I attended Google I/O for the first time in May 2017 and had an absolute blast! It is by far the best conference I’ve attended. Google listened to the gripes of last year’s I/O at Shoreline and fixed all the niggles.  But what does it costs to attend? I’d estimated a total cost of around £2K after totalling up receipts, I’m reasonably happy to see that I was near in the estimate.

Of course this is highly individual based on my experiences this year and current USD to GBP ratio but I hope it serves as indicator for others. Here’s the rough and rounded the numbers.

  • Flights LHR to SFO:  ~£450  
  • Airport transfers UK: £50
  • Airport transfers US: £60
  • AirBnb (split between 4):  £350
  • Taxi/Uber to/from Shoreline: £55
  • Other food/beer (not at I/O): £150
  • I/O Ticket price £950*  

Total: ~£2065

*Disclaimer: As an GDE for Android I am fortunate to get a complementary I/O ticket. However I thought this article would be more useful if I included the ticket price in the main total.

Factors/Comments:

  • I was able to share uber a few times to cut down some of the travel costs.
  • Didn’t factor lost earnings for the 5 days not working (or the reduced efficiency the week after with jet lag)
  • Haven’t included some leisure activities at weekend like bike hire, Makers faire and travelling to/from San Francisco as I figured it’s purely what I got up to and not indicative of costs for others.

Tips and tricks to cut costs:

  • Remembers it’s near unlimited free food, drink, snacks and beer/wine at Google I/O so on a I/O day you shouldn’t need much else.
  • After researching flights, I discovered you can fly into San Francisco (SFO) or San Jose (SJC). SJC is closer but SFO is often cheaper. I did a fair bit of checking of different flight options to get the flights for £450. This is £200 cheaper than LHR to SJC
    • Also see if flying back on different day helps, I found that returning on the Sunday night saved £1000!!! Over flight on the Friday evening.
  • Book accommodation nearer to bus drop off locations i.e  Mountain view caltrain. This is so I could take advance of the free Google I/O buses.
  • Sharing AirBnb brought the accommodations costs down. Nearby hotels wanted $200 per night.
  • If you’re in a permanent role try to convince your employer to cover some of the costs in exchange for things like blog articles and knowledge transfer sessions.
  • If you’re independent contractors consider working the weekend to recover some lost earnings.
  • Monzo card for fee free payments in USD and ATM withdrawals (always pay in USD and don’t let the ATM/ePOS do the conversion)

 

Recently I needed to work with OpenSSL in C/Cpp on Android and I couldn’t find a simple way of including it.  I looked at The Guardian project’s openssl for Android but it was very out of date. That’s when I decided to go for compiling OpenSSL myself. This could of been a minefield but luckily there’s a pre-configured build script that only requires a few modifications. This article aims to cover those modifications and how to integrate the compiled OpenSSL files into an NDK project.

openssl_for_ios_and_android tools/script via github

I’ve upload my minor changes (no-zlib compile option) to this fork https://github.com/scottyab/openssl_for_ios_and_android

NOTE: for my purposes I only needed lib-crypto and lib-ssl as I was focused on local only encryption. If you’re looking to use networking in C/Cpp then you may also need to compile/include curl.

Step 1: Downloads

If you’re new to the NDK check out this Intro to C for Android developers article and the official docs

Step 2: Prep build environment/script

Add ANDROID_NDK environment variable

Add the following line to ~/.bash_profile

export ANDROID_NDK=<path to NDK bundle>

update build-openssl4android.sh to use the downloaded openssl version

~line 20 LIB_NAME="openssl-1.0.2k" to the version you downloaded LIB_NAME="openssl-1.1.0e"

update build-openssl4android.sh to change the zlib compile option

Change the zlib compile option to no-zlib (if you are not using the scottyab fork). Without this change I had build failure app:externalNativeBuildDebug failed with vairous cmake errors i.e c_zlib.c:(.text+0xbc): undefined reference to deflate`. Based on recommendations from this SO issue.

~Line 53 zlib \ to no-zlib \

Step 3: build

Start the build $ ./build-openssl4android.sh

Step 4: Copy output to your Android NDK project

  • Copy the runtimes you want to support, i.e arm, x86, mips from openssl_for_ios_and_android/output to <project root>/distribution/openssl.
  • Rename the directions to remove the openssl- prefix.

Step 5: update cmakerlists.txt file

I used this NDK Samples app Hello-libs as basis for my NDK project setup. Where the native-lib cpp file and cmakerlists.txt are already created/setup.

