Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Living the 'JetSec Lifestyle'

Living the 'JetSec Lifestyle'

In this talk we will look at the Jetpack Security (JetSec) libraries, the common mobile security problems they solve, how they work and the functionality they offer to developers in code

Ed Holloway-George

June 02, 2023
Tweet

More Decks by Ed Holloway-George

Other Decks in Programming

Transcript

  1. @sp4ghetticode / spght.dev
    Living the


    “JetSec Lifestyle” 🏖
    Ed Holloway-George @ Android Meetup - June 2023

    View Slide

  2. @sp4ghetticode / spght.dev
    Who am I?
    • Lead Android Dev @ ASOS


    • Android Google Dev Expert


    • I like to talk about mobile
    security a lot


    • Available on all good social
    media platforms (inc. Tw*tter)


    • More talks @ spght.dev


    Introduction

    View Slide

  3. @sp4ghetticode / spght.dev
    What is your favourite
    Android library?

    View Slide

  4. @sp4ghetticode / spght.dev
    Retrofit
    What is your favourite
    Android library?

    View Slide

  5. @sp4ghetticode / spght.dev
    Hilt Retrofit
    What is your favourite
    Android library?

    View Slide

  6. @sp4ghetticode / spght.dev
    Retrofit
    Hilt
    Koin
    Timber
    Leak Canary
    Accompanist
    Paparazzi
    ActionBar


    Sherlock
    Ktor
    Appyx
    Glide
    Coil
    Mockk
    SQLDelight
    What is your favourite
    Android library?

    View Slide

  7. @sp4ghetticode / spght.dev
    So many choices!

    View Slide

  8. @sp4ghetticode / spght.dev
    JetSec

    View Slide

  9. @sp4ghetticode / spght.dev
    What is JetSec? 😅

    View Slide

  10. @sp4ghetticode / spght.dev
    JetSec

    View Slide

  11. @sp4ghetticode / spght.dev
    JetpackSec

    View Slide

  12. @sp4ghetticode / spght.dev
    Jetpack Security

    View Slide

  13. @sp4ghetticode / spght.dev
    Sit back and enjoy the
    journey… 🛫

    View Slide

  14. @sp4ghetticode / spght.dev
    - Most Android Developers, 2023
    “Mobile security is hard & easy
    to get wrong”

    View Slide

  15. @sp4ghetticode / spght.dev
    Jetpack Security
    JetSec solves this


    • Simple use libraries


    • Follows security best practises


    • Addresses common mobile security use-cases


    What is it?

    View Slide

  16. @sp4ghetticode / spght.dev
    Jetpack Security
    What is it?
    Suite of security related libraries:


    • security-crypto
    • security-app-authenticator
    • security-identity-credential

    View Slide

  17. @sp4ghetticode / spght.dev
    Jetpack Security
    What is it?
    Suite of security related libraries:


    • security-crypto - stable and ktx available


    • security-app-authenticator - alpha


    • security-identity-credential - alpha

    View Slide

  18. @sp4ghetticode / spght.dev
    security-crypto

    View Slide

  19. @sp4ghetticode / spght.dev
    security-crypto

    View Slide

  20. @sp4ghetticode / spght.dev
    Jetpack Security
    security-crypto library
    What is it trying to solve?


    • OWASP Mobile Top 10 - #2 Insecure Data Storage


    • SharedPreferences by default are insecure


    • Stored in plaintext


    • XML file has known location /data/data//shared_prefs


    • Also trivial exploits exist to access production app’s prefs


    More details:


    • “Don’t get stung by OWASP” @ spght.dev/talks


    • “Unpacking Android Security: Part 2” @ spght.dev/archive


    View Slide

  21. @sp4ghetticode / spght.dev
    Jetpack Security
    security-crypto library
    • EncryptedSharedPreferences


    • Wraps the existing SharedPreferences API


    • Keys and Values encrypted using AES-256


    • EncryptedFile


    • Secure impl of FileInputStream / FileOutputStream

    View Slide

  22. @sp4ghetticode / spght.dev
    Jetpack Security
    security-crypto library
    Who should use this?


    • Banking/FinTech Apps


    • Medical Apps


    • Chat Apps


    • Basically anything regulated


    • Or anyone misusing SharedPreferences… (No PII please)

    View Slide

  23. @sp4ghetticode / spght.dev
    Jetpack Security
    security-crypto library
    • How does it work?


