I just hacked your app - AppBuilders Switzerland 2017

Transcript

1. I just hacked
   your app
   

   View Slide

2. Watch this
   

   View Slide

3. View Slide

4. PWNED
   

   View Slide

5. Marcos Placona
   @marcos_placona
   [email protected]
   github.com/mplacona
   androidsecurity.info
   

   View Slide

6. NOT
   

   View Slide

7. View Slide

8. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vestibulum euismod ipsum
   et semper vestibulum. In congue, risus ac lobortis commodo, arcu elit congue nisi, e
   ullamcorper diam quam in est. Quisque nec lectus eget metus pharetra placerat.
   Quisque nisi lorem, convallis eget lobortis quis, suscipit eu sem. Sed ligula purus,
   lacinia quis ultrices at, sollicitudin at lacus. Duis porta hendrerit semper. Sed vitae
   mauris fringilla, porta turpis facilisis, facilisis risus. Integer quis lobortis velit. Vivamu
   ut placerat ex. Nunc est purus, pretium vitae hendrerit fringilla, molestie at tortor.
   Vestibulum vel purus et urna hendrerit pretium et quis nunc. Fusce sit amet neque in
   justo elementum rutrum ut nec metus. Fusce sollicitudin, dui vel molestie aliquam,
   ligula leo fringilla augue, a luctus quam sem sed tortor. Vivamus mattis nisi purus, si
   amet efficitur lectus mollis nec. Etiam consectetur, nisl eu euismod posuere, justo
   neque vehicula ex, nec lobortis augue neque id mi. Ut aliquam odio ac turpis
   condimentum porttitor.
   Mauris ut est eu sapien tempor congue. Proin ipsum sem, cursus quis magna eu,
   finibus fringilla nulla. Vestibulum viverra felis ac arcu iaculis condimentum. Aenean
   mattis magna non ipsum viverra accumsan. Suspendisse potenti. Nam quis dapibus
   ipsum. Integer at tortor ac neque semper consectetur. Donec vitae mattis felis, quis
   

   View Slide

9. elementum dolor fringilla eu. Nulla luctus arcu et egestas ultrices. Quisque dignissim
   lacinia vehicula. Suspendisse vitae nisl dapibus, dapibus elit quis, efficitur ex. Done
   interdum est purus, nec tempor risus sollicitudin tincidunt. Vestibulum accumsan sed
   libero ut tincidunt.
   Interdum et malesuada fames ac ante ipsum primis in faucibus. Vestibulum vitae
   consectetur ex, vitae viverra felis. Sed vitae imperdiet turpis. Donec eget velit
   sagittis, hendrerit ante id, aliquet libero. Proin pulvinar ornare consectetur. Vestibulum
   ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Proin
   consequat tincidunt risus et aliquam. Donec vel vulputate sem, sed ornare lorem.
   Curabitur a maximus urna, ut blandit tellus.
   Suspendisse I haven’t nisl a ultricies semper. Cras really purus mollis vestibulum
   rhoncus. Sed hacked your orci, imperdiet vitae pharetra app, tincidunt laoreet lacus
   Vivamus posuere nisl diam, ut efficitur mauris facilisis vehicula. Vestibulum risus veli
   tincidunt a libero a, vestibulum tincidunt orci. Pellentesque in finibus est. Praesent
   tempus tortor ac magna iaculis, sed cursus quam venenatis. Quisque pharetra
   euismod auctor.
   

   View Slide

10. Sue-y
    /s(j)uːi/
    1. To become annoyed with someone who broke your
    toy without permission and want to sue them for that.
    “Company X got all ‘sue-y’ on me when I hacked their
    app and showed the world"
    

    View Slide

11. View Slide

12. View Slide

13. View Slide

14. Kuba Gretzki
    http://bit.ly/hack4beer
    

    View Slide

15. loyalty
    \ˈlȯi(-ə)l-tē\
    

    View Slide

16. loyalty
    + =
    

    View Slide

17. loyalty
    HTTP Proxy
    

    View Slide

18. POST /users/461845f5d03e6c052a43afbc/points
    Accept: application/json
    Accept-Language: en-gb
    X-App-Version: 1.28.0
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1;)
    ...
    Content-Type: application/json; charset=UTF-8
    Content-Length: 375
    Host: api.eatapp.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    {
    "authentication_token":"boKUp9vBHNAJp7XbWZCK",
    "latitude":...,
    "longitude":...,
    "point":{
    "isDoneByGesture":false,
    "main_beacon":{
    "major":38995,
    "minor":12702,
    "uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8"
    },
    "place_id":"450",
    "promoted_products_ids":[
    {"id":"647035946536601578040000"},
    {"id":"647035946536601578040000"},
    {"id":"647035946536601578050000"}
    ]
    }
    }
    

