layer
What about GET params?
• Encrypted, but logged on the server!
HTTPS
Network Security
http://nhprice.com/what-is-ios-model-the-overall-explanation-of-ios-7-layers.html
part of the server key e.g. RSA
(1) CA Certified certificate
• CA is responsible for that
• CA holds the cert and validates it
(2) Self-signed certificate
• Created by the server administrator
• By default leads to an exception
HTTPS - Authentication
Network Security
the certificate into the app, and validate the server using it
To get that certificate:

    echo | openssl s_client -connect hostname:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > hostname.pem

Android handles BKS-V1 certs; use the Portecle app to convert PEM to BKS-V1
HTTPS – Certificate pinning
Network Security
accessible by the app
Really? – What if allowBackup=true? (this is accessible with an adb command)
Really? – What if the device is rooted?
(2) External Storage
Anyone can read and write that :(
But the internal one is limited, so sometimes we need it
How to store sensitive data?
Encrypt it! -> No one can read
Authenticate it! -> Modification is detected!
Storing sensitive data on the device
Data Security
implementations
Above the JVM: BouncyCastle
Below the JVM: OpenSSL
Different versions...
...different ciphers supported
...known vulnerabilities in older versions
Solution: Include the BouncyCastle as a lib
Package names will collide! -> Spongy Castle
Implementations
Cryptography
packagename
Different identifier – SC
You can include the version you want – 1.58.0 is latest!
Includes most of the available ciphers and algorithms
Symmetric crypto e.g. AES – 128/256 – CBC/GCM
Asymmetric crypto e.g. RSA, ECDSA, ECDHE
Key derivation e.g. PBKDF2WithHmacSHA1, PBEWITHHMACSHA1 ...
SpongyCastle
Cryptography
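a string) – Do not store that
Salt it with random number – Initialization Vector (IV)
Save IV for later use

    import java.security.SecureRandom
    import javax.crypto.SecretKeyFactory
    import javax.crypto.spec.PBEKeySpec

    // Assumption: KEY_SIZE is not defined on the slide. PBEKeySpec takes the
    // length in bits; 256 matches one of the 256-bit keys named below.
    const val KEY_SIZE = 256

    // Returns lengthInBytes random bytes; used as the salt ("IV") for deriveKey.
    fun generateRandom(lengthInBytes: Int): ByteArray {
        val random = SecureRandom.getInstance("SHA1PRNG")
        val genBytes = ByteArray(lengthInBytes)
        random.nextBytes(genBytes)
        return genBytes
    }

Generate 256bit key for AES-256-GCM,
And another 256bit key for HMAC

    // Derives KEY_SIZE bits of key material from the password and the saved random value.
    fun deriveKey(password: String, iv: ByteArray): ByteArray {
        val iterationCount = 1000
        val keySpec = PBEKeySpec(password.toCharArray(), iv, iterationCount, KEY_SIZE)
        val keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
        val keyBytes = keyFactory.generateSecret(keySpec).encoded
        return keyBytes
    }

Example: Generate keys for Realm
Cryptography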
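An added example, not code from the slides: the password-derived key used with AES-256-GCM, so that stored data is encrypted and any modification is detected on read. The names `seal` and `unseal`, the blob layout and the sample values are assumptions, and it uses the platform's JCA provider rather than Spongy Castle.

```kotlin
import java.security.SecureRandom
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

private const val SALT_LEN = 16     // bytes; fresh random salt per stored blob
private const val NONCE_LEN = 12    // bytes; GCM nonce, never reused under one key
private const val TAG_BITS = 128    // GCM authentication tag length
private const val ITERATIONS = 1000 // count from the slide; higher costs an attacker more

private fun deriveKey(password: CharArray, salt: ByteArray): SecretKeySpec {
    val spec = PBEKeySpec(password, salt, ITERATIONS, 256)
    val raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).encoded
    return SecretKeySpec(raw, "AES")
}

private fun gcm(mode: Int, password: CharArray, salt: ByteArray, nonce: ByteArray): Cipher =
    Cipher.getInstance("AES/GCM/NoPadding").also {
        it.init(mode, deriveKey(password, salt), GCMParameterSpec(TAG_BITS, nonce))
    }

// Blob layout (an assumption of this example): salt || nonce || ciphertext || tag
fun seal(password: CharArray, plaintext: ByteArray): ByteArray {
    val random = SecureRandom()
    val salt = ByteArray(SALT_LEN).also { random.nextBytes(it) }
    val nonce = ByteArray(NONCE_LEN).also { random.nextBytes(it) }
    return salt + nonce + gcm(Cipher.ENCRYPT_MODE, password, salt, nonce).doFinal(plaintext)
}

// Throws AEADBadTagException when the password is wrong or any stored byte was changed.
fun unseal(password: CharArray, blob: ByteArray): ByteArray {
    val header = SALT_LEN + NONCE_LEN
    require(blob.size >= header + TAG_BITS / 8) { "blob too short" }
    val salt = blob.copyOfRange(0, SALT_LEN)
    val nonce = blob.copyOfRange(SALT_LEN, header)
    return gcm(Cipher.DECRYPT_MODE, password, salt, nonce).doFinal(blob, header, blob.size - header)
}

fun main() {
    val password = "constructed-sample-password".toCharArray()
    val blob = seal(password, "constructed sample secret".toByteArray())
    println(String(unseal(password, blob)))
    blob[blob.size - 1] = (blob[blob.size - 1].toInt() xor 1).toByte() // flip one stored bit
    try { unseal(password, blob) } catch (e: AEADBadTagException) { println("modification detected") }
}
```

Because the GCM tag already authenticates the ciphertext, this example needs no separate HMAC key; the salt and nonce are stored in the clear next to the ciphertext, and only the password stays out of storage.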
cipher suite
Pin all certificates
For local data
Encrypt and authenticate
Use libraries when possible
For cryptography
Package the latest Spongy Castle
Use random IV and save it!
Use PBKDF2 for passwords
Use AES-256-GCM for encryption
Summary
Secure Android Applications