Securely Storing Secrets

Transcript

1. http://www.egeniq.com [email protected] @egeniq DutchAUG Meetup, 22 February 2012 Ivo Jansch

   - @ijansch Securely Storing Secrets On Android Devices

2. About Me @ijansch Developer Author Entreprenerd iOS/Android/PHP 2

3. About Egeniq Mobile Tech Knowledge Geeks Development 3 Sneaky Subliminal

   Message: We’re hiring! [email protected]

4. Tiqr - Learning about Android Security 4 1 2 3

   4 5 6 http://www.tiqr.org

5. The Use Case 5 Android App Third Party Service API

6. Timeline 6

7. OAuth 7 Your Android Application Twitter

8. OAuth 8 OAuth Consumer OAuth Provider

9. Why do you need to protect keys? 9 8 OAuth

   Provider

10. The Android Security Model 10

11. Sandboxing ‣Apps only have access to their own data ‣Access

    is based on Linux user ID ‣Further protected by application signature 11

12. Storage + Secure Storage ‣USB Storage • External storage, sharable

    between apps ‣Device Storage • Apps have their own location, within sandbox ‣Secure Storage • Java KeyStores with strong encryption algorithms • Unfortunately no hardware encrypted storage like iPhone ‣ Note: Honeycomb does have ‘whole device encryption’ 12

13. The Main Problem ‣How can I securely store secrets? •

    Is sandboxing a solution? -> Not when device is rooted • Is device storage a solution? -> Not when device is rooted • Is encryption a solution? ‣ Yes, but where do you store your encryption keys? 13

14. It’s a common question Stackoverflow search for ‘store secrets android’:

    14

15. With common answers - Huh? - Don’t store secrets -

    Don’t use OAuth - Obfuscate - Encrypt 15

16. Know what? I’ll just use a library 16

17. Scribe https://github.com/fernandezpablo85/scribe-java 17

18. A Couple Of Solutions 18

19. Option 1 - Obfuscation 19

20. Option 2 - Encryption 20

21. Option 2 - Encryption 21

22. Option 2 - Encryption 22

23. Option 2 - Encryption 23

24. Option 3 - Using the KeyStore 24

25. Option 3 - Using the KeyStore 25

26. Option 4 - Retrieve key from API 26 Android App

    OAuth Provider Your API ?

27. Option 5 - Transparent Proxy 27 Android App OAuth Provider

    Proxy

28. The Future http://androidicecreamsandwich.me/2012/01/nsa-unleashes-security-enhanced-android-ice- cream-sandwich-soon/ 28

29. Conclusion It’s all about awareness 29

30. Recommended Reading ‣ ISBN: 2147483647 ‣ Authors: • Himanshu Dwivedi

    • Chris Clark • David Thiel ‣ Covers: • Android • Apple • WinMo 30

31. Shameless Plug ‣ March 10 @ Tuschinski Amsterdam ‣ http://mdevcon.com

    ‣ 2 tracks, 14 speakers, 250 developers, ∞ fun ‣ iOS, Android & Generic talks 31

32. Thank you! Questions? http://www.egeniq.com [email protected] @egeniq http://www.egeniq.com [email protected] @ijansch Like

    this subject? Android developer? [email protected]

33. Credits ‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/

    ‣ ‘Locker (KHS up close) by Travis Hymas - http://www.flickr.com/photos/ travishasphotos/3481640534/ ‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/