$30 off During Our Annual Pro Sale. View Details »

Securing Android Applications

Securing Android Applications

Securing Android Applications

jmortegac

April 26, 2015
Tweet

More Decks by jmortegac

Other Decks in Technology

Transcript

  1. SECURING ANDROID APPLICATIONS October 2014

  2. http://www.linkedin.com/jmortega1 https://speakerdeck.com/jmortega/ @jmortegac

  3. ARCHITECTURE / DALVIK VM / SANDBOX ANDROID APPLICATIONS / PERMISSIONS

    UTILS EXECUTION ENVIRONMENT TOOLS ECLIPSE / ANDROID STUDIO COMPONENTS SECURITY / STATIC ANALYSIS ENCRYPTION / OBSFUSCATION REVERSING APK TOOLS APK ANALYZERS / PENTESTING / FORENSICS
  4. Android Architecture

  5. Dalvik VM REGISTER-BASED VIRTUAL MACHINE RUN ON A SLOW CPU

    WITH LITTLE RAM OPTIMIZED FOR MOBILE DEVICES DEX(Dalvik executable)
  6. Dalvik vs ART(4.4) DALVIK ART Just-In-Time (JIT) Compilation Ahead-Of-Time (AOT)

    Compilation Cache builds up over time Boot times are faster Cache is built at first boot Rebooting device takes significantly longer Apps compiled when executed Stores Compiled Apps Consumes much more internal storage space  Settings>Developer options>Select runtime
  7. Sandbox Each app gets a unique linux ID(uid) and Groud

    ID(gid) Gets own dedicated process and dedicated dalvik VM Applications are "self-signed" with certificate signed by Developer Apps can share the data with other apps using content providers Permissions determine the capacity for communication components The App Data gets stored in /data/data/<app process> accessible only by UID and GID (root exceptional)
  8. /data/data Apps installed by user Apps installed by google default

    : play store, play music , maps Apps that are manufacturer specific : HTC sense, touchwiz Apps that are shipped with stock rom : browsers ROOT
  9. Android Applications

  10. APK Generating ZIP + jarsigner+ zipalign for optimizing apk

  11. Obtain APK  Google Play  Alternative markets (BlackMart, Fdroid,

    Aptoide)  Apk extractor  http://apps.evozi.com/apk-downloader
  12. None
  13. Permissions model  Android permissions protect  Access to sensitive

    APIs  Access to content providers  Inter- and intra-application communication  Protection mechanism to interact with other applications  Location (GPS), Camera, Bluetooth, Telephony, SMS/MMS, Network/data  AndroidManifest.xml
  14. Permissions

  15. Permissions  Be carefull with install applications  Recommend install

    some application to check permissions  Disable automatic updates and check application permissions manually each time an application wants to be installed or updated
  16. Permissions in apps  Check permissions in runtime PackageManager pm

    = context.getPackageManager(); int hasPerm = pm.checkPermission( android.Manifest.permission.WRITE_EXTERNAL_STORAGE, context.getPackageName()); if (hasPerm != PackageManager.PERMISSION_GRANTED) { // do stuff} private boolean checkWriteExternalPermission(){ String permission = "android.permission.WRITE_EXTERNAL_STORAGE"; int res = getContext().checkCallingOrSelfPermission(permission); return (res == PackageManager.PERMISSION_GRANTED); }
  17. Protection levels normal: Default level for not application system, always

    granted dangerous: Higher-Risk permission for access to private data. Requires user approval. SEND_SMS,ACCESS_FINE_LOCATION signature Matching signature key. Two apps signed with the same certificate system, signatureOrSystem:Same as signature, but also system apps pre- installed like Google Play Services
  18. Permissions in apps  Minimize requested permissions  Users like

