Android Application Security For Developers (ADD 2014)

Slides from the 'Android Application Security For Developers' session at Android Developer Days 2014 in Ankara

Filip Maelbrancke

May 17, 2014

Transcript

  1. Android application security for developers
    Filip Maelbrancke

  4. Security = managing risk
    Asset / Vulnerability / Threat

  6. All in one device: increases threat probability
    • GPS
    • Contacts
    • Camera
    • Email (work)
    • Wallet

  7. Always out: vulnerability / exploitability
    • Stolen
    • Forgotten
    • Lost

  8. Everyone uses it: vulnerability / exploitability
    • Weak PINs
    • Use of open public WiFi

  10. Android security

  11. Android security model
    Diagram: Game X, Game Y, Contacts, Email and the System each run in their own app sandbox (application isolation); Google Play verifies the app signature; permissions control what an app may reach.

  12. Typical mobile app
    Mobile application: UI, local storage, remoting layer
    Communication channel
    Remote API

  13. Security
    App / Data / Network / Services

  15. Securing the app
    Java source -> .class -> .dex

  16. Reverse engineer

  17. Obtain APK from device
    adb backup -apk be.myapp           (adb backup of the app)
    backup apps: Titanium, Astro, Helium
    adb shell
    pm list packages -f                (lists installed packages with the path of their APK)
    adb pull /data/app/be.myapp-1.apk

  18. APK structure
    APK = zip: AndroidManifest, classes.dex, resources

  19. Reverse engineer: tools
    • Apktool
    • Dex2jar
    • APK to Java

  20. Reverse engineer: Apktool
    smali / baksmali: low-level disassembled Dalvik bytecode
    the code can be modified, then recompiled and re-signed

  21. Reverse engineer
    apktool d myapp.apk

  23. Reverse engineer: code

  24. Reverse engineer: dex2jar
    converts the .dex file to a .jar with Java bytecode (dex -> java)
    then a Java decompiler gives very readable code

  26. Reverse engineer: JEB decompiler
    paid; native Dalvik decompiler (dex -> java)

  28. Obfuscation

  29. ProGuard
    shrink, optimize, obfuscate

  30. ProGuard: obfuscation

  32. ProGuard: configuration

  33. ProGuard: beware!

  34. ProGuard: logging wrapper

  35. ProGuard: configuration

  36. ProGuard: better

  37. Other techniques
    If possible, run the code at the server!
    String encryption: hide sensitive strings, e.g. "Secure"
    Native code: Java Native Interface
    Reflection / Proxy: introduces indirection
    Class encryption: use DexGuard

  38. DexGuard
    commercial, ProGuard++: same configuration as ProGuard
    tamper checks
    good value for the money

  40. ProGuard tips
    Test the release build!
    Save mapping.txt (needed to de-obfuscate stack traces of that build)
    Crash? De-obfuscated crash reports are supported on Crashlytics, Crittercism, ...

  41. Tamper detection

  42. Environment validation
    1. installer
    2. debugger / emulator
    3. binary (signing key)
    -> tamper detection / protection

  43. Installer: Play Store installer check

  44. Debugger: debugger check

  46. Emulator: emulator check

  47. Signing key: valid signing key
    • SHA1 of the signing certificate
    • embed it in the app
    • check it at runtime against the installed package's signature

  49. Rooted device: root detection
    • check for typical apps / files
    • check the build keys
    • /system mounted r/w

  50. Tamper detection tips
    + use obfuscation!
    use multiple checks
    tampering detected: close the application
    don't leak where the protection code is

  52. Local data protection
    Avoid storing sensitive data locally if you can
    Avoid external storage for sensitive information
    For critical info: set android:saveEnabled="false" on the view so its state is not persisted
    Backup: set android:allowBackup="false" in the manifest
    Proper permissions: MODE_PRIVATE for files

  53. Local data protection
    // avoid screenshots and screen capture of this window
    getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
    Log out on inactivity if usability allows, and clear the cached information

  54. Keylogger

  55. Android not enough?
    Rooted devices: internal storage is readable to anyone with root
    Full-disk crypto: the key is derived from the lock-screen credential, so a weak PIN is open to brute forcing
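An Activity base class that applies slide 53, as an added example that is not code from the deck: FLAG_SECURE on the window, plus a logout on inactivity that clears cached data, including the case where the app sat in the background past the timeout. SessionCache.clear() and LoginActivity are hypothetical names standing in for your app's own cache and login screen, and the timeout value is an assumption to tune for usability.

```java
// Added example, not from the deck. Android app code.
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.os.SystemClock;
import android.view.WindowManager;

public abstract class SecureActivity extends Activity {

    private static final long INACTIVITY_TIMEOUT_MS = 5 * 60 * 1000L; // assumed; tune per app

    private final Handler handler = new Handler(Looper.getMainLooper());
    private final Runnable logout = new Runnable() {
        @Override public void run() { logoutAndClear(); }
    };
    private long lastInteraction = SystemClock.elapsedRealtime();

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Slide 53: no screenshots, no screen capture, blanked in the recent-apps thumbnail.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Returning from the background: log out if the session already expired while away.
        if (SystemClock.elapsedRealtime() - lastInteraction > INACTIVITY_TIMEOUT_MS) {
            logoutAndClear();
            return;
        }
        armTimer();
    }

    @Override
    protected void onPause() {
        super.onPause();
        handler.removeCallbacks(logout);   // no timers while not visible; onResume re-checks
    }

    /** Called for every touch or key event delivered to this Activity. */
    @Override
    public void onUserInteraction() {
        super.onUserInteraction();
        lastInteraction = SystemClock.elapsedRealtime();
        armTimer();
    }

    private void armTimer() {
        handler.removeCallbacks(logout);
        handler.postDelayed(logout, INACTIVITY_TIMEOUT_MS);
    }

    /** Drop the session and anything cached in memory, then return to the login screen. */
    protected void logoutAndClear() {
        SessionCache.clear();                                 // hypothetical app-level cache
        Intent i = new Intent(this, LoginActivity.class);    // hypothetical login screen
        i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
        startActivity(i);
        finish();
    }
}
```

Activities that show sensitive data extend SecureActivity instead of Activity; whatever SessionCache holds (tokens, decrypted records) is what the deck means by "clear the cached information".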

  56. Encryption

  57. JCA
    App -> JCA (Java Cryptography Architecture) -> providers
    message digest, key generation, digital signature, ...

  58. JCA providers on Android
    Bouncy Castle, AndroidOpenSSL, Harmony

  59. Bouncy Castle
    Android ships a cut-down subset of the upstream release
    Spongy Castle: repackage of Bouncy Castle for Android (github.com/rtyley/spongycastle)
    consistent crypto across Android versions, minimal change to your code

  60. Encryption libs
    SQLCipher (sqlcipher.net)
    • modified version of SQLite
    • AES-256 encryption
    • drop-in replacement
    IOCipher (guardianproject.info/code/iocipher)
    • virtual encrypted disk

  61. Key management
    Store: along with the data (file private to the app)
    Embed: in the source code (obfuscated?)
    -> easy to extract either way

  62. Key management: solutions
    Don't store: don't keep the key on the device, have it entered each time it is necessary
    Store: in a system service (keystore)

  63. Key derivation
    People vs keys: encryption keys are long random strings of bits; users are familiar with passwords
    Password based encryption: generate strong crypto keys based on humanly-manageable passwords
    Crypto algo: PBKDF2WithHmacSHA1

  64. Proper key derivation
    Salt: a random salt per password protects from table-assisted / pre-computed dictionary attacks
    Key stretching: repeat the key derivation operation multiple times to produce the final key; slows down brute force attacks

  65. Key derivation
    https://github.com/nelenkov/android-pbe
    http://nelenkov.blogspot.jp/2012/04/using-password-based-encryption-on.html
    Nikolay Elenkov
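The key derivation of slides 63 and 64 in plain Java, as an added example that is neither the deck's code nor Elenkov's android-pbe library linked above: PBKDF2WithHmacSHA1 with a random salt and an iteration count, and a main() that shows the salt changing the key while the same inputs reproduce it, and what each extra factor of ten in iterations costs. It runs on the JDK and on Android; the salt size, iteration count and key size are assumed values to tune for the slowest device you support.

```java
// Added example, not from the deck. Plain JDK; the same classes exist on Android.
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordKeyDerivation {

    public static final int SALT_BYTES = 16;      // 128-bit random salt, one per password (assumed)
    public static final int ITERATIONS = 10_000;  // key stretching factor (assumed; raise as devices get faster)
    public static final int KEY_BITS = 256;       // AES-256 key

    private PasswordKeyDerivation() {}

    /** Slide 64: fresh salt from SecureRandom. Store it next to the ciphertext; it is not secret. */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);   // never setSeed() it with a constant
        return salt;
    }

    /** Slide 63: PBKDF2WithHmacSHA1 turns a password into a KEY_BITS-bit key. */
    public static byte[] deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();             // wipe the factory's copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();   // constructed sample password
        byte[] salt1 = newSalt();
        byte[] salt2 = newSalt();

        byte[] k1 = deriveKey(pw, salt1, ITERATIONS);
        byte[] k2 = deriveKey(pw, salt2, ITERATIONS);
        // Same password, salt and iterations give the same key, which is what makes decryption possible.
        System.out.println("reproducible: " + Arrays.equals(k1, deriveKey(pw, salt1, ITERATIONS)));
        // A different salt gives an unrelated key, so a precomputed table for one salt is useless for another.
        System.out.println("salt changes key: " + !Arrays.equals(k1, k2));

        // Key stretching: every factor of ten here is a factor of ten for the attacker's guesses too.
        for (int iters : new int[]{1_000, 10_000, 100_000}) {
            long t0 = System.nanoTime();
            deriveKey(pw, salt1, iters);
            System.out.printf("%,d iterations: %.1f ms%n", iters, (System.nanoTime() - t0) / 1e6);
        }
        Arrays.fill(pw, '\0');                // wipe our own copy as well
    }
}
```

Pick the iteration count from the timing loop: as high as the slowest supported device tolerates at login (a few hundred milliseconds is a common target), and store the count with the salt so it can be raised later without breaking old data.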

  66. Keychain? Keystore provider
    • since Android 4.3
    • can be hardware-backed
    https://github.com/nelenkov/android-keystore
    Nikolay Elenkov

  67. Network

  68. Secure communication channel
    Use HTTPS (SSL / TLS)
    • confidentiality
    • authentication
    Validation: hostname verification, certificate pinning

  69. Secure communication channel: hostname verification

  70. SSL certificates
    CA-issued, recognised by Android: works out of the box
    self-signed certificates: behaviour change, needs a custom TrustManager

  71. Self-signed cert

  72. Anti-pattern: don't trust all!
    (a TrustManager that accepts every certificate gives up authentication and lets any man-in-the-middle read the traffic)

  73. Self-signed cert
    import the certificate in your app and build a custom TrustManager from it -> no man-in-the-middle attacks

  74. Certificate authorities

  75. TrustManager: StrongTrustManager
    • validates the whole certificate chain
    • uses the Debian certificate store

  76. Certificate pinning
    associate a host with its expected certificate / public key
    hashing: pin a hash of the certificate / public key rather than the raw bytes

  77. Certificate pinning
    get the certificate (openssl):
    echo | openssl s_client -connect host:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycertificate.pem
    embed it in the application under /res/raw
    custom, based on a keystore: load the certificate into a KeyStore
    SSL context: init an SSLContext with a TrustManager built from that KeyStore
    https://developer.android.com/training/articles/security-ssl.html
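The slide 77 procedure carried through in Java, as an added example that is not code from the deck (it follows the approach of the developer.android.com article the slide links): load the embedded PEM into an empty KeyStore, build a TrustManager from it, init an SSLContext, and add the hostname verification of slide 69 on top. It assumes the certificate saved by the openssl command above is shipped in the app and opened as an InputStream (on Android, getResources().openRawResource(R.raw.mycertificate)); the class and method names are mine.

```java
// Added example, not from the deck. Plain JDK classes; identical on Android.
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedSslContext {

    private PinnedSslContext() {}

    /** Slide 77: load the embedded certificate into an in-memory KeyStore holding nothing else. */
    public static KeyStore keyStoreWith(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate pinned = cf.generateCertificate(pem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                      // empty store, NOT the system CA store
        ks.setCertificateEntry("pinned", pinned);
        return ks;
    }

    /** Slide 77: init an SSLContext with a TrustManager built from that KeyStore. */
    public static SSLContext pinnedContext(InputStream pem) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStoreWith(pem));              // trusts only chains ending at the pinned cert
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Slide 69: hostname verification, restricted to the single host we pin. */
    public static HostnameVerifier onlyHost(final String expectedHost) {
        return new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) {
                // Never return true unconditionally: that is the "trust all" anti-pattern for hostnames.
                return expectedHost.equalsIgnoreCase(hostname)
                        && HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
            }
        };
    }

    /** Connection that fails the handshake unless the server presents the pinned certificate. */
    public static HttpsURLConnection open(URL url, InputStream pem) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(pinnedContext(pem).getSocketFactory());
        conn.setHostnameVerifier(onlyHost(url.getHost()));
        return conn;
    }
}
```

Because the openssl one-liner captures the server's leaf certificate, the app stops connecting the day that certificate is renewed; pinning the issuing CA certificate or the server's public key instead, and shipping a backup pin, is how that outage is usually avoided.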

  79. Securing services: controls
    • kill switch for specific functionality
    • server downtime communication
    • mandatory update mechanism

  80. Securing services: backend
    REST and APIs can have similar vulnerabilities to web applications
    mitigate: follow the OWASP Top 10

  81. Effective security
    "Using CryptoLint, we performed a study on cryptographic implementations in 11,748 Android applications. Overall we find that 10,327 programs – 88% in total – use cryptography inappropriately. The raw scale of misuse indicates a widespread misunderstanding of how to properly use cryptography in Android development."

  82. Effective security: the misuses found
    • hardcoded passphrases
    • manually seeded SecureRandom
    • insufficient key generation iterations
    • hardcoded salts
    • non-random initialization vectors
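An added example, not from the deck or the CryptoLint study, of why the last item on slide 82 matters: AES-CBC with a fixed IV encrypts equal plaintext prefixes to equal ciphertext blocks, so an attacker who sees the ciphertexts learns which records start the same way, while a fresh random IV per message hides that. The key comes from KeyGenerator rather than a hardcoded passphrase, and the SecureRandom is never seeded manually, covering two more items of the list. The sample messages are constructed for the demonstration.

```java
// Added example, not from the deck. Plain JDK; the same classes exist on Android.
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public final class IvMisuse {

    // One provider-seeded instance; calling setSeed(constant) on it would be the
    // "manually seeded SecureRandom" misuse from the slide.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int BLOCK = 16;

    private IvMisuse() {}

    /** Misuse: a constant IV (all zeros here), as the studied apps did. */
    public static byte[] encryptFixedIv(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[BLOCK]));
        return c.doFinal(plaintext);
    }

    /** Correct: random IV per message, stored in front of the ciphertext (it need not be secret). */
    public static byte[] encryptRandomIv(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] body = c.doFinal(plaintext);
        byte[] out = new byte[BLOCK + body.length];
        System.arraycopy(iv, 0, out, 0, BLOCK);
        System.arraycopy(body, 0, out, BLOCK, body.length);
        return out;
    }

    public static byte[] decryptRandomIv(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key,
                new IvParameterSpec(Arrays.copyOfRange(ivAndCiphertext, 0, BLOCK)));
        return c.doFinal(ivAndCiphertext, BLOCK, ivAndCiphertext.length - BLOCK);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                          // key from the provider's CSPRNG, not a hardcoded passphrase
        SecretKey key = kg.generateKey();

        // Constructed sample records: the first 16 bytes ("balance=100;user") are identical.
        byte[] m1 = "balance=100;user=alice".getBytes(StandardCharsets.UTF_8);
        byte[] m2 = "balance=100;user=bob".getBytes(StandardCharsets.UTF_8);

        byte[] f1 = encryptFixedIv(key, m1);
        byte[] f2 = encryptFixedIv(key, m2);
        // Fixed IV: equal first plaintext blocks give equal first ciphertext blocks, which leaks
        // that both records share a prefix without decrypting anything.
        System.out.println("fixed IV, first blocks equal: "
                + Arrays.equals(Arrays.copyOf(f1, BLOCK), Arrays.copyOf(f2, BLOCK)));

        byte[] r1 = encryptRandomIv(key, m1);
        byte[] r2 = encryptRandomIv(key, m1);
        // Random IV: even the very same message encrypts differently each time, and still round-trips.
        System.out.println("random IV, same message differs: " + !Arrays.equals(r1, r2));
        System.out.println("round trip ok: " + Arrays.equals(m1, decryptRandomIv(key, r1)));
    }
}
```

CBC with a random IV gives confidentiality only; for data an attacker can tamper with, add a MAC or use an authenticated mode such as AES-GCM.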

  83. Security testing
    Manual: code review, design review
    Analysis: static, dynamic
    Penetration testing

  84. Suggested reading
    Android Security Cookbook, Keith Makan / Scott Alexander-Bown (ISBN 9781782167167)
    Android Security Internals, Nikolay Elenkov (ISBN 9781593275815)
    Android Hacker's Handbook, Joshua J. Drake et al. (ISBN 9781118608647)
    Application Security for the Android Platform, Jeff Six (ISBN 9781449315078)

  85. Suggested reading
    developer.android.com
    https://developer.android.com/training/articles/security-tips.html
    https://source.android.com/devices/tech/security/
    OWASP: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
    Google+ community: Android security discussions
    Blogs: http://nelenkov.blogspot.com.tr/…

  86. Filip Maelbrancke
    Twitter: @fmaelbrancke
    Email: [email protected]
    consultant @ AppFoundry
    Thank you