Speaker

Andrea Cioccarelli

Android and Kotlin developer; Engineering student

Milan, Italy

23. android & kotlin developer, karate & krav trainee, traveler, engineering student (cybersecurity), avgeek. 🇮🇹

Area of Expertise

  • Information & Communications Technology
  • Transports & Logistics

Topics

  • Android
  • Kotlin
  • Engineering
  • Security

Android App Security Fundamentals

When building a commercial Android application, security is often treated as an afterthought rather than built into the application's architecture from the beginning.

While professional security is a complex and advanced topic, some techniques can sharply increase software protection against non-targeted attacks, and still be comparatively straightforward to implement.

In this talk, we'll examine the most common and well-known attack vectors that apps face out in the wild, and the available defensive techniques you can put in place, focusing on:

- Threat model identification
- Antipiracy countermeasures
- Compile time / Runtime tampering protection
- Application metadata analysis & self-checking
- Operating system status assessment
- Internal / In-transit data encryption
- Code obfuscation & reverse engineering protection
- Modern security best practices and guidelines

We will explore in-house solutions, available open source frameworks, as well as professional solutions (e.g. Play Integrity APIs): how they work, pros and cons, which one might be best for your app, and how to implement and scale them.

This talk is targeted at developers who aren't security experts and would like to explore the spectrum of available attacks and defenses.
After this talk, you will have learned the fundamental aspects of application security on Android, with a focus on threat model detection and defensive approaches.

droidcon Italy 2022 Sessionize Event

October 2022 Turin, Italy
