Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Network Calls on Android, from 2009 to...

Securing Network Calls on Android, from 2009 to 2019

10 years ago, due to a growing up ecosystem, HTTPS was something not that easy to setup. As of today, things have changed.

Let's go back in time and understand why the Web had to switch to HTTPS by looking at security flaws.

We will talk about network to fully understand the security risks and how things works.

Then, let's finish with '19 by talking about what we can do in terms of security. What are the most used tools and things we should know and use.

Michaël Ohayon

April 23, 2019
Tweet

More Decks by Michaël Ohayon

Other Decks in Technology

Transcript

  1. Everyone has a phone with apps Top Applications from the

    French Google Play Store #3 Netflix #8 WhatsApp #27 Microsoft Outlook #54 Doctolib #106 Crédit Agricole #109 Assurance maladie !2
  2. Everyone has a phone with apps and private informations Top

    Applications from the French Google Play Store #3 Netflix General Password #8 WhatsApp Private messages, pictures #27 Microsoft Outlook Work data #54 Doctolib Medical data #106 Crédit Agricole Bank data #109 Assurance maladie Government ID !3
  3. July 24, 2008 "Today, we're making it even easier for

    you to use https to protect your mail every time you access it. We've added an option to Settings to always use https" https://gmail.googleblog.com/2008/07/making-security-easier.html !15
  4. July 24, 2008 "If you don't regularly log in via

    unencrypted wireless connections at coffee shops or airports or college dorms, then you might not need this additional layer of security." https://gmail.googleblog.com/2008/07/making-security-easier.html !16
  5. July 24, 2008 "But if you want to always use

    https, then this setting makes it super easy. Whenever you forget to type https://mail.google.com, we'll add the https for you." https://gmail.googleblog.com/2008/07/making-security-easier.html !17
  6. Why is HTTPS such a big deal? Is it hard

    to monitor HTTP traffic? !21
  7. ARP Spoofing in 2 minutes Network Interface phone ip Network

    Interface phone ip gateway ip gateway ip !28
  8. July 31, 2013 We now use https by default for

    all Facebook users. This feature, which we first introduced as an option two years ago, means that your browser is told to communicate with Facebook using a secure connection, as indicated by the "https" rather than "http" in https://www.facebook.com. https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/ !35
  9. 1 - Tech requirements You need to have access to

    the underlying HTTP Server, not just an FTP access and to be trusted http://conseilscreation.free.fr/pages/ftp_filezilla.php !42
  10. 2 - Pricing Who wants to pay for something already

    working? https://www.sslshopper.com/ssl-certificate-list.html !43
  11. September 15, 2016 "This specification defines "secure contexts", thereby allowing

    user agent implementers and specification authors to enable certain features only when certain minimum standards of authentication and confidentiality are met." https://www.w3.org/TR/secure-contexts/ !48
  12. September 15, 2016 Warning: Direct access to the camera is

    a powerful feature. It requires consent from the user, and your site MUST be on a secure origin (HTTPS). https://developers.google.com/web/fundamentals/media/capturing-images/ !49
  13. February 8, 2018 "Chrome will mark all HTTP sites as

    ‘not secure’ starting in July" https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl !51
  14. !55

  15. Can I use a self-signed certificate? NO (if you plan

    to use this certificate on devices you do not administrate or on apps you are not building, such as web browsers ) !74
  16. Can I use a self-signed certificate? YES (If it's for

    applications where you can control the network logic or devices you can administrate) !75
  17. !78

  18. Is Certificate Pinning the way to go? YES (but don’t

    forget to think about certificate’s lifetime) !79
  19. Recap •HTTPS is the way to go (who would doubt

    that?)
 •Certificate Pinning exists and should be implemented
 •Think twice when releasing outside default stores! •If someone wants to look at the traffic, he may succeed but on compromised devices •Keep cool, in 2019, your apps should be safe enough
 !93