We spent last Saturday sponsoring and attending the 2017 edition of DevFest Florida, an annual conference for web and mobile developers and designers organized by the Google Developer Groups of Tampa Bay, Melbourne, and Orlando. The event was held at Disney’s Contemporary Resort, located a monorail ride away from the Magic Kingdom.
This year’s conference featured four tracks, with presentations given by 31 speakers, covering a wide array of topics. The speakers came from a mix of companies, ranging from one-person operations to the likes of Google. Talks from Microsoft, Mozilla, Capital One, Viacom, and Comcast ran the gamut from design to development for web, mobile, and IoT (internet of things). We’ve seen conferences that charged five to ten times as much that didn’t have as good a lineup of presentations.
In addition to sponsoring the event and sending a good number of Sourcetoaders to attend, we also sent two speakers and a lot of our legendary “Code Naked” t-shirts.
In his talk, Attacking Android One Application at a Time, Sourcetoad senior software engineer, Connor Tumbleson, gave the audience a grand tour of the techniques that people use to reverse-engineer Android apps to find out how they work, and more importantly, how weaknesses in their implementation can be exploited.
Android is the world’s most popular mobile ecosystem. With over 2 billion monthly active Android devices in use, the most popular Android apps have large user bases, which makes them tempting targets for third parties seeking unauthorized access to their functionality and data.
Connor conducted a review of some of the most popular free Android apps and ran a number of reverse engineering tools on them. He found that security was often given little or no consideration. He gave the following examples:
- A popular game, whose ads you’ve probably seen on TV, doesn’t encrypt its communications with its servers, making its messages ripe for interception, and opening the app to man-in-the-middle attacks.
- Another app used files that appeared to be unreadable to unauthorized parties, until Connor did a little investigative work and found that adding 4 missing bytes to them revealed they were relatively ordinary compressed data.
- Even when app developers made use of real encryption, they made critical mistakes, like embedding the encryption keys — the information required to unscramble encrypted data — within the app. This is the software equivalent of hiding the key to your house under the front doormat.
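As an added illustration (not code from the talk or from Apktool), here is a small Python checker a development team could run over a decompiled copy of its own app to catch two of the weaknesses above before release: endpoints that use cleartext HTTP, and hex constants sized and random-looking like hardcoded AES keys. The file tree, paths and values below are constructed samples, not output from any real application.

```python
import math
import re

# Constructed stand-in for a few files as `apktool d` might lay them out.
# Paths and contents are invented for this example, not from any real app.
SAMPLE_TREE: dict[str, str] = {
    "res/values/strings.xml": (
        '<string name="api_base">http://api.example.test/v1</string>\n'
        '<string name="aes_key">3f8a1c9d7e2b4f60a5d1c3e7b9f24a6c</string>\n'
        '<string name="padding">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</string>\n'
    ),
    "res/xml/network_security_config.xml": (
        '<base-config cleartextTrafficPermitted="true" />\n'
    ),
    "smali/com/example/Crypto.smali": (
        'const-string v0, "https://cdn.example.test/assets"\n'
    ),
}

KEY_SIZES = {16, 24, 32}  # AES-128/192/256 key lengths in bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 16 distinct bytes score exactly 4.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def looks_like_key(token: str) -> bool:
    """Hex token that decodes to an AES key length with near-maximal entropy.

    The 'padding' string above has a key-sized length but zero entropy, so it
    is not reported; a random-looking 32-hex-char constant is."""
    if len(token) % 2 or len(token) // 2 not in KEY_SIZES:
        return False
    raw = bytes.fromhex(token)
    return shannon_entropy(raw) >= math.log2(len(raw)) - 0.5


def scan_tree(tree: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (path, finding, evidence) triples for the weaknesses checked."""
    findings = []
    for path, text in tree.items():
        for url in re.findall(r'http://[^\s"<]+', text):  # cleartext endpoint
            findings.append((path, "cleartext-endpoint", url))
        if 'cleartextTrafficPermitted="true"' in text:  # config allows it too
            findings.append((path, "cleartext-allowed", "network_security_config"))
        for token in re.findall(r"\b[0-9a-fA-F]{32,64}\b", text):
            if looks_like_key(token):
                findings.append((path, "hardcoded-key", token))
    return findings
```

Real key material is usually better kept out of the package entirely (for example in the Android Keystore or fetched per user after authentication), so any `hardcoded-key` hit is worth a design review rather than a quick rename.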
Connor isn’t just someone with an interest in reverse engineering. He’s also the maintainer of Apktool, an application that can take finished Android applications (the “apk” in “Apktool” refers to the standard abbreviation for “Android application package”) and convert them into the source code from which they came. It’s like a tool that can generate the blueprints for any house it’s presented with. He knows his way around the structure of Android applications and how unauthorized parties can take advantage of them. We feel that Apktool is a useful contribution to the Android developer ecosystem, and it’s why we sponsor its development.
The presentation was a fascinating, eye-opening look into how software on the computers that we always keep within reach is made, and how easily it can be compromised. It was also a reminder to application designers and developers that security can’t simply be treated as an afterthought or taken lightly.
Our lead product manager Joey deVilla opened with a couple of quick accordion numbers, and then started into his presentation, Native Android development for people who’ve been avoiding it.
Aimed at web developers who’ve been thinking about writing native Android applications but have been avoiding it because they’ve heard it’s difficult and time-consuming, Joey’s presentation was a live-coding exercise where he showed how Android application development has evolved since “the bad old days” of only a couple of years ago:
- The development environment is better. Instead of using a development environment like Eclipse (which was literally designed by committee, and it shows), Android developers now use the much better-designed, easier-to-use Android Studio. It was created by JetBrains, who specialize in building tools that developers love.
- The programming language is better. Instead of Java, which was seen as revolutionary in 1995, but clunky in 2017, we now have Kotlin, a language that borrows from languages like Scala and Groovy, looks a lot like Apple’s popular Swift programming language, lets you write more functionality in fewer lines of code, and is making a splash in the programming world. Like Android Studio, Kotlin was also created by JetBrains.
- And finally, native mobile development isn’t harder than web development; it’s just a little different. Besides, web development is just as complex these days.
Finally, if you looked at DevFest Florida’s speaker lineup, you may have noticed something. 13 out of its 31 speakers are women, and of those 13, 8 are women of color. That’s unusual for most conventions, and for a tech conference, that’s downright unheard of. We believe that representation matters, especially in our line of work. A healthy technology ecosystem that produces things all people can use requires this kind of openness, and we’re happy to see DevFest Florida provided a forum and the opportunity for such a diverse group to stand up and be heard. That’s why we were proud to be sponsors.