Android Application Security For Developers (ADD 2014)

Slides from the 'Android Application Security For Developers' session at Android Developer Days 2014 in Ankara

Filip Maelbrancke

May 17, 2014

Transcript

  1. X

  2. All in one device: increases threat probability
    • GPS
    • Contacts
    • Camera
    • Email (work)
    • Wallet
  3. Android security model
    [Diagram: Game X, Game Y, System, Contacts, Email]
    • Google Play
    • Verify app signature
    • App sandbox
    • Permissions
    • Application isolation
  4. Obtain APK from device
    • ADB backup: adb backup -apk be.myapp
    • App: Titanium, Astro, Helium
    • adb shell pm list packages -f
    • adb pull /data/app/be.myapp-1.apk
  5. Reverse engineer: APKTOOL
    • smali / baksmali
    • Code: low-level disassembled Dalvik bytecode
    • Code can be modified: recompile / resign
  6. Reverse engineer: DEX2JAR
    • dex -> java: convert .dex file to a .jar with Java bytecode
    • Java decompiler
    • Code: very readable
  7. Other techniques
    • Server: if possible, run code at server!
    • String encryption: hide sensitive strings, e.g. “Secure”
    • Native code: Java Native Interface
    • Reflection, proxy: introduces indirection
    • Class encryption: use DexGuard
  8. Signing key: valid signing key
    • SHA1 of signing cert
    • Embed
    • Check with runtime signature
  9. Rooted device: root detection
    • Check typical apps / files
    • Check keys
    • /system r/w
  10. Tamper detection tips
    • Use obfuscation!
    • Multiple checks
    • Tampering detected: close application
    • Don’t leak where the protection code is
  11. Local data protection
    • Avoid it if you can
    • External storage: avoid external storage for sensitive information
    • For critical info set android:saveEnabled="false"
    • Backup: set android:allowBackup=false
    • Proper permissions: MODE_PRIVATE with files
  12. Bouncy Castle
    • Cut-down: Android = subset of upstream release
    • Spongy Castle: repackage of Bouncy Castle for Android (github.com/rtyley/spongycastle)
    • Consistent: consistent crypto across Android versions
    • Minimal change
  13. Encryption libs
    • SQLCipher (sqlcipher.net)
      • Modified version of SQLite
      • AES-256 encryption
      • Drop-in replacement
    • IOCipher (guardianproject.info/code/iocipher): virtual encrypted disk
  14. Key management: easy to extract
    • Store: store along with the data (file private to the app)
    • Embed: embed in source code (obfuscated?)
  15. Key management: solutions
    • Don’t store: don’t store the key on the device; have it entered each time necessary
    • Store: in system service
  16. Key derivation
    • People vs keys: encryption keys are long random strings of bits; users are familiar with passwords
    • Password-based encryption: generate strong crypto keys based on humanly-manageable passwords
    • Crypto algo: PBKDF2WithHmacSHA1
  17. Proper key derivation
    • Salt: using a salt protects from table-assisted / pre-computed dictionary attacks
    • Key stretching: repeat the key derivation operation multiple times to produce the final key; slows down brute force attacks
  18. KeyChain? Keystore provider
    • Since Android 4.3
    • Can be hardware-backed
    • https://github.com/nelenkov/android-keystore (Nikolay Elenkov)
  19. Secure communication channel: use HTTPS
    • Use SSL / TLS
      • Confidentiality
      • Authentication
    • Validation
      • Hostname verification
      • Certificate pinning
  20. Certificate pinning
    • Get certificate (openssl):
      echo | openssl s_client -connect host:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycertificate.pem
    • Embed in application: /res/raw
    • Load into keystore
    • Custom: based on keystore
    • SSL context: init SSL context with TrustManager
    • https://developer.android.com/training/articles/security-ssl.html
  21. Securing services: controls
    • Kill switch for specific functionality
    • Server downtime communication
    • Mandatory update mechanism
  22. Securing services
    • Backend REST and APIs can have similar vulnerabilities to web applications
    • Mitigate: follow OWASP Top 10
  23. Effective security
    “Using CryptoLint, we performed a study on cryptographic implementations in 11,748 Android applications. Overall we find that 10,327 programs – 88% in total – use cryptography inappropriately. The raw scale of misuse indicates a widespread misunderstanding of how to properly use cryptography in Android development.”
  24. Suggested reading
    • Android Security Cookbook, Keith Makan / Scott Alexander-Bown (9781782167167)
    • Android Security Internals, Nikolay Elenkov (9781593275815)
    • Android Hacker’s Handbook, Joshua J. Drake et al. (9781118608647)
    • Application Security for the Android Platform, Jeff Six (9781449315078)