Modern Security for Android Developers

In the ’90s the television was what the cellphone is today: everybody has one. The first time we hear about encryption we get dizzy because we think it is going to be really hard to handle, but in reality things are completely different. Many developers still think that Android security is completely incomprehensible and do nothing about it.

In this talk, we will discuss encryption, biometrics as a local authentication source, native code modules, SSL, TLS, the secure data layer, and the new changes in Android 11.
What is padding in an encryption algorithm? What is KeyGenerator? Where is the Keystore? What does it mean to have backend encryption?
We will address all these questions, the inconvenience of not having any security in your app, and how you can make it easy.
We take a deep look inside the new Jetpack Security, Tink and Biometric and how they change the game for modern security in Android development.

Dinorah Tovar

October 08, 2020

Transcript

  1. Modern Security for Android Developers. Dinorah Tovar, Platform Mobile Engineer @ konfío.mx. @ddinorahtovar

  2. Security is a two-sided coin!

  3. Encryption, but simpler: Algorithm, Data, Key, Cipher Text

  4. Encryption algorithms: Cipher, Mac, Signature, Message Digest

  5. Encryption algorithms

  6. Encryption algorithms: val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding") (Schema, Model, Padding)

  7. Encryption algorithms • Too many standards: Advanced Encryption Standard (AES), Rivest–Shamir–Adleman (RSA) • Modes of operation for symmetric and asymmetric keys • Paddings to encrypt long and small data.

  8. Encryption: So, is encryption software or hardware? DEPENDS

  9. Encryption in Android • Hardware acceleration • Android Version <application android:name=".YourApp" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:hardwareAccelerated="true"/>

  10. Encryption in Android • Secure Element and Trusted environments: Peripherals, Untrusted Area, Trusted Area, Applications, OS, Memory, Trusted Component, Memory

  11. Encryption in Android • Secure Element and Trusted environments: Peripherals, Untrusted Area, Trusted Area, Applications, OS, Memory, Trusted Component, Memory, Secure element, Memory, CPU

  12. Encryption in Android: Encryption is hard! But why?

  13. Encryption in Android

  14. Encryption in Android: Is this okay?

  15. Encryption in Android • KeyChain: API for credentials that can be used across your apps • KeyStore: Store cryptographic keys securely

  16. Encryption in Android: Solution has arrived

  17. Encryption in Android • Using Tink, a cross-platform library for encryption, so we need 23 SDK min (for the RC)

  18. Encryption in Android

  19. Encryption in Android

  20. Encryption in Android

  21. Encryption in Android

  22. Friends, not enemies

  23. Encryption in Android: MASTER KEY, KEYSET, File or SharedPreference, Key to encrypt

  24. Encryption in Android: KeyStore, Key, Key Alias

  25. Encryption in Android

  26. Encryption in Android

  27. Encryption in Android

  28. Encryption in Android

  29. Biometrics

  30. Biometric prompt

  31. Biometric prompt

  32. Biometric as Local auth: Secure Channel, Biometric Prompt, Unlock Prompt

  33. How does it work? • Unexportable, because it depends on the TEE • All the data travels in a Secure Channel

  34. Biometric as Local auth: False Accept Rate (FAR), Imposter Accept Rate (IAR), Spoof Accept Rate (SAR)

  35. Native Modules

  36. C/C++ vs. Java/Kotlin • C/C++ cannot be decompiled • But can be disassembled

  37. Native Modules

  38. @ddinorahtovar

  39. @ddinorahtovar

  40. Secure Data layer

  41. Secure data layer • Authenticated, encrypted socket-level communication can be easily implemented using the SSLSocket class • In a typical SSL usage scenario, a server is configured with a certificate containing a public key as well as a matching private key. As part of the handshake between an SSL client and server, the server proves it has the private key by signing its certificate with public-key cryptography.

  42. Secure data layer: So if I have this, everything is cool? No!

  43. Certificate Authority: CER (.CRT), PFX

  44. Certificate Authority

  45. Certificate Authority

  46. Modern Security for Android Developers. Dinorah Tovar, Platform Mobile Engineer @ konfío.mx
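
Added example, not from the talk: the transformation string on slide 6 names an algorithm, a mode of operation and a padding scheme. The Kotlin below runs on any JVM, creates the key with KeyGenerator, and contrasts AES/CBC/PKCS5Padding with AES/GCM/NoPadding (a comparison chosen for this example); the function names and the sample message are assumptions.

```kotlin
import java.security.SecureRandom
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.IvParameterSpec

// Transformation string = algorithm / mode of operation / padding scheme.
const val CBC = "AES/CBC/PKCS5Padding"
const val GCM = "AES/GCM/NoPadding"

fun newAesKey(): SecretKey = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()

fun randomBytes(n: Int) = ByteArray(n).also { SecureRandom().nextBytes(it) }

// CBC needs a fresh random 16-byte IV per message; it is stored in front of the ciphertext.
fun encryptCbc(key: SecretKey, plain: ByteArray): ByteArray {
    val iv = randomBytes(16)
    val cipher = Cipher.getInstance(CBC)
    cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(iv))
    return iv + cipher.doFinal(plain)
}

// GCM takes a 12-byte nonce and appends a 128-bit authentication tag instead of padding.
fun encryptGcm(key: SecretKey, plain: ByteArray): ByteArray {
    val nonce = randomBytes(12)
    val cipher = Cipher.getInstance(GCM)
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(128, nonce))
    return nonce + cipher.doFinal(plain)
}

fun decryptGcm(key: SecretKey, blob: ByteArray): ByteArray {
    val cipher = Cipher.getInstance(GCM)
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, blob, 0, 12))
    return cipher.doFinal(blob, 12, blob.size - 12)   // throws if the tag does not verify
}

fun main() {
    val key = newAesKey()
    val msg = "0123456789abcdef".toByteArray()        // constructed sample, exactly one AES block
    // PKCS5 always pads, so a block-aligned message still gains a whole padding block.
    println("CBC: IV + ciphertext = ${encryptCbc(key, msg).size} bytes")
    val blob = encryptGcm(key, msg)
    println("GCM: nonce + ciphertext + tag = ${blob.size} bytes")
    blob[20] = (blob[20].toInt() xor 1).toByte()      // flip one ciphertext bit
    try { decryptGcm(key, blob); println("accepted") }
    catch (e: AEADBadTagException) { println("GCM rejected the modified ciphertext") }
}
```

CBC with PKCS5 padding provides confidentiality only; it has no equivalent of the tag check that makes the GCM decryption fail here.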
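
Added example, not from the talk: one way the master key and keyset arrangement on slides 23 and 24 looks in code, assuming the androidx.security:security-crypto 1.0.0 API (MasterKeys, EncryptedSharedPreferences, EncryptedFile). The file names, the preference key and the function names are hypothetical.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedFile
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys
import java.io.File

// Master key: an AES-256-GCM key generated inside the Android Keystore.
// The app only ever receives its alias (a String), never the key material.
fun masterKeyAlias(): String = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

// Preferences whose entry names and values are both encrypted. The Tink keysets
// that do the encryption are stored alongside the data, wrapped by the master key.
fun securePrefs(context: Context): SharedPreferences =
    EncryptedSharedPreferences.create(
        "secure_prefs",                                   // hypothetical file name
        masterKeyAlias(),
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

// File encrypted in 4 KB segments with a keyset wrapped by the same master key.
fun encryptedFile(context: Context, name: String): EncryptedFile =
    EncryptedFile.Builder(
        File(context.filesDir, name),
        context,
        masterKeyAlias(),
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()

fun saveToken(context: Context, token: String) {
    securePrefs(context).edit().putString("session_token", token).apply()  // hypothetical key
}

fun writeReport(context: Context, text: String) {
    // EncryptedFile refuses to overwrite an existing file, so remove any old copy first.
    File(context.filesDir, "report.bin").delete()          // hypothetical file name
    encryptedFile(context, "report.bin").openFileOutput().use { it.write(text.toByteArray()) }
}

fun readReport(context: Context): String =
    encryptedFile(context, "report.bin").openFileInput().use { String(it.readBytes()) }
```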