Developing Secure Android Application

Android Developing Secure Application Harsh Dattani, GDG Baroda A learner
like you all! No body is PRO in security

AboutMe.apk A Cyber Security Student @Gujarat Forensic Sciences University and
a Learner! Always! :P Om Shanti Harsh Dattani

Secure Coding Guidelines • Such guidelines even exists on Earth??
:D

:D • Who cares! No one’s gonna hack my app :P

:D • Who cares! No one’s gonna hack my app :P • Lets finish this project anyhow!! ;)

Secure Coding Guidelines • Computer Emergency Response Teams (CERT) are
expert groups that handle Computer/IT security incidents. • Issued Android Secure Coding Guidelines.

We all Know this!

And this! • Activity • Content Providers • Intents •
Permissions • Services • Shared Prefs • Views (Mostly WebView)

Also this!

Assets in Android

Assets in Android • Device Information • Personal Information (User’s)
• Friend’s Personal Information

Attack Vectors in Android

Attack Vectors in Android • Mounting SD Card in PC

• Malicious App

• Malicious App • Network Attack

• Malicious App • Network Attack • Malicious File Attack

• Malicious App • Network Attack • Malicious File Attack • User’s Unawareness

• Malicious App • Network Attack • Malicious File Attack • User’s Unawareness • USB Debugging

• Malicious App • Network Attack • Malicious File Attack • User’s Unawareness • USB Debugging • Root permissions!! (Can do anything)

Security Policies

Unix Security Policy 1. Process Isolation 2. Hardware Isolation 3.
User Permission Model 4. R/W/X Permissions to file 5. Secure IPC

Android Security Policy 1. Application Isolation 2. Sandbox of Application
3. Secure Communication 4. Signing the Application 5. Permission model of Application

To Do’s to Secure Apps

1. Avoid Simple Logics

1: Avoid Simple logics if(LoginAccess==1){ ... ... } ---------------------------------------------------------------------------- if(Login.Access
= True){ ... ... }

2. Test 3rd Party Libraries!

“Caution: Developers rely heavily on third-party libraries. It is important
to thoroughly probe and test this as you test your code. Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code.

3. Use Encryption

“Caution: External storage can become unavailable if the user mounts
the external storage on a computer or removes the media, and there's no security enforced upon files you save to the external storage. All applications can read and write files placed on the external storage and the user can remove them.” -- http://developer.android.com/guide/topics/data/data-storage.html

But How to Encrypt?

How to Encrypt or Encode? 1. Encode Shared Preferences 2.
Encrypt SQLite: SQLCipher 3. Encrypt Network: TLS 4. Data Encryption: Facebook’s Conceal Library 5. MD5, SHA Sensitive Data

4. Handle Input Data

“Caution: An Android application can be coded in Java or
native code, which is C++. When Java is used, many of the data validation issues like buffer overflow, format string issues, and others are eliminated, as the language itself is not vulnerable. When using native code, special care needs to be taken when data is read from an untrusted source because it is vulnerable to issues like buffer overflow, format string issues, and more.” -- White Paper by Mcafee

5. Secure Intents

<Activity android:name="com.example.ProfilePage" android:exported="true”> </activity> ---------------------------------------------------------------------------- <Activity android:name="com.example.ProfilePage" android:exported="false”> </activity> P.S.
Custom Permissions can also be helpful to limit Intent usage by Malicious applications

6. Secure WebView

• setJavaScriptEnabled(): Default is False • setPluginState(): Default is OFF
• setAllowFileAccess(): Default is True • setAllowContentAccess(): Default is True • setAllowFileAccessFromFileURLs(): Default value is True for API level 15 and below, and False for API level level 16 and above. • setAllowUniversalAccessFromFileURLs(): Default value is True for API level 15 and below, and False for API level level 16 and above. --------------------------------------------------------------------------------------------------------------------------------------------- • Don’t: Enable JavaScript for all pages. • Do: If Enabled, make sure it’s a local address or trusted address. • Use HTTPS, whenever possible

7. Secure Logs

Log.v("method", Login.TAG + ", username=" + name); Log.v("method", Login.TAG +
", password=" + pass); ---------------------------------------------------------------------------- -assumenosideeffects class android.util.Log { public static *** d(...); public static *** w(...); public static *** v(...); public static *** i(...); }

8. Secure Intent Leaks

• Don’t Broadcast Sensitive information in Intents • Attacker can
intercept the broadcasted data. (Demo) • Broadcast Securely using: LocalBroadcastManager.getInstance(this).sendBroadcast(intent);

9. Code Obfuscation

• Proguard • Don’t include unused Classes and Libraries •
Difficult to protect from Smali Decompilation

10. Use of Tokens for Authentication

11. Use of HTTPS!

Our Evils: 1. ADB 2. Malicious Applications 3. Unprotected Network
4. Sniffers

Our Friends: 1. Android Fuzzers 2. Xposed Framework 3. Drozer
4. APKtool or any other Static Analysis Tool 5. Penetration Tools for Android and Many more...

AskMe.apk?

ContactMe.apk! [email protected] github.com/harshdattani

Developing Secure Android Application

Developing Secure Android Application

More Decks by Harsh Dattani

Other Decks in Programming

Featured

Transcript