Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Application Security For Developers (AD...

Filip Maelbrancke
May 17, 2014
Programming
8
230

Android Application Security For Developers (ADD 2014)

Slides from the 'Android Application Security For Developers' session at Android Developer Days 2014 in Ankara

Filip Maelbrancke

May 17, 2014
Tweet

More Decks by Filip Maelbrancke

See All by Filip Maelbrancke
Reactive Spring 5: WebFlux & Reactor
filipmaelbrancke
0
140
Spring 5 and Kotlin
filipmaelbrancke
0
110
Android Accessibility at GDG Devfest Istanbul 2016
filipmaelbrancke
0
100
Effective Android Development
filipmaelbrancke
0
120
Android Accessibility at GDG Devfest Brussels 2016
filipmaelbrancke
0
94
Android Accessibility at BABBQ Amsterdam
filipmaelbrancke
0
200
Android Testing at Mobel (December 9, 2015)
filipmaelbrancke
0
140
Working in an effective team at DevFest Istanbul 2015
filipmaelbrancke
0
66
Working in an effective team at BABBQ 2015 & Droidcon Italy 2015
filipmaelbrancke
1
150

Other Decks in Programming

See All in Programming
これだけは知っておきたいクラス設計の基礎知識 version 2
masuda220
PRO
24
6.6k
Compose Hot Reload is here, stop re-launching your apps! (Android Makers 2025)
zsmb
1
550
Golangci-lint v2爆誕: 君たちはどうすべきか
logica0419
1
160
Jakarta EE Meets AI
ivargrimstad
0
250
Strategic Design (DDD) for the Frontend @DDD Meetup Stuttgart
manfredsteyer
PRO
0
170
Laravel × Clean Architecture
bumptakayuki
PRO
0
110
Dissecting and Reconstructing Ruby Syntactic Structures
ydah
1
970
スモールスタートで始めるためのLambda×モノリス(Lambdalith)
akihisaikeda
2
300
AI Coding Agent Enablement - エージェントを自走させよう
yukukotani
14
6.2k
設計の本質:コード、システム、そして組織へ / The Essence of Design: To Code, Systems, and Organizations
nrslib
5
1.3k
AHC045_解説
shun_pi
0
560
Qiita Bash
mercury_dev0517
2
210

Featured

See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
2.9k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Typedesign – Prime Four
hannesfritz
41
2.6k
The Language of Interfaces
destraynor
157
25k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
12k
How STYLIGHT went responsive
nonsquared
99
5.5k
Being A Developer After 40
akosma
91
590k
Designing for humans not robots
tammielis
252
25k
Agile that works and the tools we love
rasmusluckow
328
21k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
GraphQLの誤解/rethinking-graphql
sonatard
71
10k
Into the Great Unknown - MozCon
thekraken
38
1.7k

Transcript

  1. Application security ANDROID FOR DEVELOPERS FILIP MAELBRANCKE

  2. None

  3. X

  4. Security = managing risk ASSET VULNERABILITY THREAT

  5. Security = managing risk ASSET VULNERABILITY THREAT

  6. All in one device Increases threat proBability ! • GPS

    • Contacts • Camera • Email (work) • Wallet

  7. Always out Vulnerability / Exploitability ! • Stolen • Forgotten

    • Lost !

  8. Everyone uses it Vulnerability / Exploitability ! • Weak pins

    • Use of open public WiFi !

  9. Everyone uses it

  10. Android security

  11. Android security model ! ! ! ! ! ! !

    ! ! ! Game X ! ! ! Game Y ! System ! ! ! ! ! ! ! ! ! ! ! ! ! ! Contacts ! ! ! Email ! ! ! Google Play ! Verify app signature ! ! App sandbox ! ! Permissions application isolation

  12. typical mobile app MOBILE APPLICATION UI LOCAL STORAGE REMOTING LAYER

    REMOTE API COMMUNICATION CHANNEL

  13. Security APP DATA NETWORK SERVICES

  14. None

  15. Securing the app JAVA CLASS DEX

  16. reverse engineer

  17. OBTAIN APK FROM DEVICE adb backup -apk be.myapp ADB BACKUP

    app Titanium, Astro, Helium adb shell pm list packages -f adb pull /data/app/be.myapp-1.apk

  18. APK structure APK = zip APK AndroidManifest classes.dex Resources

  19. reverse engineer TOOLS ! • Apktool • Dex2jar • Apk

    to Java !

  20. reverse engineer smali / baksmali APKTOOL Low level disassembled Dalvik

    bytecode CODE code can be modified recompile / resign

  21. reverse engineer apktool d myapp.apk

  22. reverse engineer

  23. reverse engineer code

  24. reverse engineer convert .dex file to a .jar with java

    bytecode DEX2JAR dex -> java java decompiler CODE very readable

  25. reverse engineer

  26. reverse engineer Jeb Decompiler PAID dex -> java native dalvik

    decompiler

  27. reverse engineer

  28. Obfuscation

  29. Proguard obfuscate optimize Shrink

  30. proguard obfuscation

  31. proguard

  32. proguard configuration

  33. proguard Beware!

  34. proguard loggingwrapper

  35. proguard configuration

  36. proguard BEtter

  37. other techniques If possible, run code at server! server String

    encryption Hide sensitive strings eg “Secure” Native code Java Native Interface reflection Proxy Introduces indirection Class encryption Use DexGuard

  38. dexguard Same config proguard++ Commercial Good value for the money

    Tamper checks

  39. dexguard

  40. proguard tips Test! release build Mapping.txt Save! Crash? Supported on

    Crashlytics, Crittercism, ...

