1) BUT IT IS IN MY HANDS!
control over it
• But the user is not you!
• That user is an attack vector
• Most users will think differently than you
• Most users do not have the newest version
2) BUT IT IS A MORE SECURE ENVIRONMENT!
win!
• Process separation
• Storage separation
• Memory separation
• Resource separation
• Intent separation
BASICS
requirement
A. “Device with the factory setting”
B. “Device with #A plus successful attestation”
C. “A non-rooted device”
D. “Any Google Android device”
• Does it do what the spec says?
• Is the code well written?
• Is the architecture correct?
• Do we need to agree on something?
• Did we forget something?
1) Each implementation task (new feature, bugfix) should at least go through one of the following:
◦ A code review as per “Code review process”
◦ A design review as per “Design QA process”
◦ Manual testing as per “Manual QA process”
◦ Automated testing by unit tests, instrumentation tests or integration tests
Unless decided otherwise and the reason is documented in the tracker task.
MASVS checklist (excerpt)

3.5 MSTG-CRYPTO-5: The app doesn’t re-use the same cryptographic key for multiple purposes.
    Status: OK. The library does not re-use the same cryptographic key for multiple purposes.
3.6 MSTG-CRYPTO-6: All random values are generated using a sufficiently secure random number generator.
    Status: OK. All random values are generated using a sufficiently secure random number generator. PRNG improvements are applied on platform API levels where they are required, as per https://androiddevelopers.googleblog.com/2013/08/somesecurerandom-thoughts.html.
7.1 MSTG-CODE-1: The app is signed and provisioned with a valid certificate, of which the private key is properly protected.
    Status: N/A. The binary is a library and is not directly signed, as only Android applications can be signed. (The published artifact can still be signed at the repository level, e.g. with the PGP signature Maven Central requires, so the signing key for that still needs protecting.)
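What “sufficiently secure” and “PRNG improvements on the API levels that need them” look like in a library, as an added example (not the presentation's or the audited library's code). It assumes a PRNGFixes class as published in the blog post linked above is bundled with the library; the class name Randomness is hypothetical.

```java
// Added example: MSTG-CRYPTO-6 compliant randomness in an Android library.
// Assumes a PRNGFixes class (from the linked Google blog post) is bundled.
import android.os.Build;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class Randomness {
    // One platform-default SecureRandom for the whole library. Never call setSeed()
    // on it with app- or user-derived data: the Jelly Bean weaknesses described in
    // the blog post came from PRNG state that depended on such seeds, or on an
    // OpenSSL PRNG that was never properly initialised.
    private static final SecureRandom RNG = new SecureRandom();

    private Randomness() {}

    /** Call once from Application.onCreate(), before any key or nonce is generated. */
    public static void init() {
        // API 16..18 need the platform workaround; newer releases seed correctly.
        if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.JELLY_BEAN_MR2) {
            PRNGFixes.apply();   // assumed helper from the linked post; no-op elsewhere
        }
    }

    /** Fresh random bytes for nonces, IVs and salts. */
    public static byte[] bytes(int n) {
        byte[] out = new byte[n];
        RNG.nextBytes(out);
        return out;
    }

    /** A 256-bit AES key drawn from the same generator (MSTG-CRYPTO-5: one key, one purpose). */
    public static SecretKey aesKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }
}
```

Static analysers that flag java.util.Random will still pass this class; what they cannot see is a setSeed() call hidden in a helper, so grep the library for setSeed before signing off the checklist item.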
to be event-based
• Make it pre-configured based on debug / release
• Disable (all but critical?) logs for release
◦ Or off by default if it is a library
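A logging facade that follows the rules above (pre-configured from the build type, off by default in a library, only critical output in release), as an added example and not code from the presentation. It assumes the library module generates its own BuildConfig class; the tag “MyLib” and the class name LibLog are hypothetical.

```java
// Added example: release-silent logging for a library.
// Assumes the library module's generated BuildConfig class; "MyLib" is a placeholder tag.
import android.util.Log;

public final class LibLog {
    private static final String TAG = "MyLib";

    // Default comes from the library's OWN build type. A library shipped as a release
    // AAR therefore has BuildConfig.DEBUG == false even inside a debug host app, which
    // is exactly the "off by default if library" rule; the host opts in at runtime.
    private static volatile boolean verbose = BuildConfig.DEBUG;

    private LibLog() {}

    /** Host apps enable diagnostics explicitly; leave this off in production. */
    public static void setVerbose(boolean on) {
        verbose = on;
    }

    /** Non-critical diagnostics: dropped unless opted in. Never pass tokens, keys or user data. */
    public static void d(String msg) {
        if (verbose) {
            Log.d(TAG, msg);
        }
    }

    /** Critical failures are always logged, but only the message and stack, never the payload. */
    public static void e(String msg, Throwable t) {
        Log.e(TAG, msg, t);
    }
}
```

Two caveats a practitioner will hit: with Android Gradle Plugin 8 BuildConfig generation is off by default, so the library module needs `android.buildFeatures.buildConfig = true` for this to compile; and a runtime flag still leaves the string arguments in the binary, so ship a consumer ProGuard rule such as `-assumenosideeffects class com.example.LibLog { public static void d(java.lang.String); }` so R8 removes the d() calls from the host's release build entirely.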
ADVANCED
1. The SafetyNet Attestation API receives a call from your app. This call includes a nonce.
2. The SafetyNet Attestation service evaluates the runtime environment and requests a signed attestation of the assessment results from Google's servers.
3. Google's servers send the signed attestation to the SafetyNet Attestation service on the device.
4. The SafetyNet Attestation service returns this signed attestation to your app.
5. Your app forwards the signed attestation to your server.
6. This server validates the response and uses it in its decisions.
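Step 6 is where the security of the whole flow is decided, and it is the step most often implemented as “check that basicIntegrity is true”. Below is a server-side validator for the JWS the device returns, as an added example and not code from the presentation or from Google. It assumes the Nimbus JOSE+JWT library on the server classpath, that the server issued the nonce (random, single-use) and stored it with the request, and that the expected package name and APK signing-certificate digest are configured; the class name AttestationVerifier is hypothetical. (SafetyNet Attestation has since been superseded by the Play Integrity API, but the validation shape is the same.)

```java
// Added example: validating a SafetyNet Attestation JWS on the server (step 6).
// Assumes the Nimbus JOSE+JWT library; nonce/package/digest are supplied by the caller.
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.X509CertUtils;

import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class AttestationVerifier {
    private static final String ATTEST_HOST = "attest.android.com";
    private static final long MAX_AGE_MS = 5 * 60 * 1000L;   // reject stale statements

    private AttestationVerifier() {}

    /**
     * True only if the JWS is signed by a trusted certificate for attest.android.com,
     * its payload is about THIS request (our nonce, our package, our signing cert, recent),
     * and both integrity verdicts are positive. Any exception means "reject".
     * expectedNonceB64 is the base64 form of the nonce bytes the server issued.
     */
    public static boolean verify(String jws, String expectedNonceB64, String expectedPackage,
                                 String expectedApkCertDigestB64) throws Exception {
        JWSObject obj = JWSObject.parse(jws);
        if (!JWSAlgorithm.RS256.equals(obj.getHeader().getAlgorithm())) return false;

        // 6a. The x5c chain in the header must chain to a trusted root and name attest.android.com.
        List<Base64> x5c = obj.getHeader().getX509CertChain();
        if (x5c == null || x5c.isEmpty()) return false;
        X509Certificate[] chain = new X509Certificate[x5c.size()];
        for (int i = 0; i < chain.length; i++) {
            chain[i] = X509CertUtils.parse(x5c.get(i).decode());
            if (chain[i] == null) return false;
        }
        defaultTrustManager().checkServerTrusted(chain, "RSA");   // throws if untrusted
        if (!hasDnsName(chain[0], ATTEST_HOST)) return false;

        // 6b. The signature must verify with the leaf certificate's key, not a key from the payload.
        if (!obj.verify(new RSASSAVerifier((RSAPublicKey) chain[0].getPublicKey()))) return false;

        // 6c. Bind the statement to this request, then read the verdicts.
        Map<String, Object> p = obj.getPayload().toJSONObject();
        if (!expectedNonceB64.equals(p.get("nonce"))) return false;   // caller marks the nonce as used
        long ts = ((Number) p.get("timestampMs")).longValue();
        if (Math.abs(System.currentTimeMillis() - ts) > MAX_AGE_MS) return false;
        if (!expectedPackage.equals(p.get("apkPackageName"))) return false;
        Object digests = p.get("apkCertificateDigestSha256");
        if (!(digests instanceof List) || !((List<?>) digests).contains(expectedApkCertDigestB64)) return false;
        return Boolean.TRUE.equals(p.get("ctsProfileMatch")) && Boolean.TRUE.equals(p.get("basicIntegrity"));
    }

    private static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Leaf certificate must carry the expected host as a dNSName subject alternative name (type 2). */
    private static boolean hasDnsName(X509Certificate leaf, String host) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                return true;
            }
        }
        return false;
    }
}
```

On the client the corresponding call is `SafetyNet.getClient(context).attest(nonce, apiKey)`, whose success listener yields the JWS via `getJwsResult()`; the app only relays that string. The point of checking nonce, timestamp, package and certificate digest before the verdict flags is that a genuine statement from a clean device about another app, or a replayed statement from earlier, verifies perfectly well otherwise.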
• Its own CPU
• Secure storage
• A true random-number generator
• Additional mechanisms to resist package tampering and unauthorized sideloading of apps
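The way a library gets at that hardware from Java is the Android Keystore: ask for a key that lives in secure hardware (StrongBox where the device has a separate secure element, the TEE otherwise) and then check what the platform actually gave you, since a device may silently fall back to software. This is an added example, not code from the presentation; the class name HardwareKeys is hypothetical and the attestation challenge is assumed to come from the server.

```java
// Added example: hardware-backed key generation with attestation and a backing check.
// HardwareKeys is a hypothetical class; challenge is a server-issued nonce.
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;

public final class HardwareKeys {
    private static final String PROVIDER = "AndroidKeyStore";

    private HardwareKeys() {}

    /**
     * Generate a non-exportable EC P-256 signing key under alias. The challenge is embedded
     * in the key attestation certificate, so a server can later prove where (and under which
     * OS state) the key was created. Returns the attestation chain for the server to verify.
     */
    public static Certificate[] generate(String alias, byte[] challenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(challenge);   // API 24+

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            try {
                kpg.initialize(spec.setIsStrongBoxBacked(true).build());   // separate secure element
                kpg.generateKeyPair();
            } catch (StrongBoxUnavailableException e) {
                // TEE present, no StrongBox: fall back to a TEE-backed key rather than failing.
                kpg.initialize(spec.setIsStrongBoxBacked(false).build());
                kpg.generateKeyPair();
            }
        } else {
            kpg.initialize(spec.build());
            kpg.generateKeyPair();
        }

        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        return ks.getCertificateChain(alias);
    }

    /** True only if the private key material cannot leave the secure hardware. */
    public static boolean isHardwareBacked(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, null);
        KeyFactory kf = KeyFactory.getInstance(entry.getPrivateKey().getAlgorithm(), PROVIDER);
        KeyInfo info = kf.getKeySpec(entry.getPrivateKey(), KeyInfo.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // TRUSTED_ENVIRONMENT or STRONGBOX; SOFTWARE and UNKNOWN fail the check.
            return info.getSecurityLevel() >= KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
        }
        return info.isInsideSecureHardware();   // older API: a single boolean
    }
}
```

The local isHardwareBacked() answer is what the app sees; the server should not trust it and should instead verify the returned attestation chain (root, challenge, and the security level in the attestation extension), which is what turns the device-side promise into the “device with #A plus successful attestation” requirement from the BASICS section.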
Static analysis findings (excerpt)

Issue: The app uses an insecure random number generator
Severity: High
Standard: MASVS MSTG-CRYPTO-6
Files: j$/util/concurrent/F.java, kotlinx/coroutines/scheduling/CoroutineScheduler.java

Issue: Files may contain hardcoded sensitive information like usernames, passwords, keys, etc.
Severity: High
Standard: MASVS MSTG-STORAGE-14
Files: io/jsonwebtoken/jwsHeader.java

Triage before accepting the severity: both flagged random-number users are third-party runtime internals (desugared java.util.concurrent and the coroutine scheduler), so confirm whether the RNG feeds a security decision or only scheduling, and whether the “hardcoded sensitive information” is a secret or merely a constant whose name matched a pattern.
VERIFY
DEPENDENCY FINDINGS
commons-compress-1.20.jar
• CVE-2021-35515: When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
• CVE-2021-35516 ..
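The fix for a finding like this is usually not in the library's own code but in its build: the affected module is a transitive dependency, so the consuming module has to force the patched release. Below is a Gradle Kotlin DSL fragment for that, as an added example and not the presentation's build file; it assumes a `build.gradle.kts` with an `implementation` configuration, and that the patched release is 1.21 (the version the advisories for these CVEs name as fixed).

```kotlin
// Added example: force the patched transitive commons-compress from build.gradle.kts.
dependencies {
    constraints {
        implementation("org.apache.commons:commons-compress:1.21") {
            because("1.20 is affected by CVE-2021-35515 and CVE-2021-35516 (7Z parsing DoS); fixed in 1.21")
        }
    }
}
```

After the change, `./gradlew dependencies --configuration releaseRuntimeClasspath` should show the 1.20 line annotated with an arrow to 1.21; if it still resolves to 1.20 the old version is being pulled in by a dependency declared in a different configuration, and the constraint needs to be applied there too.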