    View Slide

19. POST /users/461845f5d03e6c052a43afbc/points
    Accept: application/json
    Accept-Language: en-gb
    X-App-Version: 1.28.0
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1;)
    ...
    Content-Type: application/json; charset=UTF-8
    Content-Length: 375
    Host: api.eatapp.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    {
    "authentication_token":"boKUp9vBHNAJp7XbWZCK",
    "latitude":...,
    "longitude":...,
    "point":{
    "isDoneByGesture":false,
    "main_beacon":{
    "major":38995,
    "minor":12702,
    "uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8"
    },
    "place_id":"450",
    "promoted_products_ids":[
    {"id":"647035946536601578040000"},
    {"id":"647035946536601578040000"},
    {"id":"647035946536601578050000"}
    ]
    }
    }
    

    View Slide

20. POST /users/461845f5d03e6c052a43afbc/points
    Accept: application/json
    Accept-Language: en-gb
    X-App-Version: 1.28.0
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1;)
    ...
    Content-Type: application/json; charset=UTF-8
    Content-Length: 375
    Host: api.eatapp.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    {
    "authentication_token":"boKUp9vBHNAJp7XbWZCK",
    "latitude":...,
    "longitude":...,
    "point":{
    "isDoneByGesture":false,
    "main_beacon":{
    "major":38995,
    "minor":12702,
    "uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8"
    },
    "place_id":"450",
    "promoted_products_ids":[
    {"id":"647035946536601578040000"},
    {"id":"647035946536601578040000"},
    {"id":"647035946536601578050000"}
    ]
    }
    }
    

    View Slide

21. View Slide

22. View Slide

23. View Slide

24. stop!
    

    View Slide

25. • Encrypt all the values
    • Utilise security features when they exist
    • Certificate pinning
    • DO NOT TRUST THE DEVICE
    

    View Slide

26. Encrypt all the values
    dependencies {
    compile 'com.scottyab:aescrypt:0.0.1'
    }
    String password = "password";
    String message = "hello world";
    try {
    String encryptedMsg = AESCrypt.encrypt(password, message);
    }catch (GeneralSecurityException e){
    //handle error
    }
    String password = "password";
    String encryptedMsg = "2B22cS3UC5s35WBihLBo8w==";
    try {
    String messageAfterDecrypt = AESCrypt.decrypt(password, encryptedMsg);
    }catch (GeneralSecurityException e){
    //handle error - could be due to incorrect password or tampered encryptedMsg
    }
    

    View Slide

27. • Encrypt all the values
    • Utilise security features when they exist
    • Certificate pinning
    • DO NOT TRUST THE DEVICE
    

    View Slide

28. Utilise security features when they exist
    

    View Slide

29. • Encrypt all the values
    • Utilise security features when they exist
    • Certificate pinning
    • DO NOT TRUST THE DEVICE
    

    View Slide

30. Certificate pinning
    String hostname = "publicobject.com";
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
    .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
    .build();
    OkHttpClient client = OkHttpClient.Builder()
    .certificatePinner(certificatePinner)
    .build();
    Request request = new Request.Builder()
    .url("https://" + hostname)
    .build();
    client.newCall(request).execute();
    http://bit.ly/android-certificate-pinning
    

    View Slide

31. Certificate pinning
    String hostname = "publicobject.com";
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
    .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
    .build();
    OkHttpClient client = OkHttpClient.Builder()
    .certificatePinner(certificatePinner)
    .build();
    Request request = new Request.Builder()
    .url("https://" + hostname)
    .build();
    client.newCall(request).execute();
    http://bit.ly/android-certificate-pinning
    

    View Slide

32. Certificate pinning
    String hostname = "publicobject.com";
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
    .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
    .build();
    OkHttpClient client = OkHttpClient.Builder()
    .certificatePinner(certificatePinner)
    .build();
    Request request = new Request.Builder()
    .url("https://" + hostname)
    .build();
    client.newCall(request).execute();
    http://bit.ly/android-certificate-pinning
    

    View Slide

33. • Encrypt all the values
    • Utilise security features when they exist
    • Certificate pinning
    • DO NOT TRUST THE DEVICE
    

    View Slide

34. Someone will decompile your app
    

    View Slide

35. And when they do…
    

    View Slide

36. –Every Developer
    “But I need magic strings”
    

    View Slide

37. Options
    http://bit.ly/SafeKey
    Encrypt
    Make sure you encrypt or at least
    encode them
    Server
    Get your keys of a server you own
    

    View Slide

38. Store in the NDK
    http://bit.ly/NDKStorage
    

    View Slide

39. start!
    

