Explore a novel approach to securing sensitive data in Android applications through this AppSecUSA 2017 conference talk. Learn about Androsia, a tool that uses static program analysis techniques to identify and clear security-critical objects from memory immediately after their last use. Discover how this method provides defense in depth, protecting sensitive information even after a potential app compromise. Delve into the intricacies of data flow analysis, bytecode transformation, and the implementation of flow functions to detect Last Usage Points (LUP) of objects. Gain insights into leveraging the Soot framework for Java bytecode analysis and understand the inter-procedural summary-based analysis approach. Follow along as the speaker demonstrates the practical application of Androsia on Android apps, showcasing its potential to enhance mobile application security.
Androsia - A Tool for Securing In Memory Sensitive Data
Overview
Syllabus
Intro
Agenda
Main Takeaway
Garbage Collector
destroy API
static secret
background
simple
dalvik to simple
flow droid
dummy main method
design overview
stringbuilder objects
instance fields
demo
static field
method bar
output format
power method
last users point
DEF set
Dataflow equations
Recap
Instance Field Approach
Reset Methods
Github repo
Taught by
OWASP Foundation
