
What's Nnnnnew in Security Droidcon IT

Fresh from Droidcon IT. Android N brings a plethora of security enhancements to the platform and the SDK, including network layer security, a hardware-backed Keystore, APK Signing v2, Scoped Directory Access and Direct Boot. Come to this talk to get a concise update on the new features, practical tips and examples of how to implement them in your app today!

Scott Alexander-Bown

April 07, 2017

Transcript

  1. At a glance: Direct Boot; Android Keystore (Key Attestation); 'Securer' networking; misc system and app differences; SafetyNet. @ScottyAB Slides/Links https://goo.gl/sL5z7U
  2. Terms: 6.0 - M - API 23 - Marshmallow; 7.0 - N - API 24 - Nougat; 7.1 - N (MR1) - API 25 - Nougat
  3. Booting an encrypted device pre-7.0: boot halted for PIN/password; whole device encrypted with the same key; Android used block-level encryption
  4. Direct Boot mode: boot direct to the lock screen; calls, SMS & alarms work; and your app too!
  5. Direct Boot aware <receiver />
     <receiver
         android:name=".directboot.MyDirectBootAwareReceiver"
         android:directBootAware="true">
         <intent-filter>
             <!-- Intent.ACTION_LOCKED_BOOT_COMPLETED resolves to the string below
                  (the slide's "android.intent.action.ACTION_LOCKED_BOOT_COMPLETED" would never match) -->
             <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
         </intent-filter>
     </receiver>
  7. Accessing device encrypted storage
     // Preference key for a limited-scope (read-only) token kept in device-protected storage
     // (key value assumed here; the slide only shows the constant name)
     private static final String READ_ONLY_OAUTH_TOKEN = "read_only_oauth_token";

     @Override
     public void onReceive(Context context, Intent intent) {
         // Device-protected storage is readable before the user unlocks (Direct Boot).
         // ContextCompat returns null on pre-N devices, hence the null check.
         Context directBootContext = ContextCompat.createDeviceProtectedStorageContext(context);
         if (directBootContext != null) {
             SharedPreferences sharedPreferences =
                 PreferenceManager.getDefaultSharedPreferences(directBootContext);
             String token = sharedPreferences.getString(READ_ONLY_OAUTH_TOKEN, null);
             // do read-only API lookup
             // ...
         }
     }
  10. Direct Boot, so what is it good for? Messaging apps, important user notifications. Already using a BootCompleted listener? Device encrypted storage for limited-scope API tokens, i.e. read-only
  11. What's new? AES and HMAC (Android M); N+ must be hardware backed (new devices)
  12. Is the Keystore hardware backed?
      // deprecated
      KeyChain.isBoundKeyAlgorithm("RSA");

      // Recommended alternative
      PrivateKey key = ...; // private key from KeyChain
      KeyFactory keyFactory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
      KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class);
      if (keyInfo.isInsideSecureHardware()) {
          // The key is bound to the secure hardware of this Android device
      }
  13. Key Attestation: verify a key is stored in the hardware-backed keystore; N+ (new devices); a special key is baked into the firmware
  14. Securer Networking: custom trust store / anchors; debug-only CA overrides; block non-HTTPS traffic; limit the certs you trust
  15. Configuring CAs for debugging: self-signed certs in development; only enabled when android:debuggable=true; safer than conditional code
  16. User certs not trusted by default* (*running on API 24+ and targeting API 24+). Screenshot: mitmproxy
  17. Trusting user installed certs
      <network-security-config>
          <debug-overrides>
              <trust-anchors>
                  <certificates src="user" />
              </trust-anchors>
          </debug-overrides>
      </network-security-config>
      Gist: https://goo.gl/KN1QLp
  18. Pinning certificates: SSL pinning lets apps limit the set of certificates they accept. Pin a hash of the SubjectPublicKeyInfo of the X.509 certificate. https://youtu.be/AO5tpN073As
  19. SSL Pinning
      <network-security-config>
          <domain-config>
              <domain>scottyab.com</domain>
              <pin-set expiration="2018-03-08">
                  <pin digest="SHA-256">7HIpactkIAq2Y49…Y=</pin>
                  <!-- backup pin -->
                  <pin digest="SHA-256">fwza0LRMXouZHR…E=</pin>
              </pin-set>
          </domain-config>
      </network-security-config>
  20. How to get the pin?
      $ openssl s_client -servername scottyab.com -connect scottyab.com:443 </dev/null \
          | openssl x509 -pubkey -noout \
          | openssl rsa -pubin -outform der \
          | openssl dgst -sha256 -binary \
          | openssl enc -base64
      Thanks to John Kozyrakis @ikoz
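The pin computation and the <pin-set expiration> behaviour from slides 19 and 20, as an added worked example that is not from the talk: a small stdlib-only DER walker locates the SubjectPublicKeyInfo in a certificate, derives the same base64 SHA-256 pin the openssl pipeline prints, and evaluates it against a pin set for a single certificate (Android accepts a match anywhere in the chain). The certificate is a constructed shell, not a real or signed one, and b64_sha256, spki_pin, pin_accepts and make_cert are names introduced here.

```python
import base64, hashlib
from datetime import date

def b64_sha256(data):
    """Base64(SHA-256(data)): the encoding used inside <pin digest="SHA-256">."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def _tlv(buf, off):
    """Read one DER TLV at buf[off:]; return (tag, value, raw_tlv, next_offset)."""
    start, tag, length, off = off, buf[off], buf[off + 1], off + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], buf[start:off + length], off + length

def _children(seq_value):
    """Split the body of a SEQUENCE into (tag, value, raw_tlv) triples."""
    out, off = [], 0
    while off < len(seq_value):
        tag, val, raw, off = _tlv(seq_value, off)
        out.append((tag, val, raw))
    return out

def spki_pin(cert_der):
    """Pin = base64(sha256(whole SubjectPublicKeyInfo TLV)) of a DER X.509 certificate."""
    _, cert, _, _ = _tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])       # tbsCertificate fields
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version (v2/v3)
        fields = fields[1:]
    return b64_sha256(fields[5][2])                 # serial, sigAlg, issuer, validity, subject, SPKI

def pin_accepts(cert_der, pins, expiration, today):
    """<pin-set expiration="YYYY-MM-DD">: after that date Android stops pinning (CA trust
    alone decides); before it the certificate's SPKI hash must be one of the pins."""
    if date.fromisoformat(today) > date.fromisoformat(expiration):
        return True
    return spki_pin(cert_der) in pins

def _enc(tag, content):                             # minimal DER encoder for the sample (len < 256)
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content

RSA_ALG = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010101")) + _enc(0x05, b""))
SPKI = _enc(0x30, RSA_ALG + _enc(0x03, b"\x00" + bytes(32)))   # constructed: zeros stand in for a key

def make_cert(spki, v3=True):
    """Constructed certificate shell around `spki` (placeholder names/signature, not a real cert)."""
    name, validity = _enc(0x30, b""), _enc(0x30, _enc(0x17, b"170407000000Z") * 2)
    version = _enc(0xA0, _enc(0x02, b"\x02")) if v3 else b""
    tbs = _enc(0x30, version + _enc(0x02, b"\x01") + RSA_ALG + name + validity + name + spki)
    return _enc(0x30, tbs + RSA_ALG + _enc(0x03, b"\x00" + bytes(16)))

SAMPLE_CERT = make_cert(SPKI)
```

Feeding a real DER certificate (openssl x509 -outform der) to spki_pin gives the same value as the pipeline on slide 20.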
  21. Under the hood: the media stack and platform hardening; kernel hardening (with error correction)
  22. App data directory: sharing files is explicitly opt-in; content:// URI instead of file://; use FileProvider (support-lib)
  23. APK signing scheme v2: faster, more secure. You're already using both? zipalign before (not after) signing
  24. SafetyNetApi - misc: check Verified Apps status; enable Verified Apps; list installed Potentially Harmful Apps (PHA); reCAPTCHA integration
  25. Bonus slide! Android O: SSLv3 dropped; WebView isolated process; Android_ID and Build.Serial; native libraries (writable and executable)
  26. Thanks for listening. Scott Alexander-Bown @ScottyAB [email protected] Shout outs: @commonsguy @ikoz +AdrianLudwig @doriancussen @niallscott @trionkidnapper @subsymbolics Slides/Links https://goo.gl/sL5z7U Hire me