SafetyNet: Google's tamper detection for Android

This post is part of a series:

- Inside SafetyNet part 1 (Oct 2015)
- Inside SafetyNet part 2 (Feb 2016)
- Inside SafetyNet part 3 (Nov 2016)
- How to implement Attestation securely using server-side checks (my blog, Cigital blog)
- SafetyNet Playground (POC server-side implementation): Play Store - Android source - PHP source

What is SafetyNet

The Android Pay application got released a few days ago. Some people using rooted devices discovered that it refused to work.

Using ProGuard to remove logs

A couple of days ago the following two tweets appeared on my Twitter feed:

"I had no idea you could remove code using proguard. neat." — Joshua J. Drake (@jduck) June 29, 2015

"@jduck yep, I use this to remove debug code at run time" — Justin Case (@jcase) June 29, 2015

These tweets reminded me of something: if you’re an Android developer and you want to use ProGuard’s code removal feature to remove your logs and use method renaming at the same time, be careful.

Android M and the war on cleartext traffic

A week ago, during WWDC, Apple announced App Transport Security (ATS) for iOS 9. This feature will allow app developers to specify which domains their app needs to communicate with over HTTPS. In principle, for those domains, cleartext traffic will be automatically blocked by the system. What about Android? Google has not yet announced it officially, but the next Android version (codenamed Android M) has a “similar” feature. The code that includes this has actually been around for a while before Apple’s WWDC conference, but no-one seems to have picked it up.

Same Origin Policy and the Android WebView

First of all, let me say that all that follows is public knowledge and is somewhat described in the Android docs. However, I haven’t seen much discussion, so I thought it’s a good idea to write a blog post.

#### Same Origin Policy

When a page is loaded into a WebView to be displayed, all code in this page runs “in the context” of that page (its origin). The Same Origin Policy (SOP) is a mechanism that restricts JavaScript running in the context of one origin from accessing objects from another origin.