Author: Jérémy Matos (@SecuringApps)
Language: French or English
Number of participants: 4 to 16
Price: 750.- CHF
Date and time: Nov. 1 - 8:00-17:30
Providing a native Android application, whether for usability, performance or connectivity reasons, has far more security implications than it may seem. Very often the mobile integration moves logic from the server to the client side, but that code can no longer be considered secret.
We will see, through the exploitation of a real-world Android application (app1), how it is possible to rather easily cause a loss of revenue. The techniques of static analysis (bytecode decompiling) and dynamic analysis (hooking) will be used in practice in a lab to get unlimited free coins in a game (app2). Bytecode patching will also be addressed to understand the threat of application repackaging.
The OWASP Mobile Top 10 2016 will be presented, with clear examples from app1 and app2 of what not to do. Practical recommendations will be provided to fix the security of app1 and app2, in addition to an inventory of useful protection features provided by Android (e.g. SafetyNet).
Finally, another lab will use the Native Development Kit (NDK) to handle a cryptography use case.
Table of contents:
- Introduction to terrible application security with a real-world Android case (app1)
  - Static analysis of source code by decompiling bytecode
  - Dynamic analysis via hooking
  - Loss of revenue is easier than expected
- OWASP Mobile Top 10 2016 vs app1
- Lab 1: Get unlimited free coins in a popular game (app2)
  - Static analysis in practice
  - Hooking in practice
  - Bytecode patching to be able to redistribute the game
- Practical recommendations to address the OWASP Mobile Top 10 2016
  - Fixing the security of app1 and app2
  - Inventory of useful protection features provided by Android (e.g. SafetyNet)
- Lab 2: Android Native Development Kit (NDK) in practice with an OpenSSL example
Target audience: developers with Android experience and the following technical skills:
- Java: Intermediate
- Android: Intermediate
- C: Basic
Each participant should bring a laptop with Android Studio installed, and if possible an Android device.
Jérémy Matos has been building secure software for the last 10 years. With an initial academic background as a developer, he has a clear insight into what a software development lifecycle is in practice. It also enables him to gain the trust of other programmers by speaking the same language and understanding their day-to-day activities, providing an efficient channel to increase their security awareness.
Designing and developing a two-factor authentication product for 6 years made him deal with challenging threat models, particularly when delivering a public mobile application. It also led him to practice secure coding guidelines extensively, as the solution was regularly reviewed and penetration tested by third parties. Being responsible for integration and deployment with customers was a great opportunity for him to work with diverse production infrastructures and security providers, in critical sectors such as banking, health and industry. Understanding the various stakeholders' constraints was key to reducing operational costs as much as possible.
He has applied this experience in both internal and external consulting roles. He helped define and implement security requirements, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputational damage. In addition, he participated in research projects to mitigate Man-in-the-Browser and Man-in-the-Mobile attacks.