SlideShare a Scribd company logo

Android Hacking

A
antitree

The document discusses tools and techniques related to analyzing Android applications. It provides an overview of the Android operating system architecture and outlines various static and dynamic analysis methods. These include decompiling applications with Apktool and Dex2jar, reviewing manifest files, monitoring network traffic with Wireshark, and using tools like Burp Suite and Mallory. The document also highlights common mobile security issues discovered through analysis and provides recommendations for securing Android devices and applications.

Technology
1 of 40
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Most read
28
Most read
29
30
31
32
Most read
33
34
35
36
37
38
39
40
Tools and Techniques Related To 1
 RIT Alum  Intrepidus Group  Interlock Rochester  Rochester 2600  TOOOL  BSidesROC @antitree antitree.com 2
 Android Introduction  Tools For Hackers  Analysis Techniques  Examples  How to be “secure” 3
Other, Honeycomb Cupcake 1% Donut 6% 1% 2% Blackberry, 9% Eclair 15% Gingerbread 25% iOS, 28% Android, 56% Froyo 56% 4
Android Hacking
 Linux 2.6  Dalvik Virtual Machine – new instance for each app  DEX – Dalvik byte code  APK - zip  AndroidManifest.xml Dalvik Java APK Byte Code 6
Linux Angry Birds app_42 Dalvik VM Instances
 Intents – inter process communication  Activities - screen  Content Providers – sqlite3 database  Services – background processes  Broadcasts – send and receive info to other apps 8
• Dynamic Network Analysis • Static Code Review • File System Auditing 9
 Android SDK  ADB  DDMS  Emulator  Apktool  Smali/Baksmali  Dex2jar  Java Decompiler (e.g. JAD or JD-GUI)  Mallory  Burpsuite  Wireshark 10
 Java source code vs Smali files vs DEX vs jar vs pseudocode  Android development  Java  Linux 11
12
 Watch Traffic flow through a MITM  Things to look for:  Information being passed in the clear  SSL usage and whether it’s done correctly  Results of modifying requests and responses  Authentication process 13
Wireless Router Emulator PPTP server DDWRT/TOMATOE Android SDK PPTPD Usually need a clunky device Sometimes doesn’t act the Dedicated server way you want it 14
#!/bin/bash # firewall script to intercept all traffic from ppp0 and redirect to local port # all credit to the great algorythm echo 1 > /proc/sys/net/ipv4/ip_forward iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp --dport 80 -m tcp --to-ports 8080 iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp --dport 443 -m tcp --to- ports 8080 15
 Wireshark  Initial traffic fingerprinting  Burpsuite  Great for HTTP/S traffic  Mallory  Great for nonspecific protocols 16
17
 Audit how data is stored  Things to look for:  Incorrect permissions  Storage location (data, sdcard, asec)  Tools  Adb shell  Standard linux commands  [Root exploit and busybox] 18
19
20
 See how the app works through pseudocode  Things to look for:  Overall understanding of the app  Cryptographic functions  Debug/Testing functions  Client side authentication 21
 Tools:  Apktool d com.antitree.app  Smali path/to/smali/files/  Dex2jar out.dex  Jd-gui out_dex2jar.jar APK DEX Jar Pseudocode Smali 22
Reverse engineering is neat
24
25
But what does it mean? 26
 Skype: 4/11  Permissions error allowed a malicious app to access contacts and personal information  Google: 6/11  Session information passed in the clear made it susceptible to hijacking  Dropbox: 8/11  An attempt to share data granted any app to the ability to make file public 27
 HTC: 10/11  Spyware Logging app found to be accessible to any app with the network connection permission ▪ GPS coordinates ▪ MEID, MDN ▪ phone logs ▪ MUCH more  *#*#HTCLOG#*#* 28
100,000 installations 29
 File System Permissions Set to 777  Access saved sessions  Modify included binaries  Why: Lazy permissions  How discovered: file system permission review 30
SSHUNTUNNEL
 Shares information  Controls permissions  Tool: Android Manifest Auditor Code Name: The Jaku 32
33
1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 34
 Deploy mobile device management solution  Zenprise, MobileIron, (Google?)  Train your users – don’t give in  Audit your devices  Are users following best practices?  What apps are installed?  Require mobile security solution  Lookout, WaveSecure, NetQin 35
 Audit your apps!  Check permissions  Check source code  Analyze your traffic  Think before you Root  Security Software  Remote wipe  Malware detection 36
Coincidence? 37
Slides and app available at www.antitree.com 38
 http://www.intrepidusgroup.com/insight/  http://code.google.com/p/android-apktool/  http://code.google.com/p/smali/  http://code.google.com/p/dex2jar/  http://java.decompiler.free.fr/?q=jdgui  http://developer.android.com/sdk 39
40

