[REDACTED]: How to keep your app's secrets, secret

Every app has secrets! These could be in many forms (no judgment here!) but in this talk, we'll focus on the most common use case of storing API keys or data in-app that we'd rather not make readily available to malicious actors.

In this talk, we'll look at answering one of the most asked questions in mobile security, "How do I secure my API keys" and ensure you have the knowledge and tools you need to do so.

Ed Holloway-George

September 06, 2024

  1. [REDACTED]: How to keep your app's secrets, secret
     Ed Holloway-George @ Droidcon Lisbon 2024
     @sp4ghetticode / spght.dev
  2. Introduction: Who am I?
     • Lead Android Dev @ ASOS
     • Android Google Dev Expert
     • I like to talk about mobile security a lot
     • Available on all good social media platforms (and also Twitter X)
     • First time in Lisbon 🇵🇹
     • Thanks for coming along & I hope you learn something new
  3. Our Secrets: What are they?
     • API keys
     • Secure strings
     • Anything that you wouldn’t want to be in the hands of someone else!
     • Yet, we aren’t always securing them 😅
  4. The harsh reality: Our secrets are out there!
     • Experts estimate 55% of mobile apps have hardcoded secrets
     • Most commonly found are Google, Firebase and Facebook credentials
     • Secrets pose different levels of risk, depending on what they provide…
     Source: Cyber News (2022) cybernews.com/security/android-apps-leak-hardcoded-secrets
  5. Firebase 🔥 (e.g. Firestore DB / Storage / etc.)
     • 30% of apps on the Play Store utilise Firebase services
     • Around 5% of these expose data
     • Credentials hard-coded
     • Integrations ignored security best practices
     • Reverse engineering is easy & can even be automated 😅
     Source: Comparitech Whitepaper (2021) comparitech.com/blog/information-security/firebase-misconfiguration-report
  6. AWS Keys 🔑
     • Research shows ~0.5% of mobile apps expose AWS API keys
     • Exposed AWS keys can be used to access critical infrastructure
     • Verizon, WWE, Uber, Accenture & many more have had AWS breaches
     Source: CloudSEK Whitepaper (2021) csek.me/Qwmq
  7. Generally speaking: What is potentially at risk?
     • Stability 💥
     • Finances 🏦
     • Reputation 🗣
     • Security 🔓
     • Your own job!? 😬
  8. Common codebase issues: How many apply to you?
     • Secrets hardcoded in files (Gradle, Kotlin, etc.)
     • Your secrets are currently stored in version control
     • You don’t know if your git history contains secrets
     • No process to detect secrets in your codebase
  9. Secrets Gradle Plugin for Android: How does it work?
     • Configure plugin
     • Add secrets.properties file with secrets
     • Add dummy .properties file with stubs
     • Access secrets via BuildConfig or XML
     • Ensure your secrets.properties file is in .gitignore
     (Files shown on the slide: app/build.gradle, secrets.properties, .gitignore)
  10. Secrets Gradle Plugin for Android: How does it work? (build-up of slide 9, same steps)
     • Configure plugin
     • Add secrets.properties file with secrets
     • Add dummy .properties file with stubs
     • Access secrets via BuildConfig or XML
     • Ensure your secrets.properties file is in .gitignore
  11. Pros / Cons: Secrets Gradle Plugin for Android
     ✅ Simple integration for most Android apps
     ✅ Removes real secrets from your codebase and version control
     ✅ Official solution
     ✅ Recommended approach
     ✅ CI friendly
     😅 Bakes secrets into your apps
     😅 Requires you to share the real secrets file with all developers
     😅 No encryption, obfuscation, etc.
  12. Common codebase issues: How many apply to you?
     ✅ Secrets hardcoded in files (Gradle, Kotlin, etc.)
     • Your secrets are currently stored in version control
     • You don’t know if your git history contains secrets
     • No process to detect secrets in your codebase
  13. gitleaks: How does it work?
     • CLI-based SAST tool
     • Searches git repos for secrets
     • Handles common secrets: JWT, AWS, GCP and many more
     • Configurable rules to add your own
     • Available as a GitHub Action and pre-commit hook
  14. Pros / Cons: gitleaks
     ✅ Integrates easily into any type of project
     ✅ Searches git history
     ✅ Highly configurable
     ✅ Has many ways to fit into your workflow
     ✅ CI friendly
     😅 Not ‘mobile-specific’
     😅 May require some configuration
     😅 Occasional false positives
     😅 Detects secrets only, doesn’t remove them
  15. Common codebase issues: How many apply to you?
     ✅ Secrets hardcoded in files (Gradle, Kotlin, etc.)
     • Your secrets are currently stored in version control
     ✅ You don’t know if your git history contains secrets
     • No process to detect secrets in your codebase
  16. Rewriting history: How to change the past!
     • git
       • git filter-branch
     • Community-written tools
       • git-filter-repo
       • BFG Repo-Cleaner
     As seen previously @ DC Lisbon…
  17. git-filter-repo: How does it work?
     • Nicer alternative to git filter-branch
     • Python script, available via package managers
     • Create a passwords.txt file containing a list of your secrets
     • Run it! 💻  git filter-repo --replace-text passwords.txt
     • Go get some lunch! (It can take some time)
  18. BFG Repo-Cleaner: How does it work?
     • Another alternative to git filter-branch
     • Executable JAR file
     • Create a passwords.txt file containing a list of your secrets
     • Run it! 💻  bfg --replace-text passwords.txt .
     • Go get some dinner! (You already had lunch)
  19. Pros / Cons: History rewriting tools
     ✅ Highly performant
     ✅ Tailored tools for the removal of secrets
     ✅ Other uses, e.g. removing large files