  41. TAMPER DETECTION

  42. Environment 1.installer 2.debugger / 3.BINARY Validation Tamper detection / protection

  43. INSTALLER PLAY STORE INSTALLER

  44. debugger Debugger check

  45. debugger Debugger check

  46. emulator EMULATOR check

  47. SIGNING KEY Valid signing key ! • SHA1 of signing

    cert • Embed • Check with runtime signature !

  48. SIGNING KEY Valid signing key

  49. rooted device root detection ! • Check typical apps /

    files • Check keys • /system r/w !

  50. tamper detection tips + use obfuscation! multiple checks Tampering detected

    Close application Don’t leak where the protection code is
  51. None

  52. local Data protection Avoid it if you can Avoid External

    storage Avoid external storage for sensitive information For critical info set android:saveEnabled="false" Backup set android:allowBackup=false proper permissions MODE_PRIVATE with files

  53. local Data protection getWindow().setFlags(LayoutParams.FLAG _SECURE, LayoutParams.FLAG_SECURE); avoid screen shots LOGOUT

    on inactivity if usability allows and clear the cached information

  54. keylogger

  55. ANDROID NOT ENOUGH? rooted devices Internal Storage Full disk crypto

    brute forcing

  56. encryption

  57. JCA APP JCA (Java Cryptography Architecture) Provider Provider Message Digest

    Key Generation Digital Signature ...

  58. JCA Bouncy Castle Android OpenSSL APP JCA (Java Cryptography Architecture)

    Harmony

  59. bouncy castle Android = subset of upstream release cut-down CONSISTENT

    Consistent crypto across Android versions MINIMAL change github.com/rtyley/spongycastle Spongy castle Repackage of Bouncy Castle for Android

  60. encryption libs SQLCipher sqlcipher.net ! • Modified version of SQLite

    • AES-256 encryption • Drop-in replacement ! iocipher guardianproject.info/code/ iocipher ! Virtual encrypted disk

  61. key management Store along with the data (file private to

    the app) Store Embed Embed in source code (obfuscated ?) EASY TO EXTRACT

  62. key management don’t store Don’t store the key on the

    device Have it entered each time necessary Store In systems service SOLUTIONS

  63. key derivation Long random strings of bits encryption keys people

    vs keys Users are familiar with passwords Crypto algo PBKDF2WithHmacSHA1 password based encryption Generate strong crypto keys based on humanly-manageable passwords

  64. proper key derivation Using a salt protects from table- assisted

    / pre-computed dictionary attacks SALT key stretching Repeat the key derivation operation multiple times to produce the final key Slows down brute force attacks

  65. key derivation https://github.com/nelenkov/android-pbe http://nelenkov.blogspot.jp/2012/04/using-password-based-encryption-on.html Nikolay Elenkov

  66. KEYCHain? Keystore provider ! • Since Android 4.3 • Can

    be hardware- backed https://github.com/nelenkov/android-keystore Nikolay Elenkov

  67. network

  68. Secure communication channel use https Use SSL / TLS !

    • Confidentiality • Authentication ! VALIDATION Hostname verification ! Certificate pinning

  69. secure communication channel hostname verification

  70. SSL certificates CA issued, Android recognized CA issued self-signed certificates

    behaviour change custom TrustManager

  71. self-signed cert

  72. anti pattern don’t trust all!

  73. self-signed cert Certificate Custom trustmanager NO man-in-the-middle attacks import in

    your app

  74. Certificate authorities

  75. Trustmanager StrongTrustManager ! • Validate whole certificate chain • Debian

    certificate store !

  76. certificate pinning with expected certificate / public key Associate host

    hashing anonymize certificate / public key

  77. certificate pinning echo | openssl s_client -connect host:443 2>&1 |

    sed -ne '/-BEGIN CERTIFICATE-/,/- END CERTIFICATE-/p' > mycertificate.pem get certificate (openssl) embed in application /res/raw Custom Based on keystore Load into keystore SSL context Init SSL context with TrustManager https://developer.android.com/training/articles/security-ssl.html
  78. None

  79. Securing services Controls ! • Kill switch for specific functionality

    • Server downtime communication • Mandatory update mechanism !

  80. securing services Backend REST and APIs can have similar vulnerabilities

    to web applications mitigate follow OWASP top 10

  81. Effective security Using CryptoLint, we performed a study on cryptographic

    implementations in 11,748 Android applications. Overall we find that 10,327 programs – 88% in total – use cryptography inappropriately. The raw s c a l e o f m i s u s e i n d i c a t e s a w i d e s p r e a d misunderstanding of how to properly use cryptography in Android development. “ ”

  82. effective security hardcoded passphrases manually seeded SecureRandom insufficient key generation

    iterations hardcoded salts non-random initialization vectors

  83. security testing Static analysis Manual code review design review Analysis

    Static Dynamic Penetration testing

  84. suggested reading Android Security Cookbook
 Keith Makan / Scott Alexander-Bown

    (9781782167167) Android Security Internals 
 Nikolay Elenkov (9781593275815) Android Hacker’s Handbook
 Joshua J. Drake et al. (9781118608647) Application Security for the Android platform
 Jeff Six (9781449315078) 


  85. suggested reading developer.android.com
 https://developer.android.com/training/articles/security-tips.html 
 https://source.android.com/devices/tech/security/ OWASP
 https://www.owasp.org/index.php/OWASP_Mobile_Security_Project Google+ community

    
 Android security discussions Blogs
 http://nelenkov.blogspot.com.tr/…


  86. Filip maelbrancke TWITTER: @fmaelbrancke EMAIL: [email protected] THANK YOU EMAIL: [email protected]

    consultant @ AppFoundry