    • Uses Tink under the hood


    • Helps to provide a simple API to perform cryptography correctly


    • Keyset: Key to encrypt data stored in SharedPreferences/File


    • Master Key: Encrypts all keysets


    • Utilises the Android Keystore system


    • Secure storage of crypto keys


    • Has options for hardware key storage (if available), time-bound keys and more…


    View Slide

  24. @sp4ghetticode / spght.dev
    Quick Example #1:


    EncryptedSharedPreferences


    How to store data securely…

    View Slide

  25. @sp4ghetticode / spght.dev
    Jetpack Security
    security-crypto library
    // Build Master Key


    val masterKey = MasterKey.Builder(this)


    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)


    .build()


    // Create SharedPreferences instance


    EncryptedSharedPreferences.create(


    this,


    "myEncryptedPrefsFile",


    masterKey,


    PrefKeyEncryptionScheme.AES256_SIV,


    PrefValueEncryptionScheme.AES256_GCM


    ).edit {


    putString("mySecretKey", “mySecretValue")


    }


    View Slide

  26. @sp4ghetticode / spght.dev
    Jetpack Security
    security-crypto library
    // Build Master Key


    val masterKey = MasterKey.Builder(this)


    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)


    .build()


    // Create SharedPreferences instance


    EncryptedSharedPreferences.create(


    context = this,


    fileName = "myEncryptedPrefsFile",


    masterKey = masterKey,


    prefKeyEncryptionScheme = PrefKeyEncryptionScheme.AES256_SIV,


    prefValueEncryptionScheme = PrefValueEncryptionScheme.AES256_GCM


    ).edit {


    putString("mySecretKey", “mySecretValue")


    }


    View Slide

  27. @sp4ghetticode / spght.dev
    Jetpack Security
    security-crypto-ktx library
    // Build Master Key


    val masterKey = MasterKey.Builder(this)


    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)


    .build()


    // Create SharedPreferences instance


    EncryptedSharedPreferences.create(


    context = this,


    fileName = "myEncryptedPrefsFile",


    masterKey = masterKey


    ).edit {


    putString("mySecretKey", “mySecretValue")


    }


    View Slide

  28. @sp4ghetticode / spght.dev
    Shared Preferences
    Before:






    mySecretValue





    View Slide

  29. @sp4ghetticode / spght.dev
    Shared Preferences
    After:






    ASTonpk6n1buL…


    12a9015525…


    128801700a…





    View Slide

  30. @sp4ghetticode / spght.dev
    Jetpack Security
    Secure Storage Comparison
    SharedPreferences Room Realm EncryptedSharedPreferences SQLCipher
    Stores data in
    plaintext


    (By default)
    😅 Yes 😅 Yes 😅 Yes 🥳 No 🥳 No
    Provides


    encryption
    functionality
    ❌ ❌



    Not by default
    ✅ ✅
    Min API 1 14 16
    v1.0.0: 23


    v1.1.0 (alpha): 21
    16
    First Party


    (i.e. Google)


    Support
    ✅ ✅ ❌ ✅ ❌

    View Slide

  31. More info
    @ spght.dev

    View Slide

  32. @sp4ghetticode / spght.dev
    security-app-authenticator

    View Slide

  33. @sp4ghetticode / spght.dev
    Jetpack Security
    security-app-authenticator library
    What is it trying to solve?


    • OWASP Mobile Top 10 - #8 Code Tampering


    • We sometimes need to verify an app via its signing identity


    • i.e. How can we ensure an app hasn’t been modified?


    • How do we verify the identity of a calling process during IPC?


    More details:


    • “Don’t get stung by OWASP - Part 2” @ spght.dev/talks


    View Slide

  34. @sp4ghetticode / spght.dev
    Jetpack Security
    security-app-authenticator library
    • AppAuthenticator


    • Able to verify an app on device


    • Consumes an application package name and SHA-256 hash


    • Returns SIGNATURE_MATCH or SIGNATURE_NOT_MATCH


    • SHA-256 can supplied via XML resource or input stream

    View Slide

  35. @sp4ghetticode / spght.dev
    Jetpack Security
    security-app-authenticator library
    Who should use this?


