Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Modern Security for Android Developers

Modern Security for Android Developers

In the ’90s the television was what the cellphone is today, everybody has one, the first time we hear about encryption we get all dizzy ’cause we think this is going to be really hard to handle but in reality, the things are completely different, multiple developers still think that Android Security is completely incomprehensible and do nothing about it.

In this talk, we will discuss Encryption, Biometric as a Local Authentication source, Native Code Modules, SSL, TLS, Secure Data layer, and the new changes for Android 11
What is padding in an Encryption Algorithm? what is KeyGenerator? where is the Keystore? what does it mean to have backend encryption?
In this talk, we will address all these questions and the inconvenience of not having any security in your app and how you can make it easy.
Taking a deep class inside the new Jetpack Security, Tink and Biometric how this comes to change the game inside modern security in Android development.

Dinorah Tovar

October 08, 2020
Tweet

More Decks by Dinorah Tovar

Other Decks in Technology

Transcript

  1. Modern Security
    for Android Developers
    Dinorah Tovar
    Platform Mobile Engineer
    @ konfío.mx
    @ddinorahtovar
    @ddinorahtovar

    View Slide

  2. Security is a two
    sides coin!

    View Slide

  3. Encryption, but simpler

    Algorithm
    Data
    Key
    Cipher
    Text
    @ddinorahtovar

    View Slide

  4. Encryption algorithms
    Cipher Mac
    Signature Message Digest
    @ddinorahtovar

    View Slide

  5. Encryption algorithms
    @ddinorahtovar

    View Slide

  6. Encryption algorithms
    val cipher = Cipher.getInstance(“AES/CBC/PKCS5Padding")
    Schema
    Model
    Padding
    @ddinorahtovar

    View Slide

  7. Encryption algorithms
    •Too many standars: Advanced Encryption Standard (AES)

    Rivest–Shamir–Adleman (RSA)
    •Modes of operation for symmetric and not symmetric keys
    •Paddings to encrypt long and small data.
    @ddinorahtovar

    View Slide

  8. Encryption
    So, encryption is software or hardware?
    DEPENDS
    @ddinorahtovar

    View Slide

  9. Encryption in Android
    •Hardware acceleration
    •Android Version
    android:name=".YourApp"
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:roundIcon="@mipmap/ic_launcher_round"
    android:hardwareAccelerated="true"/>
    @ddinorahtovar

    View Slide

  10. Encryption in Android
    @ddinorahtovar
    •Secure Element and Trusted environments
    Peripherals
    Untrusted Area Trusted Area
    Applications
    OS
    Memory
    Trusted
    Component
    Memory

    View Slide

  11. Encryption in Android
    @ddinorahtovar
    •Secure Element and Trusted environments
    Peripherals
    Untrusted Area Trusted Area
    Applications
    OS
    Memory
    Trusted
    Component
    Memory
    Secure element

    Memory CPU

    View Slide

  12. Encryption in Android
    Encryption is hard!
    @ddinorahtovar
    But why?

    View Slide

  13. Encryption in Android
    @ddinorahtovar

    View Slide

  14. Encryption in Android
    @ddinorahtovar
    Is this okay?

    View Slide

  15. Encryption in Android
    @ddinorahtovar
    KeyChain KeyStore
    API for
    credentials that
    can be used
    across your apps
    Store
    cryptographic
    keys securely

    View Slide

  16. Encryption in Android
    Solution has arrived
    @ddinorahtovar

    View Slide

  17. Encryption in Android
    • Using Tink, a cross-platform for encryption, so we need 23
    SDK min (for the RC)
    @ddinorahtovar

    View Slide

  18. Encriptación en Android
    @ddinorahtovar

    View Slide

  19. Encryption in Android
    @ddinorahtovar

    View Slide

  20. Encryption in Android
    @ddinorahtovar

    View Slide

  21. Encryption in Android
    @ddinorahtovar

    View Slide

  22. Friends, not
    enemies
    @ddinorahtovar

    View Slide

  23. Encryption in Android
    MASTER KEY
    KEYSET
    File or
    SharedPreference
    Key to
    encrypt
    @ddinorahtovar

    View Slide

  24. Encryption in Android
    KeyStore
    Key
    Key Alias
    @ddinorahtovar

    View Slide

  25. Encryption in Android
    @ddinorahtovar

    View Slide

  26. Encryption in Android
    @ddinorahtovar

    View Slide

  27. Encryption in Android
    @ddinorahtovar

    View Slide

  28. Encryption in Android
    @ddinorahtovar

    View Slide

  29. Biometrics

    View Slide

  30. Biometric prompt
    @ddinorahtovar

    View Slide

  31. Biometric prompt
    @ddinorahtovar

    View Slide

  32. Biometric as Local auth

    Secure
    Channel
    Biometric
    Promp
    Unlock
    Promp
    @ddinorahtovar

    View Slide

  33. How does it works?
    •Unexportable, cause depends of TEE
    •All the data travels in a Secure Channel
    @ddinorahtovar

    View Slide

  34. Biometric as Local auth
    @ddinorahtovar
    False Accept
    Rate (FAR)
    Imposter Accept
    Rate (IAR)
    Spoof Accept
    Rate (SAR)

    View Slide

  35. Native Modules

    View Slide

  36. C/C++ vs. Java/Kotlin
    @ddinorahtovar
    •C/C++ can not be decompiled
    •But can be dissembled

    View Slide

  37. Native Modules
    @ddinorahtovar

    View Slide

  38. @ddinorahtovar

    View Slide

  39. @ddinorahtovar

    View Slide

  40. Secure Data layer

    View Slide

  41. Secure data layer
    @ddinorahtovar
    •Authenticated, encrypted socket-level communication can be easily
    implemented using the SSLSocket Class
    •In a typical SSL usage scenario, a server is configured with a
    certificate containing a public key as well as a matching private key.
    As part of the handshake between an SSL client and server, the
    server proves it has the private key by signing its certificate
    with public-key cryptography.

    View Slide

  42. Secure data layer
    @ddinorahtovar
    So if I have this, everything is cool
    No!

    View Slide

  43. Certificate Authority
    @ddinorahtovar
    CER (.CRT) PFX

    View Slide

  44. Certificate Authority
    @ddinorahtovar

    View Slide

  45. Certificate Authority
    @ddinorahtovar

    View Slide

  46. Modern Security for
    Android Developers
    Dinorah Tovar
    Platform Mobile Engineer
    @ konfío.mx
    @ddinorahtovar
    @ddinorahtovar

    View Slide