![GETWINDOW().SETFLAGS(LAYOUTPARAMS.F
LAG_SECURE,
LAYOUTPARAMS.FLAG_SECURE);
It disable screen capture
• [POWER] + [VOL-DWN]
• OEM feature like SAMSUNG / HTC](https://image.slidesharecdn.com/androidsecuritydevelopment-141021010448-conversion-gate01/85/Android-Security-Development-16-320.jpg)
More Related Content
![Mobile Application Pentest [Fast-Track]](https://cdn.slidesharecdn.com/ss_thumbnails/mobile1337-140527083940-phpapp02-thumbnail.jpg?width=560&fit=bounds)
Similar to Android Security Development (20)
![[OWASP Poland Day] Saving private token](https://cdn.slidesharecdn.com/ss_thumbnails/pawelbochenskisecuretoken2-171003211501-thumbnail.jpg?width=560&fit=bounds)
Android Security Development
- 1. Android Security Development SEAN
- 4. Sean • Developer • Developer • Developer
- 5. Something you need to know • USB • Screen • Clipboard • Permission • Database • Network • Cryptography • API Management
- 6. USB
- 8. ANDROID:ALLOWBACKUP = "TRUE" It will allow someone can backup databases and preferences.
- 10. ANDROID:DEBUGGABLE = "TRUE" It will let someone can see log message and do something more …
- 11. IF ANDROID:DEBUGGABLE MAKE ERROR NOTIFICATION IN ECLIPSE, IT IS ALL ABOUT ADT LINT.
- 12. CLICK ON "PROBLEMS" TAB
- 13. RIGHT CLICK ON ITEM AND CHOOSE "QUICK FIX"
- 15. SCREEN
- 16. GETWINDOW().SETFLAGS(LAYOUTPARAMS.F LAG_SECURE, LAYOUTPARAMS.FLAG_SECURE); It disable screen capture • [POWER] + [VOL-DWN] • OEM feature like SAMSUNG / HTC
- 17. CLIPBOARD
- 18. SAVE THE STATE OF APPLICATION onResume => FOREGROUND onPause => BACKGROUND
- 19. USE RUNNABLE AND POSTDELAYED 500 MS when onPause is triggered
- 20. DETECT STATE AND SETPRIMARYCLIP If STATE equals BACKGROUND, execute BaseActivity.this.mClipboardManager .setPrimaryClip(ClipData.newPlainText("", ""));
- 21. PERMISSION
- 22. ONLY USE NECESSARY PERMISSIONS
- 23. GOOGLE CLOUD MESSAGING NEEDS ANDROID.PERMISSION.GET_ACCOUNTS
- 24. BUT
- 25. GOOGLE CLOUD MESSAGING NEEDS ANDROID.PERMISSION.GET_ACCOUNTS
- 26. Database
- 27. SQLITE
- 29. SQLite Encryption Extension http://www.sqlite.org/see/
- 30. NETWORK
- 31. USE HTTPS WITH SELF-SIGNED CERTIFICATE
- 32. BUT
- 34. HOSTNAME IS VALID ?
- 35. VERIFY HOSTNAME
- 36. CHECK CERT ?
- 37. CLEAR KEYSTORE AND IMPORT SERVER CERT
- 38. DOUBLE CHECK CERT ?
- 39. VERIFY BINARY CONTENT OF SERVER CERT Avoid Man-in-the-Middle attack
- 40. WHY ?
- 41. SSL MECHANISM IN OS MAY BE WRONG APPLE SSL / TLS Bug ( CVE-2014-1266 )
- 42. SSL TUNNEL KEEP DATA SAFE ?
- 43. NO
- 44. YOU STILL NEED ENCRYPT DATA
- 46. DO NOT DO THIS
- 48. CRYPTOGRAPHY
- 49. BY ANDROID SDK OR ANDROID NDK ?
- 50. ANDROID SDK: JAVA DECOMPILE EASY ANALYSIS EASY
- 51. ANDROID NDK: C AND C++ DISASSEMBLE EASY ANALYSIS HARD
- 52. ANDROID NDK OpenSSL Inside
- 53. ANDROID NDK Customize ?
- 54. ANDROID NDK PolarSSL https://polarssl.org
- 55. PolarSSL Chang SBOX of AES, ...
- 56. SO, ALL KEY GENERATION AND ENCRYPTION MUST BE DONE IN ANDROID NDK
- 58. GENERATE KEY ?
- 59. RANDOM KEY HARDWARE ID USER KEY
- 60. RANDOM KEY One Key – One Encryption
- 61. HARDWARE ID IMEI / MEID WIFI MAC Address Bluetooth Address
- 62. IMEI / MEID ANDROID.PERMISSION.READ_PHONE_STATE WIFI MAC Address ANDROID.PERMISSION.ACCESS_WIFI_STATE Bluetooth Address ANDROID.PERMISSION.BLUETOOTH
- 63. USER KEY Input from user Only exist in memory Just clear when exit
- 66. SCRAMBLE ?
- 67. MORE COMPLEX THAN BASE64 WIKI: Common Scrambling Algorithm http://goo.gl/eP6lXj
- 68. THEN ?
- 71. GG
- 72. API MANAGEMENT
- 73. ACCESS TOKEN REFRESH PERIODICALLY RANDOM GENERATE
- 74. ACCESS TOKEN
- 75. ACCESS TOKEN ↓ USER ID
- 76. ACCESS TOKEN ↓ USER ID ↓ HARDWARE ID
- 77. ACCESS TOKEN ↓ USER ID ↓ HARDWARE ID ↓ ENCRYPT OR DECRYPT
- 78. ALL API ACCESS MUST WITH ACCESS TOKEN