All Questions
48 questions
1
vote
0
answers
239
views
Insufficient SSL certificate pinning in an native Android app
I have implemented Certificate Pinning in a prototype of an android app. Here are the steps I followed:
Converted .crt file to .bks file
Added the .bks file to the asset folder in project structure
...
- 11
1
vote
1
answer
230
views
Deobfucate java code by running it
Can I deobfuscate java code (apk, that contains obfuscated code, or java bytecode), when running it?
If android gets able to run code, so he must get those keys, and get access to code which to run.
...
- 11
1
vote
1
answer
551
views
Short digital signature
I want to digitally sign messages with strict size limitations. I am looking for digital signature algorithm providing very short signatures. (as short as possible)
Which secure algorithms can I ...
- 111
1
vote
0
answers
117
views
Android: what attack vectors are introduced by calling native code from the web (JS)?
I work on a large e-commerce project, the app in question is written in Kotlin (legacy code in Java). Recently we got the following question from the web team which instantly triggered my alarm bells: ...
- 111
2
votes
1
answer
380
views
How to protect certificates and keys in peer to peer application
I'm making a peer-to-peer cross-platform application (in Java & Kotlin), and I want to encrypt conversations between tens of users, concurrently.
However, due to lack of knowledge in security good ...
- 23
1
vote
1
answer
912
views
Is this url verification with startsWith secure?
I would like to know if this code is secure to validate that a url is from my domain before loading it a webview in android :
if (!url.startsWith("https://www.example.com/test/")){
// don't load ...
- 394
1
vote
2
answers
1k
views
How to store ECDSA public key securely in Android
I am writing an Android application that needs to verify that a request is sent from a trusted party (me).
This is my current solution:
Storing keys:
Generate ECDSA public key / private key from a ...
- 13
1
vote
1
answer
462
views
Bank client android app authentication security
I'm currently developing an android bank client app. Obviously security is key here. The app sends requests over HTTPS TLSv1.2 to my java server.
What I currently have in mind
Login
The app asks ...
- 113
0
votes
1
answer
1k
views
How to ensure same BCrypt hash on different platforms?
Do I get it right that BCrypt hash depends on implementation? I'm using jBCrypt on client side (android) and spring-security-core BCryptPasswordEncoder on server side (with the same strength=10) and ...
5
votes
1
answer
7k
views
What is the process of finding deep links from an Android application?
I'm very curious on how to go about this the only solution i can think of is to decompile, modify the code to print when a deep link is clicked, and recompile, if you have any other suggestions i ...
- 53
1
vote
1
answer
159
views
Does License check response needs further obfuscation to make it more secure?
I have created an android app which is a paid app.The app utilizes google's licensing verification library for the license checks and implementing ServerManagedPolicy in it. As the ...
Albert Ritchie
6
votes
2
answers
463
views
Is breaking out of a Java binary serialized string possible?
During an assessment of an android application I discovered a file which contained serialized data from a standard call to ObjectOutputStream.writeObject(). A string serialized in the data is ...
- 208
1
vote
1
answer
2k
views
Android anti-tampering and SSL pinning bypass solid implementation [duplicate]
Is there any advance solution for Android application anti-tampering and bulletproof obfuscation implementation?
I have been already using following protections in my application:
Obsufcation using ...
- 329
0
votes
0
answers
822
views
Android: Can you exploit a broadcast Receiver that receives a custom object from the intent?
The app I am trying to attack (under a legitimate bug bounty program of course) has the following code for its broadcast receiver:
//From vulnerable app
public void onReceive(Context paramContext, ...
- 439
0
votes
1
answer
260
views
Best way to reduce encryption of the big files
I want to share a big file(All existing formats) with others.
As I'm using Android phones as client/server I want to reduces the CPU overhead and Time it takes to encrypt/decrypt.
My idea is to use a ...
- 165
0
votes
1
answer
419
views
What kind of attack vectors are made possible as a result of Java being hopelessly intertwined with Android? [closed]
"All the security of Linux … plus Java! “Java: The malware compatibility layer of choice” Android can be engineered for security, but when you’re done you have a hermetically sealed self contained ...
