Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Safety first
Search
Ana Baotić
July 28, 2016
Programming
10
11k
Safety first
Best practices in app security presentation held at the 360AnDev conference in Denver, CO
Ana Baotić
July 28, 2016
Tweet
Share
More Decks by Ana Baotić
See All by Ana Baotić
Inhibiting the impostor
abaotic
2
310
Sign here, please!
abaotic
1
110
Sign here, please!
abaotic
0
160
Break your app before someone else does
abaotic
1
560
Other Decks in Programming
See All in Programming
NixOS + Kubernetesで構築する自宅サーバーのすべて
ichi_h3
0
710
いま中途半端なSwift 6対応をするより、Default ActorやApproachable Concurrencyを有効にしてからでいいんじゃない?
yimajo
2
410
Foundation Modelsを実装日本語学習アプリを作ってみた!
hypebeans
0
110
なぜあの開発者はDevRelに伴走し続けるのか / Why Does That Developer Keep Running Alongside DevRel?
nrslib
3
400
TFLintカスタムプラグインで始める Terraformコード品質管理
bells17
2
160
大規模アプリのDIフレームワーク刷新戦略 ~過去最大規模の並行開発を止めずにアプリ全体に導入するまで~
mot_techtalk
1
440
Range on Rails ―「多重範囲型」という新たな選択肢が、複雑ロジックを劇的にシンプルにしたワケ
rizap_tech
0
120
開発生産性を上げるための生成AI活用術
starfish719
3
630
タスクの特性や不確実性に応じた最適な作業スタイルの選択(ペアプロ・モブプロ・ソロプロ)と実践 / Optimal Work Style Selection: Pair, Mob, or Solo Programming.
honyanya
3
160
アメ車でサンノゼを走ってきたよ!
s_shimotori
0
220
Django Ninja による API 開発効率化とリプレースの実践
kashewnuts
0
1.3k
理論と実務のギャップを超える
eycjur
0
130
Featured
See All Featured
Site-Speed That Sticks
csswizardry
11
900
Done Done
chrislema
185
16k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Rails Girls Zürich Keynote
gr2m
95
14k
Building Flexible Design Systems
yeseniaperezcruz
329
39k
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
Building Better People: How to give real-time feedback that sticks.
wjessup
369
20k
Testing 201, or: Great Expectations
jmmastey
45
7.7k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
9
590
A designer walks into a library…
pauljervisheath
209
24k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
870
Mobile First: as difficult as doing things right
swwweet
224
10k
Transcript
Safety first Best practices in app security ANA BAOTIĆ TECHNICAL
MANAGER, MOBILE BANKING @ INFINUM @ABAOTIC
We're an independent design & development agency.
None
HOW TO INCREASE SECURITY
BUILD INTEGRITY
ADD A RELEASE KEYSTORE TO YOUR PROJECT
KEYSTORE Can be used for ALL build types You should
NEVER lose it No one should EVER acquire it
KEEP IT SECRET, KEEP IT SAFE
signingConfigs { release { storeFile file("myapp.keystore") storePassword "password123" keyAlias "keyAlias"
keyPassword "password789" } } DO NOT!
ONE ALTERNATIVE local.properties KEYSTORE_PASSWORD=password123 KEY_PASSWORD=password789
try { storeFile file("myapp.keystore") storePassword KEYSTORE_PASSWORD keyAlias "keyAlias" keyPassword KEY_PASSWORD
} catch (ex) { throw new InvalidUserDataException(“…”) }
ENABLE OBFUSCATION
release { minifyEnabled true proguardFiles getDefaultProguardFile( 'proguard-android.txt'), ‘proguard-rules.txt'
signingConfig signingConfigs.release } PROGUARD
DOWNSIDES Disliked* Builds fail Staging vs Production
OTHER OPTIONS DexGuard DexProtector
None
public abstract class e { private int a = -1;
private String b = null; protected boolean k = false; public abstract void a(Intent var1); protected final void a(String var1) { this.b = var1; } public final void c() { this.a = -1; this.b = null; } public final boolean d() { return this.k; } }
WILL THIS KEEP THE APK SAFE?
