droidcon Berlin 2019
I have no idea what my app is doing ¯\_(ツ)_/¯ - Protecting your application from unintended side effects
By Nicola Corti, Yelp
droidcon Berlin 2019
Do you know exactly what your app is doing when you deliver it to your users? Are you 100% sure? Would you bet on it? You're probably confident in the code you wrote, and you know what it does. But what about the code that others wrote? We pull dependencies from online repositories every day. Our applications rely heavily on external libraries hosted on public Maven repositories. What if one of those libraries contains malicious code? Imagine a library that starts harvesting your users' data without you knowing it. In this talk we will see how to monitor and protect your application from malicious dependencies on the web that might end up in your final compiled app.
Transcript
English
00:06
Can I start? Okay. Hi everyone, thank you for coming to this session. My name is Nicola, and today we're going to talk about "I have no idea what my app is doing". So, first mandatory slide about me: I work as an Android engineer at Yelp. Yelp is an American company, we are based in San Francisco, although I work for the German office in Hamburg. I love to call myself a community lover: I run a couple of communities in Italy and in Germany, and those are my passions. But today this talk is not endorsed by my company; this is stuff that I love to talk about, so it's not Yelp related.

00:50
So, I have no idea what my app is doing. The title is catchy, and I would love to say that this is not a classical technical session; we can call it maybe 50 percent technical and 50 percent inspirational. I want to raise awareness, I want to tell a little bit about my experience onboarding big code bases and actually understanding what my Android application was doing. And given that I'm from Italy, I think we're gonna use some metaphors to make sure that the concepts are easy to understand, and now we're gonna talk about something that we as Italians really enjoy, that is food. So whenever I go around, especially in Germany, I really enjoy getting pizza and trying out what a cultural thing pizza actually is. But you know, I always want to know what's inside; I want to get to know my pizza. I don't like white bits or stuff like that. So I really want to get to know what I'm working on, I really want to get to know my code base.

01:58
So how do you actually start? How do you start eating a pizza, how do you start onboarding on code bases that you are not aware of? If you're lucky, you maybe start a project from scratch, so you set up the foundation, you create everything, but in the majority of the cases you just onboard on code bases where you're not the first author, so you need first to understand exactly what the app is doing. So start first one bite at a time: you can't expect to learn, like get, the entire code base immediately; it takes time, obviously. Try to start with small changes, especially if you're a junior; try to find sections of the code base that you can touch, try to change them and see how your changes impact that. And then another source that is really useful for onboarding is to get in touch with tests. Tests, if they're well written, tend to be a really informative part of the code base, and they can tell you a lot about what the app is supposed to do.

03:02
One thing I learned the hard way is you can't eat everything, also with pizzas, so don't expect to read the whole code base. That probably sounds obvious, maybe, but when I was a junior at my first job, the first thing that I did was, "I will spend some days reading everything", just because I wanted to know what's going on, and that took me a lot of time and was kind of useless. So I would say try to understand your module boundaries: you will end up working on some modules, try to understand what's the size of the module and how that module interacts with the core of the app. That should be enough to put you in a good position where you can actually start working.

03:45
Another suggestion for onboarding big code bases is pay attention to tech debt, specifically in the code base that you're onboarding, and here I want to mention that the app I'm working on is like two million lines of code. So when you start working with that, don't try to change the code style, like it can be really painful, especially if you have something like this: "hey look, this file is still using RxJava 1, I'm onboarding, why can't I just convert it to RxJava 2 in the meanwhile?" You might end up with something like this, like git reverting your last two hours of work, just because if that file is in RxJava 1, maybe someone else had that same idea in the past.

04:32
And another learning when I was onboarding big code bases is never trust appearances. So if you're from Germany you probably know this brand of frozen pizzas. This is a pizza for me, it looks pretty great on the picture over there; I don't know if you ever tried this one, I think there are not more than three mushrooms on top. So never trust what the outside of your code tells you. For example, if you end up having a function like this, isAvailable, that returns false, that's trivial; maybe there is a comment on top: "always returns false". And when I was onboarding my first project I said, oh you know what, I'm gonna read everything, I'm gonna add Javadoc comments on every function, so the documentation is also going to be cool. Then it happens that someone else decided that the module started to be available and they never updated the comment, and then you go there, you git blame, and you realize that you are the guy that wrote the comment. So never trust comments: they're a great source of documentation, but always stick to the code, because that's the real logic.

