[GDG BCN 2019] Introduction to Android App Security

Transcript

1. Android App Security Introduction Marc Obrador Head of Product Architecture

   @ Build38

2. Who am I? @marcobrador 2 Marc Obrador Head of Product

   Architecture @ Build38 Barcelona [email protected] @marcobrador /in/marc-obrador

3. 3 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

   (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

4. 4 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

   (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

5. Mobile-first world Why do I need to care about Mobile

   App Security? 5 Smartphone = untrusted device Regulation (depending on market) Desktop Mobile 2009 2015 2020 0 20 40 60 80 100 Source: www.gs.statcounter.com @marcobrador

6. What do I need to protect? 6 @marcobrador

7. It depends What do I need to protect? 7 @marcobrador

8. What do I need to protect? 8 User Data Your

   Business DRM @marcobrador

9. Let’s first switch our perspective How can I protect my

   app? 9 @marcobrador

10. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 10 @marcobrador

11. How can I protect my app? 11 @marcobrador

12. Make it unattractive for the hacker How can I protect

    my app? 12 @marcobrador

13. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit The hacker’s perspective 13 @marcobrador

14. -40 -20 0 20 40 60 80 -10 -5 0

    5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit How can I protect my app? 14 @marcobrador

15. 15 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

16. 16 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

17. - MITM = eavesdropping of network data - It’s 2019

    – use HTTPS! - Certificate pinning is also a good idea Understanding MITM 17 @marcobrador

18. Enforce HTTPS 18 * Applies only to API <= 27.

    Enforced by default on newer versions. Source: https://developer.android.com/training/articles/security-config @marcobrador

19. Use Certificate Pinning 19 Source: https://developer.android.com/training/articles/security-config @marcobrador

20. 20 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

21. - Modifying an APK and redistributing it for malicious purposes

    - Goals: § Modify original behavior o Getting paid features for free o Cheating on a game (Pokémon GO) o … § Stealing user data What is it? 21 @marcobrador

22. Show me the code! 22 @marcobrador

23. Preventing App Repackaging 23 Obfuscation Detect repackaging @marcobrador

24. Repackaging detection 24 @marcobrador

25. 25 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

26. Understanding “Root” 26 @marcobrador

27. Root Detection 27 /scottyab/rootbeer /KimChangYoun/rootbeerFresh /Stericson/RootTools SafetyNet Attestation API @marcobrador

28. 28 What to do if Root is found? @marcobrador

29. - User may have legitimately rooted its device - Remote

    root exploits are a thing - No clear action… § Restrict some sensitive functionality § Design your security model assuming that root can (will) happen What to do if Root is found? 29 Source: - https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/ - https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html @marcobrador

30. 30 Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle

    (a.k.a Insecure Networking) 2. App Tampering & Repackaging 3. Rooted Devices 3. Recap @marcobrador

31. - Know what you need to protect - 100% protection

    does not exist – aim for “good enough” - Secure Networking is a must - Java/Kotlin are super easy to reverse engineer § Move security-relevant logic to backend or write it in C/C++ - Root can be really bad – come up with a plan Recap 31 @marcobrador

32. Thank you! Any questions?