Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android security (for developers) at jDays 2015

Filip Maelbrancke
March 17, 2015
Programming
3
410

Android security (for developers) at jDays 2015

Slides from the 'Android Security For Developers' session at jDays 2015 in Göteborg, Sweden

Filip Maelbrancke

March 17, 2015
Tweet

More Decks by Filip Maelbrancke

See All by Filip Maelbrancke
Reactive Spring 5: WebFlux & Reactor
filipmaelbrancke
0
130
Spring 5 and Kotlin
filipmaelbrancke
0
100
Android Accessibility at GDG Devfest Istanbul 2016
filipmaelbrancke
0
99
Effective Android Development
filipmaelbrancke
0
110
Android Accessibility at GDG Devfest Brussels 2016
filipmaelbrancke
0
86
Android Accessibility at BABBQ Amsterdam
filipmaelbrancke
0
190
Android Testing at Mobel (December 9, 2015)
filipmaelbrancke
0
140
Working in an effective team at DevFest Istanbul 2015
filipmaelbrancke
0
61
Working in an effective team at BABBQ 2015 & Droidcon Italy 2015
filipmaelbrancke
1
140

Other Decks in Programming

See All in Programming
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
23k
Vue.js学習の振り返り
hiro_xre
2
130
Sidekiqで実現する 長時間非同期処理の中断と再開 / Pausing and Resuming Long-Running Asynchronous Jobs with Sidekiq
hypermkt
6
2.7k
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
430
飲食業界向けマルチプロダクトを実現させる開発体制とリアルな現状
hiroya0601
1
390
PLoP 2024: The evolution of the microservice architecture pattern language
cer
PRO
0
1.6k
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
430
offers_20241022_imakiire.pdf
imakurusu
2
360
Tuning GraphQL on Rails
pyama86
2
1k
macOS でできる リアルタイム動画像処理
biacco42
7
1.9k
Vue3の一歩踏み込んだパフォーマンスチューニング2024
hal_spidernight
3
3.1k
外部システム連携先が10を超えるシステムでのアーキテクチャ設計・実装事例
kiwasaki
1
230

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
We Have a Design System, Now What?
morganepeng
50
7.2k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Docker and Python
trallard
40
3.1k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
KATA
mclloyd
29
13k
Designing for humans not robots
tammielis
249
25k
The Art of Programming - Codeland 2020
erikaheidi
51
13k

Transcript

  1. Android security FOR DEVELOPERS FILIP MAELBRANCKE

  2. Your host Filip Maelbrancke Consultant @ AppFoundry fi[email protected] @fmaelbrancke

  3. None

  4. X

  5. Security = managing risk ASSET VULNERABILITY THREAT

  6. Security = managing risk ASSET VULNERABILITY THREAT

  7. All in one device Increases threat proBability • GPS •

    Contacts • Camera • Email (work) • Wallet

  8. Always out Vulnerability / Exploitability • Stolen • Forgotten •

    Lost

  9. Everyone uses it Vulnerability / Exploitability • Weak pins •

    Use of open public WiFi

  10. Android security MODEL Game X Game Y System Contacts Email

    Google Play Verify app signature App sandbox Permissions application isolation

  11. typical mobile app MOBILE APPLICATION UI LOCAL STORAGE REMOTING LAYER

    REMOTE API COMMUNICATION CHANNEL

  12. Security APP HARDENING DATA NETWORK SERVICES

  13. None

  14. Securing the app JAVA CLASS DEX

  15. reverse engineer

  16. obtain apk adb backup -apk be.myapp ADB backup app Titanium,

    Astro, Helium, … adb shell pm list packages -f adb pull /data/app/be.myapp-1.apk

  17. apk structure apk = zip APK AndroidManifest classes.dex Resources

  18. reverse engineer TOOLS • Apktool • Dex2jar • JADX

  19. Reverse engineer smali / baksmali apktool low level disassembled Dex

    bytecode code code can be modified recompile / resign

  20. Reverse engineer apktool d myapp.apk

  21. Reverse engineer

  22. Reverse engineer

  23. Reverse engineer convert .dex file to a .jar with java

    bytecode DEX2JAR dex -> java java decompiler code very readable

  24. Reverse engineer

  25. Reverse engineer command-line / GUI tools JADX

  26. Reverse engineer Jeb Decompiler PAID dex -> java native dex

    decompiler

  27. reverse engineer

  28. Obfuscation

  29. Proguard obfuscate optimize Shrink

  30. proguard obfuscation

  31. proguard

  32. proguard configuration

  33. other techniques If possible, run code at server! server String

    encryption Hide sensitive strings eg “Secure” Native code Java Native Interface reflection Proxy Introduces indirection Class encryption Use DexGuard

  34. dexguard Same config proguard++ Commercial Good value for the money

    Tamper checks

  35. dexguard

  36. proguard tips Test! release build Mapping.txt Save! Crash? Supported on

    Crashlytics, Crittercism, ...

