OMG What's new in Security

Transcript

1. What's new in Security? Scott Alexander-Bown @ScottyAB [email protected] MG

2. It’s for developers Not security experts @ScottyAB

3. Google Play Services Oreo Google Play Store

4. You cannot trust the client

5. What can you use today?

6. SafetyNet part of Google Play Services ‘com.google.android.gms:play-services-safetynet:11.2.0’ *Unofficial logo

7. @ScottyAB .listHarmfulApps()

8. .verifyWithRecaptcha() @ScottyAB

9. Verify on secure server POST to https://www.google.com/recaptcha/api/siteverify • TokenResult (from

   SafteyNet recaptchaTokenResponse) • Your Racaptcha secret

10. @ScottyAB .lookupUri(..) Images from safebrowsing.google.com

11. .attest(..) @ScottyAB

12. Device Status ctsProfileMatch basicIntegrity Certified, genuine device that passes CTS

    TRUE TRUE Certified device with unlocked bootloader FALSE TRUE Device with custom ROM (not rooted) FALSE TRUE Emulator FALSE FALSE Signs of system integrity compromise, (rooting) FALSE FALSE Signs of other active attacks (API hooking) FALSE FALSE SafetyNet Documentation https://goo.gl/uKd8Y6

13. On your secure server! ➔ Validate JWS message SSL cert

    chain ➔ Android Device Verification API ➔ Validate JWS message content SafetyNet Samples: https://goo.gl/Th3bEm @ScottyAB

14. FIDO U2F API Fast Identity Online Universal 2nd Factor ➔

    Register ➔ Authenticate ➔ Bluetooth or NFC ➔ 'com.google.android.gms:play-services-fido:11.2.0' https://github.com/googlesamples/android-fido

15. SMS Retriever API @ScottyAB Image from https://developers.google.com/identity/sms-retriever/overview

16. Phone Number Verification With SMS Tokens • Authenticate/verify a User

    • Better UX • Does not require the READ_SMS permission @ScottyAB

17. Oreo!

18. Platform ➔ Kernel Hardening ➔ Dev options req password ➔

    Install unknown apps @ScottyAB

19. Updating the platform ➔ Project Treble ➔ Streaming system updates

    ➔ Update "rollback protection” @ScottyAB

20. Autofill framework ➔ It just works with standard UI widgets

    ➔ Add support for your own custom views ➔ autofillHints ➔ IMPORTANT_FOR_AUTOFILL_NO “It just works!” @ScottyAB

21. Autofill service: security recommendations ➔ Partition data ➔ Field in

    focus ➔ Sensitive data restricted to the app that provided it AutofillFollies Whitepaper by Mark Murphy:- https://goo.gl/s1T33C @ScottyAB

22. WebView: Isolated Process @ScottyAB

23. WebView: Safe Browsing <manifest> <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing" android:value="true" /> </manifest>

24. Recap: Network Security Config ➔ Custom Truststore ➔ Block clear

    text ➔ SSL Pinning ➔ Debug only config A previous talk https://youtu.be/XzRbhfVyoKo @ScottyAB
25. None

26. New Telephony Permissions ➔ READ_PHONE_NUMBERS ➔ ANSWER_PHONE_CALLS ➔ Part of

    android.permission-group.PHONE @ScottyAB

27. Privacy improvements Nougat <=API25 Oreo API26+ ANDROID_ID Per device Per

    app-signing key, user, and device Serial Number Build.Serial Build.getSerial()

28. ANDROID_ID ➔ Does not change on package uninstall or reinstall*

    ◆ Signing keys the same ◆ Unless uninstalled and then reinstalled after the OTA ➔ Use Advertising ID Google Play Store Policy: Advertising ID https://goo.gl/P2e41N

29. PlayStore

30. Typical app signing @ScottyAB Image from Google Play console

31. Google Play app signing @ScottyAB Image from Google Play console

32. Advantages ➔ Upload key reset ➔ Streamlined migration ➔ Optimization

    (APK size) Google Dev video - https://youtu.be/5tdGAP927dk @ScottyAB

33. But... ➔ Permanent enrollment ➔ Register the upload key hash

    with APIs ➔ What about other app stores? @ScottyAB

34. What about the future?

35. Network Security config

36. Google Play Services Oreo Google Play Store

37. Thanks Scott Alexander-Bown @ScottyAB [email protected] Available for hire (remote) MG

38. App Security Improvement Program ➔ Security tips in Play console

    ➔ Apps scanned before publish ➔ Trustmanager. Various AD SDKs, OpenSSL etc

39. Exclude devices