Presentation Materials: Android Summit 2020

If you are reading this page, you probabaly attended the Android Summit 2020 and Mark Murphy’s presentation from that event. Or, you got the URL to this page from someone who did. Or, perhaps you got the URL to this page from a kindly murder hornet, who brought it to you on a tiny slip of paper.

Regardless of how you got here, here’s what you are looking for!

Defending Your Users

Presentation Slides

Slides are in HTML format. Use the spacebar or arrow keys to advance and go back!

The slides are available under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license. For the purposes of these materials, “NonCommercial” means “you cannot charge for access to the materials”.

Related Resources

Here are some articles, videos, sample apps, and other materials related to the topic of app security.

Software Supply Chain and DevSecOps

• Secure at every step: What is software supply chain security and why does it matter?
• Achieving DevSecOps maturity with a developer-first, community-driven approach

Security Problems… In Your Own Code

• Firefox for Android LAN-Based Intent Triggering
  • covers the Firefox network Intent bug
• Best Practices for Mobile App Security Testing
  • covers the setInvalidatedByBiometricEnrollment() problem
• OWASP: Open Source Foundation for App Security

FLAG_SECURE

• PSA: FLAG_SECURE Window Leaks

• Compose UI and FLAG_SECURE bugs for Popup and Dialog

Autofill Security

• Autofill Services and Security: Update
• Securing Apps From Android 8.0 Autofill
• FLAG_SECURE and Android O Autofill

ExifInterface Security

• Dealing with the ExifInterface Security Flaw

Mitigation Resources

• android-security-awesome
  • “awesome”-style list of security tools

• OWASP Source Code Analysis Tools

• Android Security Reference

• IPC Signature Check Example
  • covered in The Busy Coder’s Guide to Android Development
• Safe unzip() Implementation
  • handles directory traversals and ZIP bombs, based on OWASP recommended algorithm

Free/Open Source Mitigation Tools

• Insider
  • open source static source analysis tool
• MobSF
  • Mobile Security Framework open source static source/APK analysis tool
• QARK
  • open source static source/APK analysis tool from LinkedIn, 2 years since last update
• SUPER
  • open source static APK analysis tool, 2 years since last update
• Oversecured
  • commercial hosted APK scanner, with free tier

Security Problems… from Dependencies

• Data Access Auditing Example

• Xavier: An Information-Stealing Ad Library on Android

• A Confusing Dependency
  • covers malware dependencies stemming from other repositories

• Supply-chain attack hits RubyGems repository with 725 malicious packages

• Gradle: Verifying dependencies
  • documentation on verifying dependency signatures and checksums
• OWASP dependency-check-gradle
  • checks dependencies against NIST CVE database
• Dependency verification: checksum vs PGP
  • covers checksum-dependency-plugin, a precursor to Gradle’s dependency verification logic
• Gradle Witness
  • early approach to automated dependency validation, from Signal
• Data Access Auditing Sample
  • covered in Elements of Android R

Security Problems… from the Development Process

• XCodeGhost

• Android Studio and distributionSha256Sum

• Crashes When Encountering Invalid Gradle Wrapper SHA256 Hash
  • ticket from 2016 for adding distributionSha256Sum support to Android Studio
• Invalid distributionSha256Sum Ignored
  • recent ticket about distributionSha256Sum being ignored in a canary build of Android Studio 4.2

Security Problems… from Google

• Uncomfortable Questions About App Signing

• diffoscope
  • tool for determining differences between binaries, including APKs
• Diffuse
  • tool for determining differences between APKs, AABs, AARs, and JARs

Nation-State App Attacks

• Protecting Civilians in Cyberspace: Ideas for the Road Ahead
• North Korea-tied hackers used Google Play and Facebook to infect defectors