Android security

Android Security Leong Hean Hong 2011-10-01 #geekcampsg

description

To raise awareness of mobile security and demonstrate how a PayPal application can be easily compromised (http://vimeo.com/28746669).

Transcript of Android security

Page 1: Android security

Android Security

Leong Hean Hong

2011-10-01

#geekcampsg

Page 2: Android security

Who Am I?

• Name: Leong Hean Hong
• Project manager at Stream Media Pte. Ltd.
• Working on MoVend, a mobile commerce platform for Android, WP7, BlackBerry
• Member of CodeAndroid Malaysia/Singapore
• Interested in software security, Android, web development

* Looking for passionate developers to work with

Page 3: Android security

Why Am I Here?

• Raise awareness of Android security issues
• Get developers to think about security before/during/after development

Page 4: Android security

Overview

• Why should I be concerned?
• Possible attacks
• Illustration: APK reverse engineering
• Demo

Page 5: Android security

How Are Apps Being Used?

• Mobile banking (transaction info, transfer $, pay bills)
• mCommerce (pay for services, purchase virtual/physical goods)
• Access company resources (email, docs)
• Access your data/services

Page 6: Android security

Possible Issues

• Steal personal information
• Steal money
• Abuse service/system
• Steal sensitive information

Page 7: Android security

Possible Attacks

• Code modification
• Social engineering
• Monitor/tamper network packets
• Monitor/tamper Android Intent
• and much, much more

Page 8: Android security

Illustration: Reverse Engineering

"process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation." - http://bit.ly/qdBNOp

Tool:
• android-apktool (http://bit.ly/r2AI5R)
  o analyse APK, decode resource files, output smali (http://bit.ly/pj7P47) code
  o generate APK from smali code + resource files

Demo Video:
• http://vimeo.com/28746669