
Secure your app, fight the leaks!

You can consult the speaker's notes on the Google Drive presentation: http://bit.ly/droidcon-sec

In a corporate environment, data is often more sensitive and strategic than the equipment. During this talk we will explore together the security issues that can occasionally cause leaks in an Android app, and how to prevent them.

Eyal LEZMY

June 26, 2013

Transcript

  1. EYAL LEZMY
    Slides: http://bit.ly/droidcon-sec
    http://eyal.fr
    ANDROID PRESALES ENGINEER, SAMSUNG B2B
    TREASURER AT PARIS ANDROID USER GROUP
    ANDROID GOOGLE DEVELOPER EXPERT
  2. APPS HAVE TO RESPECT THE DATA
    Different ways to unintentionally grant other apps access to the data inside your application:
    - Exporting an unprotected component
    - Storing personal data in a world-readable file
    - Logging personal data in logcat logs
    Copyright © 1995-2012 SAMSUNG All rights reserved
  3. CHECK YOUR ANDROIDMANIFEST.XML
    It declares the accessible app components: Activity, Service, Receiver, ...
    Adding an <intent-filter> => your element is exported by default
    A ContentProvider is always exported by default, until android:targetSdkVersion="17"
  4. CHECK YOUR ANDROIDMANIFEST.XML
    Don't export app components unless you want to share their content with other applications:
    <application android:label="@string/app_name">
        …
        <service android:name=".ServiceExample"
                 android:exported="false">
            <intent-filter>
                …
            </intent-filter>
        </service>
        …
    </application>
  5. CHECK YOUR ANDROIDMANIFEST.XML
    (same manifest snippet as slide 4)
    What is your legitimacy to expose data?
  6. PERMISSIONS
    There are different permission protection levels:
    - normal: lower-risk permission
    - dangerous: higher risk, access to user private data, potential negative impact
    - signature: needs the same certificate signature
  7. PERMISSIONS
    Let's look at the code:
    <permission android:name="com.example.EXAMPLE_PERM"
                android:label="@string/example_perm_l"
                android:description="@string/example_perm_d"
                android:icon="@drawable/example_perm_i"
                android:protectionLevel="signature" />
    ...
    <service android:name=".ServiceExample"
             android:permission="com.example.EXAMPLE_PERM">
        <intent-filter>...</intent-filter>
    </service>
  8. PERMISSIONS
    Don't be the weakest link: always check the permission of a caller if you use your permission.
    private boolean checkPermission(Context context) {
        String permission = "com.example.EXAMPLE_PERM";
        int res = context.checkCallingPermission(permission);
        return (res == PackageManager.PERMISSION_GRANTED);
    }
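A worked version of the check on slide 8, added here and not part of the deck: a bound Service whose Binder verifies the caller's permission inside every IPC transaction, which is the only context in which checkCallingPermission() can see the remote uid. SecretService, the ISecret descriptor and the transaction code are hypothetical names; the permission string is the one the deck declares.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

// Hypothetical service. Pair it with <service android:permission="com.example.EXAMPLE_PERM">
// in the manifest so the system already refuses bindService() from apps lacking the permission;
// the in-code check below is the second line of defence the deck asks for.
public class SecretService extends Service {
    private static final String PERM = "com.example.EXAMPLE_PERM";
    private static final String DESCRIPTOR = "com.example.ISecret";            // hypothetical
    static final int TRANSACTION_GET_SECRET = IBinder.FIRST_CALL_TRANSACTION;  // hypothetical

    // A raw Binder instead of an AIDL stub keeps the example self-contained.
    // onTransact() runs inside the caller's transaction, so Binder.getCallingUid()
    // identifies the remote app rather than our own process.
    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (!callerHoldsPermission()) {
                // Binder marshals the SecurityException back to the caller; nothing is served.
                throw new SecurityException("caller lacks " + PERM);
            }
            if (code == TRANSACTION_GET_SECRET) {
                data.enforceInterface(DESCRIPTOR);
                reply.writeNoException();
                reply.writeString(loadSecret());
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    // The deck's check. checkCallingPermission() returns PERMISSION_DENIED whenever no
    // IPC is in progress, so calling it from onCreate() or onStartCommand() always fails:
    // for started services, rely on the manifest's android:permission instead.
    private boolean callerHoldsPermission() {
        return checkCallingPermission(PERM) == PackageManager.PERMISSION_GRANTED;
    }

    private String loadSecret() {
        return "constructed sample secret"; // stands in for data read from private storage
    }

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```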
  9. DISABLE USELESS ACTIVITIES
    Fit your components' lifecycle to your application's lifecycle:
    - If a service or activity is not useful before configuration (login, account creation, ...), disable it
    - If your application handles common implicit Intent actions like ACTION_VIEW or ACTION_SEND, consider disabling it by default
  10. DISABLE USELESS ACTIVITIES
    Disabled:
    <activity android:name="com.example.Activity"
              android:label="@string/app_name"
              android:enabled="false">
    </activity>
    Enabled:
    context.getPackageManager().setComponentEnabledSetting(componentName, newState, flags);
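An added example, not from the deck, that puts slides 9 and 10 together: a share target declared with android:enabled="false" is switched on after login and returned to its manifest default on logout. SessionGate and com.example.ShareActivity are hypothetical names.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.PackageManager;

// Hypothetical helper. The manifest side is the deck's declaration:
//   <activity android:name="com.example.ShareActivity" android:enabled="false">
//       <intent-filter> ... ACTION_SEND ... </intent-filter>
//   </activity>
// A disabled component is invisible to intent resolution, so before login the
// app does not even appear in the system share chooser.
public final class SessionGate {
    private static final String SHARE_ACTIVITY = "com.example.ShareActivity"; // hypothetical

    private SessionGate() {}

    /** After a successful login: the ACTION_SEND handler becomes reachable by other apps. */
    public static void onLogin(Context ctx) {
        setState(ctx, PackageManager.COMPONENT_ENABLED_STATE_ENABLED);
    }

    /**
     * On logout: return to the manifest value (android:enabled="false") rather than
     * forcing STATE_DISABLED, so a later release that changes the manifest default
     * is honoured instead of being overridden by a stale stored setting.
     */
    public static void onLogout(Context ctx) {
        setState(ctx, PackageManager.COMPONENT_ENABLED_STATE_DEFAULT);
    }

    /** True only while the component has been explicitly enabled at runtime. */
    public static boolean isShareTargetEnabled(Context ctx) {
        return ctx.getPackageManager().getComponentEnabledSetting(target(ctx))
                == PackageManager.COMPONENT_ENABLED_STATE_ENABLED;
    }

    private static void setState(Context ctx, int state) {
        // DONT_KILL_APP: apply the change without the system killing our process.
        ctx.getPackageManager().setComponentEnabledSetting(target(ctx), state,
                PackageManager.DONT_KILL_APP);
    }

    private static ComponentName target(Context ctx) {
        return new ComponentName(ctx.getPackageName(), SHARE_ACTIVITY);
    }
}
```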
  11. STORING DATA WISELY
    Protect personal data using MODE_PRIVATE for data files, shared preferences and databases:
    - openFileOutput()
    - getSharedPreferences()
    - openOrCreateDatabase()
    External storage (sdcard) is shared storage
  12. PLEASE... SHUT THE FUCK UP!
    public static final boolean SHOW_LOG = BuildConfig.DEBUG;

    public static void d(final String tag, final String msg) {
        if (SHOW_LOG) Log.d(tag, msg);
    }
    - Don't expose data through logcat in production
    - Detect the build mode with BuildConfig.DEBUG
    - Be careful about this subject and test it during QA
  13. PROTECTING APP FROM USERS
    No more android:debuggable in the manifest
    Don't leave this enabled in release code!
    ADT 8.0+ does it for you automatically
  14. PROTECTING APP FROM USERS
    $ adb shell
    shell@android:/ $ run-as com.android.example sh
    shell@android:/data/data/com.android.example $ id
    uid=10060(app_60) gid=10060(app_60)
    shell@android:/data/data/com.android.example $ ls files/secret_data.txt
    shell@android:/data/data/com.android.example $ cat files/secret_data.txt
  15. USE SAFE NETWORKING
    HTTPS and SSL can protect against Man-in-the-Middle attacks and prevent casual snooping
    Server certificate validity must be correctly checked
    "15% of apps have weak or bad SSL implementation on the Play Store"
    Free certified SSL: https://www.startssl.com/
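As an added example (not the deck's code) of "server certificate validity must be correctly checked": an HttpsURLConnection that trusts only a CA certificate bundled in the APK, with the two mistakes behind most broken implementations named in comments. PinnedHttps and the raw resource R.raw.server_ca are hypothetical.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import android.content.Context;

public final class PinnedHttps {
    private PinnedHttps() {}

    /** Trust store holding only the CA shipped as res/raw/server_ca (hypothetical; DER or PEM). */
    public static SSLContext pinnedContext(Context ctx) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = ctx.getResources().openRawResource(R.raw.server_ca);
        Certificate ca;
        try {
            ca = cf.generateCertificate(in);
        } finally {
            in.close();
        }
        // Fresh in-memory KeyStore: the device's CA list, including any CA the user
        // (or an interception proxy) installed, is deliberately not consulted.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("server-ca", ca);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext sc = SSLContext.getInstance("TLS");
        // The platform TrustManager still performs chain building and expiry checks.
        sc.init(null, tmf.getTrustManagers(), null);
        return sc;
    }

    public static HttpsURLConnection open(Context ctx, String url) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(pinnedContext(ctx).getSocketFactory());
        // Mistake 1: an X509TrustManager whose checkServerTrusted() body is empty accepts any chain.
        // Mistake 2: a HostnameVerifier that always returns true accepts a valid chain for the
        //            wrong host. Neither is done here: the default HostnameVerifier stays in place.
        return c;
    }
}
```

Pinning to a bundled CA means the app must ship an update before that certificate is rotated or expires, so plan the release alongside the server's certificate lifecycle.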
  16. DATA ENCRYPTION DOESN'T SOLVE ALL PROBLEMS
    ...but it may help to discourage the curious.
    Use a peer-reviewed library like KeyCzar
    Take care of the key:
    - Create it at first start, with true randomness
    - Or grab a user key from your server
    - Or ask the user for a passphrase you won't store
  17. DEVICE ADMINISTRATION
    In a corporate environment, device administration can be considered:
    - Password management
    - Device encryption
    - Disable camera
    - Lock the device
    - Remote wipe
  18. BEHIND THE STAGE
    The APK's content is always world-readable, take care about what you put inside
    Sensitive files should be kept out of the APK
    Java is open source, your code too
    Using ProGuard takes a single line of code
    Or... Dex encryption, modified AAPT, logic on the server
  19. NEVER FORGET THE USER, NEVAAAAA!
    "The more secure you make something, the less secure it becomes"
    Level the security following the user acceptance or...
    - Users will find workarounds
    - Users won't use your service
  20. REFERENCES
    - Google I/O 2012 Sessions
    - Android Developers Live YouTube channel
    - Android Development
    - Android Development: Using Cryptography
    - The Commons Blog
    - InformationWeek: Security Paradox
    - ThreatPost: SSL implementation on Android apps
    - StartSSL Free certificates
  21. SAMSUNG SMART APP CHALLENGE 2013
    A global app challenge
    Apps for the Galaxy S4
    Use of Samsung Chord SDK
    Apply June 20 - August 31
    www.smartappchallenge.com
    $800,000 for 10 winners
  22. SAMSUNG DEVELOPERS
    SDKs and Documentation: http://developer.samsung.com
    - Samsung Chord SDK
    - Bluetooth Low Energy SDK
    - S Pen & Multi Window SDK
    - AllShare Framework
    Remote Test Lab: test your applications on real devices through the internet
    - Free, 24H 365 Days
    - Real Device, NOT emulator
    - Multiple Devices