05:52
So I assume now you onboarded on your project, you have been working at a company for like one month, two months; now you want to make sure that the code that you work with, and the food that you eat, is sugar-free. You want to make sure there is no extra stuff added on top, you want to make sure that you're going bug free. So to detect unintended behavior of your application there are a lot of points where you can start investigating to see if the app is behaving in a way that you don't really expect. One of these is using a proxy. So if you're not familiar with proxies, proxies are tools that allow you to inspect the network and see what your application is actually doing under the hood. I generally love to use Charles; I know it's paid, but the subscription is not that crazy pricey, so that's probably worth the cost. I'm not working for Charles, anyway. You can see all the requests the application is firing. Unfortunately it's not really easy to configure, I mean it requires some configuration on the emulator and on your computer. It will look something like this: you will have all the requests the application fired, and you can inspect the body and see all the communication that is happening between your app and the back end.

07:12
If you don't want to pay for Charles, and especially if a backend engineer needs to use that and you don't want to set up Charles on their computer, you can use another tool. It's called Chucker, it's open source; it's sort of a proxy but works on another layer: it's basically an OkHttp interceptor, and it works on device without any sort of configuration, it's just a library that you plug in. And again it's useful to catch unintended behavior. So let's say for example you are implementing a list and you have paging, and you realize that your application is calling the endpoint twice for whatever reason, maybe you have a bug in your RxJava configuration; that's really useful. And it's also useful to build awareness. So the UI of the library is something like this, this is a test app, so let's simulate some HTTP activity and you will have this sort of notification you can click and see all the network requests. So this allows for example a product manager or a designer to get sort of an idea of what is going on, like when you click on the button the network is being invoked. I know it's still techy, but product managers and designers, if they have a little bit of tech background, they might understand that, and I find it useful. So this is a fork of another library, it's called Chuck, that unfortunately is not maintained anymore. So if you use OkHttp, especially if you use OkHttp 4, that's compatible, so think about that; it solved a lot of problems for us.

08:53
Another place where you can look to check exactly what is going on in your app, or in your final app, is the manifest. So not just the manifest you write, but the merged manifest, so the actual manifest that will end up in your APK. If you're not aware of this, the manifest on Android follows a two-step merge process: first all the manifests from all of your libraries and all of your modules are collected and merged, and then all the manifests from all of your source sets are collected as well and merged. Specifically, there is a tab on the bottom of the manifest that is called Merged Manifest that allows you to see what's the difference between the manifest you actually wrote and the manifest that will end up in your APK. A lot of times you have libraries that are pulling in permissions or whatsoever, and you have no idea why at the end of the story you have that extra permission. With the merged manifest you have colors, and for every color you see which library is pulling in that specific section of the manifest.

10:01
And then the last thing that I want to mention is enforce conventions. So make sure you spend some time setting up your static analysis on your CI system; we will talk about that, like, we could give a proper talk about this, I'm just mentioning it. My policy here is always break the build, don't trust warnings, like don't use warnings, just break and make sure that people are fixing whatever convention you want to enforce. Also think about sharing your pre-commit hooks; in the Android community there is not such a thing as sharing commit hooks across projects, I mean everyone has a different approach to do that. I would love to mention pre-commit.com, a tool that allows you to have a configuration file in your repo that explains which pre-commit hooks should be applied, and this is a nice way to share pre-commit hooks across people working on the same project.

