

Page 17

Security guidelines for Android?

Page 18

Security guidelines for Android apps?

1. Encrypt everything - DB, preferences ...
2. Password - salt
3. Secure server communication
4. Do not trust the server and the app!
5. Do not allow backup

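The slide stops at headlines; as an added example (not code from the talk), here is how guideline 1 (encrypt preferences and DB values) and guideline 2 (salt the password) fit together in plain Java usable on Android: a random salt plus PBKDF2 derives the AES key from the user's password, and AES-GCM seals each value before it is written to storage. The class name, constants and iteration count are my own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not from the talk. Only the salt and the sealed blob
 * (IV || ciphertext || tag) are persisted in SharedPreferences or the DB;
 * the password never touches disk, so a copied data directory is useless
 * without it. Pair it with android:allowBackup="false" in the manifest
 * (guideline 5) so the sealed data is not shipped off-device either.
 */
public final class SaltedPrefs {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 10_000; // assumption: tune per device speed
    private static final int IV_LEN = 12, TAG_BITS = 128;

    /** One random salt per user/install; store it next to the sealed values. */
    public static byte[] newSalt() { byte[] s = new byte[16]; RNG.nextBytes(s); return s; }

    /** PBKDF2 turns the salted password into a 256-bit AES key (guideline 2). */
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns IV || ciphertext || tag; store this blob, never the plaintext (guideline 1). */
    public static byte[] seal(char[] password, byte[] salt, String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // fresh IV per value: GCM must never reuse an IV under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    public static String open(char[] password, byte[] salt, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        // doFinal throws AEADBadTagException if the blob was altered or the password is wrong
        return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
    }
}
```

In the app, Base64-encode the salt and the blob returned by seal() before putString(), and wipe the password char[] once the key has been derived.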
Page 19

How to secure your Android apps?

Page 20

How to secure your Android apps

Security & code guidelines - Protect the app:
- Protect the resources
- Protect the preferences
- Protect the database
- Encrypt your binary (Bu huhu magic via DEXJAR and co)

Your code art - Your safer code art:
- Serious painting skills with sensitive data
- Guidelines protect you?

Page 21

Thank you. Questions?

Marius Mailat, marius.mailat@gmail.com