[REDACTED]: How to keep your app's secrets, secret

@sp4ghetticode / spght.dev [REDACTED] How to keep your app's secrets,
secret Ed Holloway-George @ Droidcon Lisbon 2024

@sp4ghetticode / spght.dev Who am I? • Lead Android Dev
@ ASOS • Android Google Dev Expert • I like to talk about mobile security a lot • Available on all good social media platforms (and also Twitter X) • First time in Lisbon 🇵🇹 • Thanks for coming along & I hope you learn something new Introduction

@sp4ghetticode / spght.dev Every app developer has secrets… 👀

@sp4ghetticode / spght.dev What are they? • API Keys •
Secure Strings • Anything that you wouldn’t want to be in the hands of someone else! • Yet, we aren’t always securing them 😅 Our Secrets

@sp4ghetticode / spght.dev The harsh reality Our secrets are out
there! • Experts estimate 55% of mobile apps have hardcoded secrets • Most commonly found are Google, Firebase and Facebook credentials • Secrets pose different levels of risk, depending on what they provide… / Source: Cyber News (2022) cybernews.com/security/android-apps-leak-hardcoded-secrets

@sp4ghetticode / spght.dev What could possibly go wrong?

@sp4ghetticode / spght.dev Firebase 🔥 e.g. Firestore DB / Storage
/ etc • 30% of apps on Play Store utilise Firebase services • Around 5% of these expose data • Credentials hard-coded • Integrations ignored security best-practises • Reverse engineering is easy & can even be automated 😅 / Source: Comparitech Whitepaper (2021) comparitech.com/blog/information-security/firebase-misconfiguration-report

@sp4ghetticode / spght.dev AWS Keys 🔑 e.g. AWS Keys •
Research shows ~0.5% of Mobile Apps expose AWS API Keys • Exposed AWS keys can be used to access critical infrastructure • Verizon, WWE, Uber, Accenture & many more have had AWS breaches / Source: Cloudsek Whitepaper (2021) csek.me/Qwmq

@sp4ghetticode / spght.dev Generally speaking What is potentially at risk?
• Stability 💥 • Finances 🏦 • Reputation 🗣 • Security 🔓 • Your own job!? 😬

Don’t sweat… This talk will help! Is this you right
now?

@sp4ghetticode / spght.dev Top Tip #1: Don’t store secrets in
your codebase

@sp4ghetticode / spght.dev Common codebase issues How many apply to
you? • Secrets hardcoded in files (Gradle, Kotlin, etc) • Your secrets are currently stored in version control • You don’t know if your git history contains secrets • No process to detect secrets in your codebase

@sp4ghetticode / spght.dev How does it work? • Configure plugin
• Add secrets.properties file with secrets • Add dummy .properties file with stubs • Access secrets via BuildConfig or XML • Ensure your secrets.properties file is in .gitignore Secrets Gradle Plugin for Android app/build.gradle secrets.properties .gitignore

@sp4ghetticode / spght.dev How does it work? Secrets Gradle Plugin
for Android • Configure plugin • Add secrets.properties file with secrets • Add dummy .properties file with stubs • Access secrets via BuildConfig or XML • Ensure your secrets.properties file is in .gitignore

@sp4ghetticode / spght.dev Pros / Cons Secrets Gradle Plugin for
Android ✅ Simple integration for most Android apps ✅ Removes real secrets in your codebase or version control ✅ Official solution ✅ Recommended approach ✅ CI friendly 😅 Bakes secrets into your apps 😅 Requires you to share real secrets file with all developers 😅 No encryption, obfuscation, etc

you? ✅ Secrets hardcoded in files (Gradle, Kotlin, etc) • Your secrets are currently stored in version control • You don’t know if your git history contains secrets • No process to detect secrets in your codebase

@sp4ghetticode / spght.dev How does it work? • CLI based
SAST tool • Searches git repos for secrets • Handles common secrets • JWT, AWS, GCP and many more • Configurable rules to add your own • Available as a GitHub Action and pre-commit hook gitleaks

@sp4ghetticode / spght.dev Pros / Cons gitleaks ✅ Integrates easily
into any type of project ✅ Searches git history ✅ Highly configurable ✅ Has many ways to fit into your workflow ✅ CI friendly 😅 Not ‘mobile-specific’ 😅 May require some configuration 😅 Occasional false- positives 😅 Detects secrets only, doesn’t remove them

you? ✅ Secrets hardcoded in files (Gradle, Kotlin, etc) • Your secrets are currently stored in version control ✅ You don’t know if your git history contains secrets • No process to detect secrets in your codebase

@sp4ghetticode / spght.dev

@sp4ghetticode / spght.dev How to change the past! • git
• git filter-branch • Community written tools • git-filter-repo • BFG Repo-Cleaner Rewriting history As seen previously @ DC Lisbon…

@sp4ghetticode / spght.dev git filter-branch Please watch my talk for
more!