     ✅ git-filter-repo builds upon functionality provided by BFG
     ✅ BFG doesn't modify the contents of your latest commit
     ✅ BFG named (in part) after the ultimate weapon in DOOM
     😅 Here be dragons! 🐉
     😅 Will likely cause breaking changes to your history
     😅 Requires all clones of your codebase to adopt the changes
     😅 Changes can take a long time for large codebases
  20. Common codebase issues: How many apply to you?
     ✅ Secrets hardcoded in files (Gradle, Kotlin, etc.)
     ✅ Your secrets are currently stored in version control
     ✅ You don’t know if your git history contains secrets
     🤔💭 No process to detect secrets in your codebase
  21. A recipe for a secret-free codebase, Ep1: “Cooking with Ed”
     • Run gitleaks
     • Migrate any secrets to the Secrets Gradle Plugin
     • Use bfg / git-filter-repo to clean up git
     • Bake at 180°C for 20 minutes
     • Sprinkle these tools into your CI and processes
     • Serve the fresh codebase to your hungry developers via a git push --force --all
  22. Firebase / Google: IMPORTANT!!!!
     • We all have google-services.json files
     • These are totally fine to expose/commit
     • But you must restrict the API keys
     • Visit the Google Cloud / Firebase console
     • Invoke the ‘principle of least privilege’
  23. DexGuard: How does it work?
     • From the ProGuard creators, GuardSquare
     • Paid solution
     • Supports class and string encryption
     • Configured similarly to ProGuard / R8, using the ‘encryptedstrings’ command
     • How they do it is ‘magic’ 🧙🪄
  24. Pros / Cons: DexGuard
     ✅ Obfuscates secrets in app
     ✅ Makes it more difficult to reverse engineer
     ✅ Used in production by many large applications
     ✅ Provides many more features on top
     ✅ GuardSquare support is great!
     😅 Paid tool, so not available for everyone
     😅 Using it just for this use case is probably overkill
     😅 Other competitors also exist, so do your own research
  25. Some special mentions: Free tools also exist! (FREE)
     • github.com/klaxit/hidden-secrets-gradle-plugin: Gradle plugin, utilises NDK
     • github.com/PatilShreyas/bytemask: Gradle plugin, code-gen approach
     • github.com/DatL4g/Sekret: Kotlin Multiplatform plugin, utilises NDK
  26. An example: Free tools also exist!
     • github.com/klaxit/hidden-secrets-gradle-plugin: Gradle plugin, utilises NDK
     Example: Hidden Secrets Plugin
  27. Pros / Cons: Secret obfuscation plugins
     ✅ Obscures secrets in app
     ✅ Setup is relatively simple
     ✅ Makes it more difficult to reverse engineer
     ✅ Good for small projects / hobbyists / indie apps
     😅 Still very possible to reverse engineer
     😅 Can add a dependency on the NDK to your project
     😅 Still not good enough for large-scale apps
  28. A recipe for better ‘hard-baked’ secrets, Ep2: “Cooking with Ed”
     • Always restrict API key usage (if possible)
     • Use the tools we covered if they are to your taste
     • Using the NDK won’t solve all your problems
     • Remember, baking secrets into your app is always a risk!
     • Don’t get burned 🔥
  29. API Proxy Service: A high-level example
     Your App  → GET api.yourdomain.com/…  → Your Proxy Server  → GET apidomain.com/api/…  → APIs
     Your App  ← Proxied API response       ← Your Proxy Server  ← API response               ← APIs
  30. API Proxy Service: A high-level example
     Your App  → GET api.yourdomain.com/…  → Your Proxy Server  → GET apidomain.com/api/…  → APIs
     Your App  ← Proxied API response       ← Your Proxy Server  ← API response               ← APIs
     Your Proxy Server: “Your secrets are here!”
  31. API Proxy Service: How could it be abused?
     • Non-legit calls to the service (e.g. a script or another app)
     • DoS attack (large number of calls)
     • Man-in-the-middle style attack
  32. API Proxy Service: Securing the API calls
     • Communicate over HTTPS (SSL/TLS)
     • Authenticate calls to the proxy service
     • Use revocable short-lived tokens
     • Rate limit
     • Remember the principle of least privilege!
  33. API Proxy Service: Device attestation
     • Attestation: “An official verification of something as true or authentic”
     • Play Integrity API / Firebase App Check
     • Ensures legitimate device access
     • Blocks malicious requests
     Source: Safeguarding user security on Android (I/O 24) youtu.be/RccJYep2v5I
  34. API Proxy Service: Now with more ✨
     Components: Your App, Your Proxy Server, APIs, Your Identity Server, Play Integrity
  35. The Swiss Cheese Model: More cheese; less problems
     Image source: Wikipedia, CC BY-SA 4.0
  36. Pros / Cons: API Proxy Service
     ✅ Removes secrets from your app 🎉
     ✅ Highly scalable
     ✅ Backend traditionally much harder to exploit
     ✅ Can easily rotate keys without disruption
     ✅ Increased logging/reporting
     ✅ We now control the API between the frontend & backend
     😅 Requires much more effort to implement
     😅 Increased latency
     😅 Single point of failure
     😅 BigTech friendly but not easy to achieve for most
     😅 In reality it is actually more complex than this example
  37. A recipe for a ‘near-perfect’ application, Ep3: “Cooking with Ed”
     • Remove all the secrets from your app
     • Provide their functionality via a proxy service you control
     • Rate limit to your liking
     • Ensure only real devices and known users can access your services
     • Apply the ‘Swiss cheese model’ generously
  38. In summary… Your plan to have safer secrets
     • Erase historic secrets from your repos
     • Always restrict your API keys (if possible)
     • Obfuscate to add an extra layer of security
     • Consider device attestation
     • Beware of baked-in secrets
     • If you can, proxy calls and remove in-app secrets ✨