What Android developers should know about security

Transcript

1. What Android Developers Should Know About Security

2. Bolot Kerimbaev Android and iOS instructor and developer

3. Android App Developers https://www.bignerdranch.com/app-development/case-studies/

4. What Is Security?

5. None

6. What Is Security? • Confidentiality • Integrity • Availability

7. What Is Security? • Threats • Risks • Responses •

   Remediations

8. Threat model • Malicious apps • Stolen phones • Wi-Fi

   hotspots • Malicious HTML, SMS

9. Case Study: Stagefright • Media server framework • Attack via

   malicious MMS • Remote code execution • Privilege escalation • Publicly disclosed July 2015 • Apps are impacted

10. Demolition Man, 1993

11. Android Security

12. Android Security • Application Signing • (SE)Linux • Permissions •

    Interprocess Communication • Verified Boot

13. KitKat Lollipop Marshmallow Nougat SELinux, enforcing mode Full disk encryption,

    hardware bound Hardware-Isolated Security File-based encryption, Direct Boot Device monitoring warnings WebView updates Verified Boot Verified Boot, strictly enforced Per user VPN Position Independent Executables Fingerprints Library load-order randomization Fortify Source level 2 TLS v1.2 Runtime Permissions APK Signature v2 Certificate pinning Smart Lock StrictMode, disable cleartext Network security config https://source.android.com/security/enhancements/index.html

14. Challenges • Fragmentation • Google vs OEMs vs Carriers vs

    Qualcomm • Vulnerabilities

15. Case Study: Stagefright Pre-N Nougat

16. Who Cares About Security?

17. Security and Design • Most people think it’s important •

    Cannot be applied at the end • Changes can be costly if not planned
18. None

19. Mobile & Server

20. Security practices https://security.googleblog.com/2015/07/new-research-comparing-how-security.html

21. Security practices • Software Updates • Password Manager • 2-Factor

    Authentication

22. Security Updates

23. Password Managers

24. 2-Factor Authentication

25. Security practices • Software Updates • Password Manager • 2-Factor

    Authentication • VPN • Backups • Leak Notifications

26. What Can App Developers Do?

27. Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA

    • OWASP

28. https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

29. Software Updates • Follow best practices, plan for upgrades •

    Train engineers • Perform audits • APIs: evolution, deprecation • Keep up with tools updates

30. Password Management • Integrate with password managers • Implement single

    sign-on, OAuth, etc. • Don’t use device ID • Don’t store passwords • Careful about custom password text fields

31. Case Study: Smart Lock

32. 2-Factor Authentication • TOTP (Google Authenticator, Authy) • FIDO U2F

    (Yubikey) • Don’t use SMS

33. Secure Communication • Use HTTPS (TLS) everywhere • Enable Network

    Security Configuration • Certificate pinning

34. Protect User Data • Secure storage • Easy backups and

    data restoration • Cryptography

35. Vulnerability Reporting • Make it easy to report issues in

    your app • Track vulnerabilities

36. What Can Developers Do? • Practice security as a user

    • Optimize for best security practices • Training • Checklists • Audits, Reviews

37. Questions? • @bolot • @bignerdranch • Android Security course, Q3

    2017