@sp4ghetticode / spght.dev How does it work? git-filter-repo • Nicer
alternative to git filter- branch • Python script and available via package mangers • Create passwords.txt file • Contains list of your secrets • Run it! 💻 git filter-repo --replace-text passwords.txt • Go get some lunch! (It can take some time)

@sp4ghetticode / spght.dev How does it work? bfg Repo-Cleaner •
Another alternative to git filter- branch • Executable JAR file • Create passwords.txt file • Contains list of your secrets • Run it! 💻 bfg --replace-text passwords.txt . • Go get some dinner! (You already had lunch)

@sp4ghetticode / spght.dev Before & After bfg Repo-Cleaner bfg.jar

@sp4ghetticode / spght.dev Pros / Cons History Rewriting Tools ✅
Highly performant ✅ Tailored tools for the removal of secrets ✅ Other uses e.g. Remove large files ✅ git-filter-repo builds upon functionality provided by BFG ✅ BFG doesn't modify the contents of your latest commit ✅ BFG named (in part) after the ultimate weapon in DOOM 😅 Here be dragons! 🐉 😅 Will likely cause breaking changes to your history 😅 Requires all clones of your codebase to adopt changes 😅 Changes can take a long time for large codebases

you? ✅ Secrets hardcoded in files (Gradle, Kotlin, etc) ✅ Your secrets are currently stored in version control ✅ You don’t know if your git history contains secrets 🤔💭 No process to detect secrets in your codebase

@sp4ghetticode / spght.dev Cooking with Ed - “Filmed in front
of a live audience”

@sp4ghetticode / spght.dev A recipe for a secret-free codebase Ep1:
“Cooking with Ed” • Run gitleaks • Migrate any secrets to Gradle Secrets Plugin • Use bfg / git-filter-repo to clean-up git • Bake at 180°C for 20 minutes • Sprinkle these tools into your CI and processes • Serve the fresh codebase to your hungry developers via a git push —-force —-all

@sp4ghetticode / spght.dev Top Tip #2: Secure your secrets!

@sp4ghetticode / spght.dev

@sp4ghetticode / spght.dev Yikes!

@sp4ghetticode / spght.dev Firebase / Google IMPORTANT!!!! • We all
have google-services.json files • These are totally fine to expose/commit • But you must restrict the API keys • Visit Google Cloud / Firebase console • Invoke ‘principle of least privilege’

@sp4ghetticode / spght.dev Firebase / Google Restrictions

@sp4ghetticode / spght.dev Firebase / Google Restrictions PLEASE CHECK THIS
TODAY (AFTER THE TALK 😅)

@sp4ghetticode / spght.dev - You, right now (presumably?) “What about
any other secrets?”

@sp4ghetticode / spght.dev How does it work? DexGuard • From
the ProGuard creators - GuardSquare • Paid solution • Supports class and string encrypt • Configured similarly to ProGuard / R8 using ‘encryptedstrings’ command • How they do it is ‘magic’ 🧙🪄

@sp4ghetticode / spght.dev Pros / Cons DexGuard ✅ Obfuscates secrets
in app ✅ Makes it more difficult to reverse engineer ✅ Used in production by many large applications ✅ Provides many more features on top ✅ GuardSquare support is great! 😅 Paid tool, so not available for everyone 😅 Using it just for this use case is probably overkill 😅 Other competitors also exist, so do your own research

@sp4ghetticode / spght.dev Some special mentions Free tools also exist!
• github.com/klaxit/hidden-secrets-gradle-plugin • Gradle Plugin / Utilises NDK • github.com/PatilShreyas/bytemask • Gradle Plugin / Code-gen approach • github.com/DatL4g/Sekret • Kotlin Multiplatform Plugin / Utilises NDK FREE

@sp4ghetticode / spght.dev An example: Free tools also exist! •
github.com/klaxit/hidden-secrets-gradle-plugin • Gradle Plugin / Utilises NDK / Example: Hidden Secrets Plugin

