Safety first

Transcript

1. Safety first Best practices in app security ANA BAOTIĆ TECHNICAL

   MANAGER, MOBILE BANKING @ INFINUM
 @ABAOTIC

2. We're an independent design & development agency.

3. None

4. HOW TO INCREASE SECURITY

5. BUILD INTEGRITY

6. ADD A RELEASE KEYSTORE TO YOUR PROJECT

7. KEYSTORE Can be used for ALL build types You should

   NEVER lose it No one should EVER acquire it

8. KEEP IT SECRET, KEEP IT SAFE

9. signingConfigs { release { storeFile file("myapp.keystore") storePassword "password123" keyAlias "keyAlias"

   keyPassword "password789" } } DO NOT!

10. ONE ALTERNATIVE local.properties KEYSTORE_PASSWORD=password123 KEY_PASSWORD=password789

11. try { storeFile file("myapp.keystore") storePassword KEYSTORE_PASSWORD keyAlias "keyAlias" keyPassword KEY_PASSWORD

    } catch (ex) { throw new InvalidUserDataException(“…”) }

12. ENABLE OBFUSCATION

13. release { 
 minifyEnabled true proguardFiles getDefaultProguardFile( 'proguard-android.txt'), ‘proguard-rules.txt' 


    signingConfig signingConfigs.release
 } PROGUARD

14. DOWNSIDES Disliked*
 Builds fail Staging vs Production

15. OTHER OPTIONS DexGuard DexProtector

16. None

17. public abstract class e {
 private int a = -1;


    private String b = null;
 protected boolean k = false;
 
 public abstract void a(Intent var1);
 
 protected final void a(String var1) {
 this.b = var1;
 }
 public final void c() {
 this.a = -1;
 this.b = null;
 }
 public final boolean d() {
 return this.k;
 }
 }

18. WILL THIS KEEP THE APK SAFE?

19. None

20. ADD TAMPERING DETECTION

21. Verify signing certificate at runtime Verify the installer context.getPackageManager() .getInstallerPackageName(context.getPackageName())

    .startsWith("com.android.vending") Check if app is debuggable (or run on emulator)

22. DATA PRIVACY

23. MY PRECIOUS

24. WAYS TO STORE (AND RETRIEVE) DATA Internal storage External storage

    Content providers*

25. INTERNAL STORAGE Is (generally) sufficiently safe Private to your app

26. SHARED PREFERENCES Useful for primitive key-value based data

27. EXTERNAL STORAGE Globally readable and writable

28. CONTENT PROVIDERS Structured storage mechanism Can be exported (accessed by

    other apps)

29. <provider android:name="com.example.android.datasync.provider.StubProvider" android:authorities="com.example.android.datasync.provider" android:exported=“false"/> android:protectionLevel="signature"

30. private readable safe Internal storage yes yes yes External storage

    no yes no Content providers depends yes yes Shared prefs. yes yes yes

31. SO EVERYTHING IS FINE?

32. NOPE.

33. None

34. USE LIBRARIES Bouncy Castle Spongy Castle Keyczar AeroGear Crypto Conceal

35. ENCRYPT USING A PIN/PASSWORD

36. BCRYPT Slow
 Key derivation function
 Cost of hash function →

    work factor

37. CAN DATA REMAIN PRIVATE?

38. Rooting your device allows access Not encrypting allows (mis)use

39. NETWORK SECURITY

40. None

41. HTTP

42. HTTPS

43. MAN IN THE MIDDLE

44. None

45. CERTIFICATE PINNING Defines which CAs are trusted Reduces effectiveness of

    the attack

46. okhttpbuilder
 .pinClientCertificate(resources, R.raw.client_cert, "pass".toCharArray(), “PKCS12”) .pinServerCertificates(resources, 
 R.raw.server_cert, "pass".toCharArray(), "BKS")


    .build(); return new OkClient(client);


47. WHAT IF (WHEN) THE CERTIFICATES CHANGE?

48. INFORM YOUR USERS Implement a mechanism for notifying users (GCM)

    and forcing updates

49. PLAN AHEAD Check server security’s impact on devices https://www.ssllabs.com/

50. None

51. USE THE PLATFORM TO YOUR ADVANTAGE

52. android:usesCleartextTraffic="false" ANDROID M StrictMode.setVmPolicy( new StrictMode.VmPolicy.Builder() .detectCleartextNetwork() .penaltyLog().build());

53. FINGERPRINTS

54. APP LINKING HTTPS://DOMAIN[:OPT_PORT]/.WELL-KNOWN/ASSETLINKS.JSON [{ "relation": ["delegate_permission/common.handle_all_urls"], "target": { "namespace": "android_app",

    "package_name": "com.example", "sha256_cert_fingerprints": ["14:6D:E9:...44:E5"] } }]

55. ANDROID N Network Security Configuration feature

56. <?xml version="1.0" encoding="utf-8"?> <manifest ... > <application android:networkSecurityConfig=" @xml/network_security_config" ...

    > ... </application> </manifest> ADD A SECURITY CONFIG FILE

57. <?xml version="1.0" encoding="utf-8"?> <network-security-config>
 <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">example.com</domain> 
 <trust-anchors>

    <certificates src="@raw/my_ca"/> </trust-anchors> <pin-set expiration="2018-01-01"> <pin digest="SHA-256">7HIpa...BCoQYcRhJ3Y=</pin> <!-- backup pin --> <pin digest="SHA-256">fwza0...gO/04cDM1oE=</pin> </pin-set> </domain-config> </network-security-config> CONFIGURE IT

58. INCLUDE YOUR CLIENTS IN THE PROCESS Keep them up-to-date Help

    them understand risks and advise them Insist on updates and security patches

59. THINGS TO REMEMBER Use internal storage if applicable Encrypt data

    Use HTTPS Pin certificates Be aware of the update cycle

60. ANDROID IS NOT SECURE

61. BUT YOU CAN MAKE IT LESS EASY TO ABUSE

62. REFERENCES • Gradle configuration • http://developer.android.com/guide/topics/data/data- storage.html#db • https://codahale.com/how-to-safely-store-a-password/ •

    http://www.developereconomics.com/android- cryptography-tools-for-beginners/ • https://www.airpair.com/android/posts/adding- tampering-detection-to-your-android-app

63. REFERENCES • https://www.ssllabs.com/ • http://developer.android.com/preview/features/security- config.html • https://www.ionic.com/mitm-attacks-ssl-pinning-what- is-it-and-why-you-should-care/

64. REFERENCES • Android fingeprint security • Infinum security articles •

    Infinum Android newsletter • Keeping secrets in a Vault

65. Thank you! Visit www.infinum.co or find us on social networks:

    infinum.co infinumco infinumco infinum [email protected] @ABAOTIC