More Related Content

PDF
Malware detection-using-machine-learning
Security Bootcamp
 
PPTX
Mobile security
priyanka pandey
 
PPT
Malware Detection using Machine Learning
Cysinfo Cyber Security Community
 
PPTX
Android security
Midhun P Gopi
 
PDF
Android Security & Penetration Testing
Subho Halder
 
PPTX
Malware Classification and Analysis
Prashant Chopra
 
PPTX
Android Security
Arqum Ahmad
 
PDF
Android Malware Detection Mechanisms
Talha Kabakus
 
Malware detection-using-machine-learning
Security Bootcamp
 
Mobile security
priyanka pandey
 
Malware Detection using Machine Learning
Cysinfo Cyber Security Community
 
Android security
Midhun P Gopi
 
Android Security & Penetration Testing
Subho Halder
 
Malware Classification and Analysis
Prashant Chopra
 
Android Security
Arqum Ahmad
 
Android Malware Detection Mechanisms
Talha Kabakus
 

What's hot (20)

PPTX
Malware- Types, Detection and Future
karanwayne
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
PPTX
OWASP Top 10 2021 What's New
Michael Furman
 
PPTX
Basics of Denial of Service Attacks
Hansa Nidushan
 
PPTX
Cyber Security Introduction.pptx
ANIKETKUMARSHARMA3
 
PPTX
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
PPTX
Network Forensics Intro
Jake K.
 
PPTX
Mobile Application Security
Ishan Girdhar
 
PDF
Android Security
Lars Jacobs
 
PPTX
Cybersecurity 2 cyber attacks
sommerville-videos
 
PDF
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
apidays
 
PPTX
Mobile Application Security Testing (Static Code Analysis) of Android App
Abhilash Venkata
 
PPTX
Ethical Hacking
BugRaptors
 
PPTX
Computer Security 101
Progressive Integrations
 
PDF
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
PPTX
Ransomware Attack.pptx
IkramSabir4
 
PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
PDF
Benefits of Web Application Firewall
davidjohnrace
 
PPTX
Computer Security
vishal purkuti
 
PPT
Application Threat Modeling
Marco Morana
 
Malware- Types, Detection and Future
karanwayne
 
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
OWASP Top 10 2021 What's New
Michael Furman
 
Basics of Denial of Service Attacks
Hansa Nidushan
 
Cyber Security Introduction.pptx
ANIKETKUMARSHARMA3
 
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Network Forensics Intro
Jake K.
 
Mobile Application Security
Ishan Girdhar
 
Android Security
Lars Jacobs
 
Cybersecurity 2 cyber attacks
sommerville-videos
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
apidays
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Abhilash Venkata
 
Ethical Hacking
BugRaptors
 
Computer Security 101
Progressive Integrations
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Ransomware Attack.pptx
IkramSabir4
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Benefits of Web Application Firewall
davidjohnrace
 
Computer Security
vishal purkuti
 
Application Threat Modeling
Marco Morana
 

Viewers also liked (20)

PDF
Mobile Hacking
Novizul Evendi
 
PPTX
Hacking ppt
giridhar_sadasivuni
 
PPT
Mobile phone Data Hacking
Md Abu Syeem Dipu
 
PDF
Hacking Android OS
Jimmy Software
 
PDF
Growth Hacking For Mobile - Hack 2 Validate & Hack 2 Grow
andreehuk
 
PPTX
Android Hacking + Pentesting
Sina Manavi
 
PPTX
Android– forensics and security testing
Santhosh Kumar
 
PDF
The art of android hacking
Abhinav Mishra
 
PDF
Android Forensics: Exploring Android Internals and Android Apps
Moe Tanabian
 
PDF
Stealing sensitive data from android phones the hacker way
n|u - The Open Security Community
 
PPT
WhatsApp Forensic
Animesh Shaw
 
PPTX
Hacking Mobile Apps
Sophos Benelux
 
PDF
Learning by hacking - android application hacking tutorial
Landice Fu
 
PPTX
ethical hacking in the modern times
jeshin jose
 
PPTX
Introduction To Ethical Hacking
Neel Kamal
 
PPTX
Ethical hacking presentation
Suryansh Srivastava
 
PDF
Booting Android: bootloaders, fastboot and boot images
Chris Simmonds
 
PPTX
Hacking & its types
Sai Sakoji
 
PDF
ZaCon 4 (2012) - Game Hacking
HypnZA
 
PPT
Viruses
/ /
 
Mobile Hacking
Novizul Evendi
 
Hacking ppt
giridhar_sadasivuni
 
Mobile phone Data Hacking
Md Abu Syeem Dipu
 
Hacking Android OS
Jimmy Software
 
Growth Hacking For Mobile - Hack 2 Validate & Hack 2 Grow
andreehuk
 
Android Hacking + Pentesting
Sina Manavi
 
Android– forensics and security testing
Santhosh Kumar
 
The art of android hacking
Abhinav Mishra
 
Android Forensics: Exploring Android Internals and Android Apps
Moe Tanabian
 
Stealing sensitive data from android phones the hacker way
n|u - The Open Security Community
 
