[GDG BCN 2019] Introduction to Android App Security

Marc Obrador

October 16, 2019

Transcript

  1. Android App Security: Introduction. Marc Obrador, Head of Product Architecture @ Build38
  2. Who am I? Marc Obrador, Head of Product Architecture @ Build38, Barcelona. marc@build38.com, @marcobrador, /in/marc-obrador
  3. Agenda: 1. Introduction; 2. Some Common Threats: 1. Man-In-The-Middle (a.k.a. Insecure Networking), 2. App Tampering & Repackaging, 3. Rooted Devices; 3. Recap
  4. Agenda (same as slide 3)
  5. Why do I need to care about Mobile App Security? Mobile-first world; Smartphone = untrusted device; Regulation (depending on market). [Chart: Desktop vs. Mobile, 2009 to 2020, y-axis 0 to 100. Source: www.gs.statcounter.com]
  6. What do I need to protect?
  7. What do I need to protect? It depends.
  8. What do I need to protect? User Data, Your Business, DRM
  9. How can I protect my app? Let’s first switch our perspective.
  10. The hacker’s perspective [Chart: Investment, Income and Cumulated Profit per month, M1 to M12]
  11. How can I protect my app?
  12. How can I protect my app? Make it unattractive for the hacker.
  13. The hacker’s perspective [Chart: Investment, Income and Cumulated Profit per month, M1 to M12]
  14. How can I protect my app? [Chart: Investment, Income and Cumulated Profit per month, M1 to M12]
  15. Agenda (same as slide 3)
  16. Agenda (same as slide 3)
  17. Understanding MITM: MITM = eavesdropping of network data; It’s 2019 – use HTTPS!; Certificate pinning is also a good idea
  18. Enforce HTTPS (* applies only to API <= 27; enforced by default on newer versions). Source: https://developer.android.com/training/articles/security-config
  19. Use Certificate Pinning. Source: https://developer.android.com/training/articles/security-config
  20. Agenda (same as slide 3)
  21. What is it? Modifying an APK and redistributing it for malicious purposes. Goals: modify original behavior (getting paid features for free, cheating on a game (Pokémon GO), ...); stealing user data
  22. Show me the code!
  23. Preventing App Repackaging: Obfuscation; Detect repackaging
  24. Repackaging detection
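The repackaging check named on slide 24, written out as an added Kotlin example (this is not the talk's code): compare the APK's signing certificate with the one you released with, since a modified APK has to be re-signed with a key the attacker controls. The digest constant is a placeholder and the function names are my own.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Hypothetical placeholder, not a real digest: replace it with the SHA-256 of
// your own release signing certificate (e.g. from `apksigner verify --print-certs <apk>`).
const val EXPECTED_CERT_SHA256 =
    "0000000000000000000000000000000000000000000000000000000000000000"

/** SHA-256 of a DER-encoded certificate, as lowercase hex. */
fun sha256Hex(der: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(der).joinToString("") { "%02x".format(it) }

/**
 * True only if the running package has exactly one signing certificate and its
 * SHA-256 equals [expectedSha256]. A missing signature, an extra signer or a
 * different certificate all mean the APK was re-signed, i.e. repackaged.
 */
@Suppress("DEPRECATION")
fun isSignedByExpectedCert(
    context: Context,
    expectedSha256: String = EXPECTED_CERT_SHA256
): Boolean {
    val pm = context.packageManager
    val certs: List<ByteArray> = try {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
            val signingInfo = info.signingInfo ?: return false
            // We shipped with a single signer; anything else is not our build.
            if (signingInfo.hasMultipleSigners()) return false
            signingInfo.apkContentsSigners.map { it.toByteArray() }
        } else {
            // Pre-API 28 path: GET_SIGNATURES returns the signing certificates.
            val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES)
            info.signatures.map { it.toByteArray() }
        }
    } catch (e: PackageManager.NameNotFoundException) {
        return false
    }
    if (certs.size != 1) return false
    // Constant-time comparison of the hex digests.
    return MessageDigest.isEqual(
        sha256Hex(certs[0]).toByteArray(),
        expectedSha256.lowercase().toByteArray()
    )
}
```

As the recap warns, Kotlin is easy to reverse engineer, so treat this as one layer: obfuscate it and back it with a server-side check where the result matters.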

  25. Agenda (same as slide 3)
  26. Understanding “Root”
  27. Root Detection: /scottyab/rootbeer, /KimChangYoun/rootbeerFresh, /Stericson/RootTools, SafetyNet Attestation API
  28. What to do if Root is found?
  29. What to do if Root is found? The user may have legitimately rooted their device; Remote root exploits are a thing; No clear action... restrict some sensitive functionality, design your security model assuming that root can (will) happen. Sources: https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/, https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
  30. Agenda (same as slide 3)
  31. Recap: Know what you need to protect; 100% protection does not exist – aim for “good enough”; Secure Networking is a must; Java/Kotlin are super easy to reverse engineer, so move security-relevant logic to the backend or write it in C/C++; Root can be really bad – come up with a plan
  32. Thank you! Any questions?