Defending your android app

RIIT 2015 - Proceedings of the 4th Annual ACM Conference on Research in Information Technology

Volumn , Issue , 2015, Pages 29-34

  Sierra, Felipe ^a   Ramirez, Anthony ^a  

^a ILLINOIS INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

Certificate Pinning; Debugging Attacks; Dynamic Library Manipulation; Reverse Engineering

Indexed keywords

PERSONAL COMPUTING; REVERSE ENGINEERING;

ANDROID APPS; CERTIFICATE PINNING; GOOGLE PLAYS; SECURITY MEASURE; SSL/TLS;

ANDROID (OPERATING SYSTEM);

EID: 85019817426     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2808062.2808067     Document Type: Conference Paper

References (26)

1. Alexander-Brown, Scott. Android Security: Adding Tampering Detection to Your App. 2015. https://www.airpair.com/android/posts/adding-tamperingdetection-to-your-Android-App.
2. Android cracking: protection by checking for debuggers: 2011. http://androidcracking.blogspot.com/2011/06/protection-bychecking-for-debuggers.html.
3. Andzakovic, D. Bypassing SSL Pinning on Android via Reverse Engineering. 2014. Security-Assessment.com
4. Bommisetty, S. et al. Practical mobile forensics. Packt Pub, 2014.
5. Boxall, A. Developers reveal high piracy statistics for popular Android apps. Appindex, 2015.
6. Brady, P. Anatomy and Physiology of an Android. Google I/O Session (2008). 2008.
7. Dierks, T. and Allen, C. RFC 2246-The TLS Protocol Version 1.0. The Internet Engineering Task Force., 1999.
8. Diquet, A. and Osborne, J. When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate Pinning. Las Vegas. Black Hat USA (2012).
9. Drake, J. et al. Android hacker's handbook. Wiley, 2014.
10. Eckersley, P. Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get? Electronic Frontier Foundation, 2011.
11. Fuzion24/JustTrustMe: 2014. https://github.com/Fuzion24/JustTrustMe.
12. Intrinsec/intrinsec-Android-ssl-patch-Utility used to patch Android applications to circumvent HTTPS connections-Google Project Hosting: 2015. https://code.google.com/p/intrinsec-Android-ssl-patch/.
13. iSEC Partners/android-ssl-bypass: 2013. https://github.com/iSECPartners/android-ssl-bypass.
14. iSEC Partners/Android-SSL-TrustKiller: 2014. https://github.com/iSECPartners/Android-SSL-TrustKiller.
15. Java Debug Interface: 2010. https://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdi/.
16. Makan, K. Android Security Cookbook. Packt Publishing, 2013.
17. Marlinspike, M. Your app shouldn't suffer SSL's problems. 2011. http://www.thoughtcrime.org.
18. Menn, J. Key Internet operator VeriSign hit by hackers. Reuters, 2011.
19. OWASP. Certificate and Public Key Pinning-OWASP. 2015. https://www.owasp.org/index.php/Certificate-And-Public-K ey-Pinning.
20. Package Index | Android Developers: 2014. http://developer.android.com/reference/packages.html.
21. Rudrappa, N. Defeat SSL Certificate Validation for Google Android Application. McAfee, 2013.
22. Say Goodbye to Custom "Stock" Roms and Hello to Xposed Framework-XDA Forums: 2013. http://www.xdadevelopers. com/say-goodbye-to-custom-stock-roms-Andhello-to-xposed-framework/.
23. Schulz, P. and Matenaar, F. Android Reverse Engineering & Defenses. Bluebox Labs, 2013.
24. SSL ATTACKS-InfoSec Institute: 2013. http://resources.infosecinstitute.com/ssl-Attacks/.
25. Via Forensics. 42+ BEST PRACTICES: Secure mobile development for iOS and Android. 2012. https://viaforensics.com/resources/reports/best-practices-iosandroid-secure-mobile-development/41-certificate-pinning/
26. Zhou, R. 2014. Leave The App Alone!-Attack and Defense of Android App Hijack. RSA Conference 2014 Asia Pacific & Japan (2014).