In this talk we will look at the Jetpack Security (JetSec) libraries, the common mobile security problems they solve, how they work and the functionality they offer to developers in code.
@ ASOS
• Android Google Dev Expert
• I like to talk about mobile security a lot
• Available on all good social media platforms (inc. Tw*tter)
• More talks @ spght.dev
Introduction
trying to solve?
• OWASP Mobile Top 10 - #2 Insecure Data Storage
• SharedPreferences by default are insecure
• Stored in plaintext
• XML file has known location /data/data/<package_name>/shared_prefs
• Also trivial exploits exist to access production app’s prefs
More details:
• “Don’t get stung by OWASP” @ spght.dev/talks
• “Unpacking Android Security: Part 2” @ spght.dev/archive
it work?
• Uses Tink under the hood
• Helps to provide a simple API to perform cryptography correctly
• Keyset: Key to encrypt data stored in SharedPreferences/File
• Master Key: Encrypts all keysets
• Utilises the Android Keystore system
• Secure storage of crypto keys
• Has options for hardware key storage (if available), time-bound keys and more…
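The keyset and master key arrangement described above, as an added example that is not code from the talk. It assumes the MasterKey builder from the security-crypto 1.1.0 alpha line; the file name "secure_prefs", the key "session_token" and the function names are hypothetical.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Hypothetical names chosen for this example.
private const val PREFS_FILE = "secure_prefs"
private const val KEY_SESSION_TOKEN = "session_token"

fun openSecurePrefs(context: Context): SharedPreferences {
    // Master key: generated and held in the Android Keystore.
    // It encrypts the Tink keysets, never the preference data directly.
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        // A request only: hardware key storage is used if available.
        .setRequestStrongBoxBacked(true)
        .build()

    // Two keysets are created and stored (encrypted by the master key)
    // inside the preferences file itself: one for entry names (AES256_SIV,
    // deterministic so lookups by name still work) and one for values.
    return EncryptedSharedPreferences.create(
        context,
        PREFS_FILE,
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}

// The returned object is a normal SharedPreferences, so existing
// read/write code does not change; only the file on disk is ciphertext.
fun saveSessionToken(context: Context, token: String) {
    openSecurePrefs(context)
        .edit()
        .putString(KEY_SESSION_TOKEN, token)
        .apply()
}

fun loadSessionToken(context: Context): String? =
    openSecurePrefs(context).getString(KEY_SESSION_TOKEN, null)
```

After a write, the XML under /data/data/<package_name>/shared_prefs holds encrypted entry names and values in place of the plaintext a default SharedPreferences file would contain.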
| | | | Realm | EncryptedSharedPreferences | SQLCipher |
|---|---|---|---|---|---|
| Stores data in plaintext (By default) | 😅 Yes | 😅 Yes | 😅 Yes | 🥳 No | 🥳 No |
| Provides encryption functionality | ❌ | ❌ | ⚠ Not by default | ✅ | ✅ |
| Min API | 1 | 14 | 16 | v1.0.0: 23; v1.1.0 (alpha): 21 | 16 |
| First Party (i.e. Google) Support | ✅ | ✅ | ❌ | ✅ | ❌ |
trying to solve?
• OWASP Mobile Top 10 - #8 Code Tampering
• We sometimes need to verify an app via its signing identity
• i.e. How can we ensure an app hasn’t been modified?
• How do we verify the identity of a calling process during IPC?
More details:
• “Don’t get stung by OWASP - Part 2” @ spght.dev/talks
Able to verify an app on device
• Consumes an application package name and SHA-256 hash
• Returns SIGNATURE_MATCH or SIGNATURE_NO_MATCH
• SHA-256 can be supplied via XML resource or input stream
<app-authenticator>
    <expected-identity>
        <package name="com.example.app">
            <!-- Your own SHA-256 here -->
            <cert-digest>061715fa7446a008…</cert-digest>
        </package>
    </expected-identity>
</app-authenticator>
val authenticator = AppAuthenticator.createFromResource(
    context,
    R.xml.expected_app_identities
)

// Perform identity check on a given package name
val identity = authenticator.checkAppIdentity(packageName)

// Handle the result of the identity check
val result = when (identity) {
    AppAuthenticator.SIGNATURE_MATCH -> "Signature matches"
    AppAuthenticator.SIGNATURE_NO_MATCH -> "Signature does not match"
    else -> throw IllegalStateException("Huh???")
}
Check other apps identity
• Android 11 added package visibility changes
• Use Manifest tag <queries> to specify relevant packages
• android.permission.QUERY_ALL_PACKAGES is restricted on Play Store
• checkCallingAppIdentity method
• Able to verify apps during IPC
• Checks signature permission, process id and user id
trying to solve?
• Storage/Retrieval Personal Digital Credentials
• E.g. Mobile Driver's License (mDL)
• Available in the USA now
• At least 4 states issuing
• Another ~25 states interested
• “Coming soon to the UK” 🤔
this?
• mDL issuers / receivers
• Government Agencies
• Services that require proof of identity, age, residence, etc.
• But probably none of us (yet)…
• It’s very early days!