
Android Application Security at Devoxx 2013

Slides from the 'Android Application Security' session at Devoxx 2013

Filip Maelbrancke

November 15, 2013
Transcript

  1. We
     • Filip Maelbrancke, Consultant @ iDA MediaFoundry
     • Tegbir Dhillon, Team lead @ ING Bank Belgium
  2. Security
     "The only system that is truly secure is one that is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and surrounded by nerve gas and very highly-paid armed guards. Even then, I wouldn't stake my life on it." (Gene Spafford)
  3. Security = managing risk
     Diagram: risk is rated High / Medium / Low from three factors: Asset (criticality / impact), Vulnerability (exploitability) and Threat (probability).
  4. All in one device: increases threat probability
     • GPS
     • Contacts
     • Camera
     • Email (work)
     • Wallet
  5. Always out: vulnerability / exploitability
     • Stolen
     • Forgotten
     • Lost
     • Weak PINs
     • Use of open public WiFi
  6. Traditional model
     Diagram: App 1, App 2, App ... all start under the same UID (12345) and reach the system resources (file system, network, other system resources) through that one UID's permissions.
  7. Android sandbox
     Diagram: App1 runs as Linux UID 12345 and owns its resources (DB, network, files) under UID 12345, with permissions tied to that UID; App2 runs as Linux UID 56789 with its own resources and permissions. Each app sits in its own sandbox.
  8. Shared user id
     Diagram: App1 and App2 both run as Linux UID 10160, so they share one sandbox, the same resources (DB, network, files) and the same permissions.
     <manifest ... android:sharedUserId="com.example.apps" ...>
  9. Signing tips
     • Secure your private key
     • Strong passwords
     • Four-eyes principle
     • Keep the keystore in a safe place
     • Provide geographic redundancy
  10. Other techniques
     • Server: if possible, run code at the server!
     • String encryption: hide sensitive strings, e.g. "Secure"
     • Native code: Java Native Interface
     • Reflection / Proxy: introduces indirection
     • Class encryption: use DexGuard
  11. Signing key
     Valid signing key:
     • SHA1 of the signing cert
     • Embed it in the app
     • Check it against the runtime signature
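How the runtime check on slide 11 can be done, as an added example that is not part of the deck: it hashes the app's own signing certificate with SHA-1 and compares it with a fingerprint embedded in the code. EXPECTED_SHA1_HEX is a placeholder, and the code uses the PackageManager.GET_SIGNATURES API that was current at the time of the talk.

```java
// Added example (not from the deck): compare the SHA-1 of the APK's signing
// certificate with a fingerprint embedded in the app.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.util.Locale;

public final class SignatureCheck {
    // Placeholder: replace with the SHA-1 fingerprint of the release certificate
    // (keytool -list -v -keystore release.keystore, with the colons removed).
    private static final String EXPECTED_SHA1_HEX =
            "0000000000000000000000000000000000000000";

    private SignatureCheck() {}

    /** True when one of the app's signing certificates matches the embedded fingerprint. */
    public static boolean isSignedWithExpectedCert(Context context) {
        try {
            PackageInfo info = context.getPackageManager().getPackageInfo(
                    context.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                // toByteArray() returns the DER-encoded certificate, which is
                // exactly what keytool fingerprints.
                if (EXPECTED_SHA1_HEX.equalsIgnoreCase(sha1Hex(sig.toByteArray()))) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            // Any failure to read the package info counts as "not verified".
            return false;
        }
    }

    /** Lower-case hex SHA-1 digest of the given bytes. */
    static String sha1Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format(Locale.ROOT, "%02x", b));
        }
        return sb.toString();
    }
}
```

A repackaged APK can have this check removed together with the rest of the code, so treat a mismatch as a tamper signal to act on (for instance by refusing to talk to the backend), not as a guarantee.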
  12. Local data protection
     • Avoid it if you can
     • Avoid external storage for sensitive information
     • For critical info set android:saveEnabled="false"
     • Backup: set android:allowBackup="false"
     • Proper permissions: MODE_PRIVATE for files
  13. Bouncy Castle
     • Android ships a cut-down subset of the upstream release
     • Spongy Castle (github.com/rtyley/spongycastle): repackage of Bouncy Castle for Android
     • Consistent: the same crypto across Android versions
     • Minimal change
  14. Encryption libs
     • SQLCipher (sqlcipher.net): modified version of SQLite, AES-256 encryption, drop-in replacement
     • IOCipher (guardianproject.info/code/iocipher): virtual encrypted disk
  15. Key management
     • Store: along with the data (file private to the app)
     • Embed: in source code (obfuscated?)
     Both are EASY TO EXTRACT
  16. Key management: solutions
     • Don't store the key on the device; have it entered each time it is needed
     • Store it in a system service
  17. Key derivation
     • Encryption keys are long random strings of bits
     • People vs keys: users are familiar with passwords
     • Password-based encryption: generate strong crypto keys from humanly-manageable passwords
     • Crypto algo: PBKDF2WithHmacSHA1
  18. Proper key derivation
     • Salt: using a salt protects from table-assisted / pre-computed dictionary attacks
     • Key stretching: repeat the key derivation operation multiple times to produce the final key; slows down brute force attacks
     https://github.com/nelenkov/android-pbe
     http://nelenkov.blogspot.jp/2012/04/using-password-based-encryption-on.html (Nikolay Elenkov)
  19. KeyChain? Keystore provider
     • Since Android 4.3
     • Can be hardware-backed
     https://github.com/nelenkov/android-keystore (Nikolay Elenkov)
  20. Secure communication channel
     Use HTTPS (SSL / TLS):
     • Confidentiality
     • Authentication
     Validation: hostname verification and certificate pinning
  21. Certificate pinning
     • Get the certificate (openssl):
       echo | openssl s_client -connect host:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycertificate.pem
     • Embed it in the application: /res/raw
     • Custom TrustManager based on a keystore: load the certificate into the keystore
     • SSL context: init the SSL context with the TrustManager
     https://developer.android.com/training/articles/security-ssl.html
  22. Securing services: controls
     • Kill switch for specific functionality
     • Server downtime communication
     • Mandatory update mechanism
  23. Securing services
     Backend REST services and APIs can have similar vulnerabilities to web applications. Mitigate: follow the OWASP Top 10.
  24. Effective security
     "Using CryptoLint, we performed a study on cryptographic implementations in 11,748 Android applications. Overall we find that 10,327 programs – 88% in total – use cryptography inappropriately. The raw scale of misuse indicates a widespread misunderstanding of how to properly use cryptography in Android development."