Securing Network Calls on Android, from 2009 to 2019

Ten years ago, in a still-maturing ecosystem, HTTPS was not that easy to set up. Today, things have changed.

Let's go back in time and understand why the Web had to switch to HTTPS by looking at security flaws.

We will talk about networking to fully understand the security risks and how things work.

Then we finish in 2019 by talking about what we can do in terms of security: the most used tools, and the things we should know and use.

Michaël Ohayon

April 23, 2019

Transcript

  1. Michaël Ohayon, Android Developer, @mikkL. Securing Network Calls on Android, from 2009 to 2019

  2. Everyone has a phone with apps. Top applications from the French Google Play Store: #3 Netflix, #8 WhatsApp, #27 Microsoft Outlook, #54 Doctolib, #106 Crédit Agricole, #109 Assurance maladie

  3. Everyone has a phone with apps, and private information. Top applications from the French Google Play Store: #3 Netflix (general password), #8 WhatsApp (private messages, pictures), #27 Microsoft Outlook (work data), #54 Doctolib (medical data), #106 Crédit Agricole (bank data), #109 Assurance maladie (government ID)

  4. Let's look at how the Web upgraded its security standards

  5. 1997

  6. The Web in 1997 https://www.telegraph.co.uk/technology/6125914/How-20-popular-websites-looked-when-they-launched.html

  7. HTTP?

  8. HTTP 1.1

  9. HTTP 1.1

  10. HTTP 1.1

  11. HTTP 1.1

  12. 2006

  13. The Web in the 2000s https://thenextweb.com/dd/2014/07/15/website-ages-tracking-aol-yahoo-espn-across-time/

  14. 2008

  15. July 24, 2008: "Today, we're making it even easier for you to use https to protect your mail every time you access it. We've added an option to Settings to always use https" https://gmail.googleblog.com/2008/07/making-security-easier.html

  16. July 24, 2008: "If you don't regularly log in via unencrypted wireless connections at coffee shops or airports or college dorms, then you might not need this additional layer of security." https://gmail.googleblog.com/2008/07/making-security-easier.html

  17. July 24, 2008: "But if you want to always use https, then this setting makes it super easy. Whenever you forget to type https://mail.google.com, we'll add the https for you." https://gmail.googleblog.com/2008/07/making-security-easier.html

  18. 2009

  19. September 23, 2009

  20. 2009

  21. Why is HTTPS such a big deal? Is it hard to monitor HTTP traffic?

  22. ARP Spoofing in 2 minutes (diagram: private network, monip.org)

  23. ARP Spoofing in 2 minutes (diagram: private network, monip.org)

  24. ARP Spoofing in 2 minutes (diagram: private network, monip.org)

  25. ARP Spoofing in 2 minutes (diagram: private network, monip.org)

  26. ARP Spoofing in 2 minutes (diagram: private network, monip.org)

  27. ARP Spoofing in 2 minutes

  28. ARP Spoofing in 2 minutes (diagram: network interface, phone IP, gateway IP)

  29. ARP Spoofing in 2 minutes

  30. ARP Spoofing in 2 minutes

  31. No HTTPS: anyone can see the traffic

  32. ARP Spoofing in 2 minutes

  33. HTTPS: traffic should not be readable

  34. 2013

  35. July 31, 2013: "We now use https by default for all Facebook users. This feature, which we first introduced as an option two years ago, means that your browser is told to communicate with Facebook using a secure connection, as indicated by the "https" rather than "http" in https://www.facebook.com." https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/

  36. How does HTTPS work?

  37. Key Infrastructure (diagram: PRE-INSTALLED) https://www.thesslstore.com/blog/root-certificates-intermediate/

  38. Key Infrastructure https://android.googlesource.com/platform/system/ca-certificates/+/master/files/

  39. Key Infrastructure

  40. Key Infrastructure (diagram: Root, Intermediary, Server)

  41. Why was HTTPS slow to deploy?

  42. 1 - Tech requirements: you need access to the underlying HTTP server, not just FTP access, and you need to be trusted. http://conseilscreation.free.fr/pages/ftp_filezilla.php

  43. 2 - Pricing: who wants to pay for something already working? https://www.sslshopper.com/ssl-certificate-list.html

  44. 3 - Lack of documentation

  45. 4 - Lack of automation tools

  46. Not that easy

  47. 2016

  48. September 15, 2016: "This specification defines "secure contexts", thereby allowing user agent implementers and specification authors to enable certain features only when certain minimum standards of authentication and confidentiality are met." https://www.w3.org/TR/secure-contexts/

  49. September 15, 2016: "Warning: Direct access to the camera is a powerful feature. It requires consent from the user, and your site MUST be on a secure origin (HTTPS)." https://developers.google.com/web/fundamentals/media/capturing-images/

  50. 2018

  51. February 8, 2018: "Chrome will mark all HTTP sites as ‘not secure’ starting in July" https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl

  52. Android 9 (framework security changes) https://developer.android.com/about/versions/pie/android-9.0-changes-28#framework-security-changes

  53. Is it easy to switch to HTTPS in 2018?

  54. Is it easier to switch to HTTPS in 2018? YES

  55. (no text)

  56. Will this solve all my security issues?

  57. Will this solve all my security issues? NO

  58. Trusting weak CAs

  59. Trusting weak CAs

  60. Trusting weak CAs

  61. Trusting weak CAs (diagram: COMPROMISED, COMPROMISED) https://www.thesslstore.com/blog/root-certificates-intermediate/

  62. Trusting weak CAs

  63. Trusting weak CAs

  64. Is this possible on Android?

  65. Is this possible on Android? YES

  66. The "debug" use case https://www.charlesproxy.com (diagram: private network, monip.org)

  67. Trusting weak CAs (diagram: COMPROMISED, COMPROMISED, COMPROMISED)

  68. Trusting weak CAs

  69. Automating user certs trust

  70. What can I do?

  71. Can I create my own certificate chain?

  72. Self-signed certificate (diagram: PRIVATE)

  73. Can I use a self-signed certificate? MAYBE

  74. Can I use a self-signed certificate? NO (if you plan to use this certificate on devices you do not administrate or in apps you are not building, such as web browsers)

  75. Can I use a self-signed certificate? YES (if it is for applications where you control the network logic, or for devices you administrate)
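Added example, not from the deck: an Android Network Security Configuration (referenced from the manifest with android:networkSecurityConfig="@xml/network_security_config") that puts the points of slides 52, 66 to 69 and 72 to 75 into one file. Cleartext stays off (the Android 9 default), release builds trust only the pre-installed system CAs so a CA the user installed for a debugging proxy cannot decrypt the traffic, user CAs are trusted only in debuggable builds, and a self-signed CA bundled in res/raw is the only trust anchor for an internal host you administer. The host name internal.example.com and the resource name internal_ca are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the deck: res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Release builds: no cleartext, system CAs only. A CA installed by the
         user (for example a debugging proxy's root) is NOT trusted here, so
         reading the traffic on the device requires a modified app or a
         compromised device, which is the situation slides 86 and 87 describe. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only while android:debuggable is true, never in a release
         build: the developer's proxy CA from the user store becomes trusted,
         which covers the "debug" use case without shipping that trust. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Internal host you administer (placeholder name): trust only the
         self-signed CA bundled as res/raw/internal_ca (PEM or DER). The
         system CAs are deliberately absent for this domain. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">internal.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/internal_ca" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

The debug-overrides block is the safe answer to "automating user certs trust": trust is granted by the build type, not by a code path that could be left enabled in production.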
  76. OkHttp Certificate Pinner

  77. Congrats! You just learned (basic) SSL pinning! More: https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
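Added example, not from the deck and not the linked article's code: an OkHttp client pinned the way slide 76 suggests, in Java. It spells out how the pin string is derived (SHA-256 over the DER-encoded SubjectPublicKeyInfo, Base64, the same value OkHttp's CertificatePinner.pin(Certificate) returns), pins two keys so the certificate rotation slide 79 warns about does not lock users out, and fails closed on a mismatch. The host api.example.com and both pin values are placeholders.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okio.ByteString;

/**
 * Added example (not from the deck): certificate pinning with OkHttp 3.x.
 * Host and pin values are placeholders; replace them with your own.
 */
public final class PinnedClient {

    // Placeholder host: the backend this app talks to.
    static final String HOST = "api.example.com";

    // Placeholder pins. Pin the public key of the leaf or of your intermediate,
    // not a root, and always ship a backup pin (a key you already control but
    // have not deployed yet) so rotating the certificate does not break the app.
    static final String CURRENT_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /**
     * Computes the pin string OkHttp expects for a certificate: "sha256/" followed
     * by the Base64 SHA-256 digest of the DER-encoded SubjectPublicKeyInfo.
     * Written out to show what is pinned: the public key, not the certificate,
     * so a certificate reissued for the same key still matches the pin.
     */
    static String spkiPin(Certificate cert) {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        return "sha256/" + ByteString.of(spki).sha256().base64();
    }

    /** Builds a client that accepts HOST only if the served chain contains a pinned key. */
    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, CURRENT_PIN, BACKUP_PIN)   // several pins for one host: any match passes
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    public static void main(String[] args) throws IOException {
        OkHttpClient client = build();
        Request request = new Request.Builder().url("https://" + HOST + "/").build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println("HTTP " + response.code());
        } catch (SSLPeerUnverifiedException e) {
            // Thrown when no pin matches. OkHttp's message lists the pins of the chain
            // it actually received, which is the usual way to collect the first pin set.
            // Fail closed here; do not fall back to an unpinned client.
            System.err.println("Pin mismatch for " + HOST + ": " + e.getMessage());
        }
    }
}
```

Note that pinning only constrains which keys the app accepts; it does nothing against an app that has been repackaged with the pinner removed, which is the "device already compromised" case of slides 86 to 91.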
  78. (no text)

  79. Is certificate pinning the way to go? YES (but don't forget to think about the certificate's lifetime)

  80. Will this solve all my security issues?

  81. Will this solve all my security issues? NO (but most of them)

  82. What should I be afraid of?

  83. What should I be afraid of? Social Engineering

  84. What should I be afraid of? Social Engineering (the device may be compromised)

  85. Social Engineering https://www.androidpolice.com/2018/06/03/fake-fortnite-apks-dont-tricked-downloading-one/

  86. What should I be afraid of? Reverse Engineering

  87. What should I be afraid of? Reverse Engineering (the device is already compromised)

  88. Decompiling: keytool / jarsigner https://blog.bramp.net/post/2015/08/01/decompile-and-recompile-android-apk/

  89. Call interception

  90. Automating unpinning https://github.com/ac-pm/SSLUnpinning_Xposed

  91. Automating unpinning https://github.com/ac-pm/SSLUnpinning_Xposed

  92. Should I be worried? You should not, but the backend team may be

  93. Recap
     • HTTPS is the way to go (who would doubt that?)
     • Certificate pinning exists and should be implemented
     • Think twice when releasing outside default stores!
     • If someone wants to look at the traffic, they may succeed, but only on compromised devices
     • Keep cool: in 2019, your apps should be safe enough

  94. Thanks!