Android Security ࠷લઢʂ Naoki Yano

໼໺ ௚ً Ϡϑʔגࣜձࣾ GYAOגࣜձࣾ Android Framework / Application / CTS / Driver Engineer Androidྺ 3೥ ؔ౦ྺ 2೥

Android Security ࠷લઢʁʁ Android Nougat ʹ͸ɺ SecurityपΓͷΞοϓσʔτ͕͍ͬͺ͍ʂʂ ɾUsing Scoped Directory Access ɾDirect Boot ɾNetwork Security Config ɾKey Attestation ɾAPK Signature Scheme v2 ͍ͭͰ΋࢖͑ΔΑ͏ʹ ४උ͓ͯ͘͜͠ͱ͕େࣄʂʂ

Android N Security Using Scoped Directory Access Direct Boot Network Security Config Key Attestation APK Signature Scheme v2

Using Scoped Directory Access Android 6.0 Ҏલɿ ɹɹManifestʹPermissionΛఆٛ + PermissionRequest ɹɹ֎෦ετϨʔδશͯ΁ͷΞΫηεΛڐՄɻ APP/FW Dir root Dir A Dir B Dir C Request Permit

Using Scoped Directory Access Android 7.0ɿ ɹɹΞΫηε͍ͨ͠σΟϨΫτϦͷStorageVolumeΛ࡞੒͠ɺRequestΛ౤͛Δɻ ɹɹಛఆͷσΟϨΫτϦ΁ͷΞΫηεͷΈڐՄ͢Δɻ APP/FW Dir root Dir A Dir B Dir C Request Permit

Using Scoped Directory Access ৽نAPI ɾStorageVolume - ಛఆͷϢʔβʔͷڞ༗/֎෦ετϨʔδϘϦϡʔϜʹؔ͢Δ৘ใɻ - createAccessIntent() - ϢʔβʔͷঝೝΛಘͨޙɺඪ४ͷετϨʔδσΟϨΫτϦ·ͨ͸ϘϦϡʔϜશମ ΁ͷΞΫηεΛ༩͑ΔͨΊͷΠϯςϯτΛ࡞੒͢Δɻ - getState() - ετϨʔδϘϦϡʔϜͷঢ়ଶΛऔಘ͢Δɻ

Using Scoped Directory Access ৽نAPI ɾStorageManager ඞཁͳStorageVolumeΛऔಘ͢Δɻ - getPrimaryStorageVolume() - getStorageVolume(File) - getStorageVolumes()

Using Scoped Directory Access // ΞΫηεݖ͕ඞཁͳstorageVolumeͷऔಘ StorageManager sm = getSystemService(StorageManager.class);
 StorageVolume sv = sm.getPrimaryStorageVolume(); // ϢʔβʔঝೝΛಘΔͨΊͷIntentΛੜ੒
 Intent i = sv.createAccessIntent(Environment.DIRECTORY_MUSIC);
 // IntentΛStartActivityForResultͰ౤͛Δ startActivityForResult(i, REQUEST_CODE);

StorageVolume#createAccessIntent(String) package android.os.storage; public final class StorageVolume implements Parcelable { … public @Nullable Intent createAccessIntent(String directoryName) { if ((isPrimary() && directoryName == null) || (directoryName != null && !Environment.isStandardDirectory(directoryName))) { return null; } final Intent intent = new Intent(ACTION_OPEN_EXTERNAL_DIRECTORY); intent.putExtra(EXTRA_STORAGE_VOLUME, this); intent.putExtra(EXTRA_DIRECTORY_NAME, directoryName); return intent; }

StorageVolume#createAccessIntent(String) package android.os; public class Environment { public static final String[] STANDARD_DIRECTORIES = { DIRECTORY_MUSIC, DIRECTORY_PODCASTS, DIRECTORY_RINGTONES, DIRECTORY_ALARMS, DIRECTORY_NOTIFICATIONS, DIRECTORY_PICTURES, DIRECTORY_MOVIES, DIRECTORY_DOWNLOADS, DIRECTORY_DCIM, DIRECTORY_DOCUMENTS };

OpenExternalDirectoryActivity package com.android.documentsui; public class OpenExternalDirectoryActivity extends Activity { … public void onCreate(Bundle savedInstanceState) { // σΟϨΫτϦ͕ࢦఆ͞Εͯͳ͍৔߹͸ɺrootͷݖݶΛऔಘ String directoryName = intent.getStringExtra(EXTRA_DIRECTORY_NAME ); if (directoryName == null) { directoryName = DIRECTORY_ROOT; } //ύʔϛογϣϯऔಘࡁΈͰͳ͍͔֬ೝ final StorageVolume volume = (StorageVolume) storageVolume; if (getScopedAccessPermissionStatus(getApplicationContext(), getCallingPackage(), volume.getUuid(), directoryName) == PERMISSION_NEVER_ASK) { //Ϣʔβ֬ೝDialogදࣔ final int userId = UserHandle.myUserId(); if (!showFragment(this, userId, volume, directoryName)) { }

Using Scoped Directory Access @Override public void onActivityResult(int requestCode, int resultCode, Intent data) { super.onActivityResult(requestCode, resultCode, data); if (requestCode == REQUEST_CODE && resultCode == Activity.RESULT_OK) { // ̎ճ໨Ҏ߱͸μΠΞϩάΛग़͞ͳ͍Α͏ʹઃఆ getActivity().getContentResolver().takePersistableUriPermission(data.getData(), Intent.FLAG_GRANT_READ_URI_PERMISSION | ɹɹɹɹ Intent.FLAG_GRANT_WRITE_URI_PERMISSION); // read, write // data.getData() ʹΞΫηεݖΛಘͨσΟϨΫτϦͷURI͕ೖ͍ͬͯΔ } }

