How secure are our local Android apps? 2014.09.18 Curious Minds, Brasov, Marius Mailat

How safe are our local Android apps? - Appsrise presentation at Curious Minds - Brasov 2014


DESCRIPTION

Insight into how safe the European apps you use daily are. My trips in the latest years brought me in contact with the Russian and Chinese app markets. I will do an analysis from a security point of view of some really popular European apps compared with the most popular Russian and Chinese apps. I will take a look at the Russian app vKontakte (10 million downloads) and also at WeChat (300 million downloads). Together we will audit the apps and decide together whether these apps are secure or not. Afterwards we will look in local European markets, choosing some really popular and weakly developed apps. No apps will be harmed in this process.


Page 1

How secure are our local Android apps?

2014.09.18 Curious Minds, Brasov, Marius Mailat

Page 2

Who is Marius?

Page 3

Who is Marius?

1. CTO/Partner - Appsrise
2. Trained over 500 developers on Android topics
3. Founder of the dev community Androider
4. Still Romanian in mind and soul

Page 4

Agenda

Page 5

Agenda

1. Why security and why local apps?
2. How safe are your Android apps?
3. How about the Romanian banking apps?
4. Are the French, Chinese or Russian apps much better?
5. How to secure your Android apps?

Page 6

Why security and why local apps?

Page 7

We all know the risks to our privacy

Most Android users know the risks involved when they use a smartphone and apps. Heck, we all know the German chancellor had her phone listened to by the CIA. How hard would it be to replicate that?

A local approach works better

If I tell you that the BCR app is leaking your username and password, the effect will be much bigger than telling you that WhatsApp is insecure! We will analyse local Android markets to find the local heroes defending our privacy!

Because I traveled a lot :)

Page 8

How safe are your Android apps?

Page 9

How safe are your Android apps?

Page 10

Mobile threats on Android

1. Advertising over malware
2. Direct payoff via SMS
3. Destructive attacks on sensitive data
4. Information scavengers
5. Premeditated spying on location and info

Page 11

BU HU HU

Page 12

How about the Romanian banking apps?

Page 13

Facts: Android banking apps

Downloads        Comments  Rating  URL
50,000-100,000   429       3.7     http://goo.gl/oV7Pl0
10,000-50,000    749       3.8     http://goo.gl/8AVwS
10,000-50,000    210       3.6     http://goo.gl/p8BRwK
10,000-50,000    270       4.0     http://goo.gl/FDN0ox
1,000-5,000      41        3.8     http://goo.gl/8FRN5q
1,000-5,000      39        3.1     http://goo.gl/oQWbsM
1,000-5,000      22        3.6     http://goo.gl/TLuHBk
500-1,000        27        4.1     http://goo.gl/zpWLkP

Page 14

How I calculate the BU HU HU score

Columns: DB, SSL, persistence, permissions, server, weird code. BU HU HU score: 0 = bad, 10 = excellent.

Marks (DB SSL persistence permissions server)   Weird code
- - - + +-     no fragments, old-style code: almost weird
- -            hybrid app, WebView with pre-Java code: totally weird
- - -          insecure server, PHP: kind of a mix of weird & complex
+ +            own weird cache mechanism, no logging class: readable
- -            XML parsing done on table dance: ugly but nice
- - -          many libs, Bump lib :), hybrid again: hybrid pseudo-native
- - - - -      again PhoneGap, load HTML?!
- - - - -      a bad OTP bank: Cordova stuff

Page 15

How about the French heroes' apps?

Page 16

Hero of the day: IoteoCam

Origin: beautiful France
Claims: working with certified IT security companies
Description: ioteoCam revolutionises video surveillance

Page 17

IoteoCam sins: the username and password leak into the logs

The app logs the complete login request, credentials included:

    04-03 12:42:55.196: I/zz | Common(12978): url:https://api.ioteo.net/main/login | post dict: [[email protected], password=9872#3?4615-02@, protocol_version=1, app_version=1.0, platf_version={"device":"hammerhead","product":"hammerhead","api":"19","model":"Nexus 5","android":"4.4.2","manufacturer":"LGE"}, errmsg_lan=en] | request:org.apache.http.client.methods.HttpPost@42ac11d8
    04-03 12:42:55.896: I/zz | Common(12978): done in 705ms | url: https://api.ioteo.net/main/login
    04-03 12:42:55.906: I/zz | global(12978): login response: {
    04-03 12:42:55.906: I/zz | global(12978): "success": false,
    04-03 12:42:55.906: I/zz | global(12978): "err_msg": "Wrong username and\/or password",
    04-03 12:42:55.906: I/zz | global(12978): "err_code": 1004
    04-03 12:42:55.906: I/zz | global(12978): }

Logcat is readable over adb and, before Android 4.1, by any app holding READ_LOGS, so a password written there has to be treated as disclosed.

Page 18

IoteoCam sins: the stream encoder/decoder is exposed

Decompiled output; the class keeps its original name and readable logic, so this part of the app is not obfuscated:

    public final class UlawEncoderInputStream extends InputStream {
      public static void encode(byte[] paramArrayOfByte1, int paramInt1, byte[] paramArrayOfByte2, int paramInt2, int paramInt3, int paramInt4) {
        int i = 536870912 / paramInt4;
        ...
        if (i2 <= 30) i3 = 240 + (30 - i2 >> 1);
        else if (i2 <= 94) i3 = 224 + (94 - i2 >> 2);
        else if (i2 <= 222) i3 = 208 + (222 - i2 >> 3);
        else if (i2 <= 478)

Page 19

How about the Russian heroes' apps?

Page 20

Hero of the day: VKontakte

Origin: beautiful Russia
Claims: 240 million accounts
Description: 50 million installations for the Russian Facebook

Page 21

VKontakte sins: chat messages are saved unprotected in the local DB

Page 22

How about the Chinese heroes' apps?

Page 23

Hero of the day: Meizu MX3 device

Origin: amazing China
Claims: 8 million preorders
Description: popular Android phone based on Flyme OS

Page 24

Meizu MX apps' sins: sniffing the phone's web traffic

Captured from the phone's built-in apps: the OAuth token and token secret, the user id and user name, and the music service calls with their query and identifier parameters going over plain http://.

    XXX: https://member.meizu.com/oauth/access_token
    XXX: x_auth_sn=351BBJJWLZW3&x_auth_mode=sn_auth
    XXX: oauth_token=2d736772c19b250f28dad1090e9b761013089651489596881&oauth_token_secret=86b4a5920134018a52e00814e2303d51&user_id=323817928371&user_name=MariusMailat&new_user=true&flyme=null&isWeak=false
    XXX: { "reply":[{"categoryType":0,"id":40002,"imageURL":"http://music.res.meizu.com/fileserver/music_category/12/a1131fd54d174297af1b9ae4a2282546.png","isLeaf":0,"layout":5,"name":"Top Show","numPer":null,"order":100,"resType":1,"resURL":null,"subCategoryCount":0},{"categoryType":0,"id":40013,"imageURL":"http://
    XXX: http://open.duomi.com/open/library/suggestion?query=Metal&lc=B9D2DCFA01526C54&conn=wifi
    XXX: {"dm_error":0,"error_msg":"操作成功","s":["metallica","metallica fade to black",
    XXX: http://collect.music.meizu.com/service/api/syncPlayList.jsonp updateNanoTime=0&playlist=%5B%5D
    XXX: { "reply":{"code":200,"message":null,"redirect":null,"value":[{"bigCoverUrl":null,"coverUrl":null,"createTime":new Date(1401834057906),"descriptor":"","entityLastUpdate":0,"hot":0,"id":1521299,"lastPublishTime":null,"midCoverUrl":null,"name":"我的爱","nickName":"MariusMailat"
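The two captures above (IoteoCam's logged login request on page 17 and the Meizu traffic on this page) show the same two failures: secrets written to logcat, and API calls carrying identifiers or tokens over cleartext HTTP. The scanner below is an added example for this page, not code from any of the audited apps or from the presentation. It runs over constructed sample lines that mirror the shapes seen in the slides (a logged HttpPost "post dict", an OAuth response body, plain-http requests); the hostnames, values and the SECRET_KEYS list are my assumptions, not facts about any app.

```python
"""Scan Android logcat output and captured HTTP traffic for leaked secrets.

Added example for this page, not code from the IoteoCam, VKontakte or Meizu
apps. SAMPLE_LINES is constructed to mirror the shapes in the slides (a logged
HttpPost "post dict", an OAuth response body, plain-http API calls); hostnames,
values and the SECRET_KEYS list are my assumptions, not facts about any app.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names whose values must never reach logcat or a cleartext URL.
SECRET_KEYS = {
    "password", "passwd", "pwd", "pass", "oauth_token", "oauth_token_secret",
    "access_token", "refresh_token", "token", "session", "sessionid", "x_auth_sn",
}

# key=value or "key": "value" pairs as they appear in query strings, form bodies,
# logged request dicts and JSON fragments. The (?!//) lookahead keeps "http:" from
# being read as a key; values stop at separators.
KV_RE = re.compile(
    r'"?(?P<key>[A-Za-z_][\w.-]*)"?\s*[=:]\s*(?!//)"?(?P<val>[^\s,&\[\]{}"]+)')
URL_RE = re.compile(r'https?://[^\s"\'|\]},]+')

# Constructed sample input: two logcat lines, one OAuth response body, two requests.
SAMPLE_LINES = [
    "04-03 12:42:55.196: I/zz | Common(12978): url:https://api.example.net/main/login"
    " | post dict: [username=alice@example.com, password=s3cr3t-Pa55, protocol_version=1]"
    " | request:org.apache.http.client.methods.HttpPost@42ac11d8",
    "04-03 12:42:55.896: I/zz | Common(12978): done in 705ms | url: https://api.example.net/main/login",
    "GET http://music.example.cn/open/library/suggestion?query=Metal&lc=B9D2DCFA01526C54&conn=wifi",
    "oauth_token=2d736772c19b250f28dad1090e9b7610&oauth_token_secret=86b4a5920134018a52e00814e2303d51"
    "&user_id=1&user_name=alice",
    "GET http://collect.example.cn/service/api/syncPlayList.jsonp"
    "?access_token=86b4a5920134018a52e00814e2303d51&playlist=%5B%5D",
]


def mask(value):
    """Keep a short prefix so a finding can be correlated without reprinting the secret."""
    return value[:3] + "*" * (len(value) - 3) if len(value) > 3 else "***"


def scan_line(line):
    """Return (kind, subject, detail) findings for one line."""
    findings = []
    for m in URL_RE.finditer(line):
        url = urlsplit(m.group(0))
        params = parse_qsl(url.query, keep_blank_values=True)
        if url.scheme == "http":  # anything here is visible to the whole network path
            findings.append(("cleartext-url", url.netloc + url.path, [k for k, _ in params]))
        for k, _ in params:
            if k.lower() in SECRET_KEYS:  # secrets in URLs end up in proxy and server logs
                findings.append(("secret-in-url", k, url.scheme))
    rest = URL_RE.sub(" ", line)  # URLs already handled; scan the remaining text
    for m in KV_RE.finditer(rest):
        if m.group("key").lower() in SECRET_KEYS:
            findings.append(("secret-value", m.group("key"), mask(m.group("val"))))
    return findings


def scan_lines(lines):
    """Findings for a whole capture as (line_no, kind, subject, detail) tuples."""
    return [(n, *f) for n, line in enumerate(lines, 1) for f in scan_line(line)]


def _redact_url(m):
    url = urlsplit(m.group(0))
    if not url.query:
        return m.group(0)
    pairs = [(k, mask(v) if k.lower() in SECRET_KEYS else v)
             for k, v in parse_qsl(url.query, keep_blank_values=True)]
    return url._replace(query=urlencode(pairs, safe="*")).geturl()


def redact(line):
    """What a logging wrapper should emit instead: secret values masked, the rest intact."""
    line = URL_RE.sub(_redact_url, line)
    return KV_RE.sub(lambda m: m.group(0).replace(m.group("val"), mask(m.group("val")))
                     if m.group("key").lower() in SECRET_KEYS else m.group(0), line)


if __name__ == "__main__":
    for n, kind, subject, detail in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {kind:18} {subject} {detail}")
    print(redact(SAMPLE_LINES[0]))
```

Run it over `adb logcat` output or a proxy export to get the same two classes of finding the slides show; `redact` is the shape of wrapper an app should put in front of its own log calls, so the request is still traceable while the password is not.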

Page 25

How to secure your Android apps?

Page 26

How to scoop inside an Android app

1. $ apktool d BANK.apk
2. $ jar xvf BANK.apk classes.dex
3. $ dex2jar.sh classes.dex
4. Open JD-GUI
5. Try alternatives: Dare, ded, dexdump etc.
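Step 2 works because an APK is a zip file. The script below, an added example for this page and not part of the presentation or of any tool it names, does that extraction in Python so it runs without the Android tools, then checks the DEX header (magic, Adler-32 checksum over bytes 12..end, SHA-1 signature over bytes 32..end) before anything is handed to dex2jar, and lists the two things the score table on page 14 kept flagging: native libraries and Cordova/PhoneGap-style assets/www trees. The APK it opens is constructed in memory (placeholder manifest, header-only DEX, one .so, one HTML file); real apps differ, and the assets/www heuristic for hybrid apps is my assumption.

```python
"""Unpack an APK and sanity-check its classes.dex header: the "jar xvf" step
of the procedure above done in Python so it runs without the Android tools.

Added example for this page, not part of the presentation or of any tool it
names. The APK built below is constructed in memory (a placeholder manifest,
a header-only DEX, a Cordova-style assets/www tree and one native library),
so real apps will differ; the hybrid-app heuristic is an assumption of mine.
"""
import hashlib
import io
import struct
import zipfile
import zlib

HEADER_SIZE = 0x70            # a dex header is always 112 bytes
ENDIAN_CONSTANT = 0x12345678  # endian_tag value for little-endian files
# The 17 u4 fields that follow endian_tag, in header order.
TAIL_FIELDS = ("link_size", "link_off", "map_off",
               "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
               "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
               "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
               "data_size", "data_off")


def build_minimal_dex():
    """Constructed sample: a header-only DEX with a correct checksum and signature."""
    tail = struct.pack("<17I", *([0] * 16 + [HEADER_SIZE]))  # every table empty
    rest = struct.pack("<III", HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT) + tail
    signature = hashlib.sha1(rest).digest()                  # covers bytes 32..end
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF   # covers bytes 12..end
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + rest


def parse_dex_header(data):
    """Parse and verify the header; raises ValueError if this is not a DEX at all."""
    if len(data) < HEADER_SIZE or data[:4] != b"dex\n" or data[7] != 0:
        raise ValueError("not a dex file")
    checksum, = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    header = {
        "version": data[4:7].decode("ascii"),
        "file_size": file_size,
        "header_size": header_size,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
    }
    header.update(zip(TAIL_FIELDS, struct.unpack_from("<17I", data, 44)))
    return header


def build_sample_apk():
    """Constructed sample APK (a plain zip) standing in for BANK.apk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder: real one is binary XML>")
        z.writestr("classes.dex", build_minimal_dex())
        z.writestr("assets/www/index.html", b"<html>cordova shell</html>")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF placeholder")
        z.writestr("res/layout/main.xml", b"<placeholder>")
    return buf.getvalue()


def triage_apk(apk_bytes):
    """What an auditor looks at first: dex files, native code, hybrid shells."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = {n: parse_dex_header(z.read(n)) for n in names
               if n.startswith("classes") and n.endswith(".dex")}
    return {
        "entries": len(names),
        "dex": dex,
        "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
        # Heuristic (assumption): Cordova/PhoneGap apps ship their HTML under assets/www.
        "hybrid": any(n.startswith("assets/www/") for n in names),
    }


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for name, h in report["dex"].items():
        print(name, "version", h["version"], "checksum", h["checksum_ok"],
              "signature", h["signature_ok"], "classes", h["class_defs_size"])
    print("native libs:", report["native_libs"], "hybrid:", report["hybrid"])
```

Point `triage_apk` at the bytes of a real APK to get the same report; a failed checksum or signature means the file was modified after it was built, which is worth knowing before trusting anything the decompiler shows.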

Page 27

Security guidelines for Android apps

1. Encrypt everything - DB, preferences ...
2. Password - salt
3. Secure server communication
4. Do not trust the server and the app!
5. Do not allow backup
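Guideline 2 in working form, as an added example for this page and not code from the presentation or from any audited app: PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt, beside the unsalted digest it replaces, so that two users with the same password no longer produce the same stored value. The iteration count, the record format "pbkdf2_sha256$iterations$salt$hash" and the rehash policy are my choices. This routine belongs wherever the password is verified, normally the server; the app itself should keep a session token, not the password.

```python
"""Salted password hashing (guideline 2, "password - salt"), with the unsalted
form beside it to show what the salt buys.

Added example for this page, not code from any of the audited apps. It uses
PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the
record format "pbkdf2_sha256$iterations$salt$hash" are my choices.
"""
import hashlib
import hmac
import os
from base64 import b64decode, b64encode

ITERATIONS = 200_000   # tune so one verification costs ~100 ms on the verifying machine
SALT_BYTES = 16


def unsalted_hash(password):
    """The weak form: same password, same digest, for every user and every app."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record that verify_password can check later."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, b64encode(salt).decode("ascii"), b64encode(digest).decode("ascii"))


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = b64decode(salt_b64), b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):   # malformed record: refuse rather than crash
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True if the record predates the current algorithm or iteration policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


def demo():
    """Two users with the same password: unsalted digests collide, salted records do not."""
    password = "correct horse battery staple"
    alice, bob = hash_password(password), hash_password(password)
    return {
        "unsalted_equal": unsalted_hash(password) == unsalted_hash(password),
        "salted_equal": alice == bob,
        "alice_ok": verify_password(password, alice),
        "bob_wrong_case": verify_password(password.capitalize(), bob),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a successful login, check `needs_rehash` and store a fresh record if it returns True; that is how the iteration count gets raised over time without a forced password reset.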

Page 28

How to secure your Android apps

Your code is art; your safer code is art too. Security & code guidelines: protect the app.

- Protect the resources
- Protect the preferences
- Protect the database
- Serious painting skills with sensitive data: do the guidelines protect you?
- Encrypt your binary: BU HU HU magic via DexGuard & co.

Page 29

Thank you! Questions?

Marius Mailat

[email protected]