11:01
So now you're onboarded on your project and you also know where to find problems in your code base that might have unintended behavior. But what happens when you're not preparing your own food? We are getting food from someone else, and you need to pay attention to the place where you get your order, or you need to pay attention to your dependencies, like other code that ends up in your application and that is out of your control. So if you are developing Android apps nowadays you probably know that you can't really do it without external dependencies. I don't know if you know this meme, but when I got out from university, I think I followed one course on Android development and they told me, yeah, you need to use a SQLiteOpenHelper and all that stuff; that's not the reality. The reality is that you use the stuff that is over here, external libraries you can't really live without. And just to give you an idea, you're not supposed to read it, but that's the amount of code you need to make a network call without using any external library, using only the code that the Android SDK is providing you. And if you start adding Kotlin and some proper parsing library and OkHttp on top, you would see that your code shrinks and shrinks, and it's just way more maintainable, and you will end up with like three lines to make the same network call. So you can't really live without external dependencies.

12:34
So given that you anyway need to get your food outside, I think it's really important where you get it from, like not all the restaurants are the same. Specifically the restaurants, in the context of Android development, are the Maven repositories, so the places where you get your dependencies from. There are several, I'm pretty sure you're familiar with them, let's refresh them: there is the Google Maven repo, JCenter, Maven Central; you can also specify other Maven repositories using the URL, like in this way. I want to mention JitPack, it's a really famous service that gets GitHub repositories, builds them and publishes them. And also you can have your own local repository called mavenLocal. So the order of these repositories is extremely important, and why, we will see later.

13:36
So when you go ordering food, like I don't know if you like sushi, but I love sushi, okay, I never go to the restaurant and say, "you know what, give me the best you have". I mean, maybe you do it, but in terms of dependencies that's not always great. In terms of dependencies that means avoid dynamic dependencies, as they will end up making your build less reproducible. Dynamic dependencies are stuff that looks like this: jp.sushi, the dependency is uramaki, plus; that means, give me the best uramaki out there. Also this is a dynamic dependency, this is 2.0.+, and I want to mention one thing about this, because there are developers that are using it. Here you would think, okay, yeah, I stick to 2.0, but that's like the patch version, I don't really care about that. Do you really believe that all the Android developers and all the Java developers out there really follow semantic versioning? There are a lot of libraries that in 2.0.1 introduced breaking changes, so pay attention to this. And also if you do stuff like this one, you can do that in Gradle, that's also a dynamic dependency. So think about when you do that, because you never know what you're gonna end up having.

15:00
So this is one thing in Gradle that you can use, and it's called version locking, and I know it's not that much used, but I find it really useful. So in your dependencies block you can still say, "hey, you know what, I always want the best uramaki". In the configurations block, inside the resolutionStrategy block, you can activate dependency locking. So if you do this and you call the dependencies task with --write-locks, this will happen: you will have a gradle folder with a dependency lock file inside, and this file will contain the resolved version of all of your dependencies, not only the ones you define but all the transitive dependencies your build is fetching. For example, here we can see that uramaki is at version 3.14, and subsequent builds of Gradle will keep on using those fixed, locked versions. You can always obviously update them, so if you run again with --update-locks and a pattern, those versions will be checked, and if there are new versions released they will be updated; you can also do asterisk asterisk and update everything. It's really useful, especially if you want to have a CI task that runs that every week; there is this file that you can commit and see actually what is going on, and before updating the locks you can actually run your tests and make sure that your build is still working fine.

16:39
So let's talk about favorite restaurants. I'm really picky and I know where the best sushi that I can get in Hamburg is. So you can actually restrict dependencies to a specific repository; you can say, for example, the uramaki you want it from that repository only. So here it comes, the thing that I mentioned before: the order of your repositories is important because they get queried top to bottom, and you can specify rules to prevent resolution of specific dependencies inside specific repositories. For example, inside your repositories block you can say that you have a repository that is your internal repo, like repo.sushi.jp maven, and this will include the group jp.sushi, so those dependencies will be fetched only there. And you can say that inside JCenter, for example, you want to excludeGroupByRegex, for example jp.sushi. So this allows you to make sure that your internal company dependencies are not fetched from external repositories. It's also really flexible, because there are a lot of functions that you can use with regex, and you can specify all of your configuration.

