Android Application Security For Developers (ADD 2014)

Transcript

1. Application security ANDROID FOR DEVELOPERS FILIP MAELBRANCKE

2. None

3. X

4. Security = managing risk ASSET VULNERABILITY THREAT

5. Security = managing risk ASSET VULNERABILITY THREAT

6. All in one device Increases threat proBability ! • GPS

   • Contacts • Camera • Email (work) • Wallet

7. Always out Vulnerability / Exploitability ! • Stolen • Forgotten

   • Lost !

8. Everyone uses it Vulnerability / Exploitability ! • Weak pins

   • Use of open public WiFi !

9. Everyone uses it

10. Android security

11. Android security model ! ! ! ! ! ! !

    ! ! ! Game X ! ! ! Game Y ! System ! ! ! ! ! ! ! ! ! ! ! ! ! ! Contacts ! ! ! Email ! ! ! Google Play ! Verify app signature ! ! App sandbox ! ! Permissions application isolation

12. typical mobile app MOBILE APPLICATION UI LOCAL STORAGE REMOTING LAYER

    REMOTE API COMMUNICATION CHANNEL

13. Security APP DATA NETWORK SERVICES

14. None

15. Securing the app JAVA CLASS DEX

16. reverse engineer

17. OBTAIN APK FROM DEVICE adb backup -apk be.myapp ADB BACKUP

    app Titanium, Astro, Helium adb shell pm list packages -f adb pull /data/app/be.myapp-1.apk

18. APK structure APK = zip APK AndroidManifest classes.dex Resources

19. reverse engineer TOOLS ! • Apktool • Dex2jar • Apk

    to Java !

20. reverse engineer smali / baksmali APKTOOL Low level disassembled Dalvik

    bytecode CODE code can be modified recompile / resign

21. reverse engineer apktool d myapp.apk

22. reverse engineer

23. reverse engineer code

24. reverse engineer convert .dex file to a .jar with java

    bytecode DEX2JAR dex -> java java decompiler CODE very readable

25. reverse engineer

26. reverse engineer Jeb Decompiler PAID dex -> java native dalvik

    decompiler

27. reverse engineer

28. Obfuscation

29. Proguard obfuscate optimize Shrink

30. proguard obfuscation

31. proguard

32. proguard configuration

33. proguard Beware!

34. proguard loggingwrapper

35. proguard configuration

36. proguard BEtter

37. other techniques If possible, run code at server! server String

    encryption Hide sensitive strings eg “Secure” Native code Java Native Interface reflection Proxy Introduces indirection Class encryption Use DexGuard

38. dexguard Same config proguard++ Commercial Good value for the money

    Tamper checks

39. dexguard

40. proguard tips Test! release build Mapping.txt Save! Crash? Supported on

    Crashlytics, Crittercism, ...

41. TAMPER DETECTION

42. Environment 1.installer 2.debugger / 3.BINARY Validation Tamper detection / protection

43. INSTALLER PLAY STORE INSTALLER

44. debugger Debugger check

45. debugger Debugger check

46. emulator EMULATOR check

47. SIGNING KEY Valid signing key ! • SHA1 of signing

    cert • Embed • Check with runtime signature !

48. SIGNING KEY Valid signing key

49. rooted device root detection ! • Check typical apps /

    files • Check keys • /system r/w !

50. tamper detection tips + use obfuscation! multiple checks Tampering detected

    Close application Don’t leak where the protection code is
51. None

52. local Data protection Avoid it if you can Avoid External

    storage Avoid external storage for sensitive information For critical info set android:saveEnabled="false" Backup set android:allowBackup=false proper permissions MODE_PRIVATE with files

53. local Data protection getWindow().setFlags(LayoutParams.FLAG _SECURE, LayoutParams.FLAG_SECURE); avoid screen shots LOGOUT

    on inactivity if usability allows and clear the cached information

54. keylogger

55. ANDROID NOT ENOUGH? rooted devices Internal Storage Full disk crypto

    brute forcing

56. encryption

57. JCA APP JCA (Java Cryptography Architecture) Provider Provider Message Digest

    Key Generation Digital Signature ...

