Don’t get stung by OWASP - An intro into writing code for greater Android Security

Transcript

1. Don’t get stung by OWASP An intro into writing code

   for greater Android Security @Sp4ghettiCode / spght.dev - Android Worldwide Jan 2022 - Ed George

2. @Sp4ghettiCode / spght.dev • Senior Android Dev @ ASOS •

   Dad to a Pomeranian 🐶 • Security ‘enthusiast’ (note: not expert) Find me on social: • @Sp4ghettiCode 🍝 • spght.dev/talks • Follow me for more! (And dog pictures) Who am I?

3. @Sp4ghettiCode / spght.dev Talk Agenda AKA - What I hope

   I have enough time to cover • Introduction to some of the OWASP Top 10 • Address the most common mistakes in our apps • Look into securing data within Room / Shared Prefs • Q&A • Bonus: The time I was stung by 50 wasps IRL 🙈🐝

4. @Sp4ghettiCode / spght.dev ⚠ MANDATORY LEGAL WARNING ⚠ You know,

   just in case someone goofs up later. • Anything you learn here is to be used for educational purposes ONLY • Do NOT test on apps you are not authorised to use • Please consider seeking your company’s security advice from someone that knows a lot more than me! • This talk is NOT associated with and/or endorsed by the OWASP Foundation or my employer!

5. @Sp4ghettiCode / spght.dev Why should we care about security? *

   * Mobile Developers

6. @Sp4ghettiCode / spght.dev Why should we care? • The mobile

   attack surface is HUGE and growing • Mobile security is often neglected by organisations + devs • Growing financial incentives for malicious actors • Mobile security is not rocket science (as we shall see)! • Mobile’s own ‘Log4Shell’ is always right around the corner…

7. @Sp4ghettiCode / spght.dev – Stéphane Nappo, ‘Global Chief Information Security

   Officer of the Year 2018’ “It takes years to build a reputation and a few minutes of a cyber-incident to ruin it.”

8. @Sp4ghettiCode / spght.dev Introducing OWASP

9. @Sp4ghettiCode / spght.dev ‘Who’ or ‘What’ is OWASP? • Open

   Web Application Security Project • Non-profit OWASP Foundation created in 2001 • Provides free security resources for developers & organisations alike • Also maintains ‘Top 10’ list(s) of the greatest security threats to application security

10. @Sp4ghettiCode / spght.dev Top 10 Mobile Threats Source: owasp.org/www-project-mobile-top-10 (Last

    updated 2016) 1. Improper Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 6. Insecure Authorisation 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10. Extraneous Functionality

11. @Sp4ghettiCode / spght.dev Top 10 Mobile Threats Source: owasp.org/www-project-mobile-top-10 (Last

    updated 2016) 1. Improper Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 6. Insecure Authorisation 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10. Extraneous Functionality 5

12. @Sp4ghettiCode / spght.dev Improper Platform Usage #1 OWASP Threat IT’S

    YOU.

13. @Sp4ghettiCode / spght.dev Improper Platform Usage #1 OWASP Threat •

    Misuse of Android features by YOU, the developer • Intents • Android Keychain • App Security Features • Basically, anytime you use the Android framework and mess it up 🤪

14. @Sp4ghettiCode / spght.dev Improper Platform Usage Example • Introducing: My

    Secure App™ • Simple ‘Login Flow’ • “Login Activity” • “Home/Main Activity” • Home is ‘only accessible’ with PIN 1234 Source available @ spght.dev/talks

15. @Sp4ghettiCode / spght.dev Improper Platform Usage Can you spot the

    mistake? <application> <activity android:name=".login.LoginActivity" android:exported="true" android:label="@string/app_name" android:screenOrientation="portrait" android:theme="@style/Theme.OWASPDemo.NoActionBar"> <intent-filter> <action android:name="android.intent.action.MAIN" /> <category android:name="android.intent.category.LAUNCHER" /> </intent-filter> </activity> <activity android:name=".home.MainActivity" android:screenOrientation="portrait" android:exported="true" android:theme="@style/Theme.OWASPDemo.NoActionBar" /> </application>