Using Scoped Directory Access ɾײ૝ ɹɹɾσΟϨΫτϦຖʹΞΫηεڐՄΛඞཁͱ͢Δͷ͸ɺ ɹɹɹ࢖͏ଆͱͯ͠΋҆৺Ͱ͖Δɻ ɹɹɾϓϥΠϚϦετϨʔδͱͦΕҎ֎ͰAPIͷ࢖͍ํ͕ ɹɹɹมΘͬͯ͘ΔͷͰ஫ҙʂ

Direct Boot Android 6.0 Ҏલɿ ɹɹ୺຤͕҉߸Խ͞Ε͍ͯΔ৔߹ɺطଘͷอଘઌ͸ɺ ɹɹϢʔβʔ͕ϩοΫΛղআͨ͠ޙʹ͚ͩ࢖༻Ͱ͖Δɻ APP/FW data/user Boot Unlock user key

Direct Boot APP/FW user Boot Unlock Android 7.0ɿ ɹɹϩοΫղআ͞Ε͍ͯͳ͍ঢ়ଶͰ͸ɺμΠϨΫτϒʔτϞʔυͰಈ࡞͢Δɻ ɹɹ୺຤҉߸ԽετϨʔδʹΞΫηεͰ͖Δɻ user_de hard−backed key user key

Direct Boot ৽نAPI ɾandroid:directBootAware ίϯϙʔωϯτ͕҉߸ԽରԠ͢ΔΑ͏ʹࢦఆ͢Δɻ ɾandroid.intent.action.LOCKED_BOOT_COMPLETED ୺຤҉߸ԽετϨʔδ͕࢖༻Մೳʹͳͬͨ͜ͱΛ௨஌͢Δɻ ɾContext#createDeviceProtectedStorageContext() ୺຤҉߸ԽετϨʔδʹΞΫηε͢ΔͨΊͷContextΛੜ੒͢Δɻ

Direct Boot // ίϯϙʔωϯτ͕҉߸ԽରԠ͢ΔΑ͏ʹFlagΛͨͯΔ

Direct Boot // ProtectedStorage΁ͷอଘ final Context deviceContext = getApplicationContext().createDeviceProtectedStorageContext(); deviceContext.moveSharedPreferencesFrom(context, PREFERENCES_NAME)); SharedPreferences sp = deviceContext .getSharedPreferences(PREFERENCES_NAME, Context.MODE_PRIVATE);

Direct Boot // LOCKED_BOOT_COMPLETEDΛड͚ͯσʔλΛऔಘ͢Δ public void onReceive(Context context, Intent intent) { boolean bootCompleted; String action = intent.getAction(); if (BuildCompat.isAtLeastN()) { bootCompleted = Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action); } else { bootCompleted = Intent.ACTION_BOOT_COMPLETED.equals(action); } if (!bootCompleted) { return; } }

Android 6.0 Ҏલɿ Android 7.0ɿ Direct Boot Android Boot Unlocked Android Boot Unlocked BOOT_COMPLETED LOCKED_BOOT_COMPLETED USER_UNLOCKED BOOT_COMPLETED

Direct Boot ApplicationInfo ai = getApplicationInfo(); Log.i(TAG, “deviceProtectedDataDir: ” + ai.deviceProtectedDataDir); # deviceProtectedDataDir: /data/user_de/0/com.yanokuro.directboot

Direct Boot ɾײ૝ ɹɹɾ୺຤҉߸ԽετϨʔδͰ͸ɺηΩϡϦςΟϨϕϧ͕ ɹɹɹԼ͕ΔͨΊɺԿΛอଘ͢Δ͔ਫ਼͕ࠪඞཁɻ ɹɹɾBOOT_COMPLETE͕ݺ͹ΕΔҐஔ͕มΘͬͨΑɻ

Network Security Config Android 7.0ɿ ΧελϜCAূ໌ॻΛ৴པ͢ΔͨΊͷ҆શͰ؆୯ͳAPIͷఏڙɻ σϑΥϧτͰ͸ɺϢʔβʔ͕௥Ճͨ͠CAΛ৴པ͠ͳ͍ɻ

Network Security Config ɾres/xml/network_security_config Λ࡞੒ ɾmanifestʹ௥ه

Network Security Config

Network Security ConfigɹΧελϜͷূ໌ػؔ example.com

Network Security Configɹূ໌ॻͷఆٛ // ΞϓϦ͕͍࣋ͬͯΔCAূ໌ॻΛ࢖༻ // γεςϜσϑΥϧτͷCAূ໌ॻΛ࢖༻ // Ϣʔβ͕௥Ճͨ͠CAূ໌ॻΛ࢖༻

Network Security Configɹσόοά༻ debuggable=true

Network Security ConfigɹΫϦΞςΩετͷ௨৴Λېࢭ secure.example.com domain>

Network Security Configɹߏ੒ϑΝΠϧ ... ... ...

Network Security ConfigɹAndroid 7.0 default

Network Security ConfigɹAndroid 7.0 ະຬ

Network Security Config ɾײ૝ ɹɹɾઃఆΞϓϦ͔ΒCAೖΕΔඞཁ͕ͳ͘ͳͬͯخ͍͠ɻ ɹɹɾ7.0ΑΓલͰ΋࢖͑Δͱ͍͍ͳɻ

·ͱΊ ͦΕͧΕ஫ҙϙΠϯτ͸͋Δ͕ɺؾΛ͚ͭͯ࢖͑͹ΑΓη ΩϡΞͳΞϓϦ͕࡞Εͦ͏ɻ ֤ػೳͷಈ͖Λ͔ͬ͠Γཧղͯ͠։ൃ͠·͠ΐ͏ɻ

EOF