Modern Security for Android Developers

Transcript

1. Modern Security for Android Developers Dinorah Tovar Platform Mobile Engineer

   @ konfío.mx @ddinorahtovar @ddinorahtovar

2. Security is a two sides coin!

3. Encryption, but simpler 
 Algorithm Data Key Cipher Text @ddinorahtovar

4. Encryption algorithms Cipher Mac Signature Message Digest @ddinorahtovar

5. Encryption algorithms @ddinorahtovar

6. Encryption algorithms val cipher = Cipher.getInstance(“AES/CBC/PKCS5Padding") Schema Model Padding @ddinorahtovar

7. Encryption algorithms •Too many standars: Advanced Encryption Standard (AES)
 Rivest–Shamir–Adleman

   (RSA) •Modes of operation for symmetric and not symmetric keys •Paddings to encrypt long and small data. @ddinorahtovar

8. Encryption So, encryption is software or hardware? DEPENDS @ddinorahtovar

9. Encryption in Android •Hardware acceleration •Android Version <application android:name=".YourApp" android:icon="@mipmap/ic_launcher"

   android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:hardwareAccelerated="true"/> @ddinorahtovar

10. Encryption in Android @ddinorahtovar •Secure Element and Trusted environments Peripherals

    Untrusted Area Trusted Area Applications OS Memory Trusted Component Memory

11. Encryption in Android @ddinorahtovar •Secure Element and Trusted environments Peripherals

    Untrusted Area Trusted Area Applications OS Memory Trusted Component Memory Secure element
 Memory CPU

12. Encryption in Android Encryption is hard! @ddinorahtovar But why?

13. Encryption in Android @ddinorahtovar

14. Encryption in Android @ddinorahtovar Is this okay?

15. Encryption in Android @ddinorahtovar KeyChain KeyStore API for credentials that

    can be used across your apps Store cryptographic keys securely

16. Encryption in Android Solution has arrived @ddinorahtovar

17. Encryption in Android • Using Tink, a cross-platform for encryption,

    so we need 23 SDK min (for the RC) @ddinorahtovar

18. Encriptación en Android @ddinorahtovar

19. Encryption in Android @ddinorahtovar

20. Encryption in Android @ddinorahtovar

21. Encryption in Android @ddinorahtovar

22. Friends, not enemies @ddinorahtovar

23. Encryption in Android MASTER KEY KEYSET File or SharedPreference Key

    to encrypt @ddinorahtovar

24. Encryption in Android KeyStore Key Key Alias @ddinorahtovar

25. Encryption in Android @ddinorahtovar

26. Encryption in Android @ddinorahtovar

27. Encryption in Android @ddinorahtovar

28. Encryption in Android @ddinorahtovar

29. Biometrics

30. Biometric prompt @ddinorahtovar

31. Biometric prompt @ddinorahtovar

32. Biometric as Local auth 
 Secure Channel Biometric Promp Unlock

    Promp @ddinorahtovar

33. How does it works? •Unexportable, cause depends of TEE •All

    the data travels in a Secure Channel @ddinorahtovar

34. Biometric as Local auth @ddinorahtovar False Accept Rate (FAR) Imposter

    Accept Rate (IAR) Spoof Accept Rate (SAR)

35. Native Modules

36. C/C++ vs. Java/Kotlin @ddinorahtovar •C/C++ can not be decompiled •But

    can be dissembled

37. Native Modules @ddinorahtovar

38. @ddinorahtovar

39. @ddinorahtovar

40. Secure Data layer

41. Secure data layer @ddinorahtovar •Authenticated, encrypted socket-level communication can be

    easily implemented using the SSLSocket Class •In a typical SSL usage scenario, a server is configured with a certificate containing a public key as well as a matching private key. As part of the handshake between an SSL client and server, the server proves it has the private key by signing its certificate with public-key cryptography.

42. Secure data layer @ddinorahtovar So if I have this, everything

    is cool No!

43. Certificate Authority @ddinorahtovar CER (.CRT) PFX

44. Certificate Authority @ddinorahtovar

45. Certificate Authority @ddinorahtovar

46. Modern Security for Android Developers Dinorah Tovar Platform Mobile Engineer

    @ konfío.mx @ddinorahtovar @ddinorahtovar