    apps that request few permissions  33% apps request more permissions that they need  Get Camera Pic need android.permission.CAMERA? ContentValues contentValues = new ContentValues(); contentValues.put(MediaStore.Images.Media.DESCRIPTION, "Image capture"); contentValues.put(MediaStore.Images.Media.TITLE, "new image"); Uri uri = getContentResolver().insert(MediaStore.Images.Media.EXTERNAL_CONTENT_URI, contentValues); Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE); intent.putExtra(MediaStore.EXTRA_OUTPUT, uri); intent.putExtra(MediaStore.EXTRA_VIDEO_QUALITY, 1); startActivityForResult(intent, 1);
  19. Permissions in apps  Application don`t need permission to get

    a camera pic  <uses-permission android:name="android.permission.CAMERA" />  Where is the permission?  In the Google Camera Application  GoogleCamera.apk
  20. Permissions in apps  Create custom permissions <permission android:name="android.permission.CUSTOM_PERMISSION" android:protectionLevel="normal"

    android:label="@string/custom_permission_label"> <permission android:name="android.permission.SEND_SMS" android:permissionGroup=“android.permission-group.COST_MONEY" android:protectionLevel="dangerous" android:label="@string/permlab_sendSms" android:description="@string/permdesc_sendSms" />
  21. Permissions in apps  Group permissions <permission-group android:name="android.permission-group.LOCATION" android:description="@string/permgroupdesc_location" />

    <!-- Allows an application to access fine (e.g., GPS) location --> <permission android:name="android.permission.ACCESS_FINE_LOCATION" android:permissionGroup="android.permission-group.LOCATION" android:protectionLevel="dangerous" android:description="@string/permdesc_accessFineLocation" /> <!-- Allows an application to access coarse (e.g., Cell-ID, WiFi) location --> <permission android:name="android.permission.ACCESS_COARSE_LOCATION" android:permissionGroup="android.permission-group.LOCATION" android:protectionLevel="dangerous" android:description="@string/permdesc_accessCoarseLocation" />
  22. None
  23. Install in SD CARD <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example1" android:versionCode=“1" android:versionName="1.0" android:installLocation="auto|preferExternal">

    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19" /> </manifest> $ adb shell $ pm set-install-location 2 0 [auto]: Let system decide the best location1 [internal]: Install on internal device storage2 [external]: Install on external media
  24.  Check if Play Store is the installer  Check

    if Debuggable
  25.  Check Running emulator  Check Debugger certificate

  26.  Check signing key

  27.  Root detection private boolean isDeviceRooted(){ try{ Runtime.getRuntime().exec("su"); return true;

    }catch(IOExeception ex){ return false; } } public static boolean() isDeviceRooted(){ File f= new File("/system/sbin/su"); return f.exits(); }
  28. None
  29. Malware • Installing applications from known sites • Check permissions

    during installation / upgrade • Review comments from users • Update the operating system and applications. • Disable automatic connection to WiFi networks and avoid connecting to free WiFi • Disable BlueTooth when not in use Recommendations to avoid malware
  30. Malware detection in Google play Bluebox Security Scanner SRT AppScanner

    Lookout Mobile Security Advanced Mobile Care Malwarebytes Anti-Malware CM Security
  31. foresafe.com/scan mobilesandbox.org andrototal.org copperdroid

  32. None
  33. Signing applications  Purpose of certificates in Android is to

    distinguish application authors  Android won't allow application to be upgraded unless signed with same certificate the applications are signed with the same key.  Android allows applications that are signed with the same certificate to run in the same processes  All applications must be signed with a digital certificate
  34. Signing applications  Java keytool $ keytool -genkey -v -keystore

    <keystore filename> -alias <alias for key> -keyalg RSA -keysize 2048 -validity 10000
  35. Sign apk with private key Check the apk signature sm