- 3
1
vote
3
answers
1k
views
Logging in to a website, We can use RSA to send password from client to server but what about the reverse?
I'm building an android banking app:
Part I
So while the user is signing in he would need to provide his email and password in a form inside the app. Okay, so we can encrypt the password by using RSA ...
- 11
0
votes
1
answer
206
views
Which functions should I hook to check if the app contains malicious code or use deprecated methods?
I am working on an Android project whose goal is to identify which Java or native functions should be hooked and monitored at runtime to check if the application contains malicious behaviour or weak ...
- 101
2
votes
2
answers
8k
views
How to correctly handle passwords for an Android app
So, some background. I am currently working on a social media app for Android. We are programming it in Java, and are using OKHTTP3 for a connection to the PHP backend, which will handle updating ...
- 121
7
votes
1
answer
4k
views
Diffie Hellman Key Exchange in a messaging application
I'm currently a student that is trying to develop a messaging application on android using java that will implement diffie hellman key exchange in order to ensure that they both will be able to ...
- 71
1
vote
0
answers
138
views
How to "stealthily" call a Java function to avoid text search?
Assume I am an attacker, I want to call an API function from an Android app, say Build.getRadioVersion(). But I want to keep this call stealthy, i.e., it cannot be searched through, e.g., grep ...
- 330
2
votes
3
answers
941
views
SSL Certificate in my hosting makes me change my java code?
Sorry for my stupid question. But I really want to know what is gonna happen..
I have a webservice hosted over the http protocol.
I wanna buy an SSL certificate to have my webservice hosting with ...
0
votes
1
answer
533
views
Java / Android Client-Server application. Digital certificates and CAs
I'm currently developing an application for Android that will allow users to back up their data on a server, which I am also developing in Java. I've pretty much completed the development of the ...
1
vote
2
answers
2k
views
encrypting data while in memory
What is the best way to protect sensitive text input and store it in memory until form submission is complete and then clear it out shortly thereafter?
I'm looking to protect sensitive information ...
- 11
2
votes
1
answer
285
views
What was the first version of Android to use OpenSSL (and what version was it)? What was used prior?
Android 1.6 source is the earliest I can find that references openssl
(i.e., has OPENSSL_VERSION[_TEXT] defined
The script I ran to get these versions was:
$ git clone https://android.googlesource....
- 207
2
votes
0
answers
694
views
What is the point of signature file in signed JAR/ZIP files
The way JAR signatures (or ZIP for Android) are designed is that they have a manifest file, containing digest for each file in the archive. Then there is a "signature file" that contains digest of ...
- 561
3
votes
1
answer
2k
views
How CERT.rsa is interrelated with PackageInfo signatures
I am a newbie in security and cryptography, but I am developing Android applications and now wanna to dive deeper into the Android security mechanisms. I am trying to understand how CERT.rsa (as I ...
- 31
1
vote
1
answer
1k
views
How does Memory Corruption apply to Android?
I have researched several DoS attacks within Android e.g.:
CVE-2015-1474
CVE-2013-5933
CVE-2013-4710
CVE-2012-6301
etc.
And although I found DoS attacks within Android difficult to understand at ...
user73487
0
votes
1
answer
709
views
What factors make Android app code vulnerable to Cross-Site Request Forgery attacks?
According to techtarget.com Cross-Site Request Forgery is:
a method of attacking a
Web site in which an intruder masquerades as a legitimate and trusted
user. An XSRF attack can be used to ...
user77088
1
vote
1
answer
3k
views
What makes an Android application vulnerable to Directory Traversal?
Definition of Directory Traversal
Directory traversal is a form of HTTP exploit in which a hacker uses the software on a Web server to access data in a directory other than the server's root ...
user77088
7
votes
3
answers
13k
views
What makes an Android application vulnerable to Cross-site scripting (XSS)?
Definition of XSS
If you search the web, there are many different ways to define a cross site scripting attack. Simply put, XSS vulnerabilities occur when a malicious attacker is permitted to inject ...
user77088
2
votes
2
answers
12k
views
What makes an Android application vulnerable to SQL Injection?
