Safety first

Best practices in app security. Presentation held at the 360AnDev conference in Denver, CO.

Ana Baotić

July 28, 2016

Transcript

  1. Safety first
    Best practices in app security
    ANA BAOTIĆ
    TECHNICAL MANAGER, MOBILE BANKING @ INFINUM

    @ABAOTIC

  2. We're an independent
    design & development
    agency.

  3. HOW TO INCREASE SECURITY

  4. BUILD INTEGRITY

  5. ADD A RELEASE KEYSTORE TO YOUR
    PROJECT

  6. KEYSTORE
    Can be used for ALL build types
    You should NEVER lose it
    No one should EVER acquire it

  7. KEEP IT SECRET, KEEP IT SAFE

  8. signingConfigs {
        release {
            storeFile file("myapp.keystore")
            storePassword "password123"
            keyAlias "keyAlias"
            keyPassword "password789"
        }
    }
    DO NOT!

  9. ONE ALTERNATIVE
    local.properties
    KEYSTORE_PASSWORD=password123
    KEY_PASSWORD=password789

  10. Properties props = new Properties()
    props.load(rootProject.file("local.properties").newDataInputStream())
    props.each { key, value -> project.ext.set(key, value) }  // exposes KEYSTORE_PASSWORD and KEY_PASSWORD from slide 9

    try {
        storeFile file("myapp.keystore")
        storePassword KEYSTORE_PASSWORD
        keyAlias "keyAlias"
        keyPassword KEY_PASSWORD
    } catch (ex) {
        throw new InvalidUserDataException("…")   // a property missing from local.properties ends up here
    }

  11. ENABLE OBFUSCATION

  12. release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
        signingConfig signingConfigs.release
    }
    PROGUARD

  13. DOWNSIDES
    Disliked*
    Builds fail
    Staging vs Production

  14. OTHER OPTIONS
    DexGuard
    DexProtector

  15. public abstract class e {
        private int a = -1;
        private String b = null;
        protected boolean k = false;

        public abstract void a(Intent var1);

        protected final void a(String var1) {
            this.b = var1;
        }

        public final void c() {
            this.a = -1;
            this.b = null;
        }

        public final boolean d() {
            return this.k;
        }
    }

  16. WILL THIS KEEP
    THE APK SAFE?

  17. ADD TAMPERING DETECTION

  18. Verify signing certificate at runtime
    Verify the installer
        context.getPackageManager()
            .getInstallerPackageName(context.getPackageName())
            .startsWith("com.android.vending")
    Check if app is debuggable (or run on emulator)
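The three checks on this slide collected in one Android class, as an added example rather than code from the deck. EXPECTED_CERT_SHA256 is a placeholder for your own release certificate hash, and the Build heuristics for emulators are an assumption about common emulator images.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;

/** Runtime tampering checks for the slide's three points (added example, not the deck's code). */
public final class TamperChecks {

    // Hypothetical placeholder: the hex SHA-256 of the release signing certificate,
    // as printed by `keytool -list -v -keystore myapp.keystore`.
    private static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256";

    /** True only if every signer certificate equals the expected release certificate. */
    public static boolean isSignatureValid(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) return false;
            for (Signature sig : info.signatures) {
                if (!EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // any failure counts as "not verified"
        }
    }

    /** True if the installer is Google Play, as on the slide; null means sideloaded or adb. */
    public static boolean isInstalledFromPlay(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return installer != null && installer.startsWith("com.android.vending");
    }

    /** True if the build is debuggable or the device looks like an emulator (assumed heuristics). */
    public static boolean isDebuggableOrEmulator(Context ctx) {
        boolean debuggable = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        boolean emulator = Build.FINGERPRINT.startsWith("generic") || Build.MODEL.contains("Emulator");
        return debuggable || emulator;
    }

    private static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

A repackaged APK can have these checks patched out, so treat a failed check as a signal to degrade or refuse service, not as proof that the app is intact.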

  19. DATA PRIVACY

  20. WAYS TO STORE (AND RETRIEVE) DATA
    Internal storage
    External storage
    Content providers*

  21. INTERNAL STORAGE
    Is (generally) sufficiently safe
    Private to your app

  22. SHARED PREFERENCES
    Useful for primitive key-value based data

  23. EXTERNAL STORAGE
    Globally readable and writable

  24. CONTENT PROVIDERS
    Structured storage mechanism
    Can be exported (accessed by other apps)

  25. <provider
        android:name="com.example.android.datasync.provider.StubProvider"
        android:authorities="com.example.android.datasync.provider"
        android:exported="false"/>
    android:protectionLevel="signature"

  26.                    private   readable   safe
    Internal storage     yes       yes        yes
    External storage     no        yes        no
    Content providers    depends   yes        yes
    Shared prefs.        yes       yes        yes

  27. SO EVERYTHING
    IS FINE?

  28. USE LIBRARIES
    Bouncy Castle
    Spongy Castle
    Keyczar
    AeroGear Crypto
    Conceal

  29. ENCRYPT USING A PIN/PASSWORD

  30. BCRYPT
    Slow
    Key derivation function
    Cost of hash function → work factor

  31. CAN DATA REMAIN
    PRIVATE?

  32. Rooting your device allows access
    Not encrypting allows (mis)use

  33. NETWORK SECURITY

  34. MAN IN THE MIDDLE

  35. CERTIFICATE PINNING
    Defines which CAs are trusted
    Reduces effectiveness of the attack

  36. okhttpbuilder
        .pinClientCertificate(resources, R.raw.client_cert, "pass".toCharArray(), "PKCS12")
        .pinServerCertificates(resources, R.raw.server_cert, "pass".toCharArray(), "BKS")
        .build();
    return new OkClient(client);

  37. WHAT IF (WHEN)
    THE CERTIFICATES
    CHANGE?

  38. INFORM YOUR USERS
    Implement a mechanism for notifying
    users (GCM) and forcing updates

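What a pinning setup that survives a planned certificate change looks like with OkHttp 3's own CertificatePinner API, as an added example for slides 35 to 38; it is not the deck's pinClientCertificate helper, and the host name and pin strings are placeholders.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Pinning with a backup pin so a planned certificate change does not lock users out (added example). */
public final class PinnedClient {

    // Hypothetical placeholder pins: OkHttp expects "sha256/" + base64(SHA-256 of the
    // certificate's SubjectPublicKeyInfo), the same value the Network Security Config uses.
    private static final String CURRENT_PIN = "sha256/REPLACE_WITH_CURRENT_SPKI_HASH=";
    private static final String BACKUP_PIN  = "sha256/REPLACE_WITH_NEXT_SPKI_HASH=";

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Pin the live key and the key that will replace it, so rotation becomes a
                // server-side switch rather than an emergency forced update.
                .add("example.com", CURRENT_PIN)
                .add("example.com", BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    /** Returns the body, or null when the server's chain matches no pin (the "certificates changed" case). */
    public static String fetch(OkHttpClient client, String url) throws IOException {
        try (Response response = client.newCall(new Request.Builder().url(url).build()).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch: either interception or an unplanned certificate change.
            // This is the moment to show the "please update" message the slide talks about.
            return null;
        }
    }
}
```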

  39. PLAN AHEAD
    Check server security’s impact on devices
    https://www.ssllabs.com/

  40. USE THE PLATFORM TO YOUR
    ADVANTAGE

  41. ANDROID M
    android:usesCleartextTraffic="false"

    StrictMode.setVmPolicy(
        new StrictMode.VmPolicy.Builder()
            .detectCleartextNetwork()
            .penaltyLog()
            .build());

  42. FINGERPRINTS

  43. APP LINKING
    HTTPS://DOMAIN[:OPT_PORT]/.WELL-KNOWN/ASSETLINKS.JSON
    [{
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example",
            "sha256_cert_fingerprints": ["14:6D:E9:...44:E5"]
        }
    }]

  44. ANDROID N
    Network Security Configuration feature

  45. ... >
    ...
    ADD A SECURITY CONFIG FILE

  46. <network-security-config>
        <domain-config>
            <domain>example.com</domain>
            <pin-set>
                <pin digest="SHA-256">7HIpa...BCoQYcRhJ3Y=</pin>
                <pin digest="SHA-256">fwza0...gO/04cDM1oE=</pin>
            </pin-set>
        </domain-config>
    </network-security-config>
    CONFIGURE IT

  47. INCLUDE YOUR CLIENTS IN THE
    PROCESS
    Keep them up-to-date
    Help them understand risks and advise them
    Insist on updates and security patches

  48. THINGS TO REMEMBER
    Use internal storage if applicable
    Encrypt data
    Use HTTPS
    Pin certificates
    Be aware of the update cycle

  49. ANDROID IS
    NOT SECURE

  50. BUT YOU CAN MAKE IT LESS EASY TO ABUSE

  51. REFERENCES
    • Gradle configuration
    • http://developer.android.com/guide/topics/data/data-storage.html#db
    • https://codahale.com/how-to-safely-store-a-password/
    • http://www.developereconomics.com/android-cryptography-tools-for-beginners/
    • https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app

  52. REFERENCES
    • https://www.ssllabs.com/
    • http://developer.android.com/preview/features/security-config.html
    • https://www.ionic.com/mitm-attacks-ssl-pinning-what-is-it-and-why-you-should-care/

  53. REFERENCES
    • Android fingerprint security
    • Infinum security articles
    • Infinum Android newsletter
    • Keeping secrets in a Vault

  54. Thank you!
    Visit www.infinum.co or find us on social networks:
    infinum.co infinumco infinumco infinum
    [email protected]
    @ABAOTIC