    236 Sun Feb 02 15:08:10 CET 2014 javamail.pop3.provider X.509, CN=Android Debug, O=Android, C=US [certificate is valid from 3/04/13 18:13 to 27/03/43 17:13] 54226 Sun Feb 02 15:08:10 CET 2014 META-INF/MANIFEST.MF 54279 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.SF 1203 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.RSA s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified. Signing applications $ jarsigner -verify -certs -verbose testing.apk $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mykeystore testing.apk <alias_name>
  36. Android Studio  Tool included in Android SDK for apk

    compress and optimizing $ zipalign -f 4 app-signed.apk final-app.apk  Build > Generate Signed APK
  37. Eclipse/Android Studio

  38. None
  39. None
  40. Content Providers  A specialized type of complex data store

    in Android to standardize access and manipulation of stored data  Browser: bookmarks, browse history  CallLog: missed calls, call details  Contacts: Contact details  MediaStore: Media files
  41. Content Providers  Offers a structured storage mechanism that can

    be limited to your own application or exported to allow access by other applications.  android:exported =“false"  android:exported ="true"  Versions >= 4.2 exported=“false” by default <provider android:name=".data.DataProvider" android:multiprocess="true" android:authorities="myapp.data.DataProvider" android:readPermission="myapp.permission.READ" android:writePermission="myapp.permission.WRITE" />
  42. Data Storage  Shared preferences  External storage Requires permission

    android.permission.WRITE_EXTERNAL_STORAGE  Internal storage Better than external since permissions not required  Sqlite3 File DataBase with extension *.db stored in /data/data/[package_name]/databases  Cloud Google Cloud Messaging(GCM) ROOT
  43. Shared preferences  An xml key-value pairs file stored in

    /data/data/com.your.package/shared_prefs/preferences.xml  Used by an application in order to save small sets of data for the application  Storing sensitive information in shared preferences is not recommended  Library for securing shared preferences  Encrypt the key-value pairs  AES symmetric key  https://github.com/scottyab/secure-preferences ROOT
  44. Secure Shared preferences ROOT

  45. Networking  Use HttpsURLConnection for secure web traffic  HTTPS

    + CA Certificate import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManagerFactory; // build key store with ca certificate KeyStore keyStore = buildKeyStore(context, certRawResId); // Create a TrustManager that trusts the CAs in our KeyStore String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); // Create an SSLContext that uses our TrustManager SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, tmf.getTrustManagers(), null); // Create a connection from url RL url = new URL(urlString); HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
  46. Webview class WebAppInterface { private String sensitiveInformation; public String toString()

    { return sensitiveInformation; } } WebView webview = new WebView(this); setContentView(webview); webView.loadUrl("http://website.com"); webView.addJavascriptInterface(new WebAppInterface(this), "injectedObject");  Vulnerability in version 4.1.2(API 16) Jelly Bean in Cross-site scripting (XSS), Cross-site Request Forgery (CSRF) attacks  With JavaScript and Java Reflection can access any of the public methods of the WebAppInterface setJavascriptEnabled(true);
  47. Webview <script> function execute(){ var sendSMS=Android.getClass.forName("android.telephony. SmsManager"). getMethod("getDefault",null).invoke(null,null); sendSMS.sendTextMessage("+323232323",null,"message", null,null);

    } </script>
  48. Webview best practices  Disable JavaScript and Plugin support if

    they are not needed.  Disable local file access. Restricts access to the app’s resource and asset directory.  Prevent loading content from 3rd party hosts.  Activate SSL in activity using HTTPS  In 4.2 @JavascriptInterface method annotation for limit access methods from javascript.  Avoid exposing protected data in javascript interface @JavascriptInterface public void method() { dostuff(); }
  49. Webview best practices Not save passwords Not saving form data

    Clear Cache webSettings.setSavePassword(false); webSettings.setSaveFormData(false); @Override public void onPageFinished(WebView view, String url) { super.onPageFinished(view, url); view.clearCache(true); //delete local files in the browser }
  50. SQLite SQLiteDatabase db = dbHelper.getWriteableDatabase(); String userQuery = "SELECT lastName