Definition of SQL Injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g....
user77088
9
votes
2
answers
2k
views
How can the Android GraphicBuffer::unflatten() vulnerability (CVE-2015-1474) be exploited remotely?
I've been reading up-on DoS (denial-of-service) attacks within android and although I understand attacks like the below, which make use of regular programming functions etc.
(Android Web Browser) ...
user76779
3
votes
1
answer
970
views
Simple way to secure a webservice used by mobile clients
I am currently working on a RESTful webservice with Java that is used by mobile devices, namely Android and iOS, using a framework that allows me to abstract from both. I'm adding this information ...
- 133
-1
votes
1
answer
2k
views
Use openssl key to decrypt file in android/java [closed]
I want to decrypt file encrypted in openssl in java.
File is encrypted with private key using openssl and on java side i want to decrypt it using public key.
The code:
public void testRSA() throws ...
- 101
3
votes
1
answer
1k
views
Java org.xmlpull.v1.XmlPullParser and XML External Entity (XXE) Processing Attacks
I'm evaluating the security of an Android application and the application is using the XmlPullParser included with Android.
I'm having some difficulty getting any common attacks to work, but I want ...
- 505
2
votes
3
answers
6k
views
(Android) hacking server by a simple socket
I have written an Android game. Now, I want to connect the marks of the players.
The code below is the client side program, which send their names, countries and marks to the server. Basically, I use ...
- 21
1
vote
1
answer
340
views
Storing encryption passphrases in memory in Dalvik?
Given KeePassDroid, I'm considering some of the security implications of accessing KeePass databases on an Android device.
In the native applications for Windows, OSX, and Linux, whenever the ...
- 6,843
1
vote
2
answers
5k
views
Share and store RSA - public key in java server and vice versa
My requirements are:
Requirement 1: Share public key to java server.
Steps:
Generate public-private keys in iOS app.
Store the generated keys in keychain.
Send generated public key to java server.
...
- 161
7
votes
3
answers
3k
views
Android and FIPS
I've recently been tasked with a research project to write a "secure messaging application" using "government approved protocols" (the government being the USA). I'm taking this to mean asymmetric ...
- 191
4
votes
1
answer
954
views
What are the major vulns that affect the Dalvik VM of Android?
I frequently hear about the security risks of using Android. But few people who write articles on this subject ever identify what parts of Android are at fault, nor do they identify design flaws. Can ...
- 153
13
votes
1
answer
12k
views
Android Runtime Code Injection
I'm doing research for a static analysis tool to help detect malware in Android applications. I'm wondering if it is possible to perform code injection on Android without using a class loader. I ...
- 505
9
votes
1
answer
16k
views
Encrypting data for Android mobile app
I am creating a mobile app for Android. This is my first mobile app by the way.
I have decided to store data used in my app in a SQLite database in the target Android device.
The data I am storing ...
- 193
9
votes
1
answer
8k
views
How to select /dev/random or dev/urandom in the code in Android?
When generating randomness using SecureRandom in Android, I want to select /dev/random or /dev/urandom as the seed source. It can be done in java.security file on Linux and Windows systems but there's ...
- 93
3
votes
1
answer
1k
views
Sip call Developing in android with secure data transfer
I would like to make an application similar to RedPhone on android. I took a look at SipDemo from developer.android.com and at the android.net.sip package.
My question is, when you make/receive a ...
- 133
5
votes
1
answer
3k
views
How can I store downloaded video securely to device's sd card?
I want to save videos in my android mobile's SD card securely such no other application or user can use it, outside the application or on any other devices.
So for this what can I do? I think about ...
- 153
4
votes
1
answer
3k
views
how to secure Android Market public key
Android's security manual says that it is not safe to keep market public key just as a string and it should be hidden/encoded somehow. I am new to android Can somebody please provide me with example ...
- 143
9
votes
4
answers
9k
views
Any useful tools for Android source code review? [closed]
I'm wondering if anyone has some recommendations for Android source code review which is Java based. For example, reviewing an Android app for security issues. Bonus for being F/OSS.
Fortify seems ...
- 757