secure android application development
play

Secure Android Application Development June 5th 2020 Sophie Tian - PowerPoint PPT Presentation

Nov 17, 2023 •865 likes •1.11k views

Guest Lecture Secure Android Application Development June 5th 2020 Sophie Tian shuxut@cs.washington.edu Slides from: Franziska (Franzi) Roesner Associate Professor, CSE franzi@cs.washington.edu Roadmap Part 1: What can go wrong?

  1. Guest Lecture Secure Android Application Development June 5th 2020 Sophie Tian shuxut@cs.washington.edu Slides from: Franziska (Franzi) Roesner Associate Professor, CSE franzi@cs.washington.edu

  2. Roadmap • Part 1: What can go wrong? • Part 2: How are mobile platforms (Android) designed for security? • Part 3: Best practices for mobile (Android) app developers 6/4/20 Franziska Roesner 2

  3. What can go wrong? “Threat Model” 1: Malicious applications 6/4/20 Franziska Roesner 3

  4. What can go wrong? “Threat Model” 1: Malicious applications Example attacks: – Premium SMS messages – Track location – Record phone calls – Log SMS – Steal data Tip: Don’t do these things! :) – Phishing 6/4/20 Franziska Roesner 4

  5. What can go wrong? “Threat Model” 2: Vulnerable applications Example concerns: – User data is leaked or stolen • (on phone, on network, on server) – Application is hijacked by an attacker 6/4/20 Franziska Roesner 5

  6. Mobile Platform Security Features Goal: Limit how much harm developers of malicious or buggy applications can do! A key feature: Application isolation Also: – Secure hardware – Full disk encryption – Modern memory protections (e.g., ASLR) – Application signing – App store review 6/4/20 Franziska Roesner 6

  7. Applications are Isolated • From each other – Run in separate processes – With separate UIDs Since 5.0: ART (Android runtime) replaces Dalvik VM to run apps natively Process.pid #=> 95291 Process.uid #=> 501 • And from the system – No shared accessible file system – No default access to devices 6/4/20 Franziska Roesner 7

  8. Permissions Prompts (time-of-use) Manifests (install-time) 6/4/20 Franziska Roesner 8

  9. Android 6.0: Prompts! • First-use prompts for sensitive permission (like iOS). • Big change! Now app developers needed to check for permissions or catch exceptions. 6/4/20 Franziska Roesner 9

  10. Best Practices for Mobile App Developers 1. Only ask for the permissions you need 2. Use “internal storage” for sensitive data 3. Validate input from external sources (incl. users) 4. Encrypt network communications 5. Don’t hard-code secrets in source code 6. Use existing cryptography support (carefully) 7. Be careful with inter-process communications 8. Be careful about libraries you include More: https://developer.android.com/training/articles/security-tips 6/4/20 Franziska Roesner 10

  11. [Felt et al.] 1. Only ask for permissions you need Apps are often “overprivileged”. Early (2011) study: 6/4/20 Franziska Roesner 11

  12. 2. Use “internal storage” for sensitive data Internal storage is: – Not accessible to other apps – Deleted when the app is uninstalled External storage (like SD cards) are globally readable and writable. Even better, encrypt data ( EncryptedFile ). Interesting tutorial: https://www.tutorialspoint.com/android/android_internal_storage.htm#:~:text=Int ernal%20storage%20is%20the%20storage,when%20user%20delete%20your%20applica tion. 6/4/20 Franziska Roesner 12

  13. 3. Validate input from external sources (including users) Check your assumptions about input! – From users, from other apps, from web – Length? Format? – Can cause issues like buffer overflow attacks (in native code, not Java) or SQL injections (when sent to server) – Be careful with WebViews 6/4/20 Franziska Roesner 13

  14. 4. Encrypt network communications Use HTTPS! This means user data will not be readable over the network. URL url = new URL("https://www.yourserver.com"); HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); urlConnection.connect(); InputStream in = urlConnection.getInputStream(); HttpsURLConnection extends HttpURLConnection with support for https-specific features. 6/4/20 Franziska Roesner 14

  15. 5. Don’t hard-code secrets in source code CryptoHelper.java private static String SECRET_KEY = "8badcafef00ddead"; GreatApp.apk CryptoHelper.smali const string v0, "8badcafef00ddead” sput-object v0, Ledu/washington/cs/cse484/simplenotepad/ CryptoHelper;->SECRET_KEY:Ljava/lang/String; 6/4/20 Franziska Roesner 15

