[DroidCon Lisbon 2019] Intro to Android App Security

Marc Obrador
September 10, 2019


In this talk we cover the basics of Android app security.
We start with an introduction and motivation: why you need to care about app security, what the important things to protect are, and what motivates an attacker to hack your application.
After that we move on to more technical details, covering what you (as a developer) can do to protect your applications against the most common security threats. This includes secure networking, user data protection, dealing with rooted devices, IP protection, etc.


Transcript

  1. Android App Security: Introduction. Marc Obrador, Head of Product Architecture @ Build38
  2. Who am I? Marc Obrador, Head of Product Architecture @ Build38, Barcelona. marc.obrador@build38.com, @marcobrador, /in/marc-obrador
  3. Agenda: 1. Introduction; 2. Some Common Threats: 1. Man-In-The-Middle (a.k.a. Insecure Networking), 2. App Tampering & Repackaging, 3. Rooted Devices; 3. Recap
  4. Agenda: 1. Introduction; 2. Some Common Threats: 1. Man-In-The-Middle (a.k.a. Insecure Networking), 2. App Tampering & Repackaging, 3. Rooted Devices; 3. Recap
  5. Why do I need to care about Mobile App Security? Mobile-first world. Smartphone = untrusted device. Regulation (depending on market). [Chart: Desktop vs. Mobile usage share, 2009 to 2020. Source: www.gs.statcounter.com]
  6. What do I need to protect?
  7. What do I need to protect? It depends.
  8. What do I need to protect? User Data, Your IP, DRM.
  9. How can I protect my app? Let's first switch our perspective.
  10. The hacker's perspective. [Chart: monthly Investment, Income and Cumulated Profit over M1 to M12]
  11. How can I protect my app?
  12. How can I protect my app? Make it unattractive for the hacker.
  13. The hacker's perspective. [Chart: monthly Investment, Income and Cumulated Profit over M1 to M12]
  14. How can I protect my app? [Chart: the same Investment, Income and Cumulated Profit chart over M1 to M12]
  15. Agenda: 1. Introduction; 2. Some Common Threats: 1. Man-In-The-Middle (a.k.a. Insecure Networking), 2. App Tampering & Repackaging, 3. Rooted Devices; 3. Recap
  16. Agenda: 1. Introduction; 2. Some Common Threats: 1. Man-In-The-Middle (a.k.a. Insecure Networking), 2. App Tampering & Repackaging, 3. Rooted Devices; 3. Recap
  17. Understanding MITM. MITM = eavesdropping of network data. It's 2019: use HTTPS! Certificate pinning is also a good idea.
  18. Enforce HTTPS. * Applies only to API <= 27; enforced by default on newer versions. Source: https://developer.android.com/training/articles/security-config
  19. Use Certificate Pinning. Source: https://developer.android.com/training/articles/security-config
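The two slides above point at the Android Network Security Config. The configuration below is an added example, not a slide from the talk: it blocks cleartext traffic for every domain (the setting that matters on API <= 27, since API 28+ already defaults to it) and pins the backend's public key. The domain `api.example.com`, the expiration date and the two pin values are constructed placeholders; a real pin is the base64-encoded SHA-256 of the certificate's SubjectPublicKeyInfo.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example; domain and pins are placeholders) -->
<network-security-config>

    <!-- Slide 18: refuse plain HTTP everywhere. Default on API 28+, must be explicit on API <= 27. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store; user-added CAs (the usual MITM proxy route) are excluded. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Slide 19: pin the backend. Only connections to this domain are restricted to these keys. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2020-12-31">
            <!-- Placeholder: SHA-256 of the SubjectPublicKeyInfo of the leaf or intermediate we deploy. -->
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256_PRIMARY=</pin>
            <!-- Placeholder backup pin for a key we hold but have not deployed yet, so a rotation does not lock users out. -->
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256_BACKUP=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

The file is activated with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element of `AndroidManifest.xml`. Two design choices worth knowing: the `expiration` date makes the pins stop being enforced after that day, which trades a window of weaker checking for not bricking installs whose owners never update; and shipping a backup pin is what lets you rotate the server key without an app release.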

  20. Agenda: 1. Introduction; 2. Some Common Threats: 1. Man-In-The-Middle (a.k.a. Insecure Networking), 2. App Tampering & Repackaging, 3. Rooted Devices; 3. Recap
  21. What is it? Modifying an APK and redistributing it for malicious purposes. Goals: modify original behavior (getting paid features for free, cheating on a game (Pokémon GO), ...); stealing user data.
  22. Show me the code!
  23. Preventing App Repackaging: Obfuscation; Detect repackaging.
  24. Repackaging detection
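The code shown on slides 22 to 24 is not in the transcript. The class below is an added example, not the speaker's code: a repackaged APK has to be re-signed by whoever modified it, so its signing certificate no longer matches the developer's, and the app can detect that by hashing the certificate the package manager reports and comparing it with the hash baked in at build time. `EXPECTED_CERT_SHA256` is a placeholder for the base64 SHA-256 of your own release certificate.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.util.Base64;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: does the APK we are running from carry the signing certificate we released with? */
public final class RepackagingCheck {

    // Placeholder: base64 SHA-256 of the DER-encoded release signing certificate.
    // Obtain it from the keystore at build time and substitute it here.
    private static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_BASE64_SHA256_OF_RELEASE_CERT=";

    private RepackagingCheck() {}

    /** Returns true only if exactly one signer is present and it matches the expected certificate. */
    public static boolean isSigningCertificateExpected(Context context) {
        try {
            Signature[] signers = currentSigners(context);
            if (signers == null || signers.length != 1) {
                return false; // multiple or no signers: not how we ship, treat as tampered
            }
            byte[] actual = sha256Base64(signers[0].toByteArray()).getBytes(StandardCharsets.US_ASCII);
            byte[] expected = EXPECTED_CERT_SHA256.getBytes(StandardCharsets.US_ASCII);
            // Constant-time comparison; cheap here, but a good habit for any secret-ish check.
            return MessageDigest.isEqual(actual, expected);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed: if we cannot read our own signature, assume the worst
        }
    }

    /** Reads the signing certificates of our own package, using the API available on this OS level. */
    private static Signature[] currentSigners(Context context) throws PackageManager.NameNotFoundException {
        PackageManager pm = context.getPackageManager();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(context.getPackageName(),
                    PackageManager.GET_SIGNING_CERTIFICATES);
            return info.signingInfo.getApkContentsSigners();
        }
        @SuppressWarnings("deprecation")
        PackageInfo info = pm.getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    /** base64(SHA-256(certificate DER)), the same encoding a developer gets from keytool plus a base64 step. */
    static String sha256Base64(byte[] certificateDer) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(certificateDer);
        return Base64.encodeToString(digest, Base64.NO_WRAP);
    }
}
```

The check itself is Java, so the attacker who repackages the app can also strip it out; that is why slide 23 pairs detection with obfuscation and the recap suggests moving security-relevant logic to the backend or into C/C++. A common variation is to send the computed hash to the server with each API call and let the server, which the attacker cannot patch, decide whether to serve the client.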

  25. Agenda: 1. Introduction; 2. Some Common Threats: 1. Man-In-The-Middle (a.k.a. Insecure Networking), 2. App Tampering & Repackaging, 3. Rooted Devices; 3. Recap
  26. Understanding "Root"
  27. Root Detection: /scottyab/rootbeer, /Stericson/RootTools, SafetyNet Attestation API

  28. What to do if Root is found?
  29. What to do if Root is found? The user may have legitimately rooted their device. Remote root exploits are a thing. No clear action... Restrict some sensitive functionality; design your security model assuming that root can (will) happen.
  30. Agenda: 1. Introduction; 2. Some Common Threats: 1. Man-In-The-Middle (a.k.a. Insecure Networking), 2. App Tampering & Repackaging, 3. Rooted Devices; 3. Recap
  31. Recap. Know what you need to protect. 100% protection does not exist: aim for "good enough". Secure Networking is a must. Java/Kotlin are super easy to reverse engineer: move security-relevant logic to the backend or write it in C/C++. Root can be really bad: come up with a plan.
  32. Thank you! Any questions?