Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Sécuriser ses appels réseau Android, de 2009 à ...

Sécuriser ses appels réseau Android, de 2009 à 2019

Si, il y a 10 ans, à cause d'un écosystème encore en construction, HTTPS était un protocole complexe à mettre en place, aujourd'hui il semble que c'est l'inverse.

Rejouons l'histoire pour découvrir et comprendre ensemble les différentes failles de sécurité qui ont poussé le Web à passer sur HTTPS ainsi que les implémentations associées sur Android.

À travers du code et des analyses, implémentons, cassons et sécurisons ensemble du code réseau pour comprendre comment nous en sommes arrivés aux implémentations actuelles.

Nous découvrirons ensuite les limitations de 2019 : pouvons-nous empêcher tout le monde d'analyser notre trafic ? Qu'est-il possible de faire aujourd'hui, quels sont les risques pour l'utilisateur, le développeur, l'entreprise ? Quels sont les outils et bonnes pratiques pour empêcher ou au moins ralentir et complexifier nos analyses réseau par des personnes malicieuses ?

Michaël Ohayon, Développer Android

Michaël Ohayon

November 28, 2019
Tweet

More Decks by Michaël Ohayon

Other Decks in Technology

Transcript

  1. #3 Netflix #8 WhatsApp #27 Microsoft Outlook #54 Doctolib #106

    Crédit Agricole #109 Assurance maladie Top des applications sur le Google Play Store
  2. #3 Netflix (Mot de passe général) #8 WhatsApp (Messages, photos)

    #27 Microsoft Outlook (Travail) #54 Doctolib (Médical) #106 Crédit Agricole (Banque) #109 Assurance maladie (Identité, Médical) Top des applications sur le Google Play Store
  3. Today, we're making it even easier for you to use

    https to protect your mail every time you access it. We've added an option to Settings to always use https. https://gmail.googleblog.com/2008/07/making-security-easier.html 24 Juillet 2008
  4. Today, we're making it even easier for you to use

    https to protect your mail every time you access it. We've added an option to Settings to always use https. If you don't regularly log in via unencrypted wireless connections at coffee shops or airports or college dorms, then you might not need this additional layer of security. https://gmail.googleblog.com/2008/07/making-security-easier.html 24 Juillet 2008
  5. Today, we're making it even easier for you to use

    https to protect your mail every time you access it. We've added an option to Settings to always use https. If you don't regularly log in via unencrypted wireless connections at coffee shops or airports or college dorms, then you might not need this additional layer of security. But if you want to always use https, then this setting makes it super easy. Whenever you forget to type https://mail.google.com, we'll add the https for you https://gmail.googleblog.com/2008/07/making-security-easier.html 24 Juillet 2008
  6. We now use https by default for all Facebook users.

    This feature, which we first introduced as an option two years ago, means that your browser is told to communicate with Facebook using a secure connection, as indicated by the "https" rather than "http" in https://www.facebook.com. https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/ 31 Juillet 2013
  7. This specification defines "secure contexts", thereby allowing user agent implementers

    and specification authors to enable certain features only when certain minimum standards of authentication and confidentiality are met. https://www.w3.org/TR/secure-contexts 15 Septembre 2016
  8. Warning: Direct access to the camera is a powerful feature.

    It requires consent from the user, and your site MUST be on a secure origin (HTTPS). https://developers.google.com/web/fundamentals/media/capturing-images/ 15 Septembre 2016
  9. "Chrome will mark all HTTP sites as ‘not secure’ starting

    in July" https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl 8 Février 2018
  10. Mozilla was recently notified that an intermediate certificate, which chains

    up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices and the agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37. https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/ 23 Mars 2015
  11. China Internet Network Information Center (CNNIC), a non-profit organization administrated

    by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program. https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/ 23 Mars 2015
  12. Late on December 3rd, we became aware of unauthorized digital

    certificates for several Google domains. We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to ANSSI, a French certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate. In response, we updated Chrome’s certificate revocation metadata immediately to block that intermediate CA, and then alerted ANSSI and other browser vendors. Our actions addressed the immediate problem for our users. https://security.googleblog.com/2013/12/further-improving-digital-certificate.html 7 Décembre 2013
  13. Est-ce que je peux tout faire ? Non Dans le

    cas où les appareils ne sont pas administrés par vous comme dans le cas d'un site Internet public
  14. Est-ce que je peux tout faire ? Oui Si vous

    avez le contrôle sur les appareils ou le code de vérification.
  15. • Il est temps de passer à HTTPS si ce

    n'est pas encore fait. • L'épinglage de certificats est une bonne pratique. • Les canaux de livraisons classiques sont généralement à privilégier. • Le trafic pourra être inspecté sous certaines conditions. • Le risque côté mobile est restreint mais pas côté serveur. Récapitulatif