18:01
What about if you want to make sure that you eat gluten-free? So what I mention here is, maybe the sushi that you're eating is gluten-free, but there might be ingredients inside that are not, so pay attention to transitive dependencies, like the dependencies that are pulled in by others. So in Gradle you can define constraints for your dependencies, and what is also cool, or at least useful, is you can leave a "because" message, and we will see how. And the last thing that I want to mention is pay extreme attention to version resolution; there are some tricky scenarios that could happen.

18:48
So let's say that for your project you need kaiten sushi version 1.0.0. You can define constraints and you can say that if california will ever be needed you want version 3.0.1, and if sashimi will ever be needed you need version 4.2.0. So the fact that those two are inside the constraints block means that those are not necessarily dependencies, but if they will end up being inside your dependency tree, you specify which version you want. You can also leave a because message, for example "california 3.0.0 has gluten, I didn't want that" and "sashimi 4.2 is just the best ever". What happens if another dependency in your tree pulls in sashimi 4.3? The highest version will win. You can say force = true to force that specific version, because maybe you really want version 4.2. You can actually force the version also at the implementation level, like "I really need this dependency and I really want this version". And if you really need fine-grained control over all of your dependencies you can still specify transitive = false. I think you will probably never need this, but just to tell you what it does: this basically blocks transitive dependency resolution, so you will need to specify all the dependencies manually, otherwise your build will never succeed.

20:22
So a couple of words related to version resolution. If you have kaiten sushi 1.0.0 you can run the dependencies task to see the dependency tree, and kaiten sushi imports two dependencies, california and sashimi, and those are the versions. What happens if sashimi pulls in also california 3.0.2? You will see inside the graph that the highest version will win; in this case california 3.0.1 will not be used, 3.0.2 will be used. I'm telling you this because you might end up in a situation where those two libraries end up having Guava 27.1, and one needs the android one and the other needs the jre one. Do you guys know which version will win? Nope, the jre one, because Gradle uses the compare function from String: those are strings, and the lexicographically highest string will win. So what I wanted to say here is, I saw there are libraries that are using text inside the version; pay attention to that. Then I think from one of the upcoming versions of Gradle there will be support for variants that allows this notion of android and jre not inside the version but inside the artifact, and that will prevent scenarios like this. Just make sure that versions are resolved using String.compare.

22:05
What about the quality of the food that you get, what about health checks? You want to make sure that the quality of the fish is the best. So unfortunately the current status of the dependency environment on Java and Android is not the best; dependencies are really hard to verify. So when you publish artifacts on Maven Central or on JCenter, you publish also md5 or sha-1 artifacts, and those are checked if they are there, but the problem is that the GPG signatures are ignored. So I don't know if you have experience publishing libraries, but you know that you need to have a GPG key and sign your artifacts, otherwise you will not be able to publish. Those signatures are basically completely ignored; we will see how. So this is a library on Maven Central, and there are those .asc files that are actually the signatures of the artifacts. Basically, I don't know what's the percentage of people that are actually looking at that file, but your build system is ignoring them. There is actually a ticket on the Apache issue tracker, and the problem here is that there is no easy way to relate a developer to a GPG key. So I would need a way to say, "hey, I am Nicola, that's my library and that's my GPG public key, you can use it to verify my artifact, so you can be sure that I am the developer that actually uploaded that artifact". Ideally the file could be extended with that sort of information. Unfortunately Android developers are not, I mean, really interested in these kinds of things, but they can be risky. So this ticket has been open for a while and there is not much movement, so I don't expect major solutions coming out over here, but my purpose is to raise awareness and let you know that stuff can go really bad.

24:04
And it can go really bad, and it can lead to a scenario like this one. There was a blog post, I think one year ago, it was called "A confusing dependency"; here I call it "confusing order". And what's the problem here? The problem is that what you see on GitHub is not necessarily what's inside your build. So what you see on GitHub when you open the source code of a library is not necessarily what your app will actually use. That's really important to understand, because you might end up in a kind of attack that is called XBI, cross build injection, and you will have code in your build that you don't expect and that might have malicious side effects. So malicious packages got uploaded for Timber and android-audio-recorder on JCenter, and Android developers just started using them. The problem is that the real package, for example for Timber or android-audio-recorder, was not on JCenter, so JCenter had a free spot for that artifact, and stuff got uploaded on JCenter, and yeah, developers started to use it. That's the link to the original blog post; I really invite you to read it if you're interested in these kinds of things.

