Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OMG What's new in Security

Scott Alexander-Bown
October 27, 2017
55

OMG What's new in Security

Android O brings a plethora of security enhancements to the platform and the SDK. Scott will share with you a concise update on these new security features as well as practical tips and examples of how to implement them and improve your app’s security.

You will learn about features such as Auto fill, restrictions on device hardware identification with the focus on user privacy, new permissions in telephony and updates to how apps can access user accounts.

Scott will discuss the major enhancements to Webview in Android O including isolating it’s process and ability to integrate with Google Safe Browsing API. Also the dropping of support for SSLv3 and enhancements to Network security config that was introduced in Android Nougat.

Scott will also share with you some security features you can implement when your apps is not running on Android O. This is where Google Play services can help. Several new SafteyNet APIs allow developers make smarter decisions about the trustworthiness of the devices their app is running on. You will also learn how easy it is to transition to Google Play App Signing which offers a new way to manage your app’s signing keys.

Scott Alexander-Bown

October 27, 2017
Tweet

Transcript

  1. Device Status ctsProfileMatch basicIntegrity Certified, genuine device that passes CTS

    TRUE TRUE Certified device with unlocked bootloader FALSE TRUE Device with custom ROM (not rooted) FALSE TRUE Emulator FALSE FALSE Signs of system integrity compromise, (rooting) FALSE FALSE Signs of other active attacks (API hooking) FALSE FALSE SafetyNet Documentation https://goo.gl/uKd8Y6
  2. On your secure server! ➔ Validate JWS message SSL cert

    chain ➔ Android Device Verification API ➔ Validate JWS message content SafetyNet Samples: https://goo.gl/Th3bEm @ScottyAB
  3. FIDO U2F API Fast Identity Online Universal 2nd Factor ➔

    Register ➔ Authenticate ➔ Bluetooth or NFC ➔ 'com.google.android.gms:play-services-fido:11.2.0' https://github.com/googlesamples/android-fido
  4. Phone Number Verification With SMS Tokens • Authenticate/verify a User

    • Better UX • Does not require the READ_SMS permission @ScottyAB
  5. Updating the platform ➔ Project Treble ➔ Streaming system updates

    ➔ Update "rollback protection” @ScottyAB
  6. Autofill framework ➔ It just works with standard UI widgets

    ➔ Add support for your own custom views ➔ autofillHints ➔ IMPORTANT_FOR_AUTOFILL_NO “It just works!” @ScottyAB
  7. Autofill service: security recommendations ➔ Partition data ➔ Field in

    focus ➔ Sensitive data restricted to the app that provided it AutofillFollies Whitepaper by Mark Murphy:- https://goo.gl/s1T33C @ScottyAB
  8. Recap: Network Security Config ➔ Custom Truststore ➔ Block clear

    text ➔ SSL Pinning ➔ Debug only config A previous talk https://youtu.be/XzRbhfVyoKo @ScottyAB
  9. Privacy improvements Nougat <=API25 Oreo API26+ ANDROID_ID Per device Per

    app-signing key, user, and device Serial Number Build.Serial Build.getSerial()
  10. ANDROID_ID ➔ Does not change on package uninstall or reinstall*

    ◆ Signing keys the same ◆ Unless uninstalled and then reinstalled after the OTA ➔ Use Advertising ID Google Play Store Policy: Advertising ID https://goo.gl/P2e41N
  11. Advantages ➔ Upload key reset ➔ Streamlined migration ➔ Optimization

    (APK size) Google Dev video - https://youtu.be/5tdGAP927dk @ScottyAB
  12. But... ➔ Permanent enrollment ➔ Register the upload key hash

    with APIs ➔ What about other app stores? @ScottyAB
  13. App Security Improvement Program ➔ Security tips in Play console

    ➔ Apps scanned before publish ➔ Trustmanager. Various AD SDKs, OpenSSL etc