
AASF.pdf

Droidcon 2022 slides for my talk

Andrea Cioccarelli

October 07, 2022

Transcript

  1. Outline
    • Context Security
    • App anatomy & lifecycle
    • Protection use cases
    • Tradeoffs
    • Attack vectors
    • Security countermeasures
    • External protection systems
    • Passive security mechanisms
  2. Attack diagram. Targets: Binary, Services, APIs, Play Store. Attack vectors:
    • Tampering
    • Emulated Execution
    • Custom OS
    • Runtime Attacks
    • Repackaging: automated DRT (Decompilation-Reassembly Tools)
    • Code Injection
    • Patches: either root-based or repackaged
    • Data Editing: either external or internal (root)
  3. Attack diagram from slide 2, with the following added:
    • Root Access
    • Piracy
    • Abuse
  4. Same diagram as slide 3 (build-up slide).
  5. Security Environment vs. Security Layer
    • Security Environment: the set of security-related conditions that your app requires to be true in order to work properly. It is your security policy specification.
    • Security Layer: the set of security countermeasures employed by your software to physically check the conditions of the security environment. It is the security policy implementation.
    Example environment: • No Pirate Apps Installed • No Emulator • No Custom OS
  6. Protection Level matrix: business model (Free, Paid, Financial) against the value the app handles (No Value, Local Value, Aggregated Value). Cell values as they appear on the slide, in reading order: Zero, Zero/Low, Low, Low, Low/Medium, High, Low/Medium, High.
  7. Examples
    • Calculator: no endpoints (local value), free download, no IAP/subscriptions (offline) ⇒ Zero protection
    • Chess Analyzer: no endpoints (local value), paid download, no IAP/subscriptions ⇒ Low protection
    • Task Manager: service endpoints (aggregated value), free download, in-app purchase for Pro version ⇒ Medium protection
    • ♫ Streaming Service: service + API endpoints (aggregated value), free download, subscription + ads ⇒ High protection
  8. Security Environment
    • Underprotection: your app remains susceptible to some kinds of attacks.
    • Overprotection: your security environment is stricter than what it would need to be (for your app to operate successfully).
    (Figure: three binaries labelled "too little protection", "too much protection" and "nailed it".)
  9. Protection Implications
    • Performance: every security layer check requires CPU time and potentially network/storage.
    • Infrastructure: your application becomes more complex and/or depends on external services.
    • Negative feedback: your users may find the protection mechanisms unfair.
  10. System: Rooting (tabs on slides 10 to 19: System, Antipiracy, Integrity; within System: Rooting, Emulated Execution, Custom OS, Administrative Tools)
    • Data editing (prefs, db, files, binaries)
    • Administrative code execution (interference)
    • Memory access & violation
  11. System: Custom OS
    • Lower security & stability standards
    • Instability factor
    • Usually comes with root access preinstalled/enabled
  12. Antipiracy: Pirate Software (tabs: Pirate Software, Malicious Proxies, Custom Patches, Interception)
    • Potential attack residue/pending/underway
    • Runtime influence
    • Unsafe environment signal
  13. Antipiracy: Custom Patches
    • Usually applied by an automated DRT or APK editor
    • Tailored for a binary's components
  14. Antipiracy: Malicious Proxies / Interception
    • External component of an attack, which hard-wires to our app
    • Imminent attack indicators
  15. Integrity: Root Detection (tabs: Root Detection, Emulator Detection, Custom Binaries, SELinux Status, System Build Info)
    • Administrative access request
    • Binary dumping & analysis
    • Root managers
    • Custom ROM build tags
    • System certificates
    • Filesystem checks
  16. Integrity: Emulator Detection
    • Known emulator build fingerprint data
    • Advanced system detection
  17. Integrity: Custom Binaries
    • Shell output analysis
    • Installed application managing binaries
  18. Integrity: SELinux Status / System Build Info
    • Generic filter through build hardcoded data
  19. Antipiracy Checks
    • Installed application list match against local dataset of pirate software
    • Lower-fidelity detection mechanisms
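An added example in Kotlin (not code from the talk or from any of the libraries it lists) that puts slides 5, 8 and 15 to 19 together: the security environment is a declared set of required conditions, the security layer is one probe per condition over collected device signals, and the same layer evaluated under two different environments shows how a policy that is right for a subscription app is over-protection for an offline calculator. The root-manager package names, su paths, the "test-keys" build tag, the emulator fingerprint markers and the /sys/fs/selinux/enforce read are well-known public values; the pirate-app dataset, the class and function names and the device signals in main() are constructed for this example. The shell output analysis of slide 17 is replaced here by reading the SELinux status file directly.

```kotlin
// Added example, not code from the talk or from the libraries it lists.
// SecurityEnvironment = policy specification (which conditions must hold),
// SecurityLayer = policy implementation (one probe per condition).
// Signal collection is kept apart from evaluation so the evaluation runs
// off-device on constructed input. Class and function names are assumptions.
import java.io.File

enum class Condition { NO_ROOT, NO_CUSTOM_OS, NO_EMULATOR, SELINUX_ENFORCING, NO_PIRATE_APPS }

// Policy specification: the conditions this particular app requires.
data class SecurityEnvironment(val required: Set<Condition>)

// Raw observations the probes work on. On a device, fill the Build.* fields from
// android.os.Build and installedPackages from PackageManager.getInstalledApplications().
data class Signals(
    val installedPackages: Set<String>,
    val buildTags: String,          // Build.TAGS, e.g. "release-keys" or "test-keys"
    val fingerprint: String,        // Build.FINGERPRINT
    val model: String,              // Build.MODEL
    val hardware: String,           // Build.HARDWARE
    val suBinaryPresent: Boolean,   // result of the filesystem check below
    val selinuxEnforcing: Boolean?, // null when the status could not be read
)

object SecurityLayer {
    // Well-known root manager packages (the same names root-detection libraries look for).
    private val rootManagers = setOf("com.topjohnwu.magisk", "eu.chainfire.supersu", "com.noshufou.android.su")
    // Constructed placeholder dataset; a real app ships its own list of pirate software.
    private val pirateApps = setOf("com.example.pirate.patcher", "com.example.pirate.store")
    // Common locations of a su binary on rooted devices.
    private val suPaths = listOf("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/data/local/bin/su")

    // Filesystem checks; they run on any Linux-based host and report "not found"/null elsewhere.
    fun suBinaryPresent(): Boolean = suPaths.any { File(it).exists() }
    fun readSelinuxEnforcing(): Boolean? =
        runCatching { File("/sys/fs/selinux/enforce").readText().trim() == "1" }.getOrNull()

    // Each probe returns true when its condition HOLDS.
    private val probes: Map<Condition, (Signals) -> Boolean> = mapOf(
        Condition.NO_ROOT to { s -> !s.suBinaryPresent && s.installedPackages.none { it in rootManagers } },
        Condition.NO_CUSTOM_OS to { s -> !s.buildTags.contains("test-keys") },
        Condition.NO_EMULATOR to { s ->
            !(s.fingerprint.startsWith("generic") || s.model.contains("Emulator") ||
                s.model.contains("Android SDK built for") || s.hardware in setOf("goldfish", "ranchu"))
        },
        Condition.SELINUX_ENFORCING to { s -> s.selinuxEnforcing == true },
        Condition.NO_PIRATE_APPS to { s -> s.installedPackages.none { it in pirateApps } },
    )

    /** Required conditions that do NOT hold; an empty set means the policy is satisfied. */
    fun evaluate(env: SecurityEnvironment, s: Signals): Set<Condition> =
        env.required.filterNot { probes.getValue(it)(s) }.toSet()
}

fun main() {
    // Two policies from slide 7: an offline calculator needs nothing,
    // a subscription streaming app requires every condition.
    val calculator = SecurityEnvironment(emptySet())
    val streaming = SecurityEnvironment(Condition.values().toSet())

    // Constructed signals for a rooted device on a custom ROM with a pirate tool installed.
    val rootedCustomRom = Signals(
        installedPackages = setOf("com.topjohnwu.magisk", "com.example.pirate.patcher"),
        buildTags = "test-keys",
        fingerprint = "brand/product/device:13/BUILD/1:user/test-keys",
        model = "DeviceModel",
        hardware = "devicehw",
        suBinaryPresent = true,
        selinuxEnforcing = false,
    )
    // Constructed signals for a stock device.
    val stock = rootedCustomRom.copy(
        installedPackages = setOf("com.android.chrome"),
        buildTags = "release-keys",
        fingerprint = "brand/product/device:13/BUILD/1:user/release-keys",
        suBinaryPresent = false,
        selinuxEnforcing = true,
    )

    // The same layer under each policy: the calculator is never blocked (no over-protection),
    // the streaming app sees every violated condition (no under-protection).
    println("calculator on rooted ROM: " + SecurityLayer.evaluate(calculator, rootedCustomRom))
    println("streaming on rooted ROM:  " + SecurityLayer.evaluate(streaming, rootedCustomRom))
    println("streaming on stock:       " + SecurityLayer.evaluate(streaming, stock))
    println("live host: su=" + SecurityLayer.suBinaryPresent() + " selinux=" + SecurityLayer.readSelinuxEnforcing())
}
```

Keeping the probes behind a policy object is what lets an app tune the tradeoff of slide 8: the calculator ships the same layer but an empty environment, so its users never hit a check, while the streaming app can fail closed on the conditions it actually depends on. Every probe here is a lower-fidelity signal in the sense of slide 19 (a renamed su binary or a spoofed Build field evades it), which is why the talk pairs these with an external protection system such as Play Integrity rather than relying on them alone.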
  20. Same attack diagram as slide 3.
  21. Attack diagram from slide 3 with EPSs (external protection systems) added.
  22. Same diagram as slide 21 (build-up slide).
  23. Play Integrity API: requesting an integrity token (Kotlin)

```kotlin
import com.google.android.gms.tasks.Task
import com.google.android.play.core.integrity.IntegrityManagerFactory
import com.google.android.play.core.integrity.IntegrityTokenRequest
import com.google.android.play.core.integrity.IntegrityTokenResponse

// Receive the nonce from the secure server.
val nonce: String = …

// Create an instance of a manager.
val integrityManager = IntegrityManagerFactory.create(applicationContext)

// Request the integrity token by providing a nonce.
val integrityTokenResponse: Task<IntegrityTokenResponse> =
    integrityManager.requestIntegrityToken(
        IntegrityTokenRequest.builder()
            .setNonce(nonce)
            .build())

// The slide ends at the request; the token is then handed to the server,
// which decodes it and checks the verdict against the nonce it issued.
integrityTokenResponse.addOnSuccessListener { response ->
    val token: String = response.token()
    // send `token` to the server
}
```
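The server half of the exchange on slide 23, as an added example that is not part of the talk: the server issues a single-use nonce, the app embeds it in the request shown above, and once the token has been decoded (through Google's decode endpoint or locally with the app's keys, neither shown here) the server binds the verdict to a nonce it actually issued before trusting it. Field names follow Google's documented decoded-payload format (requestDetails.nonce, appIntegrity.appRecognitionVerdict, deviceIntegrity.deviceRecognitionVerdict, accountDetails.appLicensingVerdict); NonceStore, IntegrityPolicy, the placeholder certificate digest and the constructed verdict are assumptions made for this example.

```kotlin
// Added example, not from the talk: server-side checks on a decoded Play
// Integrity verdict. Field names follow the documented decoded payload;
// NonceStore, IntegrityPolicy and the sample data are assumptions.
import java.security.SecureRandom
import java.util.Base64

data class RequestDetails(val requestPackageName: String, val timestampMillis: Long, val nonce: String)
data class AppIntegrity(val appRecognitionVerdict: String, val packageName: String?, val certificateSha256Digest: List<String>)
data class DeviceIntegrity(val deviceRecognitionVerdict: List<String>)
data class AccountDetails(val appLicensingVerdict: String)
data class DecodedVerdict(
    val requestDetails: RequestDetails, val appIntegrity: AppIntegrity,
    val deviceIntegrity: DeviceIntegrity, val accountDetails: AccountDetails,
)

// Server-side nonce store: every issued nonce is single-use and expires.
class NonceStore(private val ttlMillis: Long = 5 * 60_000L) {
    private val issued = HashMap<String, Long>()
    private val rng = SecureRandom()

    fun issue(now: Long): String {
        val bytes = ByteArray(24).also { rng.nextBytes(it) }
        // URL-safe base64 without padding, the encoding Play Integrity expects for nonces.
        val nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
        issued[nonce] = now
        return nonce
    }

    /** Consumes the nonce; false if it is unknown, already used or expired. */
    fun consume(nonce: String, now: Long): Boolean {
        val issuedAt = issued.remove(nonce) ?: return false
        return now - issuedAt <= ttlMillis
    }
}

class IntegrityPolicy(
    private val expectedPackage: String,
    private val expectedCertDigests: Set<String>,
    private val nonces: NonceStore,
    private val maxAgeMillis: Long = 5 * 60_000L,
) {
    /** Returns the failed checks; an empty list means the verdict is accepted. */
    fun check(v: DecodedVerdict, now: Long): List<String> {
        val failures = mutableListOf<String>()
        val rd = v.requestDetails
        if (rd.requestPackageName != expectedPackage) failures += "package mismatch: ${rd.requestPackageName}"
        if (now - rd.timestampMillis > maxAgeMillis) failures += "verdict too old"
        // Nonce binding: ties this verdict to a request this server issued, and only once.
        if (!nonces.consume(rd.nonce, now)) failures += "nonce unknown, reused or expired"
        if (v.appIntegrity.appRecognitionVerdict != "PLAY_RECOGNIZED") failures += "app not recognized by Play"
        if (v.appIntegrity.certificateSha256Digest.none { it in expectedCertDigests }) failures += "signing certificate mismatch"
        if ("MEETS_DEVICE_INTEGRITY" !in v.deviceIntegrity.deviceRecognitionVerdict) failures += "device integrity not met"
        if (v.accountDetails.appLicensingVerdict != "LICENSED") failures += "app not licensed"
        return failures
    }
}

fun main() {
    val now = System.currentTimeMillis()
    val store = NonceStore()
    val nonce = store.issue(now) // handed to the app, which puts it in setNonce(...)
    val policy = IntegrityPolicy("com.example.app", setOf("PLACEHOLDER_CERT_SHA256"), store)

    // Constructed decoded verdict, as the server would see it after decoding the token.
    val verdict = DecodedVerdict(
        RequestDetails("com.example.app", now - 2_000, nonce),
        AppIntegrity("PLAY_RECOGNIZED", "com.example.app", listOf("PLACEHOLDER_CERT_SHA256")),
        DeviceIntegrity(listOf("MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY")),
        AccountDetails("LICENSED"),
    )
    println("first submission: " + policy.check(verdict, now))
    // Submitting the same decoded verdict again is a replay: the nonce is already consumed.
    println("replayed:         " + policy.check(verdict, now))
}
```

The point of consuming the nonce on the server is that the verdict cannot be cached by a client and resubmitted, and cannot be checked against a nonce the client chose itself; the nonce must originate from, and be remembered by, the server that later evaluates the verdict.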
  24. Structural Security vs. Dynamic Security
    • Structural Security: set of measures baked into the application from the ground up. The building blocks of the application are made with security in mind, so that the final binary is robust against a variety of attacks.
    • Dynamic Security: active runtime capabilities to intercept and respond to malicious attacks, interference or tampering attempts as they happen.
    Examples: • Code obfuscation • Encrypted data storage • Secure data transitions • Dynamic code loading
  25. Libraries
    • Kevlar (https://github.com/kevlar-kt/kevlar)
    • PiracyChecker (https://github.com/javiersantos/PiracyChecker)
    • TamperDetector (https://github.com/mukeshsolanki/Android-Tamper-Detector)
    • RootBeer (https://github.com/scottyab/rootbeer)
    • RootInspector (https://github.com/devadvance/rootinspector)
    • Emulator Detector (https://github.com/framgia/android-emulator-detector)
    Slides: on my twitter later. Code: there wasn't any :D
    @cioccarellia, 7 Oct 2022
  26. Documentation
    • Play Integrity (https://developer.android.com/google/play/integrity)
    • SafetyNet (https://developer.android.com/training/safetynet) [deprecated]
    • Tampering/RevEng (https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05c-reverse-engineering-and-tampering)
    • Tamper Detection (https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app)
    • Securing Android LVL (https://android-developers.googleblog.com/2010/09/securing-android-lvl-applications.html)
    • Root Detection (https://www.appknox.com/blog/root-detection-techniques)
    • Verifying Purchases (https://stackoverflow.com/questions/33850864/how-to-verify-purchase-for-android-app-in-server-side-google-play-in-app-billin)
    • Secure Data (https://developer.android.com/topic/security/data)
    • Attack Anatomy (https://kevlar-kt.github.io/kevlar/pages/overview/anatomy_of_attacks)
    @cioccarellia, 7 Oct 2022