Slide 1

@sp4ghetticode / spght.dev
How to keep your app's secrets, secret
Ed Holloway-George @ Droidcon Lisbon 2024

Slide 2

Introduction: Who am I?
• Lead Android Dev @ ASOS
• Android Google Dev Expert
• I like to talk about mobile security a lot
• Available on all good social media platforms (and also Twitter X)
• First time in Lisbon 🇵🇹
• Thanks for coming along & I hope you learn something new

Slide 3

Every app developer has secrets… 👀

Slide 4

Our Secrets: What are they?
• API Keys
• Secure Strings
• Anything that you wouldn't want to be in the hands of someone else!
• Yet, we aren't always securing them 😅

Slide 5

The harsh reality: Our secrets are out there!
• Experts estimate 55% of mobile apps have hardcoded secrets
• Most commonly found are Google, Firebase and Facebook credentials
• Secrets pose different levels of risk, depending on what they provide…
Source: Cyber News (2022) cybernews.com/security/android-apps-leak-hardcoded-secrets

Slide 6

What could possibly go wrong?

Slide 7

Firebase 🔥 (e.g. Firestore DB / Storage / etc)
• 30% of apps on Play Store utilise Firebase services
• Around 5% of these expose data
• Credentials hard-coded
• Integrations ignored security best practices
• Reverse engineering is easy & can even be automated 😅
Source: Comparitech Whitepaper (2021) comparitech.com/blog/information-security/firebase-misconfiguration-report

Slide 8

AWS Keys 🔑
• Research shows ~0.5% of mobile apps expose AWS API keys
• Exposed AWS keys can be used to access critical infrastructure
• Verizon, WWE, Uber, Accenture & many more have had AWS breaches
Source: Cloudsek Whitepaper (2021) csek.me/Qwmq

Slide 9

Generally speaking: What is potentially at risk?
• Stability 💥
• Finances 🏦
• Reputation 🗣
• Security 🔓
• Your own job!? 😬

Slide 10

Is this you right now? Don't sweat… This talk will help!

Slide 11

Top Tip #1: Don't store secrets in your codebase

Slide 12

Common codebase issues: How many apply to you?
• Secrets hardcoded in files (Gradle, Kotlin, etc)
• Your secrets are currently stored in version control
• You don't know if your git history contains secrets
• No process to detect secrets in your codebase

Slide 13

Secrets Gradle Plugin for Android: How does it work?
• Configure plugin
• Add secrets.properties file with secrets
• Add dummy .properties file with stubs
• Access secrets via BuildConfig or XML
• Ensure your secrets.properties file is in .gitignore
(Files shown on the slide: app/build.gradle, secrets.properties, .gitignore)

Slide 14

Secrets Gradle Plugin for Android: How does it work?
• Configure plugin
• Add secrets.properties file with secrets
• Add dummy .properties file with stubs
• Access secrets via BuildConfig or XML
• Ensure your secrets.properties file is in .gitignore
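A consistency check for the setup above, written for this page as an added example rather than code from the talk or from the Secrets Gradle Plugin itself. It assumes the real file is secrets.properties and the committed stub file is local.defaults.properties (the plugin lets you configure both names), and the sample file contents are constructed. It parses both .properties files, confirms every real key has a stub, that no stub repeats a real value, and that .gitignore actually covers the secrets file.

```python
import fnmatch
from typing import Dict, List

# Assumed file names (the plugin lets you configure both):
SECRETS_FILE = "secrets.properties"          # real values, git-ignored
DEFAULTS_FILE = "local.defaults.properties"  # stub values, committed


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def gitignore_covers(gitignore_text: str, path: str) -> bool:
    """True if a plain (non-negated) .gitignore pattern matches `path` or its basename."""
    name = path.rsplit("/", 1)[-1]
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat[0] in "#!":
            continue
        pat = pat.lstrip("/")
        if fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(name, pat):
            return True
    return False


def check_secrets_setup(secrets_text: str, defaults_text: str,
                        gitignore_text: str) -> List[str]:
    """Return the problems found; an empty list means the setup is consistent."""
    problems: List[str] = []
    real = parse_properties(secrets_text)
    stub = parse_properties(defaults_text)
    if not gitignore_covers(gitignore_text, SECRETS_FILE):
        problems.append(f"{SECRETS_FILE} is not ignored by .gitignore")
    for key, value in real.items():
        if key not in stub:
            # CI and developers without the real file would fail to build
            problems.append(f"no stub for {key} in {DEFAULTS_FILE}")
        elif value and stub[key] == value:
            # the committed stub would carry the real secret into version control
            problems.append(f"stub for {key} contains the real secret value")
    for key in stub:
        if key not in real:
            problems.append(f"stub {key} has no real value in {SECRETS_FILE}")
    return problems


# Constructed sample files (no real keys)
SAMPLE_SECRETS = "MAPS_API_KEY=AIzaCONSTRUCTED_NOT_A_REAL_KEY\nBACKEND_TOKEN: tok_constructed_123\n"
SAMPLE_DEFAULTS = "# committed stubs\nMAPS_API_KEY=DEFAULT_API_KEY\n"
SAMPLE_GITIGNORE = "# local-only files\n/secrets.properties\n*.keystore\n"

if __name__ == "__main__":
    for problem in check_secrets_setup(SAMPLE_SECRETS, SAMPLE_DEFAULTS, SAMPLE_GITIGNORE):
        print("PROBLEM:", problem)
```

Run against the sample input it reports the one missing stub (BACKEND_TOKEN), which is exactly the case that breaks a fresh CI checkout; a stub that equals the real value is the quieter failure, because the build works and the secret is committed anyway.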

Slide 15

Secrets Gradle Plugin for Android: Pros / Cons
✅ Simple integration for most Android apps
✅ Removes real secrets from your codebase or version control
✅ Official solution
✅ Recommended approach
✅ CI friendly
😅 Bakes secrets into your apps
😅 Requires you to share real secrets file with all developers
😅 No encryption, obfuscation, etc

Slide 16

Common codebase issues: How many apply to you?
✅ Secrets hardcoded in files (Gradle, Kotlin, etc)
• Your secrets are currently stored in version control
• You don't know if your git history contains secrets
• No process to detect secrets in your codebase

Slide 17

gitleaks: How does it work?
• CLI based SAST tool
• Searches git repos for secrets
• Handles common secrets
  • JWT, AWS, GCP and many more
• Configurable rules to add your own
• Available as a GitHub Action and pre-commit hook

Slide 18

gitleaks: Pros / Cons
✅ Integrates easily into any type of project
✅ Searches git history
✅ Highly configurable
✅ Has many ways to fit into your workflow
✅ CI friendly
😅 Not 'mobile-specific'
😅 May require some configuration
😅 Occasional false positives
😅 Detects secrets only, doesn't remove them
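To make the 'configurable rules' and 'false positives' points concrete, here is an added example, not gitleaks itself and not from the talk, of a small gitleaks-style scanner: a few regex rules, an allowlist for stub values and documented placeholders, and an entropy gate on the generic rule. The rules, allowlist and sample source lines are constructed for this page; none of the keys are real.

```python
import math
import re
from typing import Dict, List, Tuple

# Rules: name -> pattern. The first three mirror well-known token shapes; the generic
# one catches quoted "...key/secret/token = '...'" assignments and is entropy-gated.
RULES: Dict[str, re.Pattern] = {
    "aws-access-key-id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\b"),
    "generic-api-key": re.compile(
        r"""(?i)(api[_-]?key|secret|token)\s*[:=]\s*["']([^"']{12,})["']"""),
}
# Allowlist: stub values and documented placeholders that must never be reported.
ALLOWLIST = re.compile(r"(?i)(DEFAULT_|PLACEHOLDER|EXAMPLE|CHANGEME|<[^>]+>)")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, 'xxxxxxxx' scores 0."""
    if not s:
        return 0.0
    return -sum((n / len(s)) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))


def scan_lines(lines: List[Tuple[str, int, str]], min_entropy: float = 3.0) -> List[dict]:
    """lines: (path, line_no, text). Returns one finding per distinct secret per line."""
    findings: List[dict] = []
    seen = set()
    for path, no, text in lines:
        for rule, rx in RULES.items():
            for m in rx.finditer(text):
                secret = m.group(2) if rule == "generic-api-key" else m.group(0)
                if (path, no, secret) in seen or ALLOWLIST.search(secret):
                    continue
                if rule == "generic-api-key" and shannon_entropy(secret) < min_entropy:
                    continue
                seen.add((path, no, secret))
                findings.append({"rule": rule, "file": path, "line": no, "secret": secret})
    return findings


# Constructed sample lines (no real credentials): path, line number, text
SAMPLE_LINES = [
    ("app/build.gradle", 12, 'MAPS_API_KEY = "AIzaSyCONSTRUCTED_NOT_A_REAL_KEY_000000"'),
    ("app/src/main/java/Upload.kt", 40, 'val awsKeyId = "AKIA0000CONSTRUCTED0"'),
    ("local.defaults.properties", 1, "MAPS_API_KEY=DEFAULT_API_KEY"),
    ("docs/README.md", 8, 'api_key = "AKIAIOSFODNN7EXAMPLE"  # the AWS docs example key'),
    ("app/Config.kt", 3, 'const val SESSION_TOKEN = "xxxxxxxxxxxxxxxx"'),
    ("app/Config.kt", 4, 'const val BACKEND_SECRET = "c0nstructed-s3cret-Va1ue"'),
    ("app/Auth.kt", 9, 'val jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2lnbmF0dXJl"'),
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"{f['file']}:{f['line']}: {f['rule']}: {f['secret'][:6]}…")
```

The stub in local.defaults.properties and the documented AWS example key are skipped by the allowlist, and the 'xxxx…' placeholder by the entropy gate; the four remaining lines are reported. Tuning those two lists is where most of the 'may require some configuration' effort goes in the real tool.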

Slide 19

Common codebase issues: How many apply to you?
✅ Secrets hardcoded in files (Gradle, Kotlin, etc)
• Your secrets are currently stored in version control
✅ You don't know if your git history contains secrets
• No process to detect secrets in your codebase


Slide 21

Rewriting history: How to change the past!
• git
  • git filter-branch
• Community written tools
  • git-filter-repo
  • BFG Repo-Cleaner
As seen previously @ DC Lisbon…

Slide 22

git filter-branch: Please watch my talk for more!

Slide 23

git-filter-repo: How does it work?
• Nicer alternative to git filter-branch
• Python script and available via package managers
• Create passwords.txt file
  • Contains list of your secrets
• Run it! 💻 git filter-repo --replace-text passwords.txt
• Go get some lunch! (It can take some time)

Slide 24

bfg Repo-Cleaner: How does it work?
• Another alternative to git filter-branch
• Executable JAR file
• Create passwords.txt file
  • Contains list of your secrets
• Run it! 💻 bfg --replace-text passwords.txt .
• Go get some dinner! (You already had lunch)
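An added example, not the talk's code and not part of git-filter-repo or BFG, of building the passwords.txt both tools consume, plus a preview of the rewrite against one file's content before history is touched. It relies on the replace-text line format the tools document (literal==>replacement, a regex: prefix, and ***REMOVED*** as the default replacement); the glob: form is not handled, the blank-line skipping is this example's own, and the secrets and file content are constructed.

```python
import re
from typing import List, Tuple

DEFAULT_REPLACEMENT = "***REMOVED***"   # what both tools substitute when no ==> is given
MIN_LITERAL_LEN = 8                     # shorter literals would clobber unrelated text


def is_safe_literal(secret: str) -> bool:
    """A literal is worth listing only if it is long enough to be unique and
    cannot be mistaken for a rule separator or span lines."""
    return len(secret) >= MIN_LITERAL_LEN and "==>" not in secret and "\n" not in secret


def build_rules_file(secrets: List[str]) -> str:
    """One literal per line; the tool replaces each with ***REMOVED***."""
    unsafe = [s for s in secrets if not is_safe_literal(s)]
    if unsafe:
        raise ValueError(f"refusing to write {len(unsafe)} unsafe literal(s): {unsafe!r}")
    return "".join(f"{s}\n" for s in secrets)


def parse_rules(text: str) -> List[Tuple[re.Pattern, str]]:
    """Understands literal lines and 'regex:' lines, each optionally followed by
    '==>replacement'. (The glob: prefix both tools also accept is left out here.)"""
    rules = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        pattern, sep, repl = raw.partition("==>")
        if not sep:
            repl = DEFAULT_REPLACEMENT
        if pattern.startswith("regex:"):
            rules.append((re.compile(pattern[len("regex:"):]), repl))
        else:
            rules.append((re.compile(re.escape(pattern)), repl))
    return rules


def preview_rewrite(blob: str, rules_text: str) -> Tuple[str, int]:
    """Apply the rules to one file's content the way the tools apply them to every
    blob in history; returns (rewritten_content, replacements_made)."""
    total = 0
    for rx, repl in parse_rules(rules_text):
        blob, n = rx.subn(lambda _m: repl, blob)   # callable: no backslash expansion
        total += n
    return blob, total


# Constructed secrets and file content (not real credentials)
FOUND_SECRETS = ["AKIA0000CONSTRUCTED0", "AIzaSyCONSTRUCTED_NOT_A_REAL_KEY_000000"]
RULES_TEXT = build_rules_file(FOUND_SECRETS) + "regex:tok_[0-9a-f]{16}==>tok_REDACTED\n"
OLD_BLOB = ("MAPS_API_KEY=AIzaSyCONSTRUCTED_NOT_A_REAL_KEY_000000\n"
            "AWS_KEY_ID=AKIA0000CONSTRUCTED0\n"
            "BACKEND_TOKEN=tok_0123456789abcdef\n")

if __name__ == "__main__":
    print(RULES_TEXT)
    new_blob, count = preview_rewrite(OLD_BLOB, RULES_TEXT)
    print(f"{count} replacement(s):\n{new_blob}")
```

The minimum-length guard is the caveat worth keeping: a short literal such as a four-character token fragment matches all over a large history and the rewrite silently corrupts unrelated files. Previewing the rule set against the files you know contain the secret is cheap; re-running the history rewrite after a bad rule is not.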

Slide 25

bfg Repo-Cleaner: Before & After (bfg.jar)

Slide 26

History Rewriting Tools: Pros / Cons
✅ Highly performant
✅ Tailored tools for the removal of secrets
✅ Other uses, e.g. remove large files
✅ git-filter-repo builds upon functionality provided by BFG
✅ BFG doesn't modify the contents of your latest commit
✅ BFG named (in part) after the ultimate weapon in DOOM
😅 Here be dragons! 🐉
😅 Will likely cause breaking changes to your history
😅 Requires all clones of your codebase to adopt changes
😅 Changes can take a long time for large codebases

Slide 27

Common codebase issues: How many apply to you?
✅ Secrets hardcoded in files (Gradle, Kotlin, etc)
✅ Your secrets are currently stored in version control
✅ You don't know if your git history contains secrets
🤔💭 No process to detect secrets in your codebase

Slide 28

Cooking with Ed - "Filmed in front of a live audience"

Slide 29

Ep1: "Cooking with Ed" - A recipe for a secret-free codebase
• Run gitleaks
• Migrate any secrets to Gradle Secrets Plugin
• Use bfg / git-filter-repo to clean up git
• Bake at 180°C for 20 minutes
• Sprinkle these tools into your CI and processes
• Serve the fresh codebase to your hungry developers via a git push --force --all

Slide 30

Top Tip #2: Secure your secrets!


Slide 32

Yikes!

Slide 33

Firebase / Google: IMPORTANT!!!!
• We all have google-services.json files
• These are totally fine to expose/commit
• But you must restrict the API keys
• Visit Google Cloud / Firebase console
• Invoke 'principle of least privilege'

Slide 34

Firebase / Google Restrictions

Slide 35

Firebase / Google Restrictions: PLEASE CHECK THIS TODAY (AFTER THE TALK 😅)

Slide 36

"What about any other secrets?" - You, right now (presumably?)

Slide 37

DexGuard: How does it work?
• From the ProGuard creators - GuardSquare
• Paid solution
• Supports class and string encryption
• Configured similarly to ProGuard / R8 using the 'encryptedstrings' command
• How they do it is 'magic' 🧙🪄

Slide 38

DexGuard: Pros / Cons
✅ Obfuscates secrets in app
✅ Makes it more difficult to reverse engineer
✅ Used in production by many large applications
✅ Provides many more features on top
✅ GuardSquare support is great!
😅 Paid tool, so not available for everyone
😅 Using it just for this use case is probably overkill
😅 Other competitors also exist, so do your own research

Slide 39

Some special mentions: Free tools also exist!
• github.com/klaxit/hidden-secrets-gradle-plugin
  • Gradle Plugin / Utilises NDK
• github.com/PatilShreyas/bytemask
  • Gradle Plugin / Code-gen approach
• github.com/DatL4g/Sekret
  • Kotlin Multiplatform Plugin / Utilises NDK

Slide 40

An example: Hidden Secrets Plugin
• github.com/klaxit/hidden-secrets-gradle-plugin
  • Gradle Plugin / Utilises NDK

Slide 41

Secret obfuscation plugins: Pros / Cons
✅ Obscures secrets in app
✅ Setup is relatively simple
✅ Makes it more difficult to reverse engineer
✅ Good for small projects / hobbyists / indie apps
😅 Still very possible to reverse engineer
😅 Can add a dependency on NDK to your project
😅 Still not good enough for large scale apps

Slide 42

Cooking with Ed - "Putting the 'Ed' into barely edible"

Slide 43

Ep2: "Cooking with Ed" - A recipe for better 'hard-baked' secrets
• Always restrict API keys usage (if possible)
• Use the tools we covered if they are to your taste
• Using the NDK won't solve all your problems
• Remember, baking secrets into your app is always a risk!
• Don't get burned 🔥

Slide 44

Top Tip #3: Get rid of your secrets!

Slide 45

"Well duh. How?" - You again, about 5 seconds ago

Slide 46

API Proxy Service: A high-level example
Your App --(GET api.yourdomain.com/…)--> Your Proxy Server --(GET apidomain.com/api/…)--> APIs
Your App <--(Proxied API response)-- Your Proxy Server <--(API response)-- APIs

Slide 47

API Proxy Service: A high-level example
Your App --(GET api.yourdomain.com/…)--> Your Proxy Server (Your secrets are here!) --(GET apidomain.com/api/…)--> APIs
Your App <--(Proxied API response)-- Your Proxy Server <--(API response)-- APIs

Slide 48

API Proxy Service: How could it be abused?
• Non-legit calls to service (e.g. a script or another app)
• DoS attack (large number of calls)
• Man-in-the-middle style attack

Slide 49

API Proxy Service: Securing the API calls
• Communicate over HTTPS (SSL/TLS)
• Authenticate calls to proxy service
• Use revocable short-lived tokens
• Rate limit
• Remember principle of least privilege!

Slide 50

API Proxy Service: Device Attestation
• Attestation
  • "An official verification of something as true or authentic"
• Play Integrity API / Firebase App Check
• Ensures legitimate device access
• Blocks malicious requests
Source: Safeguarding user security on Android (IO/24) youtu.be/RccJYep2v5I

Slide 51

API Proxy Service: Now with more ✨
Components in the diagram: Your App, Your Proxy Server, APIs, Your Identity Server, Play Integrity
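The pieces from slides 49 to 51 as one added example, written for this page rather than taken from the talk or from Google's Play Integrity client code: an identity server that checks a decoded Play Integrity verdict before issuing a short-lived, revocable HMAC token, and a proxy that authenticates that token, rate-limits per token and only then forwards with the upstream key, which never leaves the server. The verdict field names (requestDetails, appIntegrity, deviceIntegrity and their verdict strings) follow Google's documented verdict format; APP_PACKAGE, UPSTREAM_API_KEY, the token layout, the limits and the sample verdict are assumptions constructed for the example, and the verdict is assumed to have already been decrypted and signature-checked via Google's API.

```python
import base64
import hashlib
import hmac
import json
import secrets
from collections import defaultdict, deque

APP_PACKAGE = "com.example.app"                # assumed package name
TOKEN_TTL_SECONDS = 300                         # short-lived tokens: five minutes
VERDICT_MAX_AGE_MS = 60_000                     # reject stale attestation verdicts
RATE_LIMIT_CALLS, RATE_LIMIT_WINDOW = 5, 60.0   # five calls per minute per token
UPSTREAM_API_KEY = "constructed-upstream-key"   # stays on the server, never in the APK
SIGNING_KEY = secrets.token_bytes(32)           # identity-server HMAC key (constructed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verdict_is_acceptable(verdict: dict, expected_nonce: str, now_ms: int) -> bool:
    """Identity-server gate on a decoded verdict: our package, our nonce, fresh,
    a Play-recognised build, and a device meeting MEETS_DEVICE_INTEGRITY."""
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    return (req.get("requestPackageName") == APP_PACKAGE
            and req.get("nonce") == expected_nonce
            and abs(now_ms - int(req.get("timestampMillis", 0))) <= VERDICT_MAX_AGE_MS
            and app.get("appRecognitionVerdict") == "PLAY_RECOGNIZED"
            and "MEETS_DEVICE_INTEGRITY" in dev.get("deviceRecognitionVerdict", []))


def issue_token(subject: str, now: float) -> str:
    """HMAC-signed, short-lived token with a unique id (jti) so it can be revoked."""
    payload = {"sub": subject, "jti": secrets.token_hex(8), "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class ProxyServer:
    """Authenticates the token, rate-limits per token, then forwards to the real API
    with the server-side key; forwarding is represented by the returned 'upstream'."""

    def __init__(self) -> None:
        self.revoked = set()                    # jti values revoked by the identity server
        self.calls = defaultdict(deque)         # jti -> timestamps of recent calls

    def verify_token(self, token: str, now: float):
        try:
            body, sig = token.split(".")
            expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            payload = json.loads(_unb64(body))
            if payload["exp"] < now or payload["jti"] in self.revoked:
                return None
            return payload
        except (ValueError, KeyError):          # malformed token
            return None

    def within_rate_limit(self, jti: str, now: float) -> bool:
        window = self.calls[jti]
        while window and now - window[0] > RATE_LIMIT_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT_CALLS:
            return False
        window.append(now)
        return True

    def handle(self, token: str, path: str, now: float) -> dict:
        payload = self.verify_token(token, now)
        if payload is None:
            return {"status": 401}
        if not self.within_rate_limit(payload["jti"], now):
            return {"status": 429}
        return {"status": 200, "upstream": {"url": f"https://apidomain.com/api/{path}",
                "headers": {"Authorization": f"Bearer {UPSTREAM_API_KEY}"}}}


SAMPLE_VERDICT = {   # constructed; field names follow the documented verdict format
    "requestDetails": {"requestPackageName": APP_PACKAGE, "nonce": "n-123",
                       "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": APP_PACKAGE},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]},
}


def demo() -> list:
    """Walk through the flow with fixed timestamps; returns the HTTP statuses seen."""
    now = 1_700_000_000.0
    if not verdict_is_acceptable(SAMPLE_VERDICT, "n-123", int(now * 1000)):
        return ["attestation-failed"]
    proxy, token = ProxyServer(), issue_token("device-42", now)
    statuses = [proxy.handle(token, "profile", now + i)["status"] for i in range(6)]  # 5x200, 429
    statuses.append(proxy.handle(token, "profile", now + TOKEN_TTL_SECONDS + 1)["status"])  # expired
    token2 = issue_token("device-43", now)
    proxy.revoked.add(proxy.verify_token(token2, now)["jti"])
    statuses.append(proxy.handle(token2, "profile", now)["status"])                     # revoked
    statuses.append(proxy.handle(token + "x", "profile", now)["status"])                # tampered
    return statuses
```

Two things the example does not do still matter: the app-to-proxy hop has to be HTTPS (the token is a bearer credential), and revocation only works if the proxy actually consults the identity server's revoked set, so in a multi-instance deployment that set has to live in shared storage rather than in process memory as it does here.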

Slide 52

The Swiss Cheese Model
Image Source: Wikipedia CC BY-SA 4.0

Slide 53

The Swiss Cheese Model: More cheese; less problems
Image Source: Wikipedia CC BY-SA 4.0

Slide 54

API Proxy Service: Pros / Cons
✅ Removes secrets from your app 🎉 🎉 🎉
✅ Highly scalable
✅ Backend traditionally much harder to exploit
✅ Can easily rotate keys without disruption
✅ Increased logging/reporting
✅ We now control the API between the frontend & backend
😅 Requires much more effort to implement
😅 Increased latency
😅 Single point of failure
😅 BigTech friendly but not easy to achieve for most
😅 In reality it is actually more complex than this example

Slide 55

Cooking with Ed - "This is the last time I promise"

Slide 56

Ep3: "Cooking with Ed" - A recipe for a 'near-perfect' application
• Remove all the secrets from your app
• Provide their functionality via a proxy service you control
• Rate limit to your liking
• Ensure only real devices and known users can access your services
• Apply the 'Swiss cheese model' generously

Slide 57

In summary… Your plan to have safer secrets
• Erase historic secrets from your repos
• Always restrict your API keys (if possible)
• Obfuscate to add an extra layer of security
• Consider device attestation
• Beware of baked-in secrets
• If you can, proxy calls and remove in-app secrets ✨

Slide 58

spght.dev/talks - For more in-depth Mobile Security talks/blogs

Slide 59

Bom apetite! (Enjoy your meal!) spght.dev/talks

Slide 60

EOF spght.dev/talks