    FROM useraccounts WHERE userID = ?"; SQLiteStatement prepStatement =db.compileStatement(userQuery); prepStatement.bindString(1, "userID"); prepStatement.simpleQueryForString(); Prepared statements to avoid sql injection rawQuery compileStatement
  51. SQLite Cipher  https://github.com/sqlcipher/android-database-sqlcipher public void initDB(Context context, String password)

    { SQLiteDatabase database = SQLiteDatabase.openOrCreateDatabase(DB_NAME,password, null); database.execSQL("create table MyTable(a, b)"); } import net.sqlcipher.database.*; import android.database.sqlite.*;
  52. Static analysis

  53. Static analysis

  54. LINT ECLIPSE /ANDROID STUDIO  Scans Android project sources for

    potential bugs  Comes with the SDK and detects common programming errors
  55. Lint $ lint --check Security --html security_report.html <project_home>  http://developer.android.com/tools/help/lint.html

  56. ANDROID STUDIO

  57. SONARQuBE http://www.sonarqube.org/

  58. None
  59. None
  60. Encryption in phone  Supported since Android 3.0  Encrypts

    the entire device with AES 128.  Based on dm-crypt implementation  PBKDF2 algorithm for password  Takes at Least 1 h for Encryption of Data.  Denoted to reduce in performance.
  61. Encryption in applications  Android Crypto API  Based in

    javax.crypto from javaSE  Obtain secretKey public static SecretKey generateKey(char[] password, byte[] salt) throws Exception { int iterations = 1000; int outputKeyLength = 256; SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(“PBKDF2WithHmacSHA1”); KeySpec keySpec = new PBEKeySpec(password, salt,iterations, outputKeyLength); byte[] keyBytes = secretKeyFactory.generateSecret(keySpec).getEncoded(); return new SecretKeySpec(keyBytes, “AES”); } import java.security.*; import javax.crypto.*;
  62. Encryption in applications public static String encryptText(char[] password, String plainText)

    throws Exception { //Obtain secretkey SecureRandom secureRandom = new SecureRandom(); int saltLength = 8; byte[] salt = new byte[saltLength]; secureRandom.nextBytes(salt); SecretKey secretKey = generateKey(password, salt); Cipher cipher = Cipher.getInstance(“AES/CBC/PKCS5Padding”); byte[] initVector = new byte[cipher.getBlockSize()]; secureRandom.nextBytes(initVector); IvParameterSpec ivParameterSpec = new IvParameterSpec(initVector); cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec); byte[] cipherData = cipher.doFinal(plainText.getBytes(“UTF-8”)); return Base64.encodeToString(cipherData,Base64.NO_WRAP | Base64.NO_PADDING) + “]” + Base64.encodeToString(initVector,Base64.NO_WRAP | Base64.NO_PADDING) + “]” + Base64.encodeToString(salt,Base64.NO_WRAP | Base64.NO_PADDING); }
  63. None
  64. Obsfuscation  Renames classes, fields and methods using short names

    (a,b,c,..)
  65. Obsfuscation in android projects Proguard Integrated in SDK  http://developer.android.com/tools/help/proguard.html

    Enable Proguard in eclipse proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard- project.txt
  66. Obsfuscation in android projects Enable Proguard in android STUDIO In

    build.gradle android { buildTypes { release { runProguard true proguardFile getDefaultProguardFile('proguard-android.txt') , 'proguard-rules.pro' } }
  67. Proguard.config -optimizationpasses 5 -dontusemixedcaseclassnames -dontskipnonpubliclibraryclasses -dontpreverify -verbose -optimizations !code/simplification/arithmetic,!field/*,!class/merging/* -keep

