I am developing a tool which scans android apps and shows the vulnerabilites found in it.I am stuck at one of OWASP vulnerability i.e Insufficient Transport layer protection. I am not able to find vulnerable code to create a pattern so that i can cross check it with any app. Please if you have any vulnerable code related to this vulnerability please tell me.
Thanks in advance
Basically what you have to check is, wether encryption is used for operations on the network.
For example: Is SSL/TLS enabled for Login-Requests? Is there any other sensitive information which is transferred in clear-text over the network? Is SSL configured in a secure way (e.g. no SSLv2)? and so on.
You can find a list on https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet what you have to consider while preventing this specific vulnerability.
However I think it's pretty hard to check if something isn't there...
I am not familiar with Android programming but I would look for any unencrypted socket creation or request, as this possibly is this kind of vulnerability.
Good luck ;-)
Related
before asking this question i searched hole internet about security of android and i know maybe proguard and obfuscation help me...
I have wrote a class that decrypt server response data and convert it to a map.
if anyone can decompile my java class or move my decryptor class to him app.he can cheat in my game and harmful financial damages.
if we cross "This is an stupid question!!!" then
is there any way to secure my code with 100% security?
what reference's you suggest me?
thanks alot
I think there are multiple facets to this issue. Security is not just about android or java abstraction, you want your entire system to be strong enough. For starters I will suggest you can develop an apiKey system that will add another layer of security, the apikey is linked to the email id of the downloading user, so even if someone were to decompile your app they would need an api key to access your services. But api keys are for basic authorisation purposes.You could also opt for OAuth2.0 tokens which are time based and are much more robust.
These links can help:
https://hueniverse.com/introducing-oauth-2-0-b5681da60ce2
https://www.scribd.com/document/33655/How-to-Design-a-Good-API-and-Why-it-Matters
I'm creating an Android App which connects to a server through an API. I'm worried about a security issue, as far as I'm concerned, anyone can decompile your .apk and take a look or modify your code.
Knowing that, where do I need to save the API Keys inside the app in order to avoid some bad guy stealing it and access the server, for example, to modify my database?
Thanks
Understand how an attacker will go after your application, 95% of the time in this order:
Inspect traffic between your application and the server by using an intercepting proxy like Burp -- very easy to do. See how I did it on Words With Friends here (this was for iOS device but same concept works with Android).
You can stop traffic inspection with certificate pinning, but they can break that by rooting the device and using some hacker tools on Android. So you need Android root detection.
The other attack is scanning your binary. You will need to obfuscate it with a tool like DexGuard.
None of these methods are bullet-proof: generally trying to hide secrets in client code is a losing game. Don't put more effort into it than it is worth.
I know CAPTCHA verification is required on web applications so that people don't write scripts to trigger form submissions over and over again.
But is there a need for this on native android apps? I mean I don't think someone will be able to write scripts to trigger android form submissions from a thrid party app, would they? If not, IS using CAPTCHA really recommended?
Note: I am not asking this randomly, I have been asked to build CAPTCHA verification on the client side on my current project. However, I do not see the point in this.
There is a point to it. The specific attack scenario that can I envision is someone reverse-engineering the application to find out what underlying protocol is used, and then use that protocol to automate the operation that is supposed to be done manually. If the message also contains an answer to a CAPTCHA, this will be harder.
The question is whether or not such a scenario is likely enough (and severe enough) to cause the extra burden on the user. Keep in mind that having a CAPTCHA is a very effective way to make your users dislike the application.
It's impossible to say whether the tradeoff is worth it. In most cases though, it's not. Especially given that that CAPTCHA's are not actually very effective.
I am using confidential data(like URL's, secret code etc) in my android application.
I want to protect my confidential data to access from the outside world (some thing like decompiling my class files etc.)
Please let me know what I need to do so that It can not be hacked by hackers.
Thanks.
By using encryption and decryption you can protect your data. This is - sample example
Content generated by an app that is deployed on a user's device cannot be 100% secure, but you can make attacker's life difficult. The idea is to make it difficult enough for cracking not to be worthwhile.
This article (and linked related articles) is about using cryptography. This is a good way to get started in securing generated or exchanged contents.
This article (and linked related articles, too) is about obfuscating your application code. The purpose of obfuscation is to make the reverse-engineering of your app more difficult once decompiled.
And this SO post can also be helpful to get started but the proposed implementation has an issue and needs revisiting (It works but has a hole. I've put an EDIT note in the post itself to explain that further).
That is not possible. If it is inside the app, it is vulnerable to attackers.
I am planing to create a android application for doing some banking operations like fund transfer and all, but I fear the security of the application. Doing some research I found that "128-bit SSL protection" is the best way to protect mobile application. But I dont know any thing about that 128-bit SSL protection. Can any one tell me how I can implement this? and what are the other perfect ways to ensure the security of the transactions. Please give your valuable suggestions.
You need to implement SSL(HTTPS) to your App.
You need to follow this doc : http://developer.android.com/training/articles/security-ssl.html
Also,i hope this may help :
Android application with SSL