WhatsApp Forensic
Animesh Shaw
 
Hacking Mobile Apps
Sophos Benelux
 
Learning by hacking - android application hacking tutorial
Landice Fu
 
ethical hacking in the modern times
jeshin jose
 
Introduction To Ethical Hacking
Neel Kamal
 
Ethical hacking presentation
Suryansh Srivastava
 
Booting Android: bootloaders, fastboot and boot images
Chris Simmonds
 
Hacking & its types
Sai Sakoji
 
ZaCon 4 (2012) - Game Hacking
HypnZA
 
Viruses
/ /
 

Similar to Android Hacking (20)

PDF
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
Felipe Prado
 
PDF
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
PPTX
SecTor '09 - When Web 2.0 Attacks!
Rafal Los
 
PDF
Luiz eduardo. introduction to mobile snitch
Yury Chemerkin
 
PPTX
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
EC-Council
 
PDF
Android malware presentation
Sandeep Joshi
 
PDF
Deep Dive Into Android Security
Marakana Inc.
 
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
PDF
Android : How Do I Code Thee?
Viswanath J
 
PDF
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
PDF
PRO TALK - Kubernetes Security Workshop.pdf
AvinashDesireddy
 
PDF
Kubernetes Security Workshop
Mirantis
 
PPTX
2022 APIsecure_Are your APIs Rugged Enough?
APIsecure_ Official
 
PPT
Toward a Mobile Data Commons
kingsBSD
 
PDF
Insider Threat Visualization - HITB 2007, Kuala Lumpur
Raffael Marty
 
PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
PDF
Insider Threat Visualization - HackInTheBox 2007
Raffael Marty
 
PPTX
Mobile security
Stefaan
 
PDF
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Adam Pennington
 
PPT
Securely Deploying Android Device - ISSA (Ireland)
Angelill0
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
Felipe Prado
 
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 
SecTor '09 - When Web 2.0 Attacks!
Rafal Los
 
Luiz eduardo. introduction to mobile snitch
Yury Chemerkin
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
EC-Council
 
Android malware presentation
Sandeep Joshi
 
Deep Dive Into Android Security
Marakana Inc.
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
Android : How Do I Code Thee?
Viswanath J
 
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
PRO TALK - Kubernetes Security Workshop.pdf
AvinashDesireddy
 
Kubernetes Security Workshop
Mirantis
 
2022 APIsecure_Are your APIs Rugged Enough?
APIsecure_ Official
 
Toward a Mobile Data Commons
kingsBSD
 
Insider Threat Visualization - HITB 2007, Kuala Lumpur
Raffael Marty
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Insider Threat Visualization - HackInTheBox 2007
Raffael Marty
 
Mobile security
Stefaan
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Adam Pennington
 
Securely Deploying Android Device - ISSA (Ireland)
Angelill0
 

More from antitree (20)

ODP
Hardening ssh configurations
antitree
 
ODP
State of wifi_2016
antitree
 
PDF
Just Mouse Jack Init
antitree
 
ODP
Introduction to ethereum_public
antitree
 
PPTX
Docker Security
antitree
 
PPTX
Reinventing anon email
antitree
 
PPTX
0x20 hack
antitree
 
PPTX
Laverna vs etherpad
antitree
 
PPTX
Meek and domain fronting public
antitree
 
PPTX
Nsa and vpn
antitree
 
PPTX
Salander v bond 2600
antitree
 
PPTX
Salander v bond b sides detroit final v3
antitree
 
PPTX
Pentesting embedded
antitree
 
PPTX
Tor
antitree
 
PPTX
Corporate Intelligence: Bridging the security and intelligence community
antitree
 
PPTX
28c3 in 15
antitree
 
PPTX
Lock picking barcamp
antitree
 
PPTX
Lock picking 2600
antitree
 
PPTX
Anti tree firesheep
antitree
 
PPTX
Image based automation
antitree
 
Hardening ssh configurations
antitree
 
State of wifi_2016
antitree
 
Just Mouse Jack Init
antitree
 
Introduction to ethereum_public
antitree
 
Docker Security
antitree
 
Reinventing anon email
antitree
 
0x20 hack
antitree
 
Laverna vs etherpad
antitree
 
Meek and domain fronting public
antitree
 
Nsa and vpn
antitree
 
Salander v bond 2600
antitree
 
Salander v bond b sides detroit final v3
antitree
 
Pentesting embedded
antitree
 
Tor
antitree
 
Corporate Intelligence: Bridging the security and intelligence community
antitree
 
