Hard coding Issues

Description:

This is an Android application security issue
in which the developer forgets sensitive information in the application's code
during the application development process.

How to fix:

Do not put sensitive information into the application's code,
or protect the code by using obfuscation.



Obfuscation is an encoding of class names or variable names.

Strengths
- When the application is decompiled, encoded text is shown instead of plain text
- The size of the APK file is smaller


Step 1 - Configure build.gradle: set "minifyEnabled" to true

android {
   buildTypes {
      release {
         // Enables code shrinking, obfuscation, and optimization for only
         // your project's release build type.
         minifyEnabled true

         // Enables resource shrinking, which is performed by the
         // Android Gradle plugin.
         shrinkResources true

         // Includes the default ProGuard rules files that are packaged with
         // the Android Gradle plugin. To learn more, go to the section about
         // R8 configuration files.
         proguardFiles getDefaultProguardFile(
            'proguard-android-optimize.txt'),
            'proguard-rules.pro'
      }
   }
}


Step 2 - Create Empty Activity

[ MainActivity.kt ]

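import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity

class MainActivity : AppCompatActivity() {

   override fun onCreate(savedInstanceState: Bundle?) {
      super.onCreate(savedInstanceState)
      setContentView(R.layout.activity_main)

      // Hard-coded values passed to the User model
      setName(User("antdroid", "1"))
   }

   // tvName is the TextView from the activity_main layout
   private fun setName(user: User) {
      tvName.text = user.name
   }
}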

[ User Model ]

data class User (
   val name : String,
   val age : String
)

Step 3 - Rebuild the project or build the APK file.
(If there is an error, click "Scan" in the Build tab below.)

Step 4 - Go to: app/build/outputs/apk/debug/app-debug.apk.
           - Double-click: classes.dex
           - Model User: see the age and name variables.
           - Right-click: the User file to generate a ProGuard keep rule.
             The result shows the rules available to use; you can select the one that applies to all members:

-keep class com.example.trymyobfuscationcode.model.User { *; }

Or a rule for a specific variable:

-keep class com.example.trymyobfuscationcode.model.User { java.lang.String name; }
-keep class com.example.trymyobfuscationcode.model.User { java.lang.String age; }


Step 5 - Copy the rule to: proguard-rules.pro.
           - Build the APK file.
           - New APK file path: app/build/outputs/apk/debug/app-release-unsigned.apk.
           - Double-click: classes.dex and see that the package name is obfuscated.

Tips: Libraries on GitHub come with ProGuard rules
that you can use in the same way.
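
Every -keep rule copied into proguard-rules.pro exempts the named class or members from renaming, so those names stay readable in classes.dex. The Python check below is an added example, not part of the original post; it labels rules like the ones from Step 4 as broad or narrow. The sample rules (including the Helper class and the ** package rule) and the function names parse_keep_rules and audit are assumptions made for illustration.

```python
import re

# Constructed sample in the style of this page's proguard-rules.pro.
# The Helper class and the ** package rule are made up for illustration.
SAMPLE_RULES = """
-keep class com.example.trymyobfuscationcode.model.User { *; }
# the same class, one field only, written across several lines
-keep class com.example.trymyobfuscationcode.model.User {
    java.lang.String name;
}
-keepclassmembers class com.example.trymyobfuscationcode.** { *; }
-keep,allowobfuscation class com.example.trymyobfuscationcode.Helper
-keepattributes Signature
"""

RULE_RE = re.compile(
    r"-(keep\w*)((?:,\w+)*)\s+.*?\b(?:class|interface|enum)\s+([^\s{]+)"
    r"[^{]*(?:\{(.*)\})?\s*$")

def parse_keep_rules(text):
    """Return (option, modifiers, class_name, members) for each -keep* rule."""
    text = " ".join(re.sub(r"#.*", "", text).split())  # drop comments, join lines
    rules = []
    for chunk in re.split(r"\s+(?=-[a-z])", text):     # one chunk per option
        m = RULE_RE.match(chunk)
        if m:
            mods = [x for x in m.group(2).split(",") if x]
            members = [s.strip() for s in (m.group(4) or "").split(";") if s.strip()]
            rules.append((m.group(1), mods, m.group(3), members))
    return rules

def audit(text):
    """Label each rule by how many names it leaves readable in classes.dex."""
    findings = []
    for option, mods, cls, members in parse_keep_rules(text):
        if "allowobfuscation" in mods:
            level = "renamed"   # kept from shrinking, but names are still obfuscated
        elif "*" in cls or any(m.split()[-1] == "*" for m in members):
            level = "broad"     # wildcard: all members and/or many classes stay readable
        else:
            level = "narrow"    # only the listed names stay readable
        findings.append((level, option, cls, members))
    return findings

if __name__ == "__main__":
    for level, option, cls, members in audit(SAMPLE_RULES):
        print(f"{level:8} -{option} {cls} {members}")
```

Rules reported as broad are the ones to narrow first, for example by replacing { *; } with the specific member form shown in Step 4.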



