Safety first

Best practices in app security presentation held at the 360AnDev conference in Denver, CO

Ana Baotić

July 28, 2016

Transcript

  1. Safety first
    Best practices in app security
    ANA BAOTIĆ
    TECHNICAL MANAGER, MOBILE BANKING @ INFINUM

    @ABAOTIC

  2. We're an independent
    design & development
    agency.

  3. (image-only slide)

  4. HOW TO INCREASE SECURITY

  5. BUILD INTEGRITY

  6. ADD A RELEASE KEYSTORE TO YOUR
    PROJECT

  7. KEYSTORE
    Can be used for ALL build types
    You should NEVER lose it
    No one should EVER acquire it

  8. KEEP IT SECRET, KEEP IT SAFE

  9. signingConfigs {
         release {
             storeFile file("myapp.keystore")
             storePassword "password123"
             keyAlias "keyAlias"
             keyPassword "password789"
         }
     }
     DO NOT!

  10. ONE ALTERNATIVE
    local.properties
    KEYSTORE_PASSWORD=password123
    KEY_PASSWORD=password789

  11. try {
          // KEYSTORE_PASSWORD and KEY_PASSWORD come from local.properties (slide 10),
          // not from the build script; a missing property ends up in the catch below.
          storeFile file("myapp.keystore")
          storePassword KEYSTORE_PASSWORD
          keyAlias "keyAlias"
          keyPassword KEY_PASSWORD
      } catch (ex) {
          throw new InvalidUserDataException("…")
      }

  12. ENABLE OBFUSCATION

  13. release {
          minifyEnabled true
          proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
          signingConfig signingConfigs.release
      }
      PROGUARD

  14. DOWNSIDES
    Disliked*

    Builds fail
    Staging vs Production

  15. OTHER OPTIONS
    DexGuard
    DexProtector

  16. (image-only slide)

  17. public abstract class e {
          private int a = -1;
          private String b = null;
          protected boolean k = false;

          public abstract void a(Intent var1);

          protected final void a(String var1) {
              this.b = var1;
          }

          public final void c() {
              this.a = -1;
              this.b = null;
          }

          public final boolean d() {
              return this.k;
          }
      }

  18. WILL THIS KEEP
    THE APK SAFE?

  19. (image-only slide)

  20. ADD TAMPERING DETECTION

  21. Verify signing certificate at runtime
      Verify the installer
      // getInstallerPackageName() returns null for sideloaded apps, so guard before startsWith()
      String installer = context.getPackageManager()
              .getInstallerPackageName(context.getPackageName());
      boolean fromPlayStore = installer != null && installer.startsWith("com.android.vending");
      Check if app is debuggable (or run on emulator)

  22. DATA PRIVACY

  23. MY PRECIOUS

  24. WAYS TO STORE (AND RETRIEVE) DATA
    Internal storage
    External storage
    Content providers*

  25. INTERNAL STORAGE
    Is (generally) sufficiently safe
    Private to your app

  26. SHARED PREFERENCES
    Useful for primitive key-value based data

  27. EXTERNAL STORAGE
    Globally readable and writable

  28. CONTENT PROVIDERS
    Structured storage mechanism
    Can be exported (accessed by other apps)

  29. <provider
          android:name="com.example.android.datasync.provider.StubProvider"
          android:authorities="com.example.android.datasync.provider"
          android:exported="false"/>

      android:protectionLevel="signature"

  30.                     private   readable   safe
      Internal storage    yes       yes        yes
      External storage    no        yes        no
      Content providers   depends   yes        yes
      Shared prefs.       yes       yes        yes

  31. SO EVERYTHING
    IS FINE?

  32. NOPE.

  33. (image-only slide)

  34. USE LIBRARIES
    Bouncy Castle
    Spongy Castle
    Keyczar
    AeroGear Crypto
    Conceal

  35. ENCRYPT USING A PIN/PASSWORD

  36. BCRYPT
    Slow

    Key derivation function

    Cost of hash function → work factor

  37. CAN DATA REMAIN
    PRIVATE?

  38. Rooting your device allows access
    Not encrypting allows (mis)use

  39. NETWORK SECURITY

  40. (image-only slide)

  41. HTTP

  42. HTTPS

  43. MAN IN THE MIDDLE

  44. (image-only slide)

  45. CERTIFICATE PINNING
    Defines which CAs are trusted
    Reduces effectiveness of the attack

  46. OkHttpClient client = okhttpbuilder
              // pinClientCertificate / pinServerCertificates are helper methods on the slide, not OkHttp's own API
              .pinClientCertificate(resources, R.raw.client_cert, "pass".toCharArray(), "PKCS12")
              .pinServerCertificates(resources, R.raw.server_cert, "pass".toCharArray(), "BKS")
              .build();
      return new OkClient(client);

  47. WHAT IF (WHEN)
    THE CERTIFICATES
    CHANGE?

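
      The same pinning step with OkHttp 3's built-in CertificatePinner instead of the helper wrapper on slide 46, as an added example (not the deck's code); the host name, class name and pin values are placeholders. Registering a second pin for the key you will rotate to is what answers slide 47: the certificate can change without the app breaking.

```java
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class PinnedClient {
    // Placeholders, not real values: "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)).
    // Pinning the public key (not the certificate) survives a renewal that keeps the same key.
    private static final String CURRENT_PIN = "sha256/REPLACE_WITH_CURRENT_SPKI_HASH=";
    private static final String BACKUP_PIN  = "sha256/REPLACE_WITH_BACKUP_SPKI_HASH=";

    /** Client that refuses any TLS chain for api.example.com not containing one of the pinned keys. */
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add("api.example.com", CURRENT_PIN)
                .add("api.example.com", BACKUP_PIN)   // a handshake passes if ANY listed pin matches
                .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }
}
```

      On a mismatch OkHttp throws SSLPeerUnverifiedException whose message lists the pins it actually saw, which is the easiest way to diagnose a rotation that the app was not prepared for.
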
  48. INFORM YOUR USERS
    Implement a mechanism for notifying
    users (GCM) and forcing updates

  49. PLAN AHEAD
    Check server security’s impact on devices
    https://www.ssllabs.com/

  50. (image-only slide)

  51. USE THE PLATFORM TO YOUR
    ADVANTAGE

  52. android:usesCleartextTraffic="false"
      ANDROID M
      StrictMode.setVmPolicy(
              new StrictMode.VmPolicy.Builder()
                      .detectCleartextNetwork()
                      .penaltyLog()
                      .build());

  53. FINGERPRINTS

  54. APP LINKING
      https://domain[:opt_port]/.well-known/assetlinks.json
      [{
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {
          "namespace": "android_app",
          "package_name": "com.example",
          "sha256_cert_fingerprints": ["14:6D:E9:...44:E5"]
        }
      }]

  55. ANDROID N
    Network Security Configuration feature

  56. ... >
      ...
      ADD A SECURITY CONFIG FILE

  57. example.com
      7HIpa...BCoQYcRhJ3Y=
      fwza0...gO/04cDM1oE=
      CONFIGURE IT
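
      An added example of the res/xml/network_security_config.xml that slides 56 and 57 sketch (not the deck's file; the host, the expiry date and both pin values are placeholders). It ties together the deck's three network points: no cleartext by default, public-key pins with a backup, and a debug-only trust override that release builds ignore.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest as
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>
    <!-- Default for every host not listed below: no cleartext, system CAs only. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <!-- Pins are base64 SHA-256 of the SubjectPublicKeyInfo, so a renewal that keeps the
             same key still validates. Two placeholder pins: the current key and the backup key
             you will rotate to. After the expiration date pins are no longer enforced, which
             caps the damage if an update is missed (slide 47). -->
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">PLACEHOLDER_CURRENT_KEY_PIN_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_KEY_PIN_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Applies only when android:debuggable="true"; release builds never honour it. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```
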

  58. INCLUDE YOUR CLIENTS IN THE
    PROCESS
    Keep them up-to-date
    Help them understand risks and advise them
    Insist on updates and security patches

  59. THINGS TO REMEMBER
    Use internal storage if applicable
    Encrypt data
    Use HTTPS
    Pin certificates
    Be aware of the update cycle

  60. ANDROID IS
    NOT SECURE

    View Slide

  61. BUT YOU CAN MAKE IT LESS EASY TO ABUSE

    View Slide

  62. REFERENCES
      • Gradle configuration
      • http://developer.android.com/guide/topics/data/data-storage.html#db
      • https://codahale.com/how-to-safely-store-a-password/
      • http://www.developereconomics.com/android-cryptography-tools-for-beginners/
      • https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app

  63. REFERENCES
      • https://www.ssllabs.com/
      • http://developer.android.com/preview/features/security-config.html
      • https://www.ionic.com/mitm-attacks-ssl-pinning-what-is-it-and-why-you-should-care/

  64. REFERENCES
      • Android fingerprint security
      • Infinum security articles
      • Infinum Android newsletter
      • Keeping secrets in a Vault

  65. Thank you!
      Visit www.infinum.co or find us on social networks:
      infinum.co infinumco infinumco infinum
      @ABAOTIC