None
ADD TAMPERING DETECTION
Verify signing certificate at runtime Verify the installer context.getPackageManager() .getInstallerPackageName(context.getPackageName())
.startsWith("com.android.vending") Check if app is debuggable (or run on emulator)
DATA PRIVACY
MY PRECIOUS
WAYS TO STORE (AND RETRIEVE) DATA Internal storage External storage
Content providers*
INTERNAL STORAGE Is (generally) sufficiently safe Private to your app
SHARED PREFERENCES Useful for primitive key-value based data
EXTERNAL STORAGE Globally readable and writable
CONTENT PROVIDERS Structured storage mechanism Can be exported (accessed by
other apps)
<provider android:name="com.example.android.datasync.provider.StubProvider" android:authorities="com.example.android.datasync.provider" android:exported=“false"/> android:protectionLevel="signature"
private readable safe Internal storage yes yes yes External storage
no yes no Content providers depends yes yes Shared prefs. yes yes yes
SO EVERYTHING IS FINE?
NOPE.
None
USE LIBRARIES Bouncy Castle Spongy Castle Keyczar AeroGear Crypto Conceal
ENCRYPT USING A PIN/PASSWORD
BCRYPT Slow Key derivation function Cost of hash function →
work factor
CAN DATA REMAIN PRIVATE?
Rooting your device allows access Not encrypting allows (mis)use
NETWORK SECURITY
None
HTTP
HTTPS
MAN IN THE MIDDLE
None
CERTIFICATE PINNING Defines which CAs are trusted Reduces effectiveness of
the attack
okhttpbuilder .pinClientCertificate(resources, R.raw.client_cert, "pass".toCharArray(), “PKCS12”) .pinServerCertificates(resources, R.raw.server_cert, "pass".toCharArray(), "BKS")
.build(); return new OkClient(client);
WHAT IF (WHEN) THE CERTIFICATES CHANGE?
INFORM YOUR USERS Implement a mechanism for notifying users (GCM)
and forcing updates
PLAN AHEAD Check server security’s impact on devices https://www.ssllabs.com/
None
USE THE PLATFORM TO YOUR ADVANTAGE
android:usesCleartextTraffic="false" ANDROID M StrictMode.setVmPolicy( new StrictMode.VmPolicy.Builder() .detectCleartextNetwork() .penaltyLog().build());
FINGERPRINTS
APP LINKING HTTPS://DOMAIN[:OPT_PORT]/.WELL-KNOWN/ASSETLINKS.JSON [{ "relation": ["delegate_permission/common.handle_all_urls"], "target": { "namespace": "android_app",
"package_name": "com.example", "sha256_cert_fingerprints": ["14:6D:E9:...44:E5"] } }]
ANDROID N Network Security Configuration feature
<?xml version="1.0" encoding="utf-8"?> <manifest ... > <application android:networkSecurityConfig=" @xml/network_security_config" ...
> ... </application> </manifest> ADD A SECURITY CONFIG FILE
<?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">example.com</domain> <trust-anchors>
<certificates src="@raw/my_ca"/> </trust-anchors> <pin-set expiration="2018-01-01"> <pin digest="SHA-256">7HIpa...BCoQYcRhJ3Y=</pin> <!-- backup pin --> <pin digest="SHA-256">fwza0...gO/04cDM1oE=</pin> </pin-set> </domain-config> </network-security-config> CONFIGURE IT
INCLUDE YOUR CLIENTS IN THE PROCESS Keep them up-to-date Help
them understand risks and advise them Insist on updates and security patches
THINGS TO REMEMBER Use internal storage if applicable Encrypt data
Use HTTPS Pin certificates Be aware of the update cycle
ANDROID IS NOT SECURE
BUT YOU CAN MAKE IT LESS EASY TO ABUSE
REFERENCES • Gradle configuration • http://developer.android.com/guide/topics/data/data- storage.html#db • https://codahale.com/how-to-safely-store-a-password/ •
http://www.developereconomics.com/android- cryptography-tools-for-beginners/ • https://www.airpair.com/android/posts/adding- tampering-detection-to-your-android-app
REFERENCES • https://www.ssllabs.com/ • http://developer.android.com/preview/features/security- config.html • https://www.ionic.com/mitm-attacks-ssl-pinning-what- is-it-and-why-you-should-care/
REFERENCES • Android fingeprint security • Infinum security articles •
Infinum Android newsletter • Keeping secrets in a Vault
Thank you! Visit www.infinum.co or find us on social networks:
infinum.co infinumco infinumco infinum
[email protected]
@ABAOTIC