28c3 in 15
antitree
 
Lock picking barcamp
antitree
 
Lock picking 2600
antitree
 
Anti tree firesheep
antitree
 
Image based automation
antitree
 

Recently uploaded (20)

PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Cloud computing and distributed systems.
kkkkkhan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Teaching material agriculture food technology
LiaRayya
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
A Presentation on Artificial Intelligence
memembruh336
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 

Android Hacking

  • 1. Tools and Techniques Related To 1
  • 2. RIT Alum  Intrepidus Group  Interlock Rochester  Rochester 2600  TOOOL  BSidesROC @antitree antitree.com 2
  • 3. Android Introduction  Tools For Hackers  Analysis Techniques  Examples  How to be “secure” 3
  • 4. Other, Honeycomb Cupcake 1% Donut 6% 1% 2% Blackberry, 9% Eclair 15% Gingerbread 25% iOS, 28% Android, 56% Froyo 56% 4
  • 6. Linux 2.6  Dalvik Virtual Machine – new instance for each app  DEX – Dalvik byte code  APK - zip  AndroidManifest.xml Dalvik Java APK Byte Code 6
  • 7. Linux Angry Birds app_42 Dalvik VM Instances
  • 8. Intents – inter process communication  Activities - screen  Content Providers – sqlite3 database  Services – background processes  Broadcasts – send and receive info to other apps 8
  • 9. Dynamic Network Analysis • Static Code Review • File System Auditing 9
  • 10. Android SDK  ADB  DDMS  Emulator  Apktool  Smali/Baksmali  Dex2jar  Java Decompiler (e.g. JAD or JD-GUI)  Mallory  Burpsuite  Wireshark 10
  • 11. Java source code vs Smali files vs DEX vs jar vs pseudocode  Android development  Java  Linux 11
  • 12. 12
  • 13. Watch Traffic flow through a MITM  Things to look for:  Information being passed in the clear  SSL usage and whether it’s done correctly  Results of modifying requests and responses  Authentication process 13
  • 14. Wireless Router Emulator PPTP server DDWRT/TOMATOE Android SDK PPTPD Usually need a clunky device Sometimes doesn’t act the Dedicated server way you want it 14
  • 15. #!/bin/bash # firewall script to intercept all traffic from ppp0 and redirect to local port # all credit to the great algorythm echo 1 > /proc/sys/net/ipv4/ip_forward iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp --dport 80 -m tcp --to-ports 8080 iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp --dport 443 -m tcp --to- ports 8080 15
  • 16. Wireshark  Initial traffic fingerprinting  Burpsuite  Great for HTTP/S traffic  Mallory  Great for nonspecific protocols 16
  • 17. 17
  • 18. Audit how data is stored  Things to look for:  Incorrect permissions  Storage location (data, sdcard, asec)  Tools  Adb shell  Standard linux commands  [Root exploit and busybox] 18
  • 19. 19
  • 20. 20
  • 21. See how the app works through pseudocode  Things to look for:  Overall understanding of the app  Cryptographic functions  Debug/Testing functions  Client side authentication 21
  • 22. Tools:  Apktool d com.antitree.app  Smali path/to/smali/files/  Dex2jar out.dex  Jd-gui out_dex2jar.jar APK DEX Jar Pseudocode Smali 22
  • 24. 24
  • 25. 25
  • 26. But what does it mean? 26
  • 27. Skype: 4/11  Permissions error allowed a malicious app to access contacts and personal information  Google: 6/11  Session information passed in the clear made it susceptible to hijacking  Dropbox: 8/11  An attempt to share data granted any app to the ability to make file public 27
  • 28. HTC: 10/11  Spyware Logging app found to be accessible to any app with the network connection permission ▪ GPS coordinates ▪ MEID, MDN ▪ phone logs ▪ MUCH more  *#*#HTCLOG#*#* 28
  • 30. File System Permissions Set to 777  Access saved sessions  Modify included binaries  Why: Lazy permissions  How discovered: file system permission review 30
  • 32. Shares information  Controls permissions  Tool: Android Manifest Auditor Code Name: The Jaku 32
  • 33. 33
  • 34. 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure 34
  • 35. Deploy mobile device management solution  Zenprise, MobileIron, (Google?)  Train your users – don’t give in  Audit your devices  Are users following best practices?  What apps are installed?  Require mobile security solution  Lookout, WaveSecure, NetQin 35
  • 36. Audit your apps!  Check permissions  Check source code  Analyze your traffic  Think before you Root  Security Software  Remote wipe  Malware detection 36
  • 38. Slides and app available at www.antitree.com 38
  • 39. http://www.intrepidusgroup.com/insight/  http://code.google.com/p/android-apktool/  http://code.google.com/p/smali/  http://code.google.com/p/dex2jar/  http://java.decompiler.free.fr/?q=jdgui  http://developer.android.com/sdk 39
  • 40. 40