  37. TAMPER DETECTION

  38. Environment 1.installer 2.debugger / emulator 3.BINARY Validation Tamper detection /

    protection

  39. INSTALLER PLAY STORE INSTALLER

  40. debugger Debugger check

  41. debugger Debugger check

  42. emulator EMULATOR check

  43. SIGNING KEY Valid signing key • SHA1 of signing cert

    • Embed • Check with runtime signature

  44. SIGNING KEY Valid signing key

  45. rooted device root detection • Check typical apps / files

    • Check keys • /system r/w
  46. None

  47. Data protection laws that govern data protection Law obligation beyond

    legal obligations ➪ moral obligation

  48. local Data protection Avoid it if you can Avoid External

    storage Avoid external storage for sensitive information For critical info set android:saveEnabled="false" Backup set android:allowBackup=false proper permissions MODE_PRIVATE with files

  49. local Data protection getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE); avoid screen shots LOGOUT on

    inactivity if usability allows and clear the cached information

  50. keylogger

  51. Android not enough? rooted devices internal storage full disk crypto

    brute forcing

  52. CRYPTO

  53. crypto in Android = JCA APP JCA (Java Cryptography Architecture)

    Provider Provider Message Digest Key Generation Digital Signature ...

  54. JCA Bouncy Castle Android OpenSSL APP JCA (Java Cryptography Architecture)

    Harmony

  55. bouncy castle Android = subset of upstream release cut-down CONSISTENT

    Consistent crypto across Android versions MINIMAL change github.com/rtyley/spongycastle Spongy castle Repackage of Bouncy Castle for Android

  56. GPS dynamic Security provider Since Google Play Services 5 google

    play services replacement for the platform’s bundled provider security patches rapid delivery frequently updated by Google

  57. dynamic security provider setup dependencies { compile 'com.google.android.gms:play-services:6.1.+' }

  58. dynamic security provider setup

  59. Android security providers

  60. Conscrypt

  61. encryption libs SQLCipher sqlcipher.net • Modified version of SQLite •

    AES-256 encryption • Drop-in replacement iocipher guardianproject.info/code/iocipher Virtual encrypted disk

  62. key management Store along with the data (file private to

    the app) Store Embed Embed in source code (obfuscated ?) EASY TO EXTRACT

  63. key management don’t store Don’t store the key on the

    device Have it entered each time necessary Store In systems service SOLUTIONS

  64. key derivation Long random strings of bits encryption keys people

    vs keys Users are familiar with passwords Crypto algo PBKDF2WithHmacSHA1 password based encryption Generate strong crypto keys based on humanly-manageable passwords

  65. proper key derivation Using a salt protects from table- assisted

    / pre-computed dictionary attacks SALT key stretching Repeat the key derivation operation multiple times to produce the final key Slows down brute force attacks

  66. key derivation https://github.com/nelenkov/android-pbe http://nelenkov.blogspot.jp/2012/04/using-password-based-encryption-on.html Nikolay Elenkov

  67. KEYCHain? Keystore provider • Since Android 4.3 • Can be

    hardware-backed

  68. Android keystore available from Android 4.3 java security provider APP

    can generate & save private keys keys private to each app

  69. keystore

  70. keystore

  71. network

  72. Secure communication channel use https Use SSL / TLS •

    Confidentiality • Authentication VALIDATION Hostname verification Certificate pinning http://android-ssl.org/

  73. secure communication channel hostname verification

  74. SSL certificates CA issued, Android recognized CA issued behaviour change

    custom TrustManager self-signed certificates

  75. certificate authorities

  76. certificate authorities https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into- the-root-certificates-on-mobile-devices

  77. Trustmanager StrongTrustManager • Validate whole certificate chain • Debian certificate

    store

  78. self signed cert

  79. anti-pattern don’t trust all!

  80. Self-signed cert import in your app certificate custom trustmanager no

    man-in-the-middle attacks

  81. certificate pinning with expected certificate / public key Associate host

    hashing anonymize certificate / public key

  82. certificate pinning echo | openssl s_client -connect host:443 2>&1 |

    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycertificate.pem get certificate (openssl) embed in application /res/raw Custom trustmanager Based on keystore Load into keystore SSL context Init SSL context with TrustManager https://developer.android.com/training/articles/security-ssl.html

  83. NOGOTOFAIL Test tool man in the middle server attempts to

    inject attacks into connections checks https://github.com/google/nogotofail
  84. None

  85. Securing services Controls • Kill switch for specific functionality •

    Server downtime communication • Mandatory update mechanism

  86. securing services Backend REST and APIs can have similar vulnerabilities

    to web applications mitigate follow OWASP top 10
  87. None

  88. Effective security Using CryptoLint, we performed a study on cryptographic

    implementations in 11,748 Android applications. Overall we find that 10,327 programs – 88% in total – use cryptography inappropriately. The raw scale of misuse indicates a widespread misunderstanding of how to properly use cryptography in Android development. “ ”

  89. effective security hardcoded passphrases manually seeded SecureRandom insufficient key generation

    iterations hardcoded salts non-random initialization vectors

  90. security testing Static analysis Manual code review design review Analysis

    Static Dynamic Penetration testing

  91. suggested reading Android Security Cookbook
 Keith Makan / Scott Alexander-Bown

    (9781782167167) Android Security Internals 
 Nikolay Elenkov (9781593275815) Android Hacker’s Handbook
 Joshua J. Drake et al. (9781118608647) Application Security for the Android platform
 Jeff Six (9781449315078) 


  92. suggested reading developer.android.com
 https://developer.android.com/training/articles/security-tips.html 
 https://source.android.com/devices/tech/security/ OWASP
 https://www.owasp.org/index.php/OWASP_Mobile_Security_Project Google+ community

    
 Android security discussions Blogs
 http://nelenkov.blogspot.com.tr/…


  93. Questions? Filip Maelbrancke Consultant @ AppFoundry fi[email protected] @fmaelbrancke