    • Similar apps to security-crypto


    • Banking/FinTech


    • Any app particularly targeted by hackers 😈


    • Maybe all of us! It’s easy to setup…

    View Slide

  36. @sp4ghetticode / spght.dev
    Quick Example #2:


    AppAuthenticator


    How to verify your own app…

    View Slide

  37. @sp4ghetticode / spght.dev
    AppAuthenticator
    Finding your app’s signing SHA-256
    ./gradlew signingReport


    Variant: release


    Config: release


    Store: /Users/foo/bar/release.keystore


    Alias: YourReleaseKeyAlias


    Valid until: Saturday, 31 December 2050





    SHA-256: 06:17:15:FA:74:46:A0:08...

    View Slide

  38. @sp4ghetticode / spght.dev
    AppAuthenticator
    /res/xml/app_auth.xml















    061715fa7446a008…











    View Slide

  39. @sp4ghetticode / spght.dev
    AppAuthenticator
    Calling checkAppIdentity
    // Create AppAuthenticator instance


    val authenticator = AppAuthenticator.createFromResource(


    context,


    R.xml.expected_app_identities


    )


    // Perform identity check on a given package name


    val identity = authenticator.checkAppIdentity(packageName)


    // Handle the result of the identity check


    val result = when (identity) {


    AppAuthenticator.SIGNATURE_MATCH -> "Signature matches"


    AppAuthenticator.SIGNATURE_NO_MATCH -> "Signature does not match"


    else -> throw IllegalStateException("Huh???")


    }

    View Slide

  40. @sp4ghetticode / spght.dev
    Jetpack Security
    security-app-authenticator library
    Other usages


    • Check other apps identity


    • Android 11 added package visibility changes


    • Use Manifest tag to specify relevant packages


    • android.permission.QUERY_ALL_PACKAGES is restricted on Play Store


    • checkCallingAppIdentity method


    • Able to verify apps during IPC


    • Checks signature permission, process id and user id


    View Slide

  41. More info
    @ spght.dev

    View Slide

  42. @sp4ghetticode / spght.dev
    security-identity-credential

    View Slide

  43. @sp4ghetticode / spght.dev
    Jetpack Security
    security-identity-credential library
    What is it trying to solve?


    • Storage/Retrieval Personal Digital Credentials


    • E.g. Mobile Driver's License (mDL)


    • Available in the USA now


    • At least 4 states issuing


    • Another ~25 states interested


    • “Coming soon to the UK” 🤔


    View Slide

  44. @sp4ghetticode / spght.dev
    Jetpack Security
    security-identity-credential library
    Who should use this?


    • mDL issuers / receivers


    • Government Agencies


    • Services that require proof of identity, age, residence, etc.


    • But probably none of us (yet)…


    • It’s very early days!


    View Slide

  45. @sp4ghetticode / spght.dev
    • Provides Android 7+ support for the
    existing Android 11 IdentityCredential APIs


    • Prioritises specific hardware-backed
    storage when available (API 30+)


    • Provides fallback to an Android keystore-
    backed implementation (API 24+)
    Image: https://blog.esper.io/android-dessert-bites-10-mdl-323421432
    Jetpack Security
    security-identity-credential library

    View Slide

  46. @sp4ghetticode / spght.dev
    • Sample app available
    on GitHub


    • Still in active
    development


    • One to watch in the
    future…


    Jetpack Security
    security-identity-credential library
    github.com/google/identity-credential

    View Slide

  47. @sp4ghetticode / spght.dev
    STOP THE PRESSES!
    https://blog.google/products/google-pay/google-wallet-new-features-june-2023
    New Google Blog out TODAY


    • Add your NI number to Google
    Wallet via HMRC app


    • Potentially using this lib?!

    View Slide

  48. @sp4ghetticode / spght.dev
    JetSec Overview
    AndroidX release notes
    developer.android.com/jetpack/androidx/releases/security

    View Slide

  49. @sp4ghetticode / spght.dev
    What is your newest
    favourite Android library?

    View Slide

  50. @sp4ghetticode / spght.dev

    View Slide

  51. @sp4ghetticode / spght.dev
    spght.dev/talks
    For more in-depth Mobile Security talks/blogs

    View Slide

  52. @sp4ghetticode / spght.dev
    Thanks!
    spght.dev/talks

    View Slide

  53. @sp4ghetticode / spght.dev
    EOF
    spght.dev/talks

    View Slide