16. @Sp4ghettiCode / spght.dev Improper Platform Usage Can you spot the

    mistake? <application> <activity android:name=".login.LoginActivity" android:exported="true" android:label="@string/app_name" android:screenOrientation="portrait" android:theme="@style/Theme.OWASPDemo.NoActionBar"> <intent-filter> <action android:name="android.intent.action.MAIN" /> <category android:name="android.intent.category.LAUNCHER" /> </intent-filter> </activity> <activity android:name=".home.MainActivity" android:screenOrientation="portrait" android:exported="true" android:theme="@style/Theme.OWASPDemo.NoActionBar" /> </application>

17. @Sp4ghettiCode / spght.dev Improper Platform Usage How is this exploited?

    • Use a tool like ‘drozer’ to scan app for vulnerable activities, broadcast receivers and content providers • github.com/FSecureLABS/drozer • Run ADB to exploit Source: securitygrind.com

18. @Sp4ghettiCode / spght.dev Improper Platform Usage Exploit Demo adb shell

    am start -n dev.spght.owasp/dev.spght.owasp.home.MainActivity

19. @Sp4ghettiCode / spght.dev Improper Platform Usage Fixing the exploit <application>

    <activity android:name=".login.LoginActivity" android:exported="true" android:label="@string/app_name" android:screenOrientation="portrait" android:theme="@style/Theme.OWASPDemo.NoActionBar"> <intent-filter> <action android:name="android.intent.action.MAIN" /> <category android:name="android.intent.category.LAUNCHER" /> </intent-filter> </activity> <activity android:name=".home.MainActivity" android:screenOrientation="portrait" android:exported="false" android:theme="@style/Theme.OWASPDemo.NoActionBar" /> </application>

20. @Sp4ghettiCode / spght.dev Improper Platform Usage Example #2 • ‘Tap-jacking’

    vulnerability • Apps can draw over other apps and monitor their contents • They can also pass spoofed touch events • Combined, this can be used maliciously to trick users into entering passwords, accepting permissions, etc • Permission required for these apps, but only recently

21. @Sp4ghettiCode / spght.dev Improper Platform Usage Exploit Demo • ‘Tap-jacking’

    example • Bypassed any need for permission! • Patched as of Android N (Dec 2017) • This could have happened silently! Credit: Constantinos Patsakis Source: youtu.be/zSb_QcDgJ64

22. @Sp4ghettiCode / spght.dev Improper Platform Usage Fixing the exploit #2

    <Button android:id="@+id/example" android:layout_width="match_parent" android:layout_height="wrap_content" android:filterTouchesWhenObscured="true" android:text=“Hello World" />

23. @Sp4ghettiCode / spght.dev Insecure Data Storage #2 OWASP Threat IT’S

    YOUR DATA.

24. @Sp4ghettiCode / spght.dev Insecure Data Storage #2 OWASP Threat •

    SharedPreferences • Stores KVPs in plaintext XML • Trivial to access • Room Database • SQLite Database • Again, trivial to access stored data

25. @Sp4ghettiCode / spght.dev Insecure Data Storage Exploit • Possible to

    reverse engineer app to make it ‘debuggable’ • Rooted phones… have root! 🪱🥫 • XML file stored in /data/data/<package_name>/shared_prefs • Databases in /data/data/<package_name>/databases

26. @Sp4ghettiCode / spght.dev Insecure Data Storage Jetpack Security Library •

    developer.android.com/topic/security/data • Provides EncryptedSharedPreferences • Utilises Google’s Tink security lib • Currently in v1.0.0 stable (April 2021) • v1.1.0 alpha-03 (May 2021) provides support for API 21+

27. @Sp4ghettiCode / spght.dev Insecure Data Storage EncryptedSharedPreferences Migration EncryptedSharedPreferences.create( context,

    "my_secure_app_prefs", MasterKey.Builder(context) .setKeyScheme(MasterKey.KeyScheme.AES256_GCM) .build(), EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV, EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM )

28. @Sp4ghettiCode / spght.dev Insecure Data Storage SQLCipher • github.com/sqlcipher/android-database-sqlcipher •

    Provides custom SupportSQLiteOpenHelper.Factory implementation • Implements 256-bit AES encryption of database files • Uses ‘passphrase’ to unlock files to allow read/write

29. @Sp4ghettiCode / spght.dev Insecure Data Storage SQLCipher val passphrase: ByteArray

    = SQLiteDatabase.getBytes(userEnteredPassphrase) val factory = SupportFactory(passphrase) val room: MyDatabase = Room.databaseBuilder(ctx, MyDatabase::class.java, DB_NAME) .openHelperFactory(factory) .build()

30. @Sp4ghettiCode / spght.dev Insecure Data Storage Cheatsheet SharedPreferences Room Realm

    EncryptedSharedPreferences SQLCipher Stores data in plaintext (default) ✅ ✅ ✅ ❌ ❌ Provides encryption functionality ❌ ❌ ⚠ Not by default ✅ ✅ Min API 1 14 16 v1.0.0: 23 v1.1.0 (alpha): 21 16 First Party Support ✅ ✅ ❌ ✅ ❌ Note: DataStore omitted here, but at time of writing (Jan 2022) has no support for encryption

31. @Sp4ghettiCode / spght.dev Insecure Communication #3 OWASP Threat IT’S YOUR

    NETWORKING.

32. @Sp4ghettiCode / spght.dev Insecure Communication #3 OWASP Threat • Misconfigured

    Network Security Configuration • Allowing clear-text traffic (i.e.HTTPS HTTP) • User Certificates allowed • Logging network traffic in LogCat • No Certificate Pinning / Certificate Transparency

33. @Sp4ghettiCode / spght.dev Insecure Communication Exploit • Use tools such

    as Charles • Breakpoints allow for modification of request / response • SSL proxy possible when user certificates are allowed

34. @Sp4ghettiCode / spght.dev Insecure Communication Network Security Config <network-security-config> <!--

    Ensure cleartextTrafficPermitted is false (Default as of Android 9) --> <base-config cleartextTrafficPermitted="false"> <trust-anchors> <certificates src="system" /> </trust-anchors> </base-config> </network-security-config>

35. @Sp4ghettiCode / spght.dev Insecure Communication Network Security Config <network-security-config> <!--

    Only add user certificate allowances in the debug-overrides to --> <!-- ensure release builds are secure --> <debug-overrides> <trust-anchors> <certificates src="system" /> <certificates src="user" /> </trust-anchors> </debug-overrides> </network-security-config>

36. @Sp4ghettiCode / spght.dev Insecure Authentication #4 OWASP Threat IT’S YOUR

    IDENTITY.

37. @Sp4ghettiCode / spght.dev Insecure Authentication #4 OWASP Threat • APIs

    that don’t utilise access tokens • Storing passwords / PINs locally • Weak password policies • Persistent authentication enabled by default

38. @Sp4ghettiCode / spght.dev Insecure Authentication #4 OWASP Threat • Use

    revokable tokens in your APIs • Don’t do any authentication locally if possible • PINs should be length of 5+ • Opt-in for ‘remember me’ functionality

39. @Sp4ghettiCode / spght.dev Insecure Cryptography #5 OWASP Threat IT’S YOUR

    ALGORITHMS.

40. @Sp4ghettiCode / spght.dev Insecure Cryptography #5 OWASP Threat • Do

    NOT use outdated algorithms • SHA-1, MD5, MD4, RC2 • Encoding != Hashing != Encrypting • BASE64-ing something is not cryptography • Don’t come up with your own solutions • (Unless you are a cryptographer)

41. @Sp4ghettiCode / spght.dev Insecure Cryptography #5 OWASP Threat • Consider

    using Google’s Tink library • AES-256 for symmetric encryption • RSA-2048 or ECC for asymmetric encryption • BONUS: Avoid storing sensitive data locally!

42. @Sp4ghettiCode / spght.dev Recap Top threats! • YOU • YOUR

    DATA • YOUR NETWORK • YOUR IDENTITY • YOUR ALGORITHMS

43. @Sp4ghettiCode / spght.dev Thanks for watching! • Find me on

    Twitter @Sp4ghettiCode • More resources and links at spght.dev/talks • Please do reach out if you are interested in learning more or have knowledge to share with the community! • Questions and Answers to follow…

44. @Sp4ghettiCode / spght.dev EOF