Android Taipei 2013 August - Android Apps Security


OWASP Mobile Top 10 Risk • Android client-side security – Android App architecture – Android application package • APK, DEX and JAR • Manifest.xml – Permission control • APK analysis; Transport layer security; Storage security; Basic cryptography

Text of Android Taipei 2013 August - Android Apps Security

  • Android Apps Security

    2013.08.22 @ Android Taipei

    Taien Wang

  • About Taien

    2012 Node.js Knockout

    2011 Microsoft MVP

    2011

    5th

    5th

    2009

    13th

    2nd

    2012

    2010 Microsoft Technet

    2010

    2010

    2009 Net-Hack

    2009

    2008 Net-Hack

  • OWASP Mobile Top 10 Risk

    Android

    Android App

    Android

    APK, DEX, JAR

    Manifest.xml

    APK

  • OWASP Mobile Top 10 Risk

  • ANSI/IEEE Standard 729

  • OWASP Mobile Security Project - Top Ten Mobile Risks

  • OWASP Mobile Top Ten Mobile Risks (1/2)

    M1. (Insecure Data Storage)

    SQLite, Log, Plist, XML, Manifest

    Cookie, SD card

    M2. (Weak Server Side Controls)

    OWASP Cloud Top 10 Risks, OWASP Web Top 10 Risk

    M3. (Insufficient Transport Layer Protection)

    Wi-Fi, NFC, Ethernet

    (SSL, WS-Security)

    M4. (Client Side Injection)

    SQLite Injection, XSS, Fuzzing

    M5. (Poor Authorization and Authentication)

    IMEI, IMSI, UUID, Device ID, MAC

    https://www.owasp.org/index.php/Mobile_Top_10_2012-M1
    https://www.owasp.org/index.php/Mobile_Top_10_2012-M2
    https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
    https://www.owasp.org/index.php/Top_10_2013-Top_10
    https://www.owasp.org/index.php/Mobile_Top_10_2012-M3
    https://www.owasp.org/index.php/Mobile_Top_10_2012-M4
    https://www.owasp.org/index.php/Mobile_Top_10_2012-M5

  • OWASP Mobile Top Ten Mobile Risks (2/2)

    M6. (Improper Session Handling)

    Session, Cookie, Token

    M7. (Security Decisions Via Untrusted Inputs)

    M8. (Side Channel Data Leakage)


    M9. (Broken Cryptography)

    M10. (Sensitive Information Disclosure)

    https://www.owasp.org/index.php/Mobile_Top_10_2012-M6
    https://www.owasp.org/index.php/Mobile_Top_10_2012-M7
    https://www.owasp.org/index.php/Mobile_Top_10_2012-M8
    https://www.owasp.org/index.php/Mobile_Top_10_2012-M9
    https://www.owasp.org/index.php/Mobile_Top_10_2012-M10

  • Android

  • Android

    Source: Android Apps Security, Sheran A. Gunasekera, 2012

  • Android Radio Interface Layer

    Source: Android Platform Development Kit, Radio Layer Interface

    http://www.netmite.com/android/mydroid/development/pdk/docs/telephony.html

  • Android

  • Android Package Kit

    An Android Package Kit (APK) is a ZIP archive

    containing DEX, AndroidManifest.xml

    Source: Building and Running, Android Developers

    http://developer.android.com/tools/building/index.html

  • JAR DEX

    Source: Android Apps Security, Sheran A. Gunasekera, 2012

    Source: Building and Running, Android Developers

    http://developer.android.com/tools/building/index.html

  • JAR DEX

  • APK

  • AndroidManifest.xml

    Android

    activities, services, broadcast receivers, content providers

  • Android

    Linux

  • Android

    Android is built on Linux

    each app runs under its own uid and gid

    permissions are declared in Manifest.xml with a protection level:

    Normal

    Dangerous

    Signature

    SignatureOrSystem

  • android.permission.INTERNET

    android.permission.ACCESS_GPS

    android.permission.ACCESS_FINE_LOCATION

    android.permission.ACCESS_COARSE_LOCATION

    android.permission.ACCESS_NETWORK_STATE

    android.permission.CAMERA

    android.permission.READ_PHONE_STATE

    android.permission.WRITE_EXTERNAL_STORAGE

    android.permission.WAKE_LOCK

    android.permission.GET_ACCOUNTS

    android.permission.USE_CREDENTIALS

    android.permission.VIBRATE

    android.permission.LIGHTS

    android.permission.SOUND

    android.permission.ACCESS_MOCK_LOCATION

    com.google.android.c2dm.permission.RECEIVE

  • AndroidManifest.xml (1/3)

    AXMLPrinter2.jar

    java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifest_decode.xml

    https://code.google.com/p/android4me/downloads/list

  • AndroidManifest.xml (2/3)

  • AndroidManifest.xml (3/3)

  • APK

    dex2jar: converts dex to jar

    jd-gui, DJ Java Decompiler

    jd-gui

    DJ Java Decompiler: .class to .java

    Apktool: smali

    IDA Pro (6.1 supports Android)

    http://java.decompiler.free.fr/?q=jdgui
    http://www.neshkov.com/
    https://code.google.com/p/android-apktool/

  • Live Demo 1:

    OWASP Mobile

    M9.

    M10.

  • ProGuard - APK

    ProGuard

    Java

    Android SDK

    project.properties

    proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt

    http://proguard.sourceforge.net/

  • HTTP

    HTTPS

    Socket

    SMS

    Bluetooth

  • HTTP

    Charles

    Zed Attack Proxy (ZAP)

  • API

  • Live Demo 2:

    OWASP Mobile

    M3.

    M5.

    M6.

  • Android

    SQLite

    SQLite Injection

    SharedPreferences

    App

    SD card

  • SharedPreferences

  • SP, SQLite

  • salt

    ECB, CBC, CFB

    OFB, CTR

  • XXX

  • OWASP Mobile Top 10

    Building Security In

    SDLC

  • Projects/OWASP Mobile Security Project - Top Ten Mobile Risks, OWASP

    OWASP Top 10 Mobile Risks, Jack Mannino

    Top 10 Cloud Risks That Will Keep You Awake at Night, Shankar Babu Chebrolu, Cisco

    &lt;permission&gt;, Android Developers

    Manifest.permission, Android Developers

    https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
    http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
    https://www.owasp.org/images/4/47/Cloud-Top10-Security-Risks.pdf
    http://developer.android.com/guide/topics/manifest/permission-element.html
    http://developer.android.com/reference/android/Manifest.permission.html