25:20
And the code looked something like this. That's the android-audio-recorder library, and in the constructor the library was just saving the activity, and that was trivial; this was the code that was available on GitHub. But if you get the dependency from JCenter and you open the jar, you will see that the code is doing that plus starting a thread, and the thread was doing stuff like making DNS resolution requests, and inside the DNS resolution they were adding the model and the device of the device inside the hostname, so that data was sent on the network somewhere. You might not even notice this stuff, it will just happen, and you are starting to distribute this to all of your users.

26:14
And what was the problem? The problem was that android-audio-recorder was on JitPack; it's a great tool, but it was at the bottom. So your Gradle build, whenever you request android-audio-recorder 0.3.0, will start to ask Google, "do you have it?"; they don't have it, so it will go to JCenter. JCenter used to not have this dependency, so ideally you would have asked JitPack to get it, but someone else uploaded stuff on JCenter with that same dependency. So if you comment out JitPack the build will succeed, and that's a big problem. There was a post-mortem from JFrog and JCenter; it's interesting, it's not super detailed, but I really invite you to take a look, there is an overview of what actually happened, of the course of events, and unfortunately yeah, the description is short, but what is long is the list of all the packages that got uploaded. And the reason how they managed to upload it is so stupid, like they just used "Jake Wharton", that was a free username.

27:37
So yeah, that's the scope of my talk, I wanted to raise awareness about this. This kind of attack actually is not new; they are famous also in other environments. Specifically there is this blog post, "I'm harvesting credit card numbers and passwords from your site", and this is related to Node, so it's extremely interesting, I invite you to read it. And I think one or two weeks ago there was a blog post, "Want to take over the Java ecosystem? All you need is a man-in-the-middle". So about this one, a couple of other words: this kind of attack happens if you fetch your dependencies using HTTP rather than HTTPS. This could happen based on how you set up your Gradle: if you have a maven repository and then you write an HTTP URL, you will just use plain HTTP to get dependencies, and if you happen to be in a man-in-the-middle attack, someone else might answer instead of the Maven repo and provide you dependencies. And now you will say, yeah okay, come on, how often will it happen that there will be a man-in-the-middle attack? But if you just have an access point and you create a network and you call it Starbucks and you go in the center, Alexanderplatz, and you sit down there, people will get connected, and especially if you start building Android stuff and you connect to that network without password and you fetch those dependencies, they get cached in your local cache, so you will reuse them also when you go back to your office. So pay attention to this.

29:21
And the last thing, the last tool that I want to mention, is dependency-check. So this tool doesn't really solve the problem that I mentioned, but it's useful to check if some of your dependencies contain security flaws or vulnerabilities. So it's from OWASP, and there is this list of all the known vulnerabilities, so this tool will check your Gradle build and will check if you're using one of these dependencies, and it will tell you, "hey, you are using this old version of this library that contains vulnerabilities, just update". But this will not prevent you from situations like, what you think you might be using, you're using OkHttp 4, but you're actually using a version that is OkHttp 4 with some sugar added on top. That's pretty easy, it's just a Gradle plugin, you enable it like that and you have an extra task that is dependencyCheckAnalyze. It will take some time, because it has to download the list of all the vulnerabilities and check your stuff; at least I think the first build is a bit longer, but it's kind of useful to anyway make sure that your app is secure and you have good quality code inside.

30:43
So to wrap up, I hope you got some insights and you learned something new, like how to onboard big projects, or like get to know your pizza, make sure you're able to find unintended behavior, and you go sugar-free, and most important, you watch out where you get your food from and where you get your dependencies from. And with this I'm done. Thanks.
[Applause]