  • Add the following lines (The references to native-lib is where your Cpp code will likely be)

//configure import libs

set(distribution_DIR ${CMAKE_SOURCE_DIR}/../../../../distribution)

//add the open ssl crypto lib
add_library(libcrypto STATIC IMPORTED)
set_target_properties(libcrypto PROPERTIES IMPORTED_LOCATION ${distribution_DIR}/openssl/${ANDROID_ABI}/lib/libcrypto.a)

# add the open ssl ssl lib

add_library(libssl STATIC IMPORTED)

set_target_properties(libssl PROPERTIES IMPORTED_LOCATION

${distribution_DIR}/openssl/${ANDROID_ABI}/lib/libssl.a)

//add to target_include_directories

target_include_directories(native-lib PRIVATE

${distribution_DIR}/openssl/${ANDROID_ABI}/include)

//add to target_link_libraries

target_link_libraries( # Specifies the target library.

native-lib

# Links the openssl crypto

libcrypto

libssl

${log-lib} )

Step 6: Finish / Build in gradle

That’s it you should be good to go and ready to start using openssl in your c and cpp files.

./gradlew assemble

Slides and links(below) from my “What’s NNNNNNNNew in Android Security” talk at Droidcon London. The video via SkillsMatter is here.

Resources:

Training and Developer Docs

Would you like me to speak at your conference or meetup? If so please get in contact.

Any questions, please drop me an email or tweet.

 

Droidcon London is one of my favourite conferences with it’s wall to wall Android theme. I’ve spoken 3 times over the past 6 years or so and I’m super excited to be speaking this year after a break of a couple of years. I tend to speak about Android Security because it’s an area of app development that isn’t often prioritised high enough. Mobile security comes with it’s own set of challenges where devices and data are physically at more risk than traditional PC/Laptop environment.

In addition to checking out the other security talks I’m keen to learn tips and quick wins for view animations and screen transitions. Also top of my list is learning from real world experiences and lessons learnt using different architectural approaches such as MVP and Clean architecture. I’m looking forward to getting to grips with Kotlin based on the news that Kotlin is supported for build scripts in Gradle 3.0. 

whats_new_in_android_security_v3_key

My Talk – What’s NNNNNNew in Android Security?

As you might guess from the name is all about the new security features in the most recent versions of Android: Nougat aka N.

whats_new_in_android_security_v3_key_at_glance

Who should come to it?

There were several notable security updates in Android Nougat and in this talk I’ve distilled the information specially for the busy developer who don’t have a lot of time to invest in learning new APIs. I’m personally most excited about Android 7’s Network security config. It’s an easy way to increase your app’s network security without writing any code (just xml based config). I’ll show you the most likely things you’d use it for with code samples. For example allowing self signed certificates for development API and SSL pinning.

See you there!

Also watch @scottyab and speakerdeck profile for the slides 

Thanks to Matt Rollings, Niall Scott and Andy Barber proofreading feedback.

Scott MCEI had a great time at MCE conference in Warsaw, Poland in April. I’d recommend MCE as a mobile conference I attended both Android and iOS talks and there were all high quality. Also all the people I met were very friendly and spoke great english. I was introduced to Polish vodka and some tasty polish food. Thanks to the organisers for inviting me and I hope to attend again.

In this presentation I share a story of a recent Android app I developed where app security wasn’t prioritised and how I still provided a minimal level of security to protect the app’s users and developer reputation.

For those wondering why my t-shirt has a mantis shrimp on it? check out this awesome oatmeal comic.

Last week I attended the first Blackhat mobile security summit in London. It was a great chance for us to learn from security specialists.

I co-wrote this article to highlights some of our favourite and key takeaways.

  • New Android Security Rewards Program
  • State of malware on Android/mobile
  • Samsung / SwiftKey Zip Traversal Hack
  • SSL validation (or lack of) still one of most common app vulns
  • “erase everything” = not everything?
  • Windows phone 8 exploits and security faux pas

gotocope_smI have been fortunate enough to be invited to speak at goto; conference in Copenhagen on October 6th. I’ll be giving a talk I one of my favourite subjects: Android app security. If you can make it please come and say hi.

 

Abstract:

Global mobile adoption is spreading like wildfire, pervasive government surveillance programs are coming to light and major internet security exploits are being uncovered. This results in increased awareness from users, managers and developers for the dire need for rigorous security in deployed code. While mobile device security can be helped via mobile device management (MDM) solutions it’s our responsibility as app developers/publishers to ensure our apps protect user privacy and critical business data. The problem is securing your Android app and data is not always obvious or well documented.

This talk will cover current Android app threats and look at how with freely available tools we can easily reverse engineer an Android app. After a brief introduction to Android platform security and how to protected app components, we’ll cover enhanced SSL validation, encryption, tamper protection and advanced obfuscation techniques. We will also focus on leveraging open source commercially viable libraries allowing us to increase our app’s security with minimal effort.

These best practise techniques will arm you with practical solutions that can help you survive in the Android security jungle.

I have released a new open source library to wrap a Google Play services API called SafetyNet, which has been completely eclipsed by the recent Google IO and WWDC coverage 😉 safetynet_framed

Here’s a blog post that explains a bit about what is it and why and here’s the code on github.

I’ve also released the Sample app on the Google Play store so you can run the Safety Net test on your own device.