  16. Instead, use Android Keystore Allows you to create and store secret values. Prevents extraction of keys by: 1. Making sure they never enter the application process 2. Use of secure hardware 6/4/20 Franziska Roesner 16

  17. 6. Use existing cryptography libraries (carefully) Do not write your own cryptography! Unless you are a cryptographer J Follow recommended best practices for parameter selections: https://developer.android.com/guide/topics/security/cryptography 6/4/20 Franziska Roesner 17

  18. 7. Be careful with inter-process communications • Primary mechanism in Android: Intents – Sent between application components • e.g., with startActivity(intent) – Explicit: specify component name • e.g., com.example.testApp.MainActivity (our best friend J ) – Implicit: specify action (e.g., ACTION_VIEW) and/or data (URI and MIME type) • Apps specify Intent Filters for their components. 6/4/20 Franziska Roesner 18

  19. [Chin et al.] Eavesdropping and Spoofing • Buggy apps might accidentally: – Expose their component-to-component messages publicly à eavesdropping – Act on unauthorized messages they receive à spoofing 6/4/20 Franziska Roesner 19

  20. [Felt et al.] Permission Re-Delegation • An application without a permission gains additional privileges through another application. Demo pressButton(0) malware • Settings application is deputy: has permissions, Settings toggleWifi() and accidentally exposes APIs that use those toggleWifi() permissions. Permission System API 6/4/20 Franziska Roesner 20

  21. 8. Be careful about libraries you include Libraries run in the context of the application –> they can use all the same permissions! 6/4/20 Franziska Roesner 21

  22. Best Practices for Mobile App Developers Questions? 1. Only ask for the permissions you need 2. Use “internal storage” for sensitive data 3. Validate input from external sources (incl. users) 4. Encrypt network communications 5. Don’t hard-code secrets in source code 6. Use existing cryptography libraries (carefully) 7. Be careful with inter-process communications 8. Be careful about libraries you include More: https://developer.android.com/training/articles/security-tips 6/4/20 Franziska Roesner 22

Recommend

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview Installation Building Blocks Application Development Development Tools Source walk through Introduction to Android Open software

978 views • 49 slides
Android UI Tools CS 4720 Mobile Application Development Resource: developer.android.com CS

Android UI Tools CS 4720 Mobile Application Development Resource: developer.android.com CS

Android UI Tools CS 4720 Mobile Application Development Resource: developer.android.com CS 4720 UI vs. UX An important distinction to make up front is the difference between UI and UX UI User Interface The components of a

659 views • 20 slides
Android Activity CS 4720 Mobile Application Development Source: developer.android.com CS

Android Activity CS 4720 Mobile Application Development Source: developer.android.com CS

Android Activity CS 4720 Mobile Application Development Source: developer.android.com CS 4720 Activity Conceptually, an Activity is a single screen of your application In other words, an App really is a collection of related

892 views • 16 slides
Android Architecture CS 4720 Mobile Application Development CS 4720 The Basics In

Android Architecture CS 4720 Mobile Application Development CS 4720 The Basics In

Android Architecture CS 4720 Mobile Application Development CS 4720 The Basics In general, all apps are written in Java (this is not always the case as there are third-party conversion tools) A compiled Android app is an .apk

208 views • 17 slides
Android Services CS 4720 Mobile Application Development Resource: developer.android.com CS

Android Services CS 4720 Mobile Application Development Resource: developer.android.com CS

Android Services CS 4720 Mobile Application Development Resource: developer.android.com CS 4720 The Android Architecture CS 4720 2 The Service A Service is a process running the background It does not have a UI A Service

264 views • 9 slides
Xcode and Swift CS 4720 Mobile Application Development CS 4720 Why Java for Android?

Xcode and Swift CS 4720 Mobile Application Development CS 4720 Why Java for Android?

Xcode and Swift CS 4720 Mobile Application Development CS 4720 Why Java for Android? Lets first recap: why do you think Android uses Java? CS 4720 2 Why Java for Android? Some good reasons: You cant find a CS major

385 views • 19 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
Android update June 2010 David Melgar david@broadreachsoftware.com Android application

Android update June 2010 David Melgar david@broadreachsoftware.com Android application

Android update June 2010 David Melgar david@broadreachsoftware.com Android application development Agenda Google I/O Froyo Future Other Device updates Google I/O Googles developer conference May 2010, San Francisco

594 views • 24 slides
Android Application Development Lecture Notes INDEX Lesson 1. Introduction 1-2 Mobile Phone

Android Application Development Lecture Notes INDEX Lesson 1. Introduction 1-2 Mobile Phone

Android Application Development Lecture Notes INDEX Lesson 1. Introduction 1-2 Mobile Phone Evolution 1-3 Hardware: What is inside a Smart Cellular Phone? 1-4 Hardware: Reusing Cell Phone Frequencies 1-5 Software: What is Android?

