
Why Android developers must care about security

Android applications store your sensitive information. Therefore, app developers must do the needful to secure customer loyalty.


Over the weekend at Nullcon 2016, I had the opportunity to attend a training on Android security to see how bugs in Android applications were exploited and how that information could be used by Android developers to better protect their apps. The training was conducted by Anant Shrivastava, who is the regional director APAC at NotSoSecure, and Anto Joseph, who is a security engineer at Citrix.

The training took a learn-by-doing approach: enough of an explanation was given for the basic concepts to be understood, after which all the participants got to try things for themselves. The hands-on format made the concepts easier to remember.

The training used a virtualization system known as Genymotion to emulate an Android device while using Anant's Android Tamer to carry out attacks. Android Tamer is a Linux-based operating system specifically designed for Android security professionals and is based on Ubuntu. The operating system contains a set of tools that allow for Android development, penetration testing, malware analysis and Android forensics, amongst other things. The operating system is free and can be downloaded from https://androidtamer.com/

The training began with simple things, such as the fact that hackers can use decompilers to decompile Android apps and look at the source code. If they manage to find a serious bug in that code, they could exploit it to gain access to a user's Android phone that has the application installed. The kind of access the attacker can get depends on the permissions the app has. Seeing how easy this was, developers attending the training learned the importance of code obfuscation, which plays a critical role in making it difficult for hackers to access and understand the source code of Android applications.

Another major way in which information leaks from an Android application is sniffing, a method by which a hacker monitors an application's internet communications. Encryption, and how that encryption is implemented, plays an important role here: with good encryption, even if somebody is monitoring the traffic, the data the attacker gets is meaningless.

Another important security aspect worth noting is one that deals with content and piracy. With the increasing popularity of app-based video content providers, it is imperative that developers perform root detection. Root detection is a process by which the application detects if the Android phone has been rooted. This is essential to content providers as rooted phones can save content in a manner that is accessible outside the application.

This content can then be distributed freely without the provider being able to control it. Without root detection, the end result is a lot of lost revenue.
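The root detection described above, as an added example that is not from the training or the original article: a Java helper that combines three commonly used heuristics. The class name `RootCheck` and the list of `su` paths are assumptions chosen for illustration.

```java
import android.os.Build;
import java.io.File;

/** Heuristic root detection (illustrative; names and paths are assumptions). */
public final class RootCheck {

    // Locations where a su binary is commonly installed (constructed, not exhaustive).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/bin/su", "/data/local/xbin/su"
    };

    private RootCheck() {}

    /** Builds signed with test keys are typical of custom or development firmware. */
    static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** True if a su binary exists at one of the well-known paths. */
    static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    /** True if any directory on PATH contains an entry named su. */
    static boolean suOnPath() {
        String pathEnv = System.getenv("PATH");
        if (pathEnv == null) {
            return false;
        }
        for (String dir : pathEnv.split(":")) {
            if (new File(dir, "su").exists()) {
                return true;
            }
        }
        return false;
    }

    /** Any single signal is enough to treat the device as probably rooted. */
    public static boolean isProbablyRooted() {
        return hasTestKeys() || hasSuBinary() || suOnPath();
    }
}
```

These checks run on the device they are trying to assess, so a rooted device can hide the signals; treat the result as one input to the content-protection decision rather than the only control.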

To conclude, Android developers need to learn how to build in security from the planning phase of development. This will ensure that their customers are safe and hence continue to be their customers. Common attacks like the ones I have mentioned above can be learned without much difficulty and it is essential that applications should not be vulnerable to them. It is imperative that developers attend training like the one I attended so that security goes from just being a theory to something that becomes real through experience.
 
