battle programming: a forum for elite programmers with extreme will power to sharpen their skills
 
 

mobile app security

Author: Moti Barski
Post subject: mobile app security, Tue Mar 05, 2019 8:46 am

Bullet points:

/**************************/
Defensive logic
/**************************/
- Always build as many security layers as possible
- Remember the papers with holes


Example: SQL injection
- Prepared statement with bound parameters
- Stored procedures
- Input validation
- Least privilege policy

/**************************/
Cryptography
/**************************/
- Encryption
- Made for security - to hide messages, data, information
- Symmetric encryption
The same private key is used to encrypt AND decrypt data
Caesar cipher example with key (1)
"Hello world" -> "Ifmmp xpsme"

XORing with a 2-byte key
(01100001  01100010)

[01001000, 01100101,
01101100, 01101100,
01101111, 00100000]

[00101001, 00000111,
00001101, 00001110,
00001110, 01000010]


- Asymmetric encryption
Use two different keys: one is for encryption ONLY,
the second is for decryption
Best practice is to use the encryption key as the public one
and the second as private (never passed in the same communication channel)
RSA

Downside - performance

- Hashing
- Made for Authentication
- A good HASH function is one that takes plaintext and creates
fixed-size, single representable data (integer, string)
that MUST NOT be reversible and
SHOULD avoid collisions

- MD5 -> MD5("Hello") -> "8b1a9953c4611296a827abf8c47804d7"
- SHA1 -> SHA1("Hello") -> "f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0"
- SHA2 -> SHA256("Hello") -> "185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969"

- Encoding
- Made for data transportation
"a" ASCII dec -> 97
"a" ASCII hex -> 0x61
"a" ASCII binary -> 0b01100001
"a" base64 -> YQ==
"a" URL -> %61


- Salting
Combined with hashing and encryption  
- Example SHA1("plaintext"+salt)

- Digital Signature


/**************************/
Reverse engineering
/**************************/
1) Decompile using JADX
2) Open Manifest to find:
- package name
- main activity
- any other context (Activity or Service)
- permissions

_________________
MB over and out emp it up
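The "Defensive logic" bullets above list prepared statements, input validation and least privilege as layers against SQL injection. The following is an added example (not code from the post or the forum) that shows three of those layers side by side on a constructed SQLite table: a concatenated query that leaks every row when fed a test string, the same lookup with a bound parameter, an alphabet check in front of it, and a connection authorizer that refuses writes. Table, rows and the `USERNAME_RE` alphabet are assumptions made for the demo; stored procedures are left out because SQLite has none.

```python
import re
import sqlite3

# Expected alphabet for a username (assumption for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def _reads_only(action, arg1, arg2, db_name, trigger):
    # SQLite authorizer: the app's connection may SELECT/READ but never
    # insert, update, delete or alter the schema (least privilege layer).
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def make_db():
    # Constructed in-memory table standing in for the app's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    # From here on every statement is compiled under the read-only authorizer.
    conn.set_authorizer(_reads_only)
    return conn


def lookup_unsafe(conn, name):
    # The input is spliced into the SQL text, so it can change the query's meaning.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    # Bound parameter: the value travels separately from the statement and is
    # always treated as data, never as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def lookup_validated(conn, name):
    # Input validation as an extra layer in front of the prepared statement.
    if not is_valid_username(name):
        raise ValueError("username outside the expected alphabet")
    return lookup_prepared(conn, name)


def write_is_denied(conn):
    # Demonstrates the least-privilege layer: a write attempt is refused
    # by the authorizer before it runs.
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # classic test string, constructed for the demo
    print("unsafe   :", lookup_unsafe(db, probe))     # returns every row
    print("prepared :", lookup_prepared(db, probe))   # matches nothing
    print("write denied:", write_is_denied(db))
```

The point of stacking the layers is that each one fails independently: the bound parameter alone already stops the probe, the validator rejects it before any query runs, and the authorizer limits what a query could do even if both of the others were bypassed.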
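The "Cryptography" bullets (Caesar and XOR as symmetric examples, the MD5/SHA-1/SHA-256 digests of "Hello", the encodings of "a", and SHA1(plaintext + salt)) are worked through in the following added example; it is not code from the post. It reproduces each value the post lists and, as a caveat the post's salting bullet does not spell out, adds a slow PBKDF2 variant for stored passwords next to the single-pass construction. The function names, the 16-byte random salt and the iteration count are choices made for this example.

```python
import base64
import hashlib
import hmac
import os


def caesar(text, key):
    # Shift every ASCII letter by `key` places; key 1 maps "Hello world" to
    # "Ifmmp xpsme", and a negative key decrypts. Non-letters pass through.
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def xor_bytes(data, key):
    # Repeating-key XOR: applying it twice with the same key restores the input,
    # which is what makes it symmetric.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def digests(text):
    # One-way, fixed-size representations of the same input.
    data = text.encode()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def encodings(ch):
    # Encoding is reversible and hides nothing; it only makes bytes transportable.
    code = ord(ch)
    return {
        "dec": code,
        "hex": hex(code),
        "bin": format(code, "#010b"),
        "base64": base64.b64encode(ch.encode()).decode(),
        # Percent-encode every byte, matching the post's "a" -> %61
        # (urllib.parse.quote would leave an unreserved letter untouched).
        "url": "".join("%%%02X" % b for b in ch.encode()),
    }


def salted_sha1(plaintext, salt):
    # The post's construction, SHA1(plaintext + salt): the salt defeats
    # precomputed tables, but a single SHA-1 pass is still fast to brute-force.
    return hashlib.sha1(plaintext.encode() + salt).hexdigest()


def password_record(password, salt=None, iterations=200_000):
    # Hardened variant for stored passwords: random per-user salt plus a slow KDF.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def password_matches(password, record):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    # Constant-time comparison so the check does not leak where digests differ.
    return hmac.compare_digest(candidate, record["digest"])
```

Running `xor_bytes(b"Hello ", b"ab")` yields exactly the six bytes in the post's second bracketed block, and `digests("Hello")` yields the three hex strings listed under Hashing.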
Author: Moti Barski
Post subject: decompiler, Tue Mar 05, 2019 9:27 am
putting the APK file of the app into a decompiler
makes all the code and files inside visible, even the comments

http://www.javadecompilers.com/


_________________
MB over and out emp it up
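The first post's reverse-engineering steps (decompile with JADX, then open the manifest for package name, main activity, other activities or services, and permissions) and this post's note that a decompiler exposes everything in the APK both come down to reading the decoded AndroidManifest.xml. The following added example (not code from either post, and not part of JADX) parses such a manifest and pulls out exactly those items, then lists the points a reviewer would flag. The manifest text, the package `com.example.notes` and every component name in it are constructed for this example; the rule that a component with an intent-filter but no explicit `android:exported` counts as exported is an assumption matching the pre-Android 12 default.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest in the decoded form a decompiler writes out;
# package and component names are invented for this example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".ShareActivity" android:exported="true"/>
        <service android:name=".SyncService" android:exported="true"
            android:permission="com.example.notes.SYNC"/>
        <receiver android:name=".BootReceiver"/>
    </application>
</manifest>
"""


def _qualify(package, name):
    # ".MainActivity" is shorthand for "<package>.MainActivity".
    return package + name if name.startswith(".") else name


def _is_launcher(component):
    # The main activity is the one whose intent-filter carries MAIN + LAUNCHER.
    for f in component.findall("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in f.findall("action")}
        cats = {c.get(ANDROID_NS + "name") for c in f.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False


def parse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    info = {
        "package": package,
        "permissions": [p.get(ANDROID_NS + "name")
                        for p in root.findall("uses-permission")],
        "debuggable": app.get(ANDROID_NS + "debuggable") == "true",
        "allow_backup": app.get(ANDROID_NS + "allowBackup") == "true",
        "main_activity": None,
        "components": [],
    }
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = _qualify(package, comp.get(ANDROID_NS + "name"))
        exported_attr = comp.get(ANDROID_NS + "exported")
        has_filter = comp.find("intent-filter") is not None
        # Assumption: an explicit exported attribute wins; otherwise a component
        # with an intent-filter is treated as exported (pre-Android 12 default).
        exported = exported_attr == "true" if exported_attr is not None else has_filter
        info["components"].append({
            "kind": comp.tag,
            "name": name,
            "exported": exported,
            "permission": comp.get(ANDROID_NS + "permission"),
        })
        if comp.tag == "activity" and _is_launcher(comp):
            info["main_activity"] = name
    return info


def review_findings(info):
    # Review checklist drawn from the manifest: settings worth a second look.
    findings = []
    if info["debuggable"]:
        findings.append("application is debuggable")
    if info["allow_backup"]:
        findings.append("allowBackup is enabled")
    for c in info["components"]:
        if (c["exported"] and c["permission"] is None
                and c["name"] != info["main_activity"]):
            findings.append(f"{c['kind']} {c['name']} is exported without a permission")
    return findings


if __name__ == "__main__":
    details = parse_manifest(SAMPLE_MANIFEST)
    print("package      :", details["package"])
    print("main activity:", details["main_activity"])
    print("permissions  :", details["permissions"])
    for line in review_findings(details):
        print("finding      :", line)
```

Because the decompiler shows everything, the same pass can be run over a build before release to catch a debuggable flag or an unprotected exported component before anyone else reads the manifest.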