Bullet points:
/**************************/
Defensive logic
/**************************/
- Always build as many security layers as possible (defence in depth)
- Remember the stack of papers with holes: every single layer has gaps, but stacked layers rarely let a hole line up all the way through
Example: SQL injection
- Prepared statements with bound parameters (the primary defence; data is never parsed as SQL)
- Stored procedures (only help if the procedure does not build dynamic SQL from its arguments itself)
- Input validation (allowlist what the field may legitimately contain; a secondary layer, not a replacement for binding)
- Least privilege policy (the application's DB account gets only the rights its queries need, so a successful injection cannot drop tables or read other schemas)
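Added worked example (not from the original notes): the same login check written the injectable way and the layered way, against a constructed in-memory SQLite table. The payload, table and column names are assumptions for the demo; the point is that the bound-parameter version treats the attacker's string as data, and the allowlist rejects it even earlier.

```python
import re
import sqlite3

# Constructed sample database for the demo (not real credentials)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn

# Classic payload: close the quote, make the WHERE always true, comment out the rest
PAYLOAD = "admin' OR 1=1 --"

def login_vulnerable(conn, username, password_hash):
    # String concatenation: the user-controlled text becomes part of the SQL grammar
    sql = ("SELECT count(*) FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_prepared(conn, username, password_hash):
    # Layer 1: bound parameters; the driver sends the values separately, they are never parsed as SQL
    sql = "SELECT count(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0

# Layer 2: allowlist validation of the username (assumed policy: lowercase alnum/underscore, 1-32 chars)
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def login_defended(conn, username, password_hash):
    # Both layers together: reject malformed input, then query with bound parameters.
    # Layer 3 (least privilege) lives outside the code: the DB account used here should be
    # read-only on the users table so even a future bug cannot be escalated into writes.
    if not validate_username(username):
        return False
    return login_prepared(conn, username, password_hash)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))   # True: bypassed
    print("prepared:  ", login_prepared(db, PAYLOAD, "wrong"))     # False
    print("defended:  ", login_defended(db, PAYLOAD, "wrong"))     # False
```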
/**************************/
Cryptography
/**************************/
- Encryption
- Made for confidentiality - to hide messages, data, information from anyone who does not hold the key; reversible by design
- Symmetric encryption
The same secret key is used to encrypt AND decrypt data, so both sides must share it in advance
Caesar cipher example with key (1)
"Hello world" -> "Ifmmp xpsme"
XORing "Hello " with the 2-byte key "ab" (01100001 01100010), the key repeated over the plaintext
plaintext:  [01001000, 01100101, 01101100, 01101100, 01101111, 00100000]
ciphertext: [00101001, 00000111, 00001101, 00001110, 00001110, 01000010]
XOR is its own inverse: XORing the ciphertext with the same key gives the plaintext back,
and a single known plaintext/ciphertext pair reveals the key (plaintext XOR ciphertext = key)
- Asymmetric encryption
Uses a mathematically related key pair: what is encrypted with one key can only be decrypted with the other
The encryption key is published (public key); the decryption key stays with its owner (private key) and is never transmitted at all, so no shared secret has to travel over the channel
RSA is the classic example
Downside - performance; in practice it is used to exchange or wrap a symmetric key and the bulk data is encrypted symmetrically (hybrid encryption)
- Hashing
- Made for integrity and authentication (file fingerprints, password storage, the input to digital signatures)
- A good HASH function takes input of any length and produces fixed-size output
(a digest, shown as a hex string or integer) such that:
the input MUST NOT be recoverable from the digest (preimage resistance)
two different inputs SHOULD NOT produce the same digest (collision resistance)
- MD5 -> MD5("Hello") -> "8b1a9953c4611296a827abf8c47804d7" (128-bit; collisions are practical, do not use where security matters)
- SHA1 -> SHA1("Hello") -> "f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0" (160-bit; collisions have been demonstrated, deprecated)
- SHA2 -> SHA256("Hello") -> "185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969" (256-bit; the current default choice)
- Encoding
- Made for data transportation and representation, NOT for security: there is no key, anyone can decode it
"a" ASCII dec -> 97
"a" ASCII hex -> 0x61
"a" ASCII binary -> 0b01100001
"a" base64 -> YQ==
"a" URL -> %61
- Salting
Combined with hashing: a random per-record value mixed into the input before hashing, so equal passwords give different digests and precomputed (rainbow) tables are useless
(the encryption-side analogue is an IV/nonce)
- Example SHA1(plaintext + salt); the salt is stored next to the digest, it is not a secret
A salted fast hash is still cheap to brute-force; for passwords use a slow, salted KDF (PBKDF2, bcrypt, scrypt, Argon2)
- Digital Signature
Hash the message, then sign the digest with the private key; anyone holding the public key can verify it
Gives authenticity, integrity and non-repudiation (only the private-key holder could have produced it)
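Added worked example covering the hashing, salting and digital-signature bullets above (not code from the original notes). It reproduces the three digests listed, shows the naive salted SHA1 from the example next to a slow salted KDF for passwords, and implements textbook RSA with a constructed toy key pair to show encrypt-with-public/decrypt-with-private and sign-with-private/verify-with-public in the same key pair. The primes, iteration count and messages are assumptions for the demo; real RSA uses 2048-bit-plus keys and a padding scheme (OAEP/PSS), which this textbook version deliberately leaves out.

```python
import hashlib
import hmac
import os

# --- Hashing -----------------------------------------------------------------
def digests(text: str) -> dict:
    data = text.encode()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

# --- Salting -------------------------------------------------------------------
def naive_salted_sha1(password: str, salt: bytes) -> str:
    # The SHA1(plaintext + salt) construction from the notes: salted, but still fast to brute-force
    return hashlib.sha1(password.encode() + salt).hexdigest()

def hash_password(password: str, salt: bytes = None, iterations: int = 600_000):
    """Slow salted KDF (PBKDF2-HMAC-SHA256). Returns (salt, derived_key); store both."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    _, candidate = hash_password(password, salt, iterations)
    # constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate, stored)

# --- Textbook RSA: encryption and signatures ----------------------------------
# Constructed toy primes (Mersenne primes 2^31-1 and 2^61-1): fine for the math, far too small for real use
P = 2**31 - 1
Q = 2**61 - 1
E = 65537

def keygen(p: int = P, q: int = Q, e: int = E):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)          # (public key, private key)

def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)            # anyone can do this with the public key

def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)            # only the private-key holder can undo it

def _digest_int(msg: bytes, n: int) -> int:
    # Sign the hash, not the message. Truncated to 64 bits so it fits below the toy modulus.
    return int.from_bytes(hashlib.sha256(msg).digest()[:8], "big") % n

def rsa_sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest_int(msg, n), d, n)

def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)

if __name__ == "__main__":
    print(digests("Hello"))
    salt, dk = hash_password("correct horse")
    print(verify_password("correct horse", salt, dk), verify_password("wrong", salt, dk))
    pub, priv = keygen()
    m = int.from_bytes(b"hi", "big")
    print(rsa_decrypt(priv, rsa_encrypt(pub, m)) == m)
    sig = rsa_sign(priv, b"pay alice 10")
    print(rsa_verify(pub, b"pay alice 10", sig), rsa_verify(pub, b"pay alice 99", sig))
```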
/**************************/
Reverse engineering
/**************************/
1) Decompile the APK using JADX (jadx-gui, or the jadx CLI for batch output)
2) Open AndroidManifest.xml to find:
- package name
- main activity (the activity whose intent-filter has action MAIN and category LAUNCHER)
- any other component (Activity, Service, BroadcastReceiver, ContentProvider), especially exported ones, which other apps on the device can reach
- permissions (uses-permission entries, and any custom permission that guards a component)
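Added example (not from the original notes) for step 2: once JADX has produced a readable AndroidManifest.xml, this script pulls out the items listed above and flags exported components. The manifest below is constructed for the demo; the package and component names are not a real app. The export rule applied is the classic one (a component with an intent-filter is exported unless android:exported says otherwise); apps targeting Android 12+ must declare the attribute explicitly, so read it as a triage heuristic and confirm in the decompiled code.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def a(attr: str) -> str:
    """Qualify an attribute name with the android: namespace the way ElementTree stores it."""
    return "{%s}%s" % (ANDROID_NS, attr)

# Constructed sample manifest (assumed content, not taken from any real APK)
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def parse_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    package = root.get("package")
    permissions = [p.get(a("name")) for p in root.findall("uses-permission")]
    main_activity = None
    exported = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(a("name"))
        if name.startswith("."):          # relative names resolve against the package
            name = package + name
        filters = comp.findall("intent-filter")
        for f in filters:
            actions = {x.get(a("name")) for x in f.findall("action")}
            cats = {x.get(a("name")) for x in f.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                main_activity = name
        flag = comp.get(a("exported"))
        # Explicit attribute wins; otherwise a component with an intent-filter is implicitly exported
        is_exported = (flag == "true") if flag is not None else bool(filters)
        if is_exported:
            exported.append((comp.tag, name))
    return {
        "package": package,
        "main_activity": main_activity,
        "permissions": permissions,
        "exported": exported,
    }

if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print("package:      ", info["package"])
    print("main activity:", info["main_activity"])
    print("permissions:  ", info["permissions"])
    for tag, name in info["exported"]:
        print("exported %-8s %s" % (tag, name))
```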