    View Slide

40. • Add tampering detection
    • Check your app’s signature
    • Check for rooted device
    • Check for emulator
    • Check if the app is debuggable
    

    View Slide

41. Tampering detection
    // myPackageName should decode at runtime to "com.yourpackagename"
    // google should decode at runtime to "com.android.vending";
    // amazon should decode at runtime to "com.amazon.venezia";
    public boolean isHacked(Context context, String myPackageName, String google, String amazon)
    {
    //Crooks renamed your app?
    if (context.getPackageName().compareTo(myPackageName != 0)
    return true; // BOOM!
    //Rogues relocated your app?
    String installer = context.getPackageManager().getInstallerPackageName(myPackageName);
    if (installer == null)
    return true; // BOOM!
    if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
    return true; // BOOM!
    return false;
    }
    http://bit.ly/android-tampering-detection
    

    View Slide

42. Tampering detection
    // myPackageName should decode at runtime to "com.yourpackagename"
    // google should decode at runtime to "com.android.vending";
    // amazon should decode at runtime to "com.amazon.venezia";
    public boolean isHacked(Context context, String myPackageName, String google, String amazon)
    {
    //Crooks renamed your app?
    if (context.getPackageName().compareTo(myPackageName != 0)
    return true; // BOOM!
    //Rogues relocated your app?
    String installer = context.getPackageManager().getInstallerPackageName(myPackageName);
    if (installer == null)
    return true; // BOOM!
    if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
    return true; // BOOM!
    return false;
    }
    http://bit.ly/android-tampering-detection
    

    View Slide

43. • Add tampering detection
    • Check your app’s signature
    • Check for rooted device
    • Check for emulator
    • Check if the app is debuggable
    

    View Slide

44. private static final int VALID = 0;
    private static final int INVALID = 1;
    private static final String APP_SIGNATURE = "1038C0E34658923C4192E61B16846";
    public static int checkAppSignature(Context context) {
    try {
    PackageInfo packageInfo = context.getPackageManager()
    .getPackageInfo(context.getPackageName(),
    PackageManager.GET_SIGNATURES);
    for (Signature signature : packageInfo.signatures) {
    byte[] signatureBytes = signature.toByteArray();
    MessageDigest md = MessageDigest.getInstance("SHA");
    md.update(signature.toByteArray());
    //compare signatures
    if (SIGNATURE.equals(APP_SIGNATURE)){
    return VALID;
    };
    }
    } catch (Exception e) {
    //assumes an issue in checking signature., but we let the caller decide on what to do.
    }
    return INVALID;
    }
    Check your app’s signature
    http://bit.ly/AndroidTampering
    

    View Slide

45. • Add tampering detection
    • Check your app’s signature
    • Check for rooted device
    • Check for emulator
    • Check if the app is debuggable
    

    View Slide

46. private static boolean canExecuteCommand(String command) {
    try {
    int exitValue =
    Runtime.getRuntime().exec(command).waitFor();
    if (exitValue != 0) return false;
    else return true;
    } catch (Exception e) {
    return false;
    }
    }
    Check for rooted device
    

    View Slide

47. • Add tampering detection
    • Check your app’s signature
    • Check for rooted device
    • Check for emulator
    • Check if the app is debuggable
    

    View Slide

48. Build.FINGERPRINT.startsWith("generic")
    Check for emulator
    

    View Slide

49. • Add tampering detection
    • Check your app’s signature
    • Check for rooted device
    • Check for emulator
    • Check if the app is debuggable
    

    View Slide

50. public static boolean isDebuggable(Context context){
    return (context.getApplicationInfo().flags &
    ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }
    Check if the app is debuggable
    

    View Slide

51. Debuggable app
    

    View Slide

52. View Slide

53. Things to look at
    • Protect your apps with tools like ProGuard and
    DexGuard.
    • Look at the SafetyNet API by Google
    • Implement Network Security Configuration
    http://bit.ly/SafeKey
    

    View Slide

54. ProGuard DexGuard
    • Installed by default
    • Name Obfuscation
    • Code Optimisation
    • Removal of Redundant Code
    • FREE
    • Class Encryption
    • Call Hiding through Reflection
    • String Encryption
    • Certificate Checks
    • Debug Detection
    • Emulator Detection
    • Root Detection
    • Tamper Detection
    • Costs $$$
    

    View Slide

55. Things to look at
    • Protect your apps with tools like ProGuard and
    DexGuard.
    • Look at the SafetyNet API by Google
    • Implement Network Security Configuration
    http://bit.ly/SafeKey
    

    View Slide

56. SafetyNet API by Google
    

    View Slide

57. Things to look at
    • Protect your apps with tools like ProGuard and
    DexGuard.
    • Look at the SafetyNet API by Google
    • Implement Network Security Configuration
    http://bit.ly/SafeKey
    

    View Slide

58. Network Security Configuration
    

    View Slide

59. View Slide

60. View Slide

61. Marcos Placona
    @marcos_placona
    [email protected]
    Thanks
    github.com/mplacona
    androidsecurity.info
    

    View Slide