Don’t get stung by OWASP - An intro into writing code for greater Android Security
In this session we take a dive into OWASP's Top 10 threats for mobile security, the common Android security pitfalls we all succumb to, and look at how to code with a more security-focused mindset going forward.
Who am I? • Dad to a Pomeranian 🐶 • Security ‘enthusiast’ (note: not expert) • Find me on social: @Sp4ghettiCode 🍝 • spght.dev/talks • Follow me for more! (And dog pictures)
I have enough time to cover • Introduction to some of the OWASP Top 10 • Address the most common mistakes in our apps • Look into securing data within Room / Shared Prefs • Q&A • Bonus: The time I was stung by 50 wasps IRL 🙈🐝
Disclaimer, just in case someone goofs up later: • Anything you learn here is to be used for educational purposes ONLY • Do NOT test on apps you are not authorised to test • Please seek your company’s security advice from someone who knows a lot more than me! • This talk is NOT associated with or endorsed by the OWASP Foundation or my employer!
The mobile attack surface is HUGE and growing • Mobile security is often neglected by organisations and devs alike • Growing financial incentives for malicious actors • Mobile security is not rocket science (as we shall see)! • Mobile’s own ‘Log4Shell’ is always right around the corner…
OWASP = Open Web Application Security Project • Non-profit OWASP Foundation, created in 2001 • Provides free security resources for developers and organisations alike • Also maintains ‘Top 10’ lists of the greatest threats to application security, including one for mobile
Improper platform usage: misuse of Android features by YOU, the developer • Intents • Android KeyChain • App security features • Basically, any time you use the Android framework and get it wrong 🤪
• Use a tool like drozer to scan the app for vulnerable (exported) activities, broadcast receivers and content providers • github.com/FSecureLABS/drozer • Then use adb to invoke the exposed component directly and confirm the exposure Source: securitygrind.com
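Before pointing drozer or adb at a device, the same question can be answered statically from the manifest. The script below is an added example (not from the talk and not part of drozer); the manifest, package name com.example.victim and component names are constructed. It encodes the rules Android actually applies: android:exported="true" makes a component callable from any app, a component with an <intent-filter> and no explicit android:exported is exported by default below targetSdkVersion 31, and only an android:permission attribute gates an exported component. targetSdkVersion is read from <uses-sdk>, which the merged manifest inside the APK carries even when Gradle sets it.

```python
"""Static check for exported Android components (added example, not drozer)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed manifest for the example; package and component names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.victim">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30" />
  <application>
    <!-- Launcher activity: must be exported, so it is not reported. -->
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <!-- Deep-link activity: no android:exported, so the intent-filter
         makes it exported by default on targetSdkVersion < 31. -->
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="victim" android:host="transfer" />
      </intent-filter>
    </activity>
    <!-- Explicitly exported and unguarded: any app can broadcast to it. -->
    <receiver android:name=".DebugReceiver" android:exported="true" />
    <!-- Exported but gated by a permission: acceptable. -->
    <provider android:name=".SyncProvider"
              android:authorities="com.example.victim.sync"
              android:exported="true"
              android:permission="com.example.victim.permission.SYNC" />
    <!-- Private component. -->
    <service android:name=".UploadService" android:exported="false" />
  </application>
</manifest>
"""


def attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(ANDROID_NS + name)


def is_launcher(component):
    """True if any intent-filter on the component carries the LAUNCHER category."""
    return any(attr(cat, "name") == LAUNCHER_CATEGORY for cat in component.iter("category"))


def is_exported(component, target_sdk):
    """Resolve the effective android:exported value for a component."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # No explicit value: below targetSdk 31 an <intent-filter> implies exported.
    # From 31 the build rejects this case, so it cannot occur in a shipped app.
    # (Providers on minSdk < 17 were also exported by default; not modelled here.)
    return target_sdk < 31 and component.find("intent-filter") is not None


def find_unprotected_components(manifest_xml, default_target_sdk=30):
    """Return (tag, name, reason) for exported components with no permission gate."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = default_target_sdk
    if uses_sdk is not None and attr(uses_sdk, "targetSdkVersion"):
        target_sdk = int(attr(uses_sdk, "targetSdkVersion"))

    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp, target_sdk) or attr(comp, "permission"):
                continue
            if tag in ("activity", "activity-alias") and is_launcher(comp):
                continue
            reason = ('android:exported="true" with no android:permission'
                      if attr(comp, "exported") is not None
                      else "implicitly exported by <intent-filter> (targetSdk < 31)")
            findings.append((tag, attr(comp, "name"), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in find_unprotected_components(SAMPLE_MANIFEST):
        print(f"[{tag}] {name}: {reason}")
```

Each finding is a component you would then try to reach from the shell, for the constructed names above something like adb shell am start -n com.example.victim/.TransferActivity -d victim://transfer; if the activity opens without the app's own login flow in front of it, that is the bug.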
Overlay vulnerability • Apps can draw over other apps and monitor their contents • They can also inject spoofed touch events • Combined, this can be used to trick users into entering passwords, accepting permissions, etc. • Drawing over other apps requires a permission (SYSTEM_ALERT_WINDOW), but that has only been enforced relatively recently; on the app side, android:filterTouchesWhenObscured="true" makes a view drop touches that arrive while it is covered by another window
Example: an overlay that bypassed any need for the permission! • Patched as of Android N (Dec 2017) • This could have happened silently! Credit: Constantinos Patsakis Source: youtu.be/zSb_QcDgJ64
Attackers can reverse engineer the app to make it ‘debuggable’ (a debuggable app’s private files can then be read over adb) • Rooted phones… have root! 🪱🥫 • SharedPreferences are XML files stored in /data/data/<package_name>/shared_prefs • Databases live in /data/data/<package_name>/databases
                                   | SharedPreferences | Room | (third option, label lost) | EncryptedSharedPreferences      | SQLCipher
Stores data in plaintext (default) | ✅                | ✅   | ✅                         | ❌                              | ❌
Provides encryption functionality  | ❌                | ❌   | ⚠ Not by default           | ✅                              | ✅
Min API                            | 1                 | 14   | 16                         | v1.0.0: 23 / v1.1.0 (alpha): 21 | 16
First-party support                | ✅                | ✅   | ❌                         | ✅                              | ❌
Note: DataStore is omitted here, but at the time of writing (Jan 2022) it has no support for encryption.
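What the plaintext row of the table means in practice, as an added example that is not from the talk: a quick triage of a shared_prefs XML file copied off a rooted or debuggable device (from the /data/data/<package_name>/shared_prefs path above). The file contents and key names are constructed, and the key-name heuristic is this example's own. It shows that values in plain SharedPreferences are readable as-is and that a Base64 "obfuscated" value is one function call away from plaintext; a file written by EncryptedSharedPreferences would show neither readable keys nor decodable values.

```python
"""Triage of a shared_prefs XML dump (added example; file contents constructed)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed to look like /data/data/<package_name>/shared_prefs/session.xml
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="session_token">s3ss10n-7f2a9c-live</string>
    <string name="user_pin">NDkyMQ==</string>
    <boolean name="biometrics_enabled" value="true" />
    <int name="launch_count" value="7" />
</map>
"""

# Key-name heuristic for values worth a closer look (this example's own list).
SENSITIVE_NAME = re.compile(r"pass|pin|token|secret|key|cred|auth|session", re.I)
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def base64_plaintext(value):
    """If value is Base64 of printable text, return that text; otherwise None."""
    if len(value) % 4 or not BASE64_SHAPE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage_prefs(xml_text):
    """Return (key, verdict) for every sensitive-looking entry in the file."""
    findings = []
    for entry in ET.fromstring(xml_text):
        name = entry.get("name", "")
        if not SENSITIVE_NAME.search(name):
            continue
        # <string> keeps its value as text; the other types use a value attribute.
        value = ((entry.text if entry.tag == "string" else entry.get("value")) or "").strip()
        decoded = base64_plaintext(value)
        if decoded is not None:
            findings.append((name, f"Base64 only, decodes to {decoded!r}"))
        else:
            findings.append((name, "plaintext"))
    return findings


if __name__ == "__main__":
    for key, verdict in triage_prefs(SAMPLE_PREFS):
        print(f"{key}: {verdict}")
```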
<network-security-config>
    <!-- Only add user certificate allowances in the debug-overrides to
         ensure release builds are secure. debug-overrides are honoured
         only when android:debuggable="true". -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
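A release-readiness check over a network_security_config.xml, as an added example that is not from the talk. Both configs are constructed: the weak one puts src="user" and cleartextTrafficPermitted="true" in <base-config>, the hardened one keeps user CAs inside <debug-overrides>, which only apply to debuggable builds. The target_sdk parameter is this example's own, because the platform default for cleartext depends on it: cleartext is blocked by default only from targetSdkVersion 28, so a config that never sets cleartextTrafficPermitted is not safe on older targets.

```python
"""Release-readiness check for network_security_config.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed: what a config often looks like after debugging through a proxy.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>
"""

# Constructed: same debugging need, but user CAs confined to debuggable builds.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>
"""


def audit_network_security_config(xml_text, target_sdk):
    """Return (section, issue) pairs that would weaken a release build."""
    root = ET.fromstring(xml_text)
    issues = []
    for section in root:  # top-level <base-config>, <domain-config>, <debug-overrides>
        if section.tag == "debug-overrides":
            continue  # honoured only when android:debuggable="true"
        if section.get("cleartextTrafficPermitted", "").lower() == "true":
            issues.append((section.tag, 'cleartextTrafficPermitted="true" allows plain HTTP'))
        for cert in section.iter("certificates"):
            if cert.get("src") == "user":
                issues.append((section.tag, 'src="user" trusts user-installed CAs in release builds'))
    # Platform default: cleartext is permitted below targetSdkVersion 28 unless
    # base-config says otherwise.
    base = root.find("base-config")
    if target_sdk < 28 and (base is None or base.get("cleartextTrafficPermitted") is None):
        issues.append(("base-config", "cleartextTrafficPermitted not set; default permits cleartext below targetSdk 28"))
    return issues


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_network_security_config(cfg, target_sdk=30))
```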
Do NOT use outdated algorithms • SHA-1, MD5, MD4, RC2 • Encoding != Hashing != Encrypting • Base64-encoding something is not cryptography • Don't roll your own solutions (unless you are a cryptographer)
Consider using Google’s Tink library • AES-256 for symmetric encryption (Tink’s AEAD primitives give you an authenticated mode rather than raw AES) • RSA-2048 or ECC for asymmetric encryption • BONUS: Avoid storing sensitive data locally!
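A small source lint for the two slides above, as an added example that is not from the talk. It flags the outdated algorithms the slide names and, going a little beyond the slide, the related misuses a reviewer looks for at the same time: ECB as the default mode when Cipher.getInstance("AES") is called without a mode, unauthenticated CBC, RSA with PKCS#1 v1.5 padding, hard-coded SecretKeySpec material, java.util.Random used for key or IV bytes, and Base64 applied to a password-like variable. The Kotlin it scans is constructed, the rule ids are this example's own, and the Tink line is only there to show the linter leaves sound code alone.

```python
"""Lint for weak crypto usage in Android source (added example; source constructed)."""
import re

# Constructed Kotlin, mixing the slide's don'ts with lines a reviewer should pass.
SAMPLE_SOURCE = """\
val digest = MessageDigest.getInstance("MD5").digest(pin.toByteArray())
val legacy = Cipher.getInstance("AES")
val cbc = Cipher.getInstance("AES/CBC/PKCS5Padding")
val rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding")
val key = SecretKeySpec("s3cr3t-k3y-1234!".toByteArray(), "AES")
val iv = ByteArray(12).also { Random().nextBytes(it) }
val stored = Base64.encodeToString(password.toByteArray(), Base64.DEFAULT)
val ok1 = MessageDigest.getInstance("SHA-256")
val ok2 = Cipher.getInstance("AES/GCM/NoPadding")
val ok3 = ByteArray(12).also { SecureRandom().nextBytes(it) }
val ok4 = KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM"))
"""

WEAK_HASHES = {"MD2", "MD4", "MD5", "SHA1", "SHA-1"}
WEAK_CIPHERS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}

DIGEST_CALL = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"')
CIPHER_CALL = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
# A string literal fed straight into SecretKeySpec is a key baked into the APK.
HARDCODED_KEY = re.compile(r'SecretKeySpec\(\s*"[^"]+"\s*\.(?:toByteArray|getBytes)\(')
# \b keeps SecureRandom() from matching.
INSECURE_RANDOM = re.compile(r'\bRandom\(\)')
# Heuristic: Base64 of something named like a secret is encoding, not encryption.
BASE64_SECRET = re.compile(r'Base64\.encode(?:ToString)?\(\s*[\w.]*?(?:pass|secret|token|pin)', re.I)


def check_cipher(transformation):
    """Map a JCE transformation string to a rule id, or None if acceptable."""
    parts = transformation.upper().split("/")
    alg = parts[0]
    mode = parts[1] if len(parts) > 1 else None
    padding = parts[2] if len(parts) > 2 else None
    if alg in WEAK_CIPHERS:
        return "weak-cipher"
    if alg == "RSA":
        return "rsa-pkcs1-v1.5" if padding and padding.startswith("PKCS1") else None
    if alg == "AES":
        if mode is None or mode == "ECB":
            return "ecb-mode"  # "AES" alone resolves to AES/ECB/PKCS5Padding on Android
        if mode == "CBC":
            return "cbc-unauthenticated"  # acceptable only with a MAC; prefer GCM
    return None


def lint_crypto(source):
    """Return (line_no, rule_id, line) for each suspicious line."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        rules = []
        m = DIGEST_CALL.search(line)
        if m and m.group(1).upper() in WEAK_HASHES:
            rules.append("weak-hash")
        m = CIPHER_CALL.search(line)
        if m:
            rule = check_cipher(m.group(1))
            if rule:
                rules.append(rule)
        if HARDCODED_KEY.search(line):
            rules.append("hardcoded-key")
        if INSECURE_RANDOM.search(line):
            rules.append("insecure-random")
        if BASE64_SECRET.search(line):
            rules.append("base64-as-encryption")
        findings.extend((no, rule, line.strip()) for rule in rules)
    return findings


if __name__ == "__main__":
    for no, rule, line in lint_crypto(SAMPLE_SOURCE):
        print(f"line {no}: {rule}: {line}")
```

Regex linting cannot see data flow, so treat hits as review prompts rather than verdicts; the point of the exercise is that every flagged line has a boring correct replacement (SHA-256, AES/GCM, OAEP, a Keystore- or Tink-managed key, SecureRandom, real encryption instead of Base64).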
Twitter @Sp4ghettiCode • More resources and links at spght.dev/talks • Please do reach out if you are interested in learning more or have knowledge to share with the community! • Questions and Answers to follow…