
Device & App Integrity with Google SafetyNet

Common security considerations and tools for device and application integrity while developing an app, and an easy solution provided by Google Play Services: SafetyNet

Antonis Filippidis

December 15, 2016
Transcript

  1. Device & App Integrity with Google SafetyNet
     Antonis Filippidis – Android Technical Lead Software Engineer
     Stelios Eleotrivaris – Software Engineer
  2. Device and application integrity. Why?
     A rooted device can be potentially dangerous to users and apps. When an Android device is rooted, the system security and safeguards cannot be guaranteed. A user or a malicious program on such a device can elevate its permissions to root and circumvent this protection, giving it access to other apps' private data.
     © 2016 Advantage FSE DEVICE & APPLICATION INTEGRITY WITH SAFETY-NET www.afse.eu
  3. Device integrity detection (aka root detection)
     RootDetection == indication of root. Most methods try to identify common tools and root cloakers used by the community, e.g. SuperSU, hidesu. Some checks that can identify root access:
     - check for root apps
     - check for test keys (a genuine platform system image is signed with production keys)
     - check system properties
     - check for root binaries (su, busybox)
     - check read/write permissions on specific system folders
     - NDK checks for any of the above (C/C++ code tends to be harder for an attacker to intercept and hide)
  4. Root detection tools
     Open source library: RootBeer - https://github.com/scottyab/rootbeer
     Commercial obfuscation/protection tools: Arxan's GuardIT, GuardSquare's DexGuard
  5. Application integrity checklist
     Secure application integrity
     1. Do you obfuscate the binary executable file as part of the build? Use e.g. ProGuard.
     2. Are app integrity checks performed at runtime? Check the hash of the certificate that signed the app. Checksum your binary.
     Secure locally stored data
     3. Does your app encrypt its local storage? Use e.g. SQLCipher.
     4. Is compromised local data detected by the app? Checksum your data files.
     Secure data transfer
     5. Do you use a secure connection to access APIs or data sources? Use HTTPS, and encrypt/decrypt every packet at runtime.
     6. Does the app session expire? Protect private data in case the device is left unattended.
     Extra security measures
     - Prevent running on a jailbroken/rooted device
     - Prevent taking screenshots of the app screens
     - Detect whether the application is running on an emulator
     - Restrict debuggers
     A significant step against attackers is to offload validation to a trusted server.
  6. Is there a simpler approach? ...and free?
     Google SafetyNet. Google Play's SafetyNet service allows your application to gain information about the 'CTS compatibility' status of the device it is running on. You can think of CTS compatibility as a mix of rooting detection, device tampering detection and active MitM detection.
     Who uses it? Android Pay, Pokémon GO
  7. How does it work?
     SafetyNet is a data collection system used by Google to gather security-related information from 1 billion Play-enabled Android devices. Google is in a position to determine whether a device is being tampered with in a multitude of ways. Google maintains this information and knows at any point in time if a specific device is in a suspicious state. The actual analysis of the collected data is done server-side, leaving less room for manipulation; again, good security design.
     The SafetyNetService is one of the Google Play Services. The service handling code is packaged in the Google Play Services package that ships with Google-endorsed Android devices and is updated through the Play Store. The actual implementation of snet is not inside any APK: the SafetyNet service reaches out to a Google server and downloads a binary package with the code, which is loaded via reflection.
     Google does not disclose how exactly it determines "CTS compatibility" from the collected data, so an attacker would have to figure out what to hide by trial and error. Even though they could make educated guesses, they would not know exactly what Google is looking for.
  8. App flow without SafetyNet (1/3)
  9. Insecure flow with SafetyNet (2/3)
  10. JWS – JSON Web Signature format
  11. Secure flow with SafetyNet (3/3)
  12. Someone managed to bypass SafetyNet. Now what?
      Recent updates of SafetyNet:
      - The code is now obfuscated. Initially Google seemed to leave things unobfuscated on purpose in order to increase transparency; however, this appears to have changed.
      - In September 2016, Google introduced more aggressive checks into ctsProfileMatch, e.g. acting on Verified Boot status. Due to these changes, devices that are not "rooted" but merely use a different bootloader will cause ctsProfileMatch to be set to false. So a new flag, basicIntegrity, was added to the attestation payload:
        {
          "nonce": "R2Rra24fVm5xa2Mg",
          "timestampMs": 9860437986543,
          "apkPackageName": "com.package.name.of.requesting.app",
          "apkCertificateDigestSha256": ["base64 encoded, SHA-256 hash of the certificate used to sign requesting app"],
          "apkDigestSha256": "base64 encoded, SHA-256 hash of the app's APK",
          "ctsProfileMatch": true,
          "basicIntegrity": true
        }
        In such cases basicIntegrity will still remain true. It seems to be set to false only if an su binary is placed in expected locations. The basicIntegrity field currently seems to behave like ctsProfileMatch did before the recent changes.
      - SafetyNet now offers another flavor: a lookupUri() API that allows apps to check if a given URI is classified as a Potentially Harmful App by Google's threat intelligence systems.
  13. Show me the code!!!
  14. Requesting a compatibility check
      • Obtain a single-use token
      • Send the compatibility check request
      • Read the response
      • Validate the response
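The "obtain a single-use token" and "validate the response" steps as they look on the trusted server, as an added Python example that is not code from the deck or its sample project. It assumes the JWS signature and its certificate chain have already been verified (the chain must lead to a certificate issued for attest.android.com) and shows the claim checks the secure flow depends on: the nonce is one this server minted for this session and is consumed on first use, the timestamp is fresh, the package name and signing-certificate digest match, and both integrity flags are true; the expected package, digest and time window are constructed placeholders.

```python
import base64
import json
import secrets

# Constructed placeholders standing in for a real deployment (not values from the deck).
EXPECTED_PACKAGE = "com.package.name.of.requesting.app"
EXPECTED_CERT_DIGESTS = {"Y29uc3RydWN0ZWQtY2VydC1kaWdlc3Q="}  # base64 SHA-256 of the app's signing cert
MAX_AGE_MS = 5 * 60 * 1000  # reject attestations older than five minutes


def b64url_decode(segment: str) -> bytes:
    """JWS segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_nonce(store: dict, session_id: str) -> str:
    """Server step 1: mint a single-use nonce and remember which session asked for it."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()
    store[nonce] = session_id
    return nonce


def validate_attestation(jws: str, store: dict, session_id: str, now_ms: int) -> dict:
    """Server step 4: check the claims of an attestation whose signature and chain were
    already verified. Returns check name -> bool so failures can be logged precisely."""
    _header, payload, _signature = jws.split(".")
    claims = json.loads(b64url_decode(payload))
    results = {
        # pop() consumes the nonce, so a replayed JWS fails even if every other claim matches
        "nonce_known": store.pop(claims.get("nonce"), None) == session_id,
        "fresh": 0 <= now_ms - claims.get("timestampMs", 0) <= MAX_AGE_MS,
        "package": claims.get("apkPackageName") == EXPECTED_PACKAGE,
        "cert_digest": bool(set(claims.get("apkCertificateDigestSha256", [])) & EXPECTED_CERT_DIGESTS),
        "cts_profile_match": claims.get("ctsProfileMatch") is True,
        "basic_integrity": claims.get("basicIntegrity") is True,
    }
    results["ok"] = all(results.values())
    return results


def build_test_jws(claims: dict) -> str:
    """Constructed fixture only: a JWS-shaped token with a dummy signature segment.
    Real attestations are signed by Google and must be verified before validate_attestation()."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "x5c": []}), enc(claims), "c2lnbmF0dXJl"])
```

A device with an unlocked bootloader shows up here as cts_profile_match False with basic_integrity still True, which is exactly the distinction the previous slide describes, so the server can decide per-flag what to tolerate.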
  15. References and sample project
      Sample project on GitHub: https://github.com/Vivecstel/SafetNetSampleApp
      References and image credits:
      https://developer.android.com/training/safetynet/index.html
      https://medium.com/@scottyab/detecting-root-on-android-97803474f694#.e541dle10
      https://www.arxan.com/technology/mobile-sdks-and-wdks/
      https://www.guardsquare.com/en/dexguard
      https://mentormate.com/blog/6-mobile-application-security-techniques/
      https://android-developers.googleblog.com/2010/09/securing-android-lvl-applications.html
      https://www.cigital.com/blog/using-safetynet-api/
      https://koz.io/inside-safetynet/
  16. Thank you!! www.afse.eu
      Contact us @: [email protected] [email protected]