safety first – best practices in app security
signingConfigs {
    release {
        storeFile file("myapp.keystore")
        storePassword "password123"   // secrets hardcoded in build.gradle
        keyAlias "keyAlias"
        keyPassword "password789"
    }
}
DO NOT!
signingConfigs {
    release {
        try {
            storeFile file("myapp.keystore")
            storePassword KEYSTORE_PASSWORD   // supplied via gradle.properties / environment, not committed
            keyAlias "keyAlias"
            keyPassword KEY_PASSWORD
        } catch (ex) {
            throw new InvalidUserDataException("…")
        }
    }
}

buildTypes {
    release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
        signingConfig signingConfigs.release
    }
}
public abstract class e {
    private int a = -1;
    private String b = null;
    protected boolean k = false;

    public abstract void a(Intent var1);

    public void run() {
        this.a((Intent) null);
    }

    protected final void a(String var1) {
        this.b = var1;
    }

    public final void c() {
        this.a = -1;
        this.b = null;
    }

    public final boolean d() {
        return this.k;
    }
}
TAMPERING DETECTION
Verify signing certificate at runtime
Verify the installer
context.getPackageManager().getInstallerPackageName(context.getPackageName()).startsWith("com.android.vending")
Check if app is debuggable (or run on emulator)
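The three checks above, put together in one Java class as an added example (not code from the talk): the expected certificate fingerprint is a placeholder to be replaced with your own release certificate's SHA-256, and the emulator test is a heuristic assumption based on Build properties.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Runtime tampering checks: signing certificate, installer and debuggable/emulator flag. */
public final class TamperCheck {
    // Placeholder: put the SHA-256 fingerprint of your release certificate here
    // (keytool -list -v -keystore myapp.keystore), lowercase hex without colons.
    private static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256";
    private static final String TRUSTED_INSTALLER = "com.android.vending";

    /** True only if the APK carries exactly one signature and it matches the expected cert. */
    public static boolean isSignatureValid(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // Signature.toByteArray() is the DER certificate, so this equals keytool's SHA256 fingerprint
            return sigs != null && sigs.length == 1
                    && EXPECTED_CERT_SHA256.equals(sha256Hex(sigs[0].toByteArray()));
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed
        }
    }

    /** True if the Play Store installed the app; sideloaded APKs return null here. */
    public static boolean isInstallerTrusted(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return installer != null && installer.startsWith(TRUSTED_INSTALLER);
    }

    /** True if the build is debuggable or the device looks like an emulator (heuristic, assumed). */
    public static boolean isDebuggableOrEmulator(Context ctx) {
        boolean debuggable = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        boolean emulator = Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("Emulator") || Build.MODEL.contains("sdk");
        return debuggable || emulator;
    }

    private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Because these checks run inside the APK, a repackaged build can remove them; treat a failed check as a signal to report to your backend rather than the only line of defence.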
<provider
    android:name="com.example.android.datasync.provider.StubProvider"
    android:authorities="com.example.android.datasync.provider"
    android:exported="false" />

android:protectionLevel="signature"
Storage              private   readable   safe
Internal storage     yes       yes        yes
External storage     no        yes        no
Content providers    depends   yes        yes
Shared prefs.        yes       yes        yes
ANDROID M
android:usesCleartextTraffic="false"

StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder()
        .detectCleartextNetwork()
        .penaltyLog()
        .build());
OkHttpClient client = okhttpbuilder
        .pinClientCertificate(resources, R.raw.client_cert, "pass".toCharArray(), "PKCS12")
        .pinServerCertificates(resources, R.raw.server_cert, "pass".toCharArray(), "BKS")
        .build();
return new OkClient(client);
INCLUDE THE CLIENT IN THE PROCESS
• Keep them up-to-date
• Help them understand risks and advise them
• Insist on updates and security patches
THINGS TO REMEMBER
• Use internal storage if applicable
• Encrypt data
• Use HTTPS
• Pin certificates
• Be aware of the update cycle
REFERENCES
• Gradle configuration
• http://developer.android.com/guide/topics/data/data-storage.html#db
• https://codahale.com/how-to-safely-store-a-password/
• http://www.developereconomics.com/android-cryptography-tools-for-beginners/
• https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app
• https://www.ssllabs.com/
• http://developer.android.com/preview/features/security-config.html
• https://www.ionic.com/mitm-attacks-ssl-pinning-what-is-it-and-why-you-should-care/
Thank you!
Questions?
Visit www.infinum.co or find us on social networks: