In this talk we will look at the Jetpack Security (JetSec) libraries, the common mobile security problems they solve, how they work and the functionality they offer to developers in code
@sp4ghetticode / spght.devLiving the“JetSec Lifestyle” 🏖Ed Holloway-George @ Android Meetup - June 2023
View Slide
@sp4ghetticode / spght.devWho am I?• Lead Android Dev @ ASOS• Android Google Dev Expert• I like to talk about mobilesecurity a lot• Available on all good socialmedia platforms (inc. Tw*tter)• More talks @ spght.devIntroduction
@sp4ghetticode / spght.devWhat is your favouriteAndroid library?
@sp4ghetticode / spght.devRetrofitWhat is your favouriteAndroid library?
@sp4ghetticode / spght.devHilt RetrofitWhat is your favouriteAndroid library?
@sp4ghetticode / spght.devRetrofitHiltKoinTimberLeak CanaryAccompanistPaparazziActionBarSherlockKtorAppyxGlideCoilMockkSQLDelightWhat is your favouriteAndroid library?
@sp4ghetticode / spght.devSo many choices!
@sp4ghetticode / spght.devJetSec
@sp4ghetticode / spght.devWhat is JetSec? 😅
@sp4ghetticode / spght.devJetpackSec
@sp4ghetticode / spght.devJetpack Security
@sp4ghetticode / spght.devSit back and enjoy thejourney… 🛫
@sp4ghetticode / spght.dev- Most Android Developers, 2023“Mobile security is hard & easyto get wrong”
@sp4ghetticode / spght.devJetpack SecurityJetSec solves this• Simple use libraries• Follows security best practises• Addresses common mobile security use-casesWhat is it?
@sp4ghetticode / spght.devJetpack SecurityWhat is it?Suite of security related libraries:• security-crypto• security-app-authenticator• security-identity-credential
@sp4ghetticode / spght.devJetpack SecurityWhat is it?Suite of security related libraries:• security-crypto - stable and ktx available• security-app-authenticator - alpha• security-identity-credential - alpha
@sp4ghetticode / spght.devsecurity-crypto
@sp4ghetticode / spght.devJetpack Securitysecurity-crypto libraryWhat is it trying to solve?• OWASP Mobile Top 10 - #2 Insecure Data Storage• SharedPreferences by default are insecure• Stored in plaintext• XML file has known location /data/data//shared_prefs• Also trivial exploits exist to access production app’s prefsMore details:• “Don’t get stung by OWASP” @ spght.dev/talks• “Unpacking Android Security: Part 2” @ spght.dev/archive
@sp4ghetticode / spght.devJetpack Securitysecurity-crypto library• EncryptedSharedPreferences• Wraps the existing SharedPreferences API• Keys and Values encrypted using AES-256• EncryptedFile• Secure impl of FileInputStream / FileOutputStream
@sp4ghetticode / spght.devJetpack Securitysecurity-crypto libraryWho should use this?• Banking/FinTech Apps• Medical Apps• Chat Apps• Basically anything regulated• Or anyone misusing SharedPreferences… (No PII please)
@sp4ghetticode / spght.devJetpack Securitysecurity-crypto library• How does it work?• Uses Tink under the hood• Helps to provide a simple API to perform cryptography correctly• Keyset: Key to encrypt data stored in SharedPreferences/File• Master Key: Encrypts all keysets• Utilises the Android Keystore system• Secure storage of crypto keys• Has options for hardware key storage (if available), time-bound keys and more…
@sp4ghetticode / spght.devQuick Example #1:EncryptedSharedPreferencesHow to store data securely…
@sp4ghetticode / spght.devJetpack Securitysecurity-crypto library// Build Master Keyval masterKey = MasterKey.Builder(this).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()// Create SharedPreferences instanceEncryptedSharedPreferences.create(this,"myEncryptedPrefsFile",masterKey,PrefKeyEncryptionScheme.AES256_SIV,PrefValueEncryptionScheme.AES256_GCM).edit {putString("mySecretKey", “mySecretValue")}
@sp4ghetticode / spght.devJetpack Securitysecurity-crypto library// Build Master Keyval masterKey = MasterKey.Builder(this).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()// Create SharedPreferences instanceEncryptedSharedPreferences.create(context = this,fileName = "myEncryptedPrefsFile",masterKey = masterKey,prefKeyEncryptionScheme = PrefKeyEncryptionScheme.AES256_SIV,prefValueEncryptionScheme = PrefValueEncryptionScheme.AES256_GCM).edit {putString("mySecretKey", “mySecretValue")}
@sp4ghetticode / spght.devJetpack Securitysecurity-crypto-ktx library// Build Master Keyval masterKey = MasterKey.Builder(this).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()// Create SharedPreferences instanceEncryptedSharedPreferences.create(context = this,fileName = "myEncryptedPrefsFile",masterKey = masterKey).edit {putString("mySecretKey", “mySecretValue")}
@sp4ghetticode / spght.devShared PreferencesBefore:mySecretValue
@sp4ghetticode / spght.devShared PreferencesAfter:ASTonpk6n1buL…12a9015525…128801700a…
@sp4ghetticode / spght.devJetpack SecuritySecure Storage ComparisonSharedPreferences Room Realm EncryptedSharedPreferences SQLCipherStores data inplaintext(By default)😅 Yes 😅 Yes 😅 Yes 🥳 No 🥳 NoProvidesencryptionfunctionality❌ ❌⚠Not by default✅ ✅Min API 1 14 16v1.0.0: 23v1.1.0 (alpha): 2116First Party(i.e. Google)Support✅ ✅ ❌ ✅ ❌
More info@ spght.dev
@sp4ghetticode / spght.devsecurity-app-authenticator
@sp4ghetticode / spght.devJetpack Securitysecurity-app-authenticator libraryWhat is it trying to solve?• OWASP Mobile Top 10 - #8 Code Tampering• We sometimes need to verify an app via its signing identity• i.e. How can we ensure an app hasn’t been modified?• How do we verify the identity of a calling process during IPC?More details:• “Don’t get stung by OWASP - Part 2” @ spght.dev/talks
@sp4ghetticode / spght.devJetpack Securitysecurity-app-authenticator library• AppAuthenticator• Able to verify an app on device• Consumes an application package name and SHA-256 hash• Returns SIGNATURE_MATCH or SIGNATURE_NOT_MATCH• SHA-256 can supplied via XML resource or input stream
@sp4ghetticode / spght.devJetpack Securitysecurity-app-authenticator libraryWho should use this?• Similar apps to security-crypto• Banking/FinTech• Any app particularly targeted by hackers 😈• Maybe all of us! It’s easy to setup…
@sp4ghetticode / spght.devQuick Example #2:AppAuthenticatorHow to verify your own app…
@sp4ghetticode / spght.devAppAuthenticatorFinding your app’s signing SHA-256./gradlew signingReportVariant: releaseConfig: releaseStore: /Users/foo/bar/release.keystoreAlias: YourReleaseKeyAliasValid until: Saturday, 31 December 2050…SHA-256: 06:17:15:FA:74:46:A0:08...
@sp4ghetticode / spght.devAppAuthenticator/res/xml/app_auth.xml061715fa7446a008…
@sp4ghetticode / spght.devAppAuthenticatorCalling checkAppIdentity// Create AppAuthenticator instanceval authenticator = AppAuthenticator.createFromResource(context,R.xml.expected_app_identities)// Perform identity check on a given package nameval identity = authenticator.checkAppIdentity(packageName)// Handle the result of the identity checkval result = when (identity) {AppAuthenticator.SIGNATURE_MATCH -> "Signature matches"AppAuthenticator.SIGNATURE_NO_MATCH -> "Signature does not match"else -> throw IllegalStateException("Huh???")}
@sp4ghetticode / spght.devJetpack Securitysecurity-app-authenticator libraryOther usages• Check other apps identity• Android 11 added package visibility changes• Use Manifest tag to specify relevant packages• android.permission.QUERY_ALL_PACKAGES is restricted on Play Store• checkCallingAppIdentity method• Able to verify apps during IPC• Checks signature permission, process id and user id
@sp4ghetticode / spght.devsecurity-identity-credential
@sp4ghetticode / spght.devJetpack Securitysecurity-identity-credential libraryWhat is it trying to solve?• Storage/Retrieval Personal Digital Credentials• E.g. Mobile Driver's License (mDL)• Available in the USA now• At least 4 states issuing• Another ~25 states interested• “Coming soon to the UK” 🤔
@sp4ghetticode / spght.devJetpack Securitysecurity-identity-credential libraryWho should use this?• mDL issuers / receivers• Government Agencies• Services that require proof of identity, age, residence, etc.• But probably none of us (yet)…• It’s very early days!
@sp4ghetticode / spght.dev• Provides Android 7+ support for theexisting Android 11 IdentityCredential APIs• Prioritises specific hardware-backedstorage when available (API 30+)• Provides fallback to an Android keystore-backed implementation (API 24+)Image: https://blog.esper.io/android-dessert-bites-10-mdl-323421432Jetpack Securitysecurity-identity-credential library
@sp4ghetticode / spght.dev• Sample app availableon GitHub• Still in activedevelopment• One to watch in thefuture…Jetpack Securitysecurity-identity-credential librarygithub.com/google/identity-credential
@sp4ghetticode / spght.devSTOP THE PRESSES!https://blog.google/products/google-pay/google-wallet-new-features-june-2023New Google Blog out TODAY• Add your NI number to GoogleWallet via HMRC app• Potentially using this lib?!
@sp4ghetticode / spght.devJetSec OverviewAndroidX release notesdeveloper.android.com/jetpack/androidx/releases/security
@sp4ghetticode / spght.devWhat is your newestfavourite Android library?
@sp4ghetticode / spght.dev
@sp4ghetticode / spght.devspght.dev/talksFor more in-depth Mobile Security talks/blogs
@sp4ghetticode / spght.devThanks!spght.dev/talks
@sp4ghetticode / spght.devEOFspght.dev/talks