58. JCA Bouncy Castle Android OpenSSL APP JCA (Java Cryptography Architecture)

    Harmony

59. bouncy castle Android = subset of upstream release cut-down CONSISTENT

    Consistent crypto across Android versions MINIMAL change github.com/rtyley/spongycastle Spongy castle Repackage of Bouncy Castle for Android

60. encryption libs SQLCipher sqlcipher.net ! • Modified version of SQLite

    • AES-256 encryption • Drop-in replacement ! iocipher guardianproject.info/code/ iocipher ! Virtual encrypted disk

61. key management Store along with the data (file private to

    the app) Store Embed Embed in source code (obfuscated ?) EASY TO EXTRACT

62. key management don’t store Don’t store the key on the

    device Have it entered each time necessary Store In systems service SOLUTIONS

63. key derivation Long random strings of bits encryption keys people

    vs keys Users are familiar with passwords Crypto algo PBKDF2WithHmacSHA1 password based encryption Generate strong crypto keys based on humanly-manageable passwords

64. proper key derivation Using a salt protects from table- assisted

    / pre-computed dictionary attacks SALT key stretching Repeat the key derivation operation multiple times to produce the final key Slows down brute force attacks

65. key derivation https://github.com/nelenkov/android-pbe http://nelenkov.blogspot.jp/2012/04/using-password-based-encryption-on.html Nikolay Elenkov

66. KEYCHain? Keystore provider ! • Since Android 4.3 • Can

    be hardware- backed https://github.com/nelenkov/android-keystore Nikolay Elenkov

67. network

68. Secure communication channel use https Use SSL / TLS !

    • Confidentiality • Authentication ! VALIDATION Hostname verification ! Certificate pinning

69. secure communication channel hostname verification

70. SSL certificates CA issued, Android recognized CA issued self-signed certificates

    behaviour change custom TrustManager

71. self-signed cert

72. anti pattern don’t trust all!

73. self-signed cert Certificate Custom trustmanager NO man-in-the-middle attacks import in

    your app

74. Certificate authorities

75. Trustmanager StrongTrustManager ! • Validate whole certificate chain • Debian

    certificate store !

76. certificate pinning with expected certificate / public key Associate host

    hashing anonymize certificate / public key

77. certificate pinning echo | openssl s_client -connect host:443 2>&1 |

    sed -ne '/-BEGIN CERTIFICATE-/,/- END CERTIFICATE-/p' > mycertificate.pem get certificate (openssl) embed in application /res/raw Custom Based on keystore Load into keystore SSL context Init SSL context with TrustManager https://developer.android.com/training/articles/security-ssl.html
78. None

79. Securing services Controls ! • Kill switch for specific functionality

    • Server downtime communication • Mandatory update mechanism !

80. securing services Backend REST and APIs can have similar vulnerabilities

    to web applications mitigate follow OWASP top 10

81. Effective security Using CryptoLint, we performed a study on cryptographic

    implementations in 11,748 Android applications. Overall we find that 10,327 programs – 88% in total – use cryptography inappropriately. The raw s c a l e o f m i s u s e i n d i c a t e s a w i d e s p r e a d misunderstanding of how to properly use cryptography in Android development. “ ”

82. effective security hardcoded passphrases manually seeded SecureRandom insufficient key generation

    iterations hardcoded salts non-random initialization vectors

83. security testing Static analysis Manual code review design review Analysis

    Static Dynamic Penetration testing

84. suggested reading Android Security Cookbook
 Keith Makan / Scott Alexander-Bown

    (9781782167167) Android Security Internals 
 Nikolay Elenkov (9781593275815) Android Hacker’s Handbook
 Joshua J. Drake et al. (9781118608647) Application Security for the Android platform
 Jeff Six (9781449315078) 


85. suggested reading developer.android.com
 https://developer.android.com/training/articles/security-tips.html 
 https://source.android.com/devices/tech/security/ OWASP
 https://www.owasp.org/index.php/OWASP_Mobile_Security_Project Google+ community

    
 Android security discussions Blogs
 http://nelenkov.blogspot.com.tr/…


86. Filip maelbrancke TWITTER: @fmaelbrancke EMAIL: [email protected] THANK YOU EMAIL: [email protected]

    consultant @ AppFoundry