82 views • 7 slides
CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

583 views • 31 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes Patrick Carter, Collin Mulliner, Martina Lindorfer, William Robertson, Engin Kirda 02/23/2016 Android 2015 Q3 Market Share Android iOS

774 views • 26 slides
Secure application development with AOP Nils Durner <ndurner@web.de> 1 Outline of the

Secure application development with AOP Nils Durner <ndurner@web.de> 1 Outline of the

Secure application development with AOP Nils Durner <ndurner@web.de> 1 Outline of the talk Introduction to Aspect Oriented Programming Examples for uses of AOP for security AOP & Memory safety Future work 2 What is

870 views • 59 slides
2.) Modify the Layout of your Fragment The Layout of the Fragment contains a ListView (hence we

2.) Modify the Layout of your Fragment The Layout of the Fragment contains a ListView (hence we

PEM (Android) WS 2015/16 Assignment 01 Assignment 01 First Steps Prepare the Android development environment and create your first test app to check all involved components Download the Android development IDE Android Studio from

577 views • 4 slides
Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android which gives us the liberty to perform heavy tasks in the background and keep the UI thread light thus making the application more responsive. Basic

240 views • 5 slides
Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity It used to be that phones had so little connectivity to devices other than the phone network that security wasn't a huge deal Phone number

660 views • 15 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Services Android Services A Service is an application component that runs in the background, not

Services Android Services A Service is an application component that runs in the background, not

Lesson 22 Lesson 22 Android Android Services Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work

692 views • 26 slides
Mobile Development Workshop ANDROID REFRESHER Overview The Android operating system Views,

Mobile Development Workshop ANDROID REFRESHER Overview The Android operating system Views,

Mobile Development Workshop ANDROID REFRESHER Overview The Android operating system Views, Layouts and Activities Event listeners Using Intents to request actions First up Start a new project in Android Studio Call it Before and After

4.96k views • 19 slides
Android Application Development: Hands- On Dr. Jogesh K. Muppala muppala@cse.ust.hk Wi-Fi Access

Android Application Development: Hands- On Dr. Jogesh K. Muppala muppala@cse.ust.hk Wi-Fi Access

Android Application Development: Hands- On Dr. Jogesh K. Muppala muppala@cse.ust.hk Wi-Fi Access Wi-Fi Access Account Name: aadc201312 AAD: Hands-On Introduction 2 (Muppala) The Android Wave! AAD: Hands-On Introduction 3 (Muppala)

410 views • 30 slides
Android App Development Rameel Sethi Relevance of Android App to LFEV Would be useful for

Android App Development Rameel Sethi Relevance of Android App to LFEV Would be useful for

Android App Development Rameel Sethi Relevance of Android App to LFEV Would be useful for technician at Formula EV race course to monitor vehicle conditions on cellphone Can serve as useful demo of LFEV software for prospective

272 views • 13 slides
Outline Introduction of Android System Four primary application components

Outline Introduction of Android System Four primary application components

Xin Pan CSCI5448 2011 Fall Outline Introduction of Android System Four primary application components AndroidManifest.xml Introduction of Android Sensor Framework Package Interface Classes Examples of Using

434 views • 42 slides
Sensors CS 4720 Mobile Application Development CS 4720 Sensor Categories Android

Sensors CS 4720 Mobile Application Development CS 4720 Sensor Categories Android

Sensors CS 4720 Mobile Application Development CS 4720 Sensor Categories Android sensors as separated into one of three broad categories: Motion sensors measure force and rotation Environmental sensors measure

274 views • 26 slides
HELLO WORLD ON ANDROID Create a new Android Project Open File->New->Android

HELLO WORLD ON ANDROID Create a new Android Project Open File->New->Android

HELLO WORLD ON ANDROID Create a new Android Project Open File->New->Android project Application name Company domain Project location Hello World Project Target Android Devices Hello World Project Add an

213 views • 18 slides

More recommend