What's 'Q' in Android Security

Transcript

1. What’s ‘Q’ in Android Security Scott Alexander-Bown @ScottyAB [email protected]

2. @ScottyAB

3. None
4. None

5. Updatablity Privacy Platform hardening @ScottyAB

6. Updatablity Privacy Platform hardening @ScottyAB

7. 8 devices 7 device makers 23 devices 13 device makers

   Project: Treble @ScottyAB

8. Project: Mainline aka Google Play System updates • Updates/security patches

   faster • Delivered via Google Play • Components ◦ Media Framework Components ◦ Conscrypt Image from android-developers.googleblog.com @ScottyAB

9. Updatablity Privacy Platform hardening @ScottyAB

10. Location Storage Connectivity Device Ids and more @ScottyAB

11. Access to Location in Background developer.android.com/training/location/receive-location-updates • Tri state dialog

    • System reminder about access to device location in the background • Graceful degradation i.e handle “deny and don't ask again”

12. Background permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" Must declare if targeting Q If targets

    P or lower system auto adds the permission during install developer.android.com/training/location/receive-location-updates @ScottyAB

13. developer.android.com/about/versions/10/privacy/changes#app-access-device-location

14. Location: Foreground Service developer.android.com/preview/privacy/device-location Remember to declare FOREGROUND_SERVICE permission if

    targeting P+ • New foreground Service Type @ScottyAB

15. Location External Storage Connectivity Device Ids and more @ScottyAB

16. What is the big change? • You get a filtered

    view into external storage • Use the MediaStore to access files from other apps

17. Scoped storage on Q • With READ_EXTERNAL_STORAGE • Accessing other

    apps files only if there are in media collections ◦ Photos -> MediaStore.Images ◦ Videos -> MediaStore.Video ◦ Music -> MediaStore.Audio @ScottyAB

18. Do you need external storage permissions?

19. @ScottyAB

20. Fixed it Warning: Scoped storage will be required in next

    year's major platform release for all apps, independent of target SDK level. @ScottyAB

21. Scoped storage will be required in Android R for all

    apps!

22. Location Storage Connectivity restrictions Device Ids and more @ScottyAB

23. • Cannot change the connection settings programmatically ◦ WifiManager.setWifiEnabled() ◦

    manual configuration of the list of Wi-Fi networks is now restricted to system apps* • Suggest WiFi networks ◦ WifiManager.addNetworkSuggestions(..) ◦ Listen for broadcast WifiManager.ACTION_WIFI_NETWORK_SUGGESTION_POST_CONNECTION @ScottyAB

24. Settings Panel Intent(Settings.Panel.ACTION_INTERNET_CONNECTIVITY) Start Intent AndroidX wrapper (TBC) @ScottyAB

25. Location Storage Connectivity Non resettable hardware IDs And more @ScottyAB

26. ‍♀ Now require READ_PRIVILEGED_PHONE_STATE If your app targets Android Q

    -> SecurityException If your app targets API level 28 or below -> null or placeholder data (if hold READ_PHONE_STATE permission) Otherwise, a SecurityException occurs. Restricted access to Device serial and IMEI @ScottyAB

27. Location Storage Connectivity Device Ids And a whole lot more...

    @ScottyAB

28. TLS 1.3 supported by default in Android Q Enhanced security

    40% faster with TLS 1.3 compared to TLS 1.2 Disable TLS 1.3 (only if you need to) ◦ SSLContext.getInstance("TLSv1.2") ◦ SSLSocket.setEnabledProtocols(..) @ScottyAB

29. Oh, BTW val url = URL("https://scottyab.com") val httpsURLConnection = url.openConnection()

    as HttpsURLConnection httpsURLConnection.sslSocketFactory = null • HttpsURLConnection.setSSLSocketFactory(null) throws an IllegalArgumentException @ScottyAB

30. Run embedded DEX code directly from APK • android:useEmbeddedDex=”true” in

    the <application> • Cannot use compressed DEX code ◦ Reduced performance ◦ Gradle: aaptOptions { noCompress 'dex' } @ScottyAB

31. More non-SDK interface restrictions Are you using reflection or JNI?

    More restrictions in Q! (also some whitelisted) StrictMode.VmPolicy.Builder().detectNonSdkApiUsage() developer.android.com/preview/non-sdk-q @ScottyAB

32. Misc Restrictions Background activity starts blocked Access to clipboard data

    ⚠ SYSTEM_ALERT_WINDOW on Android Q Go devices @ScottyAB

33. Encryption libraries @ScottyAB

34. Android X: Security • minSdk: 23 (M) • Safe and

    easy to use (based on Tink) • AES256 GCM • Implementations ◦ EncryptedFile ◦ EncryptedSharedPreferences developer.android.com/topic/security/data @ScottyAB

35. "androidx.security:security-crypto:1.0.0-alpha02" https://gist.github.com/scottyab/5012ab75454a777a60ec433661aafa8b @ScottyAB Generate the Key/Alias

36. "androidx.security:security-crypto:1.0.0-alpha02" https://gist.github.com/scottyab/5012ab75454a777a60ec433661aafa8b @ScottyAB Create

37. Under the hood facebook.github.io/stetho/ @ScottyAB

38. Migrating from regular shared prefs Do you need to migrate

    all prefs? ‍♂ What if decrypt fails? recover options? @ScottyAB

39. Updatablity Privacy Platform hardening @ScottyAB

40. android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html @ScottyAB

41. Adiantum: Encryption for the Next Billion Users • For Devices

    without AES hardware support ◦ Android Go Devices ◦ Smartwatches ◦ TVs • File/Disk encryption • Now part of the Android platform @ScottyAB

42. @ScottyAB

43. Privacy Checklist developer.android.com/about/versions/10/privacy @ScottyAB

44. developer.android.com/about/versions/10/privacy

45. Thank ‘Q’ Scott Alexander-Bown @ScottyAB [email protected] If you dig mobile

    come to SW mobile meetup.

46. References - android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html - developer.android.com/preview/privacy - source.android.com/security/enhancements