A guide on making Android apps safe and secured

Adit Lal
November 29, 2023

This talk covers best practices for encryption, integrity and the overall app security lifecycle. It also looks at reducing the attack surface through strong control mechanisms and at building efficient detection of attack tooling such as Frida and traffic interception.

Transcript

  1. Adit Lal
    GDE Android
    A guide on making Android apps safe and secured
    Things every mobile app developer should know

  2. ⚠ MANDATORY LEGAL WARNING ⚠
    Information acquired here is solely for educational purposes:
    - Refrain from testing on unauthorized apps.
    - Seek security advice from knowledgeable sources within your company.
    - This presentation is not affiliated with or endorsed by the OWASP Foundation or my employer.

  3. Why is the security of apps so important?

  4. Why is the security of apps so important?
    "Crafting a reputation is a time-intensive process, yet a mere moment in a cyber incident has the potential to shatter it."

  5. Some terms you should know
    OWASP: The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.
    MASVS: The Mobile Application Security Verification Standard establishes the security requirements against which mobile apps are tested.
    MSTG: The Mobile Security Testing Guide (now the MASTG) is a comprehensive manual that describes technical processes for verifying the controls listed in the MASVS.

  6. How do we check and verify?

  7. MASVS - Mobile Application Security Verification Standard
    Control groups:
    - Architecture, Design and Threat Modeling
    - Data Storage and Privacy
    - Cryptography Requirements
    - Authentication and Session Management
    - Network Communication Requirements
    - Platform Interaction
    - Code Quality and Build Settings

  8. Testing Guide
    To begin, divide the work into 2 categories:
    Static Analysis
    Dynamic Analysis

  9. Testing Guide - Static Analysis
    ● Understand how a binary works without running it
    ● Asset analysis
      ○ Application entry points
      ○ Hard-coded secrets
      ○ External libraries
    ● Code analysis (reverse engineering)
      ○ Recover the logic of the application
      ○ Identify weaknesses (cryptographic protocols, …)
    ● Tools: Jadx, IDA Pro, Ghidra

  10. Testing Guide - Dynamic Analysis
    ● Understand how a binary works by executing it
    ● On a (rooted) phone, observe the app while it runs and probe for exploitable behaviour via
      ○ Data storage (internal and external)
      ○ Logcat output
    ● Traffic analysis
      ○ Man-in-the-middle attack
    ● Code instrumentation
      ○ Method hooking
    ● Tools: debuggers, Frida, EdXposed

  11. Anatomy of Android apps
    Let's recap the anatomy of an APK

  12. Anatomy of Android apps
    source code .java     -> Java compiler   -> Java bytecode .class/.jar -> DEX compiler -> Dalvik bytecode .dex  \
    source code .kt/.kts  -> Kotlin compiler -> Java bytecode .class/.jar -> DEX compiler -> Dalvik bytecode .dex   > application.apk
    source code .c/.cpp   -> C/C++ compiler  -> machine code .so                                                   /

  13. Anatomy of Android apps
    The build output, the Android Application Package (APK), is a ZIP archive: application.apk is really application.zip.

  14. Anatomy of Android apps
    $ unzip -d application application.apk     # application.apk: my input!
    $ ls application/
    AndroidManifest.xml                # entry point [read it first]
    META-INF/                          # APK v1 signature and manifest files
    classes.dex, classes2.dex, ...     # Dalvik bytecode
    lib/                               # native libraries
    assets/                            # read-only data
    ...

  15. Static Analysis

  16. Static Analysis - Manifest
    Usually the first thing a penetration tester checks on an engagement.
    The manifest gives additional information on:
    - Permissions
      - android:protectionLevel attribute
    - Manifest attributes
      - Debuggable
      - CleartextTraffic
      - Network security configuration
      - Backup and restore
    - Exported Android components
      - Intent filters
    Tools: Jadx, JEB, APKTool

  17. Static Analysis - Reverse Engineering
    Software engineering runs the chain forwards:
    Design               Code                        Compilation                    Output
    "square an integer"  int square(int num) {       mov DWORD PTR [rbp-4], edi     89 7d fc 8b 45 fc 0f af c0
                           return num * num;         mov eax, DWORD PTR [rbp-4]
                         }                           imul eax, eax

  18. Static Analysis - Reverse Engineering
    Reverse engineering runs the same chain backwards: from the bytes of the output, recover the assembly, then the code, then the design.

  19. Static Analysis - Reverse Engineering
    Tools: Jadx, JEB, APKTool

  20. Dynamic Analysis

  21. Dynamic Analysis
    Tools: Burp Suite, mitmproxy, HTTP Toolkit / Charles

  22. Dynamic Analysis
    Tools: Charles

  23. Dynamic Analysis - Storage monitoring
    - Observe changes on the file system while using the application:
      - Files created after log-in
      - Passwords/tokens stored in SharedPreferences files
      - Files created/changed on internal storage (/data/data/<package>/…)
      - Files created/changed on external storage (/sdcard/…)
      - Keys created in the Keystore

  24. Dynamic Analysis - Behaviour analysis
    - Observe how the app's behaviour changes across interactions: an application running on a rooted device may behave differently than on a non-rooted device.
    - Observe error information: error output gives away small pieces of information (e.g. login error messages).

  25. Dynamic Analysis - Code Instrumentation
    Frida script hooking android.location.Location; the commented-out lines show how the returned coordinates could be spoofed instead of just logged:

    Java.perform(function () {
        // ----- Location -----
        // https://developer.android.com/reference/android/location/Location
        var location = Java.use('android.location.Location');

        // public double getLatitude()
        var location_getLatitude = location.getLatitude.overload();
        location_getLatitude.implementation = function () {
            var latitude = location_getLatitude.call(this);
            console.log("[+] Location.getLatitude(): " + latitude);
            return latitude;
            // var modified_latitude = -75.09978;
            // return modified_latitude;
        };

        // public double getLongitude()
        var location_getLongitude = location.getLongitude.overload();
        location_getLongitude.implementation = function () {
            var longitude = location_getLongitude.call(this);
            console.log("[+] Location.getLongitude(): " + longitude);
            return longitude;
            // var modified_longitude = -123.332196;
            // return modified_longitude;
        };
    });

  26. Enforce Secure Communication

  27. Enforce secure communication - Show an app chooser
    If an implicit intent can launch at least two possible apps on a user's device, explicitly show an app chooser.
    This interaction strategy allows users to transfer sensitive information only to an app that they trust.

    Intent intent = new Intent(Intent.ACTION_SEND);
    String title = getResources().getString(R.string.chooser_title);
    Intent chooser = Intent.createChooser(intent, title);
    try {
        startActivity(chooser);
    } catch (ActivityNotFoundException e) {
        // Define what your app should do if no activity can handle the intent.
    }

  28. Enforce secure communication - Use Intents for IPC
    To send data to a specific component of an app, create a new Intent and use its setComponent() method to specify both the package name of the app and the name of the component. You can then add data to it using putExtra().

    Intent intent = new Intent();
    // Specify the component name
    intent.setComponent(new ComponentName("my.other.app", "my.other.app.MyActivity"));
    // Add data
    intent.putExtra("DATA", "Hello World!");
    // Send the intent to the activity
    startActivity(intent);

  29. Enforce secure communication - Use Intents for IPC
    To send data to multiple apps at once you can send the intent as a broadcast using sendBroadcast(). Without a permission, any app with a matching receiver can intercept it.
    ● Use a custom permission whose protectionLevel is set to signature: only apps signed with the same key as the app that declares the permission can hold it.
    ● https://developer.android.com/guide/topics/manifest/permission-element#plevel

    <permission
        android:name="my.custom.permission"
        android:protectionLevel="signature" />

    // Create an intent
    Intent intent = new Intent();
    // Add data
    intent.putExtra("DATA", "Hello World");
    // Specify an action name for the receiver's intent-filter
    intent.setAction("my.app.receive");
    // Send as a broadcast using a custom permission
    sendBroadcast(intent, "my.custom.permission");

  30. Enforce secure communication - Network Security
    ● Cleartext traffic is blocked by default for apps targeting Android 9 (API 28) and higher; for older targets set it explicitly in the manifest:
      android:usesCleartextTraffic="false"
    ● Pin certificates in res/xml/network_security_config.xml (referenced from the manifest via android:networkSecurityConfig):

    <network-security-config>
        <domain-config>
            <domain>example.com</domain>
            <pin-set expiration="2018-01-01">
                <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            </pin-set>
        </domain-config>
    </network-security-config>

    Note the expiration attribute: after that date Android stops enforcing the pin-set, so an expired value like the 2018-01-01 above silently disables pinning. Also always include a backup pin for the next key, otherwise a certificate rotation locks every installed client out.
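The checks a reviewer runs over a network_security_config.xml, as an added example (not code from the deck): cleartext allowed, user-installed CAs trusted, a single pin, or an expired pin-set. spki_pin() reproduces the pin format Android expects, base64(SHA-256(SubjectPublicKeyInfo DER)); the byte string fed to it for the backup pin is constructed and not a real key, and both config strings are constructed, the first copying the slide's single expired pin.

```python
"""Audit res/xml/network_security_config.xml for the pitfalls on the slide.
Added example; configs below are constructed. Python 3.7+ (stdlib only)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import date


def spki_pin(spki_der):
    """Value for <pin digest="SHA-256"> given a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def audit_network_security_config(xml_text, today=None):
    """Return a list of findings (empty means nothing flagged). today: ISO date string."""
    today = date.fromisoformat(today) if today else date.today()
    root = ET.fromstring(xml_text)
    findings = []
    for cfg in root.iter():
        if cfg.tag in ("base-config", "domain-config") and cfg.get("cleartextTrafficPermitted") == "true":
            scope = ", ".join(d.text for d in cfg.findall("domain")) or "base-config"
            findings.append("cleartext traffic permitted for %s" % scope)
        # Trusting user-installed CAs lets an interception proxy's CA in on a stock, unrooted device.
        if cfg.tag == "certificates" and cfg.get("src") == "user":
            findings.append("trust-anchors include user-installed CAs")
    for dc in root.findall("domain-config"):
        domains = ", ".join(d.text for d in dc.findall("domain"))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            continue
        pins = [(p.get("digest"), (p.text or "").strip()) for p in pin_set.findall("pin")]
        for digest, _value in pins:
            if digest != "SHA-256":  # the only digest Android accepts
                findings.append("%s: pin digest %r not supported (SHA-256 only)" % (domains, digest))
        if len(pins) < 2:
            findings.append("%s: single pin, no backup pin (a key rotation locks users out)" % domains)
        expiration = pin_set.get("expiration")
        # After the expiration date Android silently stops enforcing the pin-set.
        if expiration and date.fromisoformat(expiration) <= today:
            findings.append("%s: pin-set expired on %s, pinning no longer enforced" % (domains, expiration))
    return findings


# Constructed copy of the slide's configuration: one pin, expiration in 2018.
SLIDE_CONFIG = """<network-security-config>
  <domain-config>
    <domain>example.com</domain>
    <pin-set expiration="2018-01-01">
      <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

# Constructed fixed version: cleartext off, system CAs only, backup pin, future expiration.
# The backup pin is computed from placeholder bytes, not a real SubjectPublicKeyInfo.
FIXED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
      <pin digest="SHA-256">%s</pin>
    </pin-set>
  </domain-config>
</network-security-config>""" % spki_pin(b"constructed-backup-spki-der-bytes")

if __name__ == "__main__":
    for cfg in (SLIDE_CONFIG, FIXED_CONFIG):
        print(audit_network_security_config(cfg))
```

For a real server key, the SPKI bytes come from the certificate: `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` prints the same value spki_pin() would.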

  31. Action - Reaction - Prevention
    Improper Platform Usage: can you spot the mistake?
    How to secure your Android application

  32. Improper Platform Usage
    Can you spot the mistake?
    How to secure your Android application


  33. Can you spot the mistake?

    <activity
        android:name=".login.LoginActivity"
        android:exported="true"
        android:label="@string/app_name"
        android:screenOrientation="portrait"
        android:theme="@style/ThemeA">
        <intent-filter>
            <!-- action / category elements not legible in the transcript -->
        </intent-filter>
    </activity>
    <activity
        android:name=".home.MainActivity"
        android:screenOrientation="portrait"
        android:exported="true"
        android:theme="@style/ThemeA" />
    </application>


  34. How is this exploited?

    <activity
        android:name=".login.LoginActivity"
        android:exported="true"
        android:label="@string/app_name"
        android:screenOrientation="portrait"
        android:theme="@style/ThemeA">
        <intent-filter>
            <!-- action / category elements not legible in the transcript -->
        </intent-filter>
    </activity>
    <activity
        android:name=".home.MainActivity"
        android:screenOrientation="portrait"
        android:exported="true"
        android:theme="@style/ThemeA" />
    </application>

    MainActivity is exported with no intent-filter and no permission, so any app on the device can start it directly and skip LoginActivity.

  35. How is this exploited?
    Use a tool like drozer to scan the app for vulnerable activities, broadcast receivers and content providers: github.com/FSecureLABS/drozer
    • Then run adb to exploit it (start the exported activity directly)


  36. Fixing the exploit

    <activity
        android:name=".login.LoginActivity"
        android:exported="true"
        android:label="@string/app_name"
        android:screenOrientation="portrait"
        android:theme="@style/ThemeA">
        <intent-filter>
            <!-- action / category elements not legible in the transcript -->
        </intent-filter>
    </activity>
    <activity
        android:name=".home.MainActivity"
        android:screenOrientation="portrait"
        android:exported="false"
        android:theme="@style/ThemeA" />
    </application>

    MainActivity is only ever started from inside the app, so android:exported="false" removes it from every other app's reach.
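The manifest checklist from the static-analysis slide and the exported-activity mistake in the LoginActivity/MainActivity example, turned into a script, as an added example that is not code from the deck. It runs on the decoded AndroidManifest.xml that `apktool d application.apk` writes out (the copy inside the raw APK is binary XML and cannot be parsed directly); both manifests embedded below are constructed for illustration, with the usual MAIN/LAUNCHER filter standing in for the launcher filter on the slide.

```python
"""Audit a decoded AndroidManifest.xml: app-level attributes, custom permission
levels and exported components. Added example; manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID, name))


def audit_manifest(manifest_xml):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []

    # Custom permissions: anything below "signature" can be requested by any app,
    # so it does not protect IPC between your own apps.
    for perm in root.findall("permission"):
        level = _attr(perm, "protectionLevel") or "normal"  # "normal" is the default
        if not level.startswith("signature"):
            findings.append("permission %s: protectionLevel=%s (use signature for own-app IPC)"
                            % (_attr(perm, "name"), level))

    # Application-level attributes a pentester checks first.
    if _attr(app, "debuggable") == "true":
        findings.append("application: android:debuggable=true")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append("application: android:usesCleartextTraffic=true (plain HTTP allowed)")
    if _attr(app, "allowBackup") != "false":
        findings.append("application: android:allowBackup not false (app data lands in backups unless rules exclude it)")
    if _attr(app, "networkSecurityConfig") is None:
        findings.append("application: no android:networkSecurityConfig (no pinning or trust-anchor policy)")

    # Component exposure.
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = _attr(comp, "name")
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        guarded = _attr(comp, "permission") is not None
        if exported is None and has_filter:
            # An intent-filter makes the component exported when android:exported is
            # absent (apps targeting API 31+ must state it explicitly).
            findings.append("%s %s: intent-filter without explicit android:exported" % (comp.tag, name))
        if exported == "true" and not has_filter and not guarded:
            # The slide's mistake: any app can start this component directly; for an
            # activity that means walking past the login screen in front of it.
            findings.append("%s %s: exported=true with no intent-filter and no permission"
                            % (comp.tag, name))
    return findings


# Constructed manifest reproducing the slide's mistake (MainActivity exported, no filter).
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="my.app">
  <permission android:name="my.custom.permission" />
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".login.LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".home.MainActivity" android:exported="true" />
  </application>
</manifest>"""

# Same app with the fixes from the slides applied (constructed).
FIXED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="my.app">
  <permission android:name="my.custom.permission" android:protectionLevel="signature" />
  <application android:allowBackup="false"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".login.LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".home.MainActivity" android:exported="false" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(VULNERABLE_MANIFEST):
        print("[!]", finding)
    print("fixed manifest findings:", audit_manifest(FIXED_MANIFEST))
```

The launcher activity is legitimately exported (that is how the home screen starts it), so the script only flags exported components that have neither an intent-filter nor a guarding permission; the rest of the checklist on the manifest slide (debuggable, cleartext, backup, network security config, protectionLevel) is covered by the app-level and permission loops.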

  37. Other exploits?
    • 'Tap-jacking' vulnerability
    • Apps can draw over other apps and monitor their contents
    • They can also pass spoofed touch events
    • Combined, this can be used maliciously to trick users into entering passwords, accepting permissions, etc.
    • Overlay apps need a permission for this, but that requirement is relatively recent
    • Mitigation on your side: android:filterTouchesWhenObscured="true" on sensitive views, so touches are dropped while another window covers the view

  38. Permissions
    Best practices: Control | Transparency | Data minimization
    ● Request a minimal number of permissions
    ● Associate runtime permissions with specific actions
    ● Consider your app's dependencies
    ● Be transparent
    ● Make system accesses explicit
    Android Permissions Samples Repository
    ● https://github.com/android/permissions-samples

  39. Action - Reaction - Prevention
    Storing User Data

  40. Storing User Data - Android application sandbox
    ● Applications are isolated into their own space (user-based protection)
      ○ Prefer internal storage: it prevents other apps from accessing the files.
    ● Backup (true by default)
      ○ https://developer.android.com/guide/topics/data/autobackup
      <application ... >
      ○ Cloud backups / device-to-device (D2D) transfers are controlled by backup rules:
      <application ... android:fullBackupContent="@xml/backup_rules" …>
      backup_rules.xml 👉
      <full-backup-content>
          <!-- include / exclude rules not legible in the transcript -->
      </full-backup-content>

  41. Storing User Data - File Encryption
    ● Data stored on external storage should be encrypted
      https://developer.android.com/guide/topics/security/cryptography
    ● Recommended algorithms
      ‣ Cipher - AES in either CBC or GCM mode with 256-bit keys (prefer GCM: it authenticates the ciphertext, whereas CBC needs a fresh random IV per message plus a separate MAC to resist tampering)
      ‣ MessageDigest - SHA-2 family
      ‣ Mac - SHA-2 family HMAC
      ‣ Signature - SHA-2 family with ECDSA

  42. Storing User Data - Encrypted Key Value Storage
    SharedPreferences is a simple key-value store
    ● Lives in the application's private directory
    ● Not encrypted
    EncryptedSharedPreferences
    ● Stores your SharedPreferences data encrypted
    ● The data keys are wrapped by a master key held in the Android Keystore; all of this happens in the background

    val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
    val encryptedSharedPreferences = EncryptedSharedPreferences.create(
        "secret_shared_prefs", masterKeyAlias, context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM)
    // use the shared preferences and editor as you normally would
    val editor = encryptedSharedPreferences.edit()

    MasterKeys is deprecated in newer androidx.security releases in favour of MasterKey.Builder; either way this protects data at rest, not data read through the running app on a rooted or hooked device.

  43. Common App security risks

  44. Common App security risks - Third-party frameworks
    Third-party SDKs or frameworks can be a huge security risk for your applications.
    Because they are compiled into your app and run in the same sandbox, they have the same rights as your app.
    Your application is only as secure as the least secure of its external libraries.

  45. Common App security risks - Analytics
    Less is more, especially in combination with third-party analytics SDKs.
    Be careful about which information you collect: analytics data alone can often be enough to identify users or to gain access to their data.

  46. Common App security risks - Logging
    The problem arises when what is logged contains usernames, passwords or other sensitive information; logcat is readable by anyone with adb access to the device.
    Remove log statements in release builds!

    proguard-rules.pro
    -assumenosideeffects class android.util.Log {
        public static boolean isLoggable(java.lang.String, int);
        public static int v(...);
        public static int d(...);
        public static int i(...);
    }

    This rule only takes effect when R8/ProGuard optimization is enabled (it is ignored under -dontoptimize), and it leaves Log.w, Log.e and any logging wrapper of your own untouched, so those need their own rules or a build-type check.
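A scanner for the leak this slide warns about, as an added example that is not code from the deck: it runs over logcat output from a debug build (the dynamic-analysis slide lists logcat as a source) and, since it only looks at text lines, equally over decoded strings.xml or source files when hunting the hard-coded secrets from the static-analysis slide. The logcat excerpt is constructed; the AWS key in it is the placeholder value from AWS's own documentation, not a live credential, and the other tokens are made up.

```python
"""Flag secrets in logcat output or decoded app files. Added example; sample lines
are constructed. Usage on a device: adb logcat -d | python scan_logs.py"""
import re
import sys

PATTERNS = {
    "password_field": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{16,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def redact(value):
    """Keep enough of a match to locate it in the source, never the whole secret."""
    return value[:6] + "..." + value[-2:] if len(value) > 12 else "***"


def scan_lines(lines):
    """Return one finding per match: {"line": n, "kind": name, "match": redacted}."""
    findings = []
    for number, line in enumerate(lines, 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"line": number, "kind": kind, "match": redact(match.group(0))})
    return findings


# Constructed logcat excerpt: what a debug build leaks when it logs requests verbatim.
SAMPLE_LOGCAT = [
    "D/LoginViewModel( 1234): login user=alice password=Sup3rSecret!",
    "I/OkHttp  ( 1234): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c0nstructedS1gnature",
    "V/Analytics( 1234): init key=AIzaSyC0nstructedExampleKey000000000000",
    "D/S3Upload( 1234): creds AKIAIOSFODNN7EXAMPLE",
    "D/Network ( 1234): GET https://api.example.com/v1/profile 200",
]

if __name__ == "__main__":
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOGCAT
    for finding in scan_lines(source):
        print("line %(line)d: %(kind)s %(match)s" % finding)
```

Findings are redacted on purpose: the scanner's own output ends up in CI logs and tickets, and copying the secret there would just move the leak.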

  47. Android Security
    Security by Design on Play Academy
    ● Learn about best practices for encryption, integrity, and the overall app security lifecycle.
    Shortlink → goo.gle/androidsecuritycourse

  48. Android Security
    https://github.com/jeremylong/DependencyCheck
    https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet
    https://github.com/ashishb/android-security-awesome
    https://github.com/talsec/Free-RASP-Android
    https://github.com/tjunxiang92/Android-Vulnerabilities
    https://developer.android.com/topic/security/best-practices

  49. That's all folks!
    https://linktr.ee/aldefy