Securing Android Applications

jmortegac

April 26, 2015
Transcript

  1. Outline
     • Architecture: Dalvik VM, sandbox, Android applications, permissions, utils, execution environment
     • Tools: Eclipse / Android Studio, components
     • Security: static analysis, encryption, obfuscation
     • Reversing: APK tools, APK analyzers, pentesting, forensics
  2. Dalvik VM
     • Register-based virtual machine, designed to run on a slow CPU with little RAM
     • Optimized for mobile devices
     • Executes DEX (Dalvik executable) bytecode, the classes.dex inside the APK
  3. Dalvik vs ART (ART introduced as an optional runtime in 4.4)
     Dalvik                                   | ART
     -----------------------------------------|---------------------------------------------------
     Just-In-Time (JIT) compilation           | Ahead-Of-Time (AOT) compilation
     Apps compiled when executed              | Apps compiled once, at install time
     Code cache builds up over time           | Compiled code is built at first boot after switching
     Boot times are faster                    | First boot after switching takes significantly longer
     Small on-disk footprint                  | Stores the compiled apps: consumes much more internal storage
     Switch on 4.4: Settings > Developer options > Select runtime
  4. Sandbox
     • Each app gets a unique Linux user ID (uid) and group ID (gid) at install time
     • Each app runs in its own dedicated process with its own Dalvik VM instance
     • Applications are "self-signed": the certificate is generated and signed by the developer, no CA is involved
     • Apps can share data with other apps through content providers
     • Permissions determine which components other applications are allowed to communicate with
     • App data is stored in /data/data/<package name>, readable and writable only by that uid/gid (root is the exception)
  5. /data/data
     • Apps installed by the user
     • Apps installed by Google by default: Play Store, Play Music, Maps
     • Manufacturer-specific apps: HTC Sense, TouchWiz
     • Apps shipped with the stock ROM: browsers
     • Browsing /data/data on a device requires root
  6. Obtain the APK
     • Google Play
     • Alternative markets (BlackMart, F-Droid, Aptoide)
     • APK extractor apps run on the device
     • http://apps.evozi.com/apk-downloader
  7. Permissions model
     • Android permissions protect access to sensitive APIs, access to content providers, and inter- and intra-application communication
     • They are the protection mechanism for interacting with other applications
     • Examples: location (GPS), camera, Bluetooth, telephony, SMS/MMS, network/data
     • Requested in AndroidManifest.xml with <uses-permission>; on Android 5.1 and earlier every requested permission is granted at install time, all or nothing
  8. Permissions (as a user)
     • Be careful with the applications you install
     • Install an application that lets you review the permissions of installed apps
     • Disable automatic updates and check the permissions manually each time an application is installed or updated: an update can add permissions
  9. Permissions in apps
     • Check permissions at runtime:

     import android.content.Context;
     import android.content.pm.PackageManager;

     // Ask the PackageManager whether our own package holds the permission
     PackageManager pm = context.getPackageManager();
     int hasPerm = pm.checkPermission(
             android.Manifest.permission.WRITE_EXTERNAL_STORAGE,
             context.getPackageName());
     if (hasPerm != PackageManager.PERMISSION_GRANTED) {
         // permission missing: skip the external-storage code path
     }

     // Same check through Context
     private boolean checkWriteExternalPermission(Context context) {
         String permission = "android.permission.WRITE_EXTERNAL_STORAGE";
         int res = context.checkCallingOrSelfPermission(permission);
         return (res == PackageManager.PERMISSION_GRANTED);
     }

     • Inside an IPC entry point (Binder call, content provider) use checkCallingPermission() instead: the ...OrSelf variant passes whenever your own app holds the permission, which lets an unprivileged caller use your app as a confused deputy
  10. Protection levels
     • normal: the default level, for low-risk permissions; granted automatically at install time without asking the user
     • dangerous: higher-risk permission that gives access to private data or control over the device; requires user approval. Examples: SEND_SMS, ACCESS_FINE_LOCATION
     • signature: granted only if the requesting app is signed with the same certificate as the app that declared the permission (two apps signed with the same key)
     • signatureOrSystem: same as signature, but also granted to apps pre-installed in the system image, e.g. Google Play Services
  11. Permissions in apps
     • Minimize requested permissions: users prefer apps that request few permissions
     • 33% of apps request more permissions than they need (figure quoted by the deck)
     • Does taking a camera picture need android.permission.CAMERA? Not if you delegate to the camera app with an intent:

     import android.content.ContentValues;
     import android.content.Intent;
     import android.net.Uri;
     import android.provider.MediaStore;

     // Reserve a MediaStore entry for the picture (this insert still needs WRITE_EXTERNAL_STORAGE)
     ContentValues contentValues = new ContentValues();
     contentValues.put(MediaStore.Images.Media.DESCRIPTION, "Image capture");
     contentValues.put(MediaStore.Images.Media.TITLE, "new image");
     Uri uri = getContentResolver().insert(MediaStore.Images.Media.EXTERNAL_CONTENT_URI, contentValues);
     // Hand the capture to whichever app handles ACTION_IMAGE_CAPTURE
     Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
     intent.putExtra(MediaStore.EXTRA_OUTPUT, uri);
     intent.putExtra(MediaStore.EXTRA_VIDEO_QUALITY, 1);
     startActivityForResult(intent, 1);   // the camera app writes the picture to uri and returns
  12. Permissions in apps
     • The application does not need <uses-permission android:name="android.permission.CAMERA" /> to get a picture this way
     • Where is the permission? In the camera application that handles the intent, e.g. GoogleCamera.apk: it holds CAMERA, takes the picture and hands you only the result
  13. Permissions in apps
     • Create custom permissions (declare them in the manifest of the app that owns the protected component):

     <permission
         android:name="android.permission.CUSTOM_PERMISSION"
         android:protectionLevel="normal"
         android:label="@string/custom_permission_label" />

     • For comparison, the framework's own declaration of SEND_SMS:

     <permission
         android:name="android.permission.SEND_SMS"
         android:permissionGroup="android.permission-group.COST_MONEY"
         android:protectionLevel="dangerous"
         android:label="@string/permlab_sendSms"
         android:description="@string/permdesc_sendSms" />

     • Prefix your own permissions with your package name rather than android.permission.*, which belongs to the platform, and use protectionLevel="signature" when only your own apps should reach the component: any app can request a normal permission and will get it
  14. Permissions in apps
     • Group permissions:

     <permission-group
         android:name="android.permission-group.LOCATION"
         android:description="@string/permgroupdesc_location" />

     <!-- Allows an application to access fine (e.g., GPS) location -->
     <permission
         android:name="android.permission.ACCESS_FINE_LOCATION"
         android:permissionGroup="android.permission-group.LOCATION"
         android:protectionLevel="dangerous"
         android:description="@string/permdesc_accessFineLocation" />

     <!-- Allows an application to access coarse (e.g., Cell-ID, WiFi) location -->
     <permission
         android:name="android.permission.ACCESS_COARSE_LOCATION"
         android:permissionGroup="android.permission-group.LOCATION"
         android:protectionLevel="dangerous"
         android:description="@string/permdesc_accessCoarseLocation" />
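The two slides above declare permissions but do not show a component actually protected by one. The following is an added example, not code from the deck: an exported Service gated by a signature-level custom permission, with a second, explicit check on every Binder transaction. Package, permission and class names (com.example.bank, USE_ACCOUNT_SERVICE, AccountService) are hypothetical.

```java
// Added example, not from the deck. Manifest of the app that owns the service:
//
//   <permission
//       android:name="com.example.bank.permission.USE_ACCOUNT_SERVICE"
//       android:protectionLevel="signature" />
//
//   <service
//       android:name=".AccountService"
//       android:exported="true"
//       android:permission="com.example.bank.permission.USE_ACCOUNT_SERVICE" />
//
// A client signed with the same certificate adds
//   <uses-permission android:name="com.example.bank.permission.USE_ACCOUNT_SERVICE" />
// and is granted it at install time; a client signed with any other key is refused.

package com.example.bank;

import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

public class AccountService extends Service {
    static final String PERMISSION = "com.example.bank.permission.USE_ACCOUNT_SERVICE";
    static final int TRANSACTION_GET_BALANCE = IBinder.FIRST_CALL_TRANSACTION;

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Defence in depth: the manifest attribute already gates bindService(), but the
            // transaction is where the caller's identity is known, so enforce it again here.
            // enforceCallingPermission() (not the ...OrSelf variant) checks the *calling* uid,
            // so the service cannot be turned into a confused deputy by its own permission.
            enforceCallingPermission(PERMISSION, "caller lacks " + PERMISSION);
            if (code == TRANSACTION_GET_BALANCE) {
                String account = data.readString();
                reply.writeNoException();
                reply.writeLong(lookupBalance(account));
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // Hypothetical lookup; a real service would read the app's private database.
    private long lookupBalance(String account) {
        return "savings".equals(account) ? 1000L : 0L;
    }
}
```

On Android 5.0 and later two apps cannot define the same permission name unless they are signed with the same key; before that, whichever app was installed first owned the definition, which is one more reason to keep custom permission names under your own package prefix.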
  15. Install on SD card
     <manifest xmlns:android="http://schemas.android.com/apk/res/android"
         package="com.example1"
         android:versionCode="1"
         android:versionName="1.0"
         android:installLocation="auto|preferExternal">
         <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19" />
     </manifest>

     • Override the system default from a shell:
     $ adb shell
     $ pm set-install-location 2
       0 [auto]: let the system decide the best location
       1 [internal]: install on internal device storage
       2 [external]: install on external media
     • Components that must always be available (services, app widgets, device admins, account managers) should not allow external install: the app disappears while the card is unmounted or plugged into a PC
  16. Root detection
     import java.io.File;
     import java.io.IOException;

     // Heuristic 1: try to launch su. exec() throws if no "su" binary is on the PATH.
     private static boolean isDeviceRootedBySu() {
         Process su = null;
         try {
             su = Runtime.getRuntime().exec("su");
             return true;
         } catch (IOException ex) {
             return false;
         } finally {
             if (su != null) su.destroy();   // do not leave a root shell waiting on stdin
         }
     }

     // Heuristic 2: look for the su binary in its usual locations.
     private static boolean isDeviceRootedByPath() {
         String[] paths = { "/system/bin/su", "/system/xbin/su", "/sbin/su" };
         for (String path : paths) {
             if (new File(path).exists()) return true;
         }
         return false;
     }

     • Both checks are heuristics: su can be renamed or hidden, and a hooking framework on a rooted device can make these methods return false. Treat the result as a signal, not as a security boundary
  17. Malware: recommendations to avoid it
     • Install applications only from known sites
     • Check permissions during installation / upgrade
     • Review comments from other users
     • Update the operating system and applications
     • Disable automatic connection to Wi-Fi networks and avoid connecting to free Wi-Fi
     • Disable Bluetooth when not in use
  18. Malware detection in Google Play
     • Bluebox Security Scanner
     • SRT AppScanner
     • Lookout Mobile Security
     • Advanced Mobile Care
     • Malwarebytes Anti-Malware
     • CM Security
  19. Signing applications
     • The purpose of certificates in Android is to distinguish application authors, not to vouch for them: no CA is involved
     • Android will not allow an application to be upgraded unless the update is signed with the same certificate as the installed version
     • Applications signed with the same certificate may run in the same process (sharedUserId) and are granted each other's signature-level permissions
     • All applications must be signed with a digital certificate; a lost signing key means the app can never be updated in place
  20. Signing applications
     • Generate a release key with the Java keytool:
     $ keytool -genkey -v -keystore <keystore filename> -alias <alias for key> -keyalg RSA -keysize 2048 -validity 10000
     • -validity is in days; Google Play requires the certificate to remain valid beyond 22 October 2033. Keep the keystore and its passwords out of the source tree and backed up
  21. Signing applications
     • Sign the APK with the private key:
     $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mykeystore testing.apk <alias_name>
     • Check the APK signature:
     $ jarsigner -verify -certs -verbose testing.apk
     sm       236 Sun Feb 02 15:08:10 CET 2014 javamail.pop3.provider
           X.509, CN=Android Debug, O=Android, C=US
           [certificate is valid from 3/04/13 18:13 to 27/03/43 17:13]
            54226 Sun Feb 02 15:08:10 CET 2014 META-INF/MANIFEST.MF
            54279 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.SF
             1203 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.RSA
       s = signature was verified
       m = entry is listed in manifest
       k = at least one certificate was found in keystore
       i = at least one certificate was found in identity scope
     jar verified.
     • Read the certificate line: CN=Android Debug, O=Android, C=US is the debug key the SDK generates, so this build must not be shipped; a release build shows your own DN. "jar verified." only proves the archive matches whoever signed it, not who that is
  22. Android Studio
     • zipalign, a tool included in the Android SDK, aligns uncompressed entries of the APK on 4-byte boundaries so the system can mmap them without copying; it optimizes, it does not compress. Run it after signing with jarsigner:
     $ zipalign -f 4 app-signed.apk final-app.apk
     • Or let the IDE do both steps: Build > Generate Signed APK
  23. Content Providers
     • A specialized type of complex data store in Android that standardizes access to and manipulation of stored data
     • Browser: bookmarks, browsing history
     • CallLog: missed calls, call details
     • Contacts: contact details
     • MediaStore: media files
  24. Content Providers
     • Offer a structured storage mechanism that can be limited to your own application or exported to allow access by other applications
     • android:exported="false": private to the app; android:exported="true": reachable by other apps
     • For apps targeting API 17 (Android 4.2) or higher the default is exported="false"; earlier targets default to exported="true", so set it explicitly
     • When you do export a provider, gate it with permissions:

     <provider
         android:name=".data.DataProvider"
         android:multiprocess="true"
         android:authorities="myapp.data.DataProvider"
         android:readPermission="myapp.permission.READ"
         android:writePermission="myapp.permission.WRITE" />
  25. Data storage
     • Shared preferences
     • External storage: requires android.permission.WRITE_EXTERNAL_STORAGE, and files written there are readable by every other app and by anyone who mounts the card
     • Internal storage: better than external, since no permission is required and files are private to the app's uid
     • SQLite: file database with extension *.db stored in /data/data/[package_name]/databases
     • Cloud: Google Cloud Messaging (GCM)
     • Internal storage and the SQLite databases are still readable with root
  26. Shared preferences
     • An XML file of key-value pairs stored in /data/data/com.your.package/shared_prefs/preferences.xml
     • Used by an application to save small sets of data
     • Storing sensitive information in shared preferences is not recommended: the file is plain text and readable with root or from a backup
     • Library for securing shared preferences: encrypts the key-value pairs with an AES symmetric key
       https://github.com/scottyab/secure-preferences
     • Caveat: the key lives on the same device, so this hides values from casual inspection; anything the app can derive, an attacker with root on that device can derive too
  27. Networking
     • Use HttpsURLConnection for secure web traffic
     • HTTPS + pinning to your own CA certificate (the system trust store is not consulted):

     import java.io.InputStream;
     import java.net.URL;
     import java.security.KeyStore;
     import java.security.cert.Certificate;
     import java.security.cert.CertificateFactory;
     import javax.net.ssl.HttpsURLConnection;
     import javax.net.ssl.SSLContext;
     import javax.net.ssl.TrustManagerFactory;

     // Helper the slide calls but does not show: a key store holding only our CA,
     // read from a raw resource (res/raw/<certRawResId>, DER or PEM)
     KeyStore buildKeyStore(Context context, int certRawResId) throws Exception {
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
         InputStream caInput = context.getResources().openRawResource(certRawResId);
         Certificate ca;
         try {
             ca = cf.generateCertificate(caInput);
         } finally {
             caInput.close();
         }
         KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
         keyStore.load(null, null);
         keyStore.setCertificateEntry("ca", ca);
         return keyStore;
     }

     // build key store with ca certificate
     KeyStore keyStore = buildKeyStore(context, certRawResId);
     // Create a TrustManager that trusts the CAs in our KeyStore
     String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
     TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
     tmf.init(keyStore);
     // Create an SSLContext that uses our TrustManager
     SSLContext sslContext = SSLContext.getInstance("TLS");
     sslContext.init(null, tmf.getTrustManagers(), null);
     // Create a connection from url
     URL url = new URL(urlString);
     HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
     urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());

     • Hostname verification is still done by HttpsURLConnection; do not install a HostnameVerifier that returns true, and never use a TrustManager with empty checkServerTrusted()
  28. WebView
     // Object injected into the page; it holds data the page should never see
     class WebAppInterface {
         private String sensitiveInformation = "secret";
         public String toString() {
             return sensitiveInformation;
         }
     }

     WebView webView = new WebView(this);
     setContentView(webView);
     webView.getSettings().setJavaScriptEnabled(true);   // makes the interface reachable at all
     webView.addJavascriptInterface(new WebAppInterface(), "injectedObject");
     webView.loadUrl("http://website.com");   // plain http: anyone on the path can rewrite the page

     • On Android 4.1.2 (API 16) Jelly Bean and earlier, JavaScript in the page can call any public method of the injected object, toString() included, and through getClass() and Java reflection can reach arbitrary Java; a cross-site scripting (XSS) or cross-site request forgery (CSRF) weakness in the loaded site, or a MITM on the http:// page, therefore becomes code execution in the app's context
  29. WebView best practices
     • Disable JavaScript and plugin support if they are not needed
     • Disable local file access; this restricts access to the app's resource and asset directories
     • Prevent loading content from third-party hosts
     • Use HTTPS for everything the WebView loads
     • From 4.2 (API 17, with targetSdkVersion >= 17) only methods annotated with @JavascriptInterface are reachable from JavaScript; annotate deliberately and expose as little as possible
     • Avoid exposing protected data through the JavaScript interface

     @JavascriptInterface
     public void method() {
         doStuff();
     }
  30. WebView best practices
     • Do not save passwords, do not save form data, clear the cache:

     WebSettings webSettings = webView.getSettings();
     webSettings.setSavePassword(false);
     webSettings.setSaveFormData(false);

     webView.setWebViewClient(new WebViewClient() {
         @Override
         public void onPageFinished(WebView view, String url) {
             super.onPageFinished(view, url);
             view.clearCache(true);   // true: also delete the cache files on disk
         }
     });
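Slides 29 and 30 list the WebView settings one at a time. The following is an added example, not code from the deck, that applies them together in one place: JavaScript on only for a minimal @JavascriptInterface bridge, file and content URL access off, plugins off, navigation restricted to one HTTPS host, and SSL errors always cancelled. The host name app.example.com, the class names and the bridge method are hypothetical; it assumes API 17 or later so that the annotation actually restricts the bridge.

```java
// Added example, not from the deck. Assumes minSdkVersion >= 17.
package com.example.webapp;

import android.annotation.SuppressLint;
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class HardenedWebView {
    // The only origin this WebView may load (hypothetical host).
    static final String ALLOWED_HOST = "app.example.com";

    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && ALLOWED_HOST.equalsIgnoreCase(u.getHost());
    }

    public static class Bridge {
        // On API 17+ only annotated methods are callable from JS; toString(), getClass()
        // and the rest of the object stay out of reach. Expose nothing sensitive here.
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);              // needed for the bridge; leave false otherwise
        s.setAllowFileAccess(false);               // no file:// URLs
        s.setAllowContentAccess(false);            // no content:// URLs
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setPluginState(WebSettings.PluginState.OFF);
        s.setSavePassword(false);
        s.setSaveFormData(false);

        webView.addJavascriptInterface(new Bridge(), "injectedObject");

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true blocks the navigation: other hosts and plain http:// are refused.
                return !isAllowed(url);
            }

            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                // Never call handler.proceed(): that disables certificate validation entirely.
                handler.cancel();
            }

            @Override
            public void onPageFinished(WebView view, String url) {
                super.onPageFinished(view, url);
                view.clearCache(true);
            }
        });
    }

    public static void load(WebView webView, String url) {
        if (!isAllowed(url)) {
            throw new IllegalArgumentException("refusing to load " + url);
        }
        webView.loadUrl(url);
    }
}
```

shouldOverrideUrlLoading() only sees top-level navigations; sub-resources and XMLHttpRequest from the allowed page are not filtered by it, so the server-side page still needs a Content Security Policy if third-party script must be kept out.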
  31. SQLite
     • Use prepared statements (rawQuery with selectionArgs, or compileStatement) to avoid SQL injection; never concatenate input into the SQL text:

     SQLiteDatabase db = dbHelper.getWritableDatabase();
     String userQuery = "SELECT lastName FROM useraccounts WHERE userID = ?";
     SQLiteStatement prepStatement = db.compileStatement(userQuery);
     prepStatement.bindString(1, userId);                     // the value is bound, not parsed as SQL
     String lastName = prepStatement.simpleQueryForString();  // throws SQLiteDoneException if no row
     prepStatement.close();
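The slide shows the safe form on its own. The following is an added example, not code from the deck, that puts the injectable version of the same lookup next to three parameterized ones and covers the case placeholders cannot handle, a user-chosen ORDER BY column. Table and column names follow the slide; UserDao and its package are hypothetical.

```java
// Added example, not from the deck.
package com.example.data;

import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteDoneException;
import android.database.sqlite.SQLiteStatement;
import java.util.Arrays;
import java.util.List;

public final class UserDao {
    private final SQLiteDatabase db;

    public UserDao(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: the value is spliced into the SQL text.
    // userId = "x' OR '1'='1" returns every row; userId = "x'; --" breaks the statement.
    public Cursor lastNameUnsafe(String userId) {
        String sql = "SELECT lastName FROM useraccounts WHERE userID = '" + userId + "'";
        return db.rawQuery(sql, null);
    }

    // SAFE: rawQuery() with selectionArgs. The value is bound to the ? placeholder and is
    // never parsed as SQL, whatever characters it contains.
    public Cursor lastNameSafe(String userId) {
        return db.rawQuery("SELECT lastName FROM useraccounts WHERE userID = ?",
                new String[] { userId });
    }

    // SAFE: the query() builder keeps selection and arguments separate as well.
    public Cursor lastNameQuery(String userId) {
        return db.query("useraccounts", new String[] { "lastName" },
                "userID = ?", new String[] { userId }, null, null, null);
    }

    // SAFE: compiled statement for a single scalar; close it when done.
    public String lastNameStatement(String userId) {
        SQLiteStatement st = db.compileStatement(
                "SELECT lastName FROM useraccounts WHERE userID = ?");
        try {
            st.bindString(1, userId);
            return st.simpleQueryForString();
        } catch (SQLiteDoneException noRow) {
            return null;
        } finally {
            st.close();
        }
    }

    // Placeholders bind VALUES only. Identifiers (table, column, ORDER BY) cannot be bound,
    // so anything user-controlled there must be checked against an allow-list first.
    private static final List<String> SORTABLE = Arrays.asList("lastName", "userID");

    public Cursor listUsersSorted(String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return db.query("useraccounts", new String[] { "userID", "lastName" },
                null, null, null, null, sortColumn);
    }
}
```

The same rule applies to a ContentProvider: pass the caller's selectionArgs through to query(), and validate the URI with a UriMatcher rather than building the table name from it.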
  32. SQLCipher
     • https://github.com/sqlcipher/android-database-sqlcipher
     • Transparently encrypted SQLite; import the SQLCipher classes instead of android.database.sqlite (importing both makes SQLiteDatabase ambiguous), and load the native libraries once before opening a database:

     import net.sqlcipher.database.SQLiteDatabase;

     public void initDB(Context context, String password) {
         SQLiteDatabase.loadLibs(context);   // required once per process
         SQLiteDatabase database = SQLiteDatabase.openOrCreateDatabase(DB_NAME, password, null);
         database.execSQL("create table MyTable(a, b)");
     }

     • The database is only as strong as the password: a password hard-coded in the APK is recovered by the reversing steps later in this deck
  33. Lint (Eclipse / Android Studio)
     • Scans Android project sources for potential bugs
     • Comes with the SDK and detects common programming errors, including several of the security misconfigurations in this deck (exported components, JavaScript interfaces, world-readable files)
  34. Encryption in the phone (full-disk encryption)
     • Supported since Android 3.0
     • Encrypts the entire userdata partition with AES-128
     • Based on the dm-crypt implementation
     • The disk key is protected by a key derived from the lock-screen password with PBKDF2 (scrypt since 4.4)
     • Takes at least an hour to encrypt the data of a full device
     • Some reduction in I/O performance
     • Protects data at rest on a lost or powered-off device; it does nothing against malware running on the unlocked phone
  35. Encryption in applications
     • Android Crypto API, based on javax.crypto from Java SE
     • Obtain a secret key from a password:

     import java.security.spec.KeySpec;
     import javax.crypto.SecretKey;
     import javax.crypto.SecretKeyFactory;
     import javax.crypto.spec.PBEKeySpec;
     import javax.crypto.spec.SecretKeySpec;

     // Derive a 256-bit AES key from a password and a random salt with PBKDF2
     public static SecretKey generateKey(char[] password, byte[] salt) throws Exception {
         int iterations = 1000;      // low by current standards; raise as far as the device tolerates
         int outputKeyLength = 256;
         SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
         KeySpec keySpec = new PBEKeySpec(password, salt, iterations, outputKeyLength);
         byte[] keyBytes = secretKeyFactory.generateSecret(keySpec).getEncoded();
         return new SecretKeySpec(keyBytes, "AES");
     }
  36. Encryption in applications
     import java.security.SecureRandom;
     import javax.crypto.Cipher;
     import javax.crypto.SecretKey;
     import javax.crypto.spec.IvParameterSpec;
     import android.util.Base64;

     public static String encryptText(char[] password, String plainText) throws Exception {
         // Fresh random salt per message; the key is derived from it with generateKey()
         SecureRandom secureRandom = new SecureRandom();
         int saltLength = 8;
         byte[] salt = new byte[saltLength];
         secureRandom.nextBytes(salt);
         SecretKey secretKey = generateKey(password, salt);
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
         // Fresh random IV per message; never reuse an IV with the same key in CBC mode
         byte[] initVector = new byte[cipher.getBlockSize()];
         secureRandom.nextBytes(initVector);
         IvParameterSpec ivParameterSpec = new IvParameterSpec(initVector);
         cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
         byte[] cipherData = cipher.doFinal(plainText.getBytes("UTF-8"));
         // Output format: base64(ciphertext) "]" base64(iv) "]" base64(salt)
         int flags = Base64.NO_WRAP | Base64.NO_PADDING;
         return Base64.encodeToString(cipherData, flags) + "]"
                 + Base64.encodeToString(initVector, flags) + "]"
                 + Base64.encodeToString(salt, flags);
     }

     • Caveat: this output is encrypted but not authenticated. CBC ciphertext is malleable, and a decrypt routine that reports padding errors is a padding oracle; add a MAC over salt, IV and ciphertext (encrypt-then-MAC) and verify it before decrypting
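The slides show the encrypt side only and no integrity check. The following is an added example, not code from the deck, that keeps the same PBKDF2 + AES/CBC construction but derives a second key for an HMAC-SHA256 tag, verifies the tag in constant time before touching the ciphertext, and supplies the decrypt side. Its token format (salt]iv]ciphertext]tag, padded Base64) is deliberately different from the deck's and not interoperable with it; class and package names are hypothetical, android.util.Base64 is used as on the slides.

```java
// Added example, not from the deck.
package com.example.crypto;

import android.util.Base64;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class PasswordCrypto {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final int ITERATIONS = 10000;   // deck uses 1000; raise it
    private static final int SALT_LEN = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // Derive 512 bits and split them: first 32 bytes encrypt (AES-256), last 32 authenticate (HMAC).
    private static SecretKey[] deriveKeys(char[] password, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 512);
        byte[] km = f.generateSecret(spec).getEncoded();
        SecretKey enc = new SecretKeySpec(km, 0, 32, "AES");
        SecretKey mac = new SecretKeySpec(km, 32, 32, "HmacSHA256");
        Arrays.fill(km, (byte) 0);
        return new SecretKey[] { enc, mac };
    }

    private static byte[] hmac(SecretKey key, byte[]... parts) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        for (byte[] p : parts) m.update(p);
        return m.doFinal();
    }

    private static String b64(byte[] b) {
        return Base64.encodeToString(b, Base64.NO_WRAP);
    }

    public static String encrypt(char[] password, String plainText) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        SecretKey[] keys = deriveKeys(password, salt);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        byte[] iv = new byte[c.getBlockSize()];
        RNG.nextBytes(iv);
        c.init(Cipher.ENCRYPT_MODE, keys[0], new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plainText.getBytes(UTF8));
        // Encrypt-then-MAC over everything the receiver will parse.
        byte[] tag = hmac(keys[1], salt, iv, ct);
        return b64(salt) + "]" + b64(iv) + "]" + b64(ct) + "]" + b64(tag);
    }

    public static String decrypt(char[] password, String token) throws GeneralSecurityException {
        String[] parts = token.split(Pattern.quote("]"));   // "]" is not in the Base64 alphabet
        if (parts.length != 4) throw new GeneralSecurityException("malformed token");
        byte[] salt = Base64.decode(parts[0], Base64.NO_WRAP);
        byte[] iv = Base64.decode(parts[1], Base64.NO_WRAP);
        byte[] ct = Base64.decode(parts[2], Base64.NO_WRAP);
        byte[] tag = Base64.decode(parts[3], Base64.NO_WRAP);
        SecretKey[] keys = deriveKeys(password, salt);
        // Constant-time compare, and reject before decrypting: no padding oracle, no malleability.
        if (!MessageDigest.isEqual(hmac(keys[1], salt, iv, ct), tag)) {
            throw new GeneralSecurityException("authentication failed");
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, keys[0], new IvParameterSpec(iv));
        return new String(c.doFinal(ct), UTF8);
    }
}
```

Round trip: decrypt(pw, encrypt(pw, "hello")) returns "hello"; flipping any byte of the token, or using another password, fails at the tag check with "authentication failed" rather than with a padding error. Keep the password in a char[] and clear it when done; a String stays in the heap until garbage collected.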
  37. Obfuscation in Android projects
     • ProGuard, integrated in the SDK: http://developer.android.com/tools/help/proguard.html
     • Enable ProGuard in Eclipse (project.properties):
     proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
     • Obfuscation shrinks and renames classes and members; it raises the cost of reversing but does not protect secrets or logic, since everything the APK contains is still recoverable
  38. Obfuscation in Android projects
     • Enable ProGuard in Android Studio, in build.gradle:

     android {
         buildTypes {
             release {
                 runProguard true   // called minifyEnabled true since Android Gradle plugin 0.14
                 proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
             }
         }
     }
  39. proguard.cfg
     -optimizationpasses 5
     -dontusemixedcaseclassnames
     -dontskipnonpubliclibraryclasses
     -dontpreverify
     -verbose
     -optimizations !code/simplification/arithmetic,!field/*,!class/merging/*

     # Components are instantiated by the framework by name: keep them
     -keep public class * extends android.app.Activity
     -keep public class * extends android.app.Application
     -keep public class * extends android.app.Service
     -keep public class * extends android.content.BroadcastReceiver
     -keep public class * extends android.content.ContentProvider
     -keep public class * extends android.app.backup.BackupAgentHelper
     -keep public class * extends android.preference.Preference
     -keep public class com.android.vending.licensing.ILicensingService

     # Native methods and view constructors are looked up by signature
     -keepclasseswithmembernames class * {
         native <methods>;
     }
     -keepclasseswithmembernames class * {
         public <init>(android.content.Context, android.util.AttributeSet);
     }
     -keepclasseswithmembernames class * {
         public <init>(android.content.Context, android.util.AttributeSet, int);
     }
     -keepclassmembers enum * {
         public static **[] values();
         public static ** valueOf(java.lang.String);
     }
     -keep class * implements android.os.Parcelable {
         public static final android.os.Parcelable$Creator *;
     }
  40. Reverse engineering an Android application
     • Rename the app's .apk to .zip and extract it (an APK is a zip archive)
     • Run dex2jar on the extracted classes.dex
     • Open the resulting .jar in a Java decompiler
  41. Apktool
     • Decodes an .apk file back into an Android project (readable AndroidManifest.xml, resources, smali):
     $ apktool d target.apk output_directory
  42. Java vs Smali
     • Apktool does not give you Java: it produces smali, a human-readable assembler for Dalvik bytecode, which can be edited and rebuilt
     • Learning smali means learning the Dalvik opcodes: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
  43. Dex2jar
     • http://code.google.com/p/dex2jar
     • Converts Android's Dalvik executables into Java .jar files, which any Java decompiler can open:
     $ unzip target.apk
     $ d2j-dex2jar.sh classes.dex -o target.jar
  44. TraceDroid
     • http://tracedroid.few.vu.nl
     • Records the behavior of the executed app: its network communication, the UI, and also its internal function calls and the Java code that is executed
     • Emulates a few actions (user interaction, incoming calls, SMS messages, ...); this reveals most malicious intents of an app
  45. Pentesting
     • Virtual machines with tools for reverse engineering:
       https://redmine.honeynet.org/projects/are/wiki (ARE, the Honeynet Project's Android Reverse Engineering VM)
       https://appsec-labs.com/AppUse
     • Hacking distro dedicated to mobile forensics and security
  46. Intent sniffer
     • Sees the startup Intents of Activities
     • Needs android.permission.GET_TASKS to read the recent tasks and their Intents:

     import android.app.ActivityManager;
     import android.app.ActivityManager.RecentTaskInfo;
     import java.util.List;

     ActivityManager am = (ActivityManager) getSystemService(ACTIVITY_SERVICE);
     List<RecentTaskInfo> tasks = am.getRecentTasks(1000, ActivityManager.RECENT_WITH_EXCLUDED);
     for (RecentTaskInfo task : tasks) {
         // baseIntent is the Intent the task was started with, extras included
         log.append("received: " + task.baseIntent + "\n");
     }

     • From Android 5.0 (API 21) GET_TASKS is deprecated and getRecentTasks() returns only the caller's own tasks, so this sniffer only works on 4.4 and earlier; it is also why sensitive data should never travel in the extras of a launch Intent
  47. References
     • http://code.google.com/p/dex2jar/
     • https://code.google.com/p/android-apktool
     • https://code.google.com/p/androguard/wiki/Installation
     • http://ashishb.net/security/android-security-related-tools
     • http://androidcracking.blogspot.com.es
     • http://developer.android.com/guide/topics/security/permissions.html
     • http://source.android.com/devices/tech/security/#android-application-security
     • http://siis.cse.psu.edu/android_sec_tutorial.html