@sp4ghetticode / spght.dev Pros / Cons Secret obfuscation plugins ✅
Obscures secrets in app ✅ Setup is relatively simple ✅ Makes it more difficult to reverse engineer ✅ Good for small projects / hobbyists / Indie apps 😅 Still very possible to reverse engineer 😅 Can add a dependency on NDK to your project 😅 Still not good enough for large scale apps

@sp4ghetticode / spght.dev Cooking with Ed - “Putting the ‘Ed’
into barely edible”

@sp4ghetticode / spght.dev A recipe for better ‘hard-baked’ secrets Ep2:
“Cooking with Ed” • Always restrict API keys usage (if possible) • Use the tools we covered if they are to your taste • Using the NDK won’t solve all your problems • Remember, baking secrets into your app is always a risk! • Don’t get burned 🔥

@sp4ghetticode / spght.dev Top Tip #3: Get rid of your
secrets!

@sp4ghetticode / spght.dev - You again, about 5 seconds ago
“Well duh. How?”

@sp4ghetticode / spght.dev API Proxy Service A high-level example api.yourdomain.com/…
Proxied API response GET apidomain.com/api/… API response Your App Your Proxy Server APIs

@sp4ghetticode / spght.dev API Proxy Service A high-level example api.yourdomain.com/…
Proxied API response GET apidomain.com/api/… API response Your App Your Proxy Server APIs Your secrets are here!

@sp4ghetticode / spght.dev How could it be abused? API Proxy
Service • Non-legit calls to service (e.g. a script or another app) • DoS attack (large number of calls) • Man-in-the-middle style attack

@sp4ghetticode / spght.dev Securing the API Calls API Proxy Service
• Communicate over HTTPS SSL/TLS • Authenticate calls to proxy service • Use revokable short-lived tokens • Rate limit • Remember principle of least privilege!

@sp4ghetticode / spght.dev Device Attestation API Proxy Service • Attestation
• “An official verification of something as true or authentic” • Play Integrity API / Firebase App Check • Ensures legitimate device access • Blocks malicious requests / Source: Safeguarding user security on Android (IO/24) youtu.be/RccJYep2v5I

@sp4ghetticode / spght.dev API Proxy Service Now with more ✨
Your App Your Proxy Server APIs Your Identity Server Play Integrity

@sp4ghetticode / spght.dev / Image Source: Wikipedia CC BY-SA 4.0
The Swiss Cheese Model

@sp4ghetticode / spght.dev / Image Source: Wikipedia CC BY-SA 4.0
The Swiss Cheese Model More cheese; Less problems

@sp4ghetticode / spght.dev Pros / Cons API Proxy Service ✅
Removes secrets from your app 🎉 🎉 🎉 🎉 🎉 🎉 🎉 🎉 ✅ Highly scalable ✅ Backend traditionally much harder to exploit ✅ Can easily rotate keys without disruption ✅ Increased logging/reporting ✅ We now control the API between the frontend & backend 😅 Requires much more effort to implement 😅 Increased latency 😅 Single point of failure 😅 BigTech friendly but not easy to achieve for most 😅 In reality it is actually more complex than this example

@sp4ghetticode / spght.dev Cooking with Ed - “This is the
last time I promise”

@sp4ghetticode / spght.dev A recipe for a ‘near-perfect’ application Ep3:
“Cooking with Ed” • Remove all the secrets from your app • Provide their functionality via a proxy- service you control • Rate limit to your liking • Ensure only real devices and known users can access your services • Apply the ‘Swiss cheese model’ generously

@sp4ghetticode / spght.dev In summary… Your plan to have safer
secrets • Erase historic secrets from your repos • Always restrict your API keys (if possible) • Obfuscate to add an extra layer of security • Consider device attestation • Beware of baked-in secrets • If you can, proxy calls and remove in-app secrets ✨

@sp4ghetticode / spght.dev spght.dev/talks For more in-depth Mobile Security talks/blogs

@sp4ghetticode / spght.dev Bom apetite! spght.dev/talks

@sp4ghetticode / spght.dev EOF spght.dev/talks

[REDACTED]: How to keep your app's secrets, secret

[REDACTED]: How to keep your app's secrets, secret

More Decks by Ed Holloway-George

Other Decks in Technology

Featured

Transcript