Developing Security Mobile Applications for Android Presenter, Joel Elixson Author, Jesse Burns of iSEC Partners.

Slides:



Advertisements
Similar presentations
Operating-System Structures
Advertisements

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Software Security Goes Mobile Jacob.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Security Awareness: Applying Practical Security in Your World
Security of Mobile Applications Vitaly Shmatikov CS 6431.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Introduction Our Topic: Mobile Security Why is mobile security important?
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
박 종 혁 컴퓨터 보안 및 운영체제 연구실 MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications,
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Byron Alleman Will Galloway Jesse McCall. Permission Based Security Model Users can only use features for which their permissions grant them access Abstracts.
© Keren Kalif Intro to Android Development Written by Keren Kalif, Edited by Liron Blecher Contains slides from Google I/O presentation.
All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영
1 NETE4631 Mobile Cloud Computing Lecture Notes #10.
Software Architecture of Android Yaodong Bi, Ph.D. Department of Computing Sciences University of Scranton.
W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system.
Using Intents to Broadcast Events Intents Can be used to broadcast messages anonymously Between components via the sendBroadcast method As a result Broadcast.
Android ICC Part II Inter-component communication.
Mobile Application Development using Android Lecture 2.
Erika Chin Adrienne Porter Felt Kate Greenwood David Wagner University of California Berkeley MobiSys 2011.
DUE Hello World on the Android Platform.
CS378 - Mobile Computing Intents.
16 Services and Broadcast Receivers CSNB544 Mobile Application Development Thanks to Utexas Austin.
Developing Secure Mobile Applications for Android CS 595 James Zachary Howland.
CS378 - Mobile Computing Intents. Allow us to use applications and components that are part of Android System – start activities – start services – deliver.
Lemonade Requirements for Server to Client Notifications draft-ietf-lemonade-server-to-client-notifications-00.txt S. H. Maes C. Wilson Lemonade Intermediate.
COMP 365 Android Development.  Every android application has a manifest file called AndroidManifest.xml  Found in the Project folder  Contains critical.
1 AGRIDES Walk-through. 2 AGRIDES - File Content AGRIDES allows to upload one file per transaction:  File –Message 1 Document A –Message 2 Document B.
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
Mobile Application Security on Android Originally presented by Jesse Burns at Black Hat
CSE 332: Design Patterns Review: Design Pattern Structure A design pattern has a name –So when someone says “Adapter” you know what they mean –So you can.
Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.
Digital Citizenship Project Created By: Celeste Jackson ED 505-Dr. Martha Hocutt.
Interfaces About Interfaces Interfaces and abstract classes provide more structured way to separate interface from implementation
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
Serving the Public. Regulating the Profession. CANADA’S ANTI-SPAM LEGISLATION (CASL) Training for Chapters Based on Guidelines for Chapters First published.
L10: Model-View-Controller General application structure. User Interface: Role, Requirements, Problems Design patterns: Model – View – Controller, Observer/Observable.
Role Of Network IDS in Network Perimeter Defense.
Intro to Distributed Systems Hank Levy. 23/20/2016 Distributed Systems Nearly all systems today are distributed in some way, e.g.: –they use –they.
Nguyen Thi Thanh Nha HMCL by Roelof Kemp, Nicholas Palmer, Thilo Kielmann, and Henri Bal MOBICASE 2010, LNICST 2012 Cuckoo: A Computation Offloading Framework.
DeepDroid Dynamically Enforcing Enterprise Policy Manwoong (Andy) Choi
START Application Spencer Johnson Jonathan Barella Cohner Marker.
Android and IOS Permissions Why are they here and what do they want from me?
The Ingredients of Android Applications. A simple application in a process In a classical programming environment, the OS would load the program code.
ANDROID ACCESS CONTROL Presented by: Justin Williams Masters of Computer Science Candidate.
Routers and Redundancy
SE-1021 Software Engineering II
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
Understanding Android Security
Talia ringer, dan grossman and Franziska roesner
Reactive Android Development
Android System Security
Routers and Redundancy
AUDACIOUS: USER DRIVEN ACCESS CONTROL WITH UNMODIFIED OPERATING SYSTEM
Outline What does the OS protect? Authentication for operating systems
ARP and RARP Objectives Chapter 7 Upon completion you will be able to:
Server Concepts Dr. Charles W. Kann.
Outline What does the OS protect? Authentication for operating systems
Encryption The Good kind of obscurity
Understanding Android Security
Android Developer Fundamentals V2 Lesson 5
Presentation transcript:

Developing Security Mobile Applications for Android Presenter, Joel Elixson Author, Jesse Burns of iSEC Partners

Approach Discuss the appropriate contextual use for particular Android Components and security-specific features Discuss other guidelines, dos-and-don’ts, what have you

Permissions Create new permissions sparingly Make new permissions easily understood – e.g., SEND_LOCATION_MESSAGE obviously sends a GPS location using SMS Use cleverness as an alternative whenever possible – e.g., Confirm any data changes with the user (UI)

Intent Filters Intent Filters can be bypassed via Intent.setComponent() They don’t make any guarantees about the message itself Bad data can easily sneak through; always check and sanitize Intent data Intent Filters are device-public; if you’re certain your Activity/Service doesn’t need to be exposed, consider calling it directly

Intents Don’t put sensitive information into an Intent that starts an Activity It’s susceptible to interception techniques that “squat” using the same IntentFilter (but with a higher priority) as the intended target

Broadcast Receivers (BRs) Prefer broadcasting for inter-process communication Receiving and sending broadcasts implements an easy-to-use, permissions-checking scheme to ensure a broadcast or BR is trusted Again, the message a BR receives could still be malicious (in the case of an unwary and too-eager user installing apps all willy-nilly), so data should still be screened in the BR

Broadcast Receivers: Exception Sticky broadcasts can’t require a BR have permission to receive it Obviously, don’t use a sticky broadcast for sensitive information

Services and Binders Validate your Service connections before use Can check the Service’s package name or explicitly call the exact Service your want (not ideal) Check the permissions of anyone accessing your application through a Binder interface – no exceptions

Pending Intents Prefer Pending Intents as the better message format in inter-process communication Pending Intents address the issue of “Intent Reflection,” which is the act of tricking another Component (Binder or Service, usually) into sending (successfully) an Intent they wouldn’t normally be able to send Pending Intent is always sent as the process that created it

Content Providers and SQL Content Providers might not be appropriate for all occasions (even when made private) Sanitize SQL to avoid SQL-Injection attacks; SQLiteQueryBuilder does some of this for you

File System Generally, it isn’t a good idea to make shared preferences or local files world-writable (a malicious writer could fill up your device memory) When using mass storage, understand that data written to it is world-readable

Questions Have any?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.