    public class * extends android.app.Activity -keep public class * extends android.app.Application -keep public class * extends android.app.Service -keep public class * extends android.content.BroadcastReceiver -keep public class * extends android.content.ContentProvider -keep public class * extends android.app.backup.BackupAgentHelper -keep public class * extends android.preference.Preference -keep public class com.android.vending.licensing.ILicensingService -keepclasseswithmembernames class * { native <methods>; } -keepclasseswithmembernames class * { public <init>(android.content.Context, android.util.AttributeSet); } -keepclasseswithmembernames class * { public <init>(android.content.Context, android.util.AttributeSet, int); } -keepclassmembers enum * { public static **[] values(); public static ** valueOf(java.lang.String); } -keep class * implements android.os.Parcelable { public static final android.os.Parcelable$Creator *; }
  68. Proguard tool http://proguard.sourceforge.net

  69. None
  70. None
  71. Reverse Engineering Android Application

  72. Rename Android app (.apk) to .zip Extract zip Run dex2jar

    on the extracted file Open the .jar in a java decompiler Reverse Engineering Android Application
  73. Apk Tool  Reverses .apk file to an android project

    $ apktool d target.apk output_directory
  74. Apk Tool

  75. Java vs Smali  Reverses .apk file to an android

    project  Learning smali through dalvik codes  http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
  76. Dex2jar  http://code.google.com/p/dex2jar  Converts Android’s Dalvik executables into Java

    jar files. $ unzip target.apk $ d2jdex2jar.sh classes.dex -o target.jar
  77. Dex2jar activity_main.xml

  78. Java Decompiler  http://java.decompiler.free.fr

  79. Dex to Java Decompiler  https://github.com/skylot/jadx Decompile directly form apk

    or dex
  80. None
  81. Android Application Vulnerability Scanner java –jar ScanAndroidApps.jar

  82. Virtuous Ten Studio http://virtuous-ten-studio.com/ Only for windows

  83. Virtuous Ten Studio

  84. Virtuous Ten Studio

  85. Apk Analyser  https://github.com/maaaaz/androwarn  https://github.com/sonyxperiadev/ApkAnalyser  https://github.com/honeynet/apkinspector  https://code.google.com/p/droidbox

  86. Apk Analyser  http://developer.sonymobile.com/knowledge-base/tools/analyse-your-apks-with-apkanalyser/  java -jar ApkAnalyser.jar

  87. Androwarn python androwarn.py -i my_apk.apk -r html -v 3

  88. DroidBox python apimonitor.py my_apk.apk

  89. None
  90. None
  91. Dexter online  https://dexter.bluebox.com

  92. Dexter online

  93. TraceDroid  http://tracedroid.few.vu.nl  Records the behavior of the executed

    app, such as its network communication, the UI, but also its internal function calls and Java code that is executed.  Emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app.
  94. Pentesting  Virtual Machine with tools for Reverse Engineering 

    https://redmine.honeynet.org/projects/are/wiki  https://appsec-labs.com/AppUse  Hacking distro dedicated to Mobile forensics and Security
  95.  https://github.com/viaforensics/android-forensics  http://andriller.com/ Forensics analisys

  96. Intent Snifer  — Sees Activity’s startup Intents  —

    android.permission.GET_TASKS: Recent tasks Intents ActivityManager am = (ActivityManager) getSystemService(ACTIVITY_SERVICE); List<RecentTaskInfo> rti = am.getRecentTasks(1000,ActivityManager.RECENT_WITH_EXCLUDED); for (RecentTaskInfo c : rti) { log.append("received: " + rti.toString() + "\n"); }
  97. None
  98. Books

  99. References  http://code.google.com/p/dex2jar/  https://code.google.com/p/android-apktool  https://code.google.com/p/androguard/wiki/Installation  http://ashishb.net/security/android-security-related-tools 

    http://androidcracking.blogspot.com.es  http://developer.android.com/guide/topics/security/permissions.html  http://source.android.com/devices/tech/security/#android- application-security  http://siis.cse.psu.edu/android_sec_tutorial.html
  100. None