Secure your app's data with JetSec

Monika Kumar Jethani

August 13, 2020

Transcript

  1. About Me

    Monika is an Android developer with 6 years of experience in mobile application development. She is a regular Android/Kotlin speaker at mobile development conferences/meetups. Last but not least, she shares her birthday with Java :) Twitter handle: @monika_jethani
  2. Agenda

    • Need for Encryption
    • Challenges with Encryption
    • Intro to JetSec
    • Double layer security model
    • Android Keystore and Master Key
    • Encrypting Files
    • Encrypting Shared Preferences
    • Demo
    • Overview of Tink
    • What’s new in JetSec
  3. Need for encryption

    • To protect data in shared storage.
    • To protect sensitive data like personally identifiable information (PII), personal health information (PHI), financial details, enterprise data, etc.
    • To protect data on a rooted device, even with full-disk encryption.
    • To prevent the users from accessing tokens and keys used in your app.
  4. I don’t know the different encryption algorithms and the differences between them. How can I do encryption of data in my app?
  5. JetSec

    The Jetpack Security library provides an implementation of the security best practices related to reading and writing data at rest, as well as key creation and verification. Source: developer.android.com
  6. JetSec Features

    • Key creation and storage
    • Encryption Operations
    • Supported from API levels 23+
    • Allows you to locally protect files that may contain sensitive data, API keys, OAuth tokens, and other types of secrets.
    • Apt for consumer apps such as banking and chat apps as well as enterprise apps.
    • Provides great encryption as well as good performance.
    • Apt for apps that require a hardware-backed keystore and user presence for providing key access.
  7. Double layer Security Model

    • Keyset: contains one or more keys to encrypt a file or shared preferences. It is stored in SharedPreferences.
    • Master (primary) key: encrypts all keysets that are used for each cryptographic operation. This key is stored in Android Keystore, making it difficult to extract.
  8. Android Keystore

    • Hardware-backed
    • Stores cryptographic keys, making them hard to extract.
    • Stores keys in a trusted execution environment or StrongBox.
    • To allow JetSec to store keys in StrongBox, we need to enable a flag.
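  9. Custom Key

    ```kotlin
    import android.security.keystore.KeyGenParameterSpec
    import android.security.keystore.KeyProperties
    import androidx.security.crypto.MasterKeys

    val keySpecifications = KeyGenParameterSpec.Builder(
        "keystore_alias",
        // Both purposes are needed: the master key must decrypt the keyset as well as encrypt it.
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    ).apply {
        setKeySize(256)
        setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    }.build()
    val masterKey = MasterKeys.getOrCreate(keySpecifications) // returns the Keystore alias
    ```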
  10. Add-ons for Key Creation

    ```kotlin
    val advancedSpec = KeyGenParameterSpec.Builder(
        "master_keystore_alias",
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    ).apply {
        setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        setKeySize(256)
        // Key is usable only for 15 seconds after the user authenticates.
        setUserAuthenticationRequired(true)
        setUserAuthenticationValidityDurationSeconds(15) // must be larger than 0
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            setUnlockedDeviceRequired(true)
            // Key generation fails with StrongBoxUnavailableException on devices without StrongBox.
            setIsStrongBoxBacked(true)
        }
    }.build()
    val masterKeyAlias = MasterKeys.getOrCreate(advancedSpec)
    ```
  11. Encrypting Files

    • Uses EncryptedFile class.
    • Provides custom implementations of FileInputStream and FileOutputStream.
    • Uses the Streaming Authenticated Encryption with Associated Data (AEAD) primitive of Tink.
    • Facilitates secure reading and writing operations.
  12. Creating an Encrypted File

    ```kotlin
    val encryptedFile = EncryptedFile.Builder(
        secretFile,
        context,
        masterKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()
    ```
  13. Reading and Writing to EncryptedFile

    ```kotlin
    // openFileOutput() throws an IOException if the file already exists.
    encryptedFile.openFileOutput().bufferedWriter().use { bufferedWriter ->
        // Writing some data..
    }
    encryptedFile.openFileInput().bufferedReader().useLines { lines ->
        // Reading data..
    }
    ```
  14. Encrypting Shared Preferences

    • Uses EncryptedSharedPreferences class.
    • Wrapper around SharedPreferences class.
    • Encrypts keys and values using a two-scheme method:
      1. Keys are encrypted deterministically.
      2. Values are encrypted non-deterministically using AES-256 GCM.
  15. Creating an Encrypted SharedPreference

    ```kotlin
    val sharedPreferences = EncryptedSharedPreferences.create(
        "encrypted_shared_prefs", // filename
        masterKeyAlias,
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
    ```
  16. What does JetSec use under the hood?

    • JetSec uses Tink under the hood.
    • Tink is an open-source, cross-platform security project from Google.
    • https://github.com/google/tink
    • Provides cryptographic APIs that are secure, easy to use, harder to misuse.
  17. Features of Tink

    • Key Rotation
    • Message Signing
    • Hybrid Encryption
    • MAC
    • Google Cloud Key support
    • Create your own primitives
  18. What’s new in JetSec?

    • Lollipop (API 21+) is now supported.
    • The MasterKeys class is now deprecated, and a new MasterKey class has been introduced to support new features and versions of Android that don’t have KeyGenParameterSpec.
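
The file and shared-preferences steps from slides 7 to 15, written against the MasterKey class that slide 18 says replaces MasterKeys. This is an added example, not code from the original deck; it assumes a security-crypto release that ships MasterKey, and SecureStore, demo, the file names and the sample values are hypothetical.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedFile
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.io.File
import java.io.IOException

// Added example: SecureStore, demo() and all file names/values are hypothetical.
class SecureStore(private val context: Context) {
    // Master key lives in Android Keystore and only wraps the Tink keysets.
    private val masterKey: MasterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .setRequestStrongBoxBacked(true) // a request; applies only where StrongBox exists
        .build()

    // Keys encrypted deterministically (AES256_SIV), values with AES256_GCM.
    val prefs: SharedPreferences by lazy {
        EncryptedSharedPreferences.create(
            context, "encrypted_shared_prefs", masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
    }

    private fun encryptedFile(file: File): EncryptedFile = EncryptedFile.Builder(
        context, file, masterKey,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()

    fun writeSecret(name: String, text: String) {
        val file = File(context.filesDir, name)
        // openFileOutput() refuses to overwrite, so remove any previous version first.
        if (file.exists() && !file.delete()) throw IOException("cannot replace $name")
        encryptedFile(file).openFileOutput().bufferedWriter().use { it.write(text) }
    }

    fun readSecret(name: String): String =
        encryptedFile(File(context.filesDir, name))
            .openFileInput().bufferedReader().use { it.readText() }
}

// Constructed sample values, for illustration only.
fun demo(context: Context) {
    val store = SecureStore(context)
    store.prefs.edit().putString("oauth_token", "constructed-sample-token").apply()
    store.writeSecret("secret.txt", "constructed sample secret")
    check(store.readSecret("secret.txt") == "constructed sample secret")
}
```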