Slide 1

@sp4ghetticode / spght.dev

How to stop the “Gradle Snatchers”
Securing your builds from baddies
Ed Holloway-George @ Droidcon Lisbon

Slide 2

Introduction: Who am I?
• Lead Android Dev @ ASOS
• Android Google Dev Expert
• I like to talk about mobile security a lot
• Available on all good social media platforms (and also Twitter)
• First talk in Lisbon, thanks for inviting me

Slide 3

Supply Chain Attacks: A quick intro…

Slide 4

Supply Chain Attacks: Don’t let it happen to you!

Slide 5

What we will look at today
• Real-world stories
• Securing Dependencies
  • How to do it via Gradle
• Securing Tooling
  • Securing Gradle wrappers
  • Securing Gradle distros

Slide 6

Now let’s talk about the elephant in the room...

Slide 7

(no text on this slide)

Slide 8

Android & Gradle: A timeline…
2008-2012 ‘The Eclipse Years’: Ant + ADT

Slide 9

Android & Gradle: A timeline…
2008-2012 ‘The Eclipse Years’: Ant + ADT (the ‘Dark Ages’)

Slide 10

Android & Gradle: A timeline…
2008-2012 ‘The Eclipse Years’: Ant + ADT
Fall 2012 ‘New Build Tool’: AGP v0.1

Slide 11

Android & Gradle: A timeline…
2008-2012 ‘The Eclipse Years’: Ant + ADT
Fall 2012 ‘New Build Tool’: AGP v0.1
Winter 2014 ‘Initial Release’: AGP v1.0

Slide 12

Android & Gradle: A timeline…
Fall 2012 ‘New Build Tool’: AGP v0.1
Winter 2014 ‘Initial Release’: AGP v1.0
2024 Present Day: AGP v8.x

Slide 13

Android & Gradle: A timeline…
Fall 2012 ‘New Build Tool’: AGP v0.1
Winter 2014 ‘Initial Release’: AGP v1.0
Winter 2018 ‘A Confusing Dependency’
2024 Present Day: AGP v8.x

Slide 14

A Confusing Dependency… (Márton Braun, @zsmb13)

Slide 15

A Confusing Dependency… (Márton Braun, @zsmb13)
com.example:foo:0.0.1 FROM jitpack.io

Slide 16

A Confusing Dependency… (Márton Braun, @zsmb13)
java.lang.SecurityException: Permission denied (missing INTERNET permission?)
    at java.net.Inet6AddressImpl.lookupHostByName(Inet6AddressImpl.java:135)
    at java.net.Inet6AddressImpl.lookupAllHostAddr(Inet6AddressImpl.java:90)
    at java.net.InetAddress.getByName(InetAddress.java:743)
💧

Slide 17

???

Slide 18

A Confusing Dependency… (Márton Braun, @zsmb13)
repositories {
    google()
    jcenter()
    maven { url "https://jitpack.io" }
}
dependencies {
    implementation 'com.example:foo:0.0.1'
}

Slide 19

A Confusing Dependency…
repositories {
    google()
    jcenter()
    maven { url "https://jitpack.io" }
}
dependencies {
    implementation 'com.example:foo:0.0.1'
}

Slide 20

A Confusing Dependency…
com.example:foo:0.0.1: Does not exist
repositories {
    google()
    jcenter()
    maven { url "https://jitpack.io" }
}
dependencies {
    implementation 'com.example:foo:0.0.1'
}

Slide 21

A Confusing Dependency…
com.example:foo:0.0.1: Shouldn’t exist…
repositories {
    google()
    jcenter()
    maven { url "https://jitpack.io" }
}
dependencies {
    implementation 'com.example:foo:0.0.1'
}

Slide 22

Introducing: ‘Fake Wharton’

Slide 23

A Confusing Dependency…
jakewhaarton/timber/com.example:foo:0.0.1
repositories {
    google()
    jcenter()
    maven { url "https://jitpack.io" }
}
dependencies {
    implementation 'com.example:foo:0.0.1'
}

Slide 24

A Confusing Dependency…
jakewhaarton/timber/com.example:foo:0.0.1
repositories {
    google()
    jcenter()
    maven { url "https://jitpack.io" }
}
dependencies {
    implementation 'com.example:foo:0.0.1'
}

Slide 25

A Confusing Dependency…
jakewhaarton/timber/com.example:foo:0.0.1
repositories {
    google()
    jcenter()
    maven { url "https://jitpack.io" }
}
dependencies {
    implementation 'com.example:foo:0.0.1'
}

Slide 26

Long story short…

Slide 27

(no text on this slide)

Slide 28

Trust no one
Original write-up link available @ spght.dev/talks (Thanks Márton!)

Slide 29

Dependency Verification

Slide 30

Dependency Verification
• Are my app’s dependencies legitimate? 🧐
• Is integrity compromised?
  • i.e. Are the files the ones we expected?
• Is the origin compromised?
  • i.e. Was it published by the expected author?
  • a.k.a. the ‘provenance’

Slide 31

Dependency Verification
• Gradle offers a solution for both:
  • Checksum Verification
  • Signature Verification

Slide 32

Checksum Verification

Slide 33

Checksum Verification Example
• A checksum is used to confirm that a file is unchanged
• Common algorithms to use: MD5 / SHA-1 / SHA-256
  • MD5 was proven to be broken in the late 90s
  • SHA-1 was also proven to be broken in 2017

Slide 34

Checksum Verification Example
$ echo "Hello World" >> example.txt

SHA-1
$ shasum example.txt
648a6a6ffffdaa0badb23…

SHA-256
$ shasum -a 256 example.txt
d2a84f4b8b650937ec8f73…

Slide 35

Gradle Dependency Setup
./gradlew --write-verification-metadata sha256

Slide 36

Gradle Dependency Setup
./gradlew --write-verification-metadata sha256
Generates: {project root}/gradle/verification-metadata.xml

Slide 37

Gradle Dependency Setup
./gradlew --write-verification-metadata sha256
Generates: {project root}/gradle/verification-metadata.xml, whose configuration block begins:
<verify-metadata>true</verify-metadata>
<verify-signatures>false</verify-signatures>
…

Slide 38

Gradle Dependency Setup
./gradlew --write-verification-metadata sha256
Generates: {project root}/gradle/verification-metadata.xml

Slide 39

How it works…
(diagram: Maven Repo)

Slide 40

How it works…
(diagram: Maven Repo, serving .sha256 / .sha512 checksum files)

Slide 41

Reporting issues

Slide 42

Reporting issues

Slide 43

Reporting issues
{project root}/gradle.properties
org.gradle.dependency.verification.console=verbose

Slide 44

Reporting issues
{project root}/build/reports/dependency-verification

Slide 45

Signature Verification

Slide 46

Signature Verification Example
• Public Maven repos often require signed artifacts
• Signed using the PGP standard
• Developer must create a key-pair
  • Upload the public key to a key-server
  • Sign artifacts and upload them to the Maven repo

Slide 47

Gradle Dependency Setup
./gradlew --write-verification-metadata sha256,pgp

Slide 48

Gradle Dependency Setup
./gradlew --write-verification-metadata sha256,pgp
Generates: {project root}/gradle/verification-metadata.xml, whose configuration block begins:
<verify-metadata>true</verify-metadata>
<verify-signatures>true</verify-signatures>
…

Slide 49

Gradle Dependency Setup
./gradlew --write-verification-metadata sha256,pgp
Generates: {project root}/gradle/verification-metadata.xml
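The file that `--write-verification-metadata` generates is only worth anything if both verification modes stay switched on and nobody quietly downgrades a pin to MD5 or SHA-1 (which the checksum slides call broken). The script below is an added example, not from the talk and not part of Gradle: a small CI-style lint over `gradle/verification-metadata.xml`. It assumes the one-line `<verify-metadata>` / `<verify-signatures>` elements and `<sha256 value="…"/>` entries that Gradle writes, parses them with sed/grep rather than a real XML parser, and builds its own constructed sample files with placeholder checksum values.

```shell
#!/bin/sh
# Added example (not from the talk, not Gradle's own tooling): a CI lint for
# gradle/verification-metadata.xml. Fails the build when either verification
# mode is off and counts pins that still rely on MD5/SHA-1 or look malformed.

# First text value of a simple one-line <tag>value</tag> element.
xml_value() {                       # $1 = file, $2 = element name
  sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# Succeeds only when verify-metadata AND verify-signatures are both "true".
check_verification_modes() {        # $1 = verification-metadata.xml
  [ "$(xml_value "$1" verify-metadata)" = "true" ] &&
  [ "$(xml_value "$1" verify-signatures)" = "true" ]
}

# Number of checksum entries using a broken algorithm (<md5 .../>, <sha1 .../>).
count_weak_checksums() {            # $1 = verification-metadata.xml
  grep -c -E '<(md5|sha1) ' "$1" || true
}

# Number of <sha256 value="..."/> entries whose value is not 64 hex characters;
# a hand-edited or truncated value can never match the real artifact.
count_malformed_sha256() {          # $1 = verification-metadata.xml
  grep -o '<sha256 value="[^"]*"' "$1" |
    grep -v -E '^<sha256 value="[0-9a-f]{64}"$' |
    grep -c . || true
}

# Constructed sample in the shape Gradle writes. Checksum values passed in
# are placeholders, not real artifact hashes.
write_sample_metadata() {           # $1 = path, $2 = verify-signatures value, $3 = checksum element
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata>
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>$2</verify-signatures>
   </configuration>
   <components>
      <component group="com.jakewharton.timber" name="timber" version="5.0.1">
         <artifact name="timber-5.0.1.aar">
            $3
         </artifact>
      </component>
   </components>
</verification-metadata>
EOF
}

# Demo: a fully switched-on file passes; one with signatures off and an MD5 pin fails.
tmp=$(mktemp -d)
write_sample_metadata "$tmp/good.xml" true \
  "<sha256 value=\"$(printf '%064d' 0)\" origin=\"Generated by Gradle\"/>"
write_sample_metadata "$tmp/weak.xml" false \
  "<md5 value=\"$(printf '%032d' 0)\" origin=\"Generated by Gradle\"/>"
for f in good weak; do
  if check_verification_modes "$tmp/$f.xml"; then modes=on; else modes=incomplete; fi
  echo "$f.xml: verification modes $modes, weak checksums: $(count_weak_checksums "$tmp/$f.xml"), malformed sha256: $(count_malformed_sha256 "$tmp/$f.xml")"
done
rm -r "$tmp"
```

Run it from the project root against `gradle/verification-metadata.xml` in CI and fail the job on a non-zero exit or a non-zero weak/malformed count; the regex-based parsing is deliberately simple and only handles the flat layout Gradle itself emits.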

Slide 50

How it works…
(diagram: Maven Repo)

Slide 51

How it works…
(diagram: Maven Repo, serving timber-5.0.1.aar and its .asc signature timber-5.0.1.aar.asc)

Slide 52

How it works…

Slide 53

Dependency Verification: The pros…
• Gain trust in your app’s dependencies
• Flexible in the type of verification you wish to use
• Supply chain attacks mitigated
• You will sleep a lot easier at night! (and so will I)

Slide 54

Dependency Verification: The cons…
• This is not a frictionless process
• You MUST start with total trust in the dependencies
  • You could still include compromised dependencies
• XML 💩
• Simplest solution: Ship with no dependencies! (Yes, really 😅)

Slide 55

Repository Filter
• Filter what packages can be fetched from repos
• Rules to include and exclude dependencies
• Works for dependencies and plugins
• Note: Use Gradle 7.0+ (due to CVE-2021-29427)*
* Discovered by Droidcon regular @ZacSweers

Slide 56

Repository Filter
repositories {
    maven {
        url "https://jitpack.io"
        content {
            // Fetch dependencies
            includeGroup "com.example"
            includeModule("com.example", "foo")
            // Exclude dependencies
            excludeGroupByRegex("dev\\.spght\\..*")
        }
    }
}

Slide 57

Repository Filter
• Gain trust that your dependencies come from the right source
• Ordering issues eliminated
• Can easily create simple or complex rulesets
• Do not leak dependencies by calling multiple repos

Slide 58

Android & Gradle: A timeline…
Fall 2012 ‘New Build Tool’: AGP v0.1
Winter 2014 ‘Initial Release’: AGP v1.0
Winter 2018 ‘A Confusing Dependency’
2023 Present Day: AGP v8.x

Slide 59

Android & Gradle: A timeline…
Winter 2014 ‘Initial Release’: AGP v1.0
Winter 2018 ‘A Confusing Dependency’
Winter 2022 ‘Wrapper Exploit Observed’
2023 Present Day: AGP v8.x

Slide 60

Where’s a great place to see hacking in the wild?

Slide 61

(no text on this slide)

Slide 62

Background (It’s relevant, I promise)
• MinecraftOnline.com
• Oldest multiplayer Minecraft server (2010-present)
• 290,000 unique players

Slide 63

Background (It’s relevant, I promise)
• Minecraft servers use ‘plugins’
• Plugins are JVM language projects (like Android)
• Gradle is the build system used (like Android)

Slide 64

What happened?
Banned Player

Slide 65

What happened?
Totally Legit Player

Slide 66

What happened?
Totally Legit Dev-Team Member

Slide 67

What happened?
Totally Legit Dev-Team Member
Malicious Commit 😈

Slide 68

What happened?
Totally Legit Dev-Team Member

Slide 69

How to prevent this!
• First known public supply-chain attack on the Wrapper
• Verification of the wrapper’s integrity prevents this
• Verification of the Gradle binary is a good second step
• Hashes of wrapper and distributions available at gradle.org/release-checksums

Slide 70

Gradle Wrapper Verification
Verification Script: gist.github.com/ed-george/3751d09ccdfd33cfe48d8987d9f68510

Slide 71

Gradle Wrapper Verification
GitHub Action: github.com/marketplace/actions/gradle-wrapper-validation
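The wrapper check is the checksum example from earlier applied to one specific file: hash the checked-in `gradle/wrapper/gradle-wrapper.jar` and look the digest up in the list of published wrapper checksums. The script below is an added example, written for this page; it is neither the speaker's gist nor the GitHub Action, and it makes two assumptions: the known-good list is a local text file with one `<sha256> <gradle version>` per line that the team fills in from gradle.org/release-checksums, and the jars and hashes in the demo are constructed throwaway files, not real Gradle artifacts or hashes.

```shell
#!/bin/sh
# Added example (not the talk's gist, not the GitHub Action): verify a
# checked-in gradle-wrapper.jar against a list of known-good SHA-256 digests
# and report which Gradle release it belongs to. An edited jar matches no
# published release, so the check fails closed on anything unknown.

sha256_of() {                        # $1 = file; prints the hex digest
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1   # macOS ships shasum, not sha256sum
  fi
}

# Prints the Gradle version whose published checksum matches the jar, or
# fails (exit 1) when no line of the list matches.
# Assumed list format: "<sha256> <version>" per line (filled in from
# gradle.org/release-checksums by the team, not fetched here).
wrapper_version() {                  # $1 = gradle-wrapper.jar, $2 = checksum list
  actual=$(sha256_of "$1")
  version=$(awk -v want="$actual" '$1 == want { print $2; exit }' "$2")
  [ -n "$version" ] && echo "$version"
}

# CI entry point: readable verdict, non-zero exit on an unknown jar.
verify_wrapper() {                   # $1 = gradle-wrapper.jar, $2 = checksum list
  if v=$(wrapper_version "$1" "$2"); then
    echo "OK: $1 matches the Gradle $v wrapper"
  else
    echo "FAIL: $1 matches no known Gradle wrapper (sha256 $(sha256_of "$1"))" >&2
    return 1
  fi
}

# Constructed demo data: stand-in "jars" and a checksum list derived from them.
make_demo() {                        # $1 = directory to populate
  printf 'constructed stand-in for the 7.5 wrapper jar\n' > "$1/wrapper-7.5.jar"
  printf 'constructed stand-in for the 7.6 wrapper jar\n' > "$1/wrapper-7.6.jar"
  {
    echo "$(sha256_of "$1/wrapper-7.5.jar") 7.5"
    echo "$(sha256_of "$1/wrapper-7.6.jar") 7.6"
  } > "$1/wrapper-checksums.txt"
  # A tampered copy: the genuine 7.5 bytes plus one appended byte.
  { cat "$1/wrapper-7.5.jar"; printf 'x'; } > "$1/tampered-wrapper.jar"
}

demo=$(mktemp -d)
make_demo "$demo"
verify_wrapper "$demo/wrapper-7.5.jar" "$demo/wrapper-checksums.txt"
verify_wrapper "$demo/tampered-wrapper.jar" "$demo/wrapper-checksums.txt" || true
rm -r "$demo"
```

In a real pipeline, point `verify_wrapper` at `gradle/wrapper/gradle-wrapper.jar` and a checksum list committed alongside the project; keeping the list in the repository means the comparison works offline, at the cost of having to refresh it when you bump the wrapper.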

Slide 72

Verifying the Wrapper: The pros…
• Mega straightforward
• You could probably do it before I finish this talk
• Easily slips into most CI pipelines
• GitHub users pretty much get it for free

Slide 73

Verifying the Wrapper: The cons…
• Still fairly unlikely to be an attack vector
• Otherwise, no other cons (that I can think of)!

Slide 74

Verifying the Distribution
{project root}/gradle/wrapper/gradle-wrapper.properties
distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-bin.zip

Slide 75

Verifying the Distribution
{project root}/gradle/wrapper/gradle-wrapper.properties
distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-bin.zip
distributionSha256Sum=cb87f222c5585bd46838ad4…

Slide 76

Verifying the Distribution
./gradlew wrapper --gradle-version=7.5 \
    --gradle-distribution-sha256-sum=cb87f222c…

Slide 77

Verifying the Distribution
./gradlew wrapper --gradle-version=7.5 \
    --gradle-distribution-sha256-sum=cb87f222c…
Remember: Run this cmd twice!
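Because the pin lives in a properties file that anyone can edit, the slides' "remember to update it" con is easiest to handle with a check that runs on every build. The script below is an added example, not from the talk and not a Gradle feature: it reads `gradle/wrapper/gradle-wrapper.properties` and fails unless `distributionUrl` is an https URL on the expected host and `distributionSha256Sum` is present and a full 64-character hex digest (a truncated value like the `cb87f222c…` shown on the slide is rejected). It assumes the expected host is `services.gradle.org` (override `WRAPPER_HOST` for an internal mirror), and the sample files it writes use a placeholder checksum, not the real `gradle-7.5-bin.zip` hash.

```shell
#!/bin/sh
# Added example (not from the talk, not part of Gradle): a CI check that
# gradle-wrapper.properties pins the distribution by https URL and SHA-256.
# Assumption: distributions come from services.gradle.org unless overridden.
WRAPPER_HOST=${WRAPPER_HOST:-services.gradle.org}

# Value of key=value from a Java properties file, with the "\:" escaping that
# Gradle writes into distributionUrl undone.
prop_value() {                       # $1 = file, $2 = key
  sed -n "s|^$2=||p" "$1" | head -n 1 | sed 's|\\:|:|g'
}

# Prints one line per problem and returns non-zero if any were found.
check_wrapper_properties() {         # $1 = gradle-wrapper.properties
  url=$(prop_value "$1" distributionUrl)
  sum=$(prop_value "$1" distributionSha256Sum)
  ok=0
  case "$url" in
    "https://$WRAPPER_HOST/distributions/"*.zip) ;;
    *) echo "distributionUrl is not an https URL on $WRAPPER_HOST: '$url'"; ok=1 ;;
  esac
  if [ -z "$sum" ]; then
    echo "distributionSha256Sum is missing; run ./gradlew wrapper --gradle-version=<v> --gradle-distribution-sha256-sum=<sum> (twice)"
    ok=1
  elif ! printf '%s\n' "$sum" | grep -q -E '^[0-9a-f]{64}$'; then
    echo "distributionSha256Sum is not a 64-character hex SHA-256: '$sum'"
    ok=1
  fi
  return $ok
}

# Constructed sample files in the layout Gradle writes; the checksum values
# used in the demo are placeholders, not the real distribution hash.
write_props() {                      # $1 = path, $2 = distributionUrl line, $3 = distributionSha256Sum line or ""
  {
    echo 'distributionBase=GRADLE_USER_HOME'
    echo 'distributionPath=wrapper/dists'
    echo "$2"
    if [ -n "$3" ]; then echo "$3"; fi
    echo 'zipStoreBase=GRADLE_USER_HOME'
    echo 'zipStorePath=wrapper/dists'
  } > "$1"
}

tmp=$(mktemp -d)
write_props "$tmp/pinned.properties" \
  'distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-bin.zip' \
  "distributionSha256Sum=$(printf '%064d' 0)"
write_props "$tmp/unpinned.properties" \
  'distributionUrl=http\://mirror.example.invalid/gradle-7.5-bin.zip' ''
for f in pinned unpinned; do
  if check_wrapper_properties "$tmp/$f.properties"; then
    echo "$f.properties: OK"
  else
    echo "$f.properties: FAIL"
  fi
done
rm -r "$tmp"
```

This complements the wrapper-jar check rather than replacing it: the properties file says which distribution to download and what it must hash to, while the jar is the code that performs that download and comparison, so both need to be what you expect.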

Slide 78

Verifying the Distribution

Slide 79

Verifying the Distribution: The pros…
• Guarantees the integrity of your Gradle distro
• Simple to set up
• Verification is quick

Slide 80

Verifying the Distribution: The cons…
• Remembering to update via the wrapper command and flag
  • As well as remembering to call it twice…
• Again, not many other cons (that I can think of)!

Slide 81

Verifying the gradlew file (Not yet)
• The gradlew script is also often overlooked
• No official process for verifying it
• Roll your own solution? 😅
• Have thorough PR review processes!

Slide 82

Verifying the gradlew file (Not yet)

Slide 83

Summary

Slide 84

In summary…
• Gradle supply-chain attacks are very rare but do occur
• Consider dependency verification
• Use repository filtering to ensure the origin
• Verify your wrappers
• Verify your distribution

Slide 85

I want to learn more… (Perhaps from someone better?!)
• Great talk by Cédric Champeau from Gradle at Devoxx 2019
• Gradle Security documentation
• Speak to a nice human from Gradle @ Android Makers

Slide 86

I was asleep/hungover/otherwise absent for this talk. What did I miss?
Now also available as a blog!

Slide 87

Droidcon Lisbon 2-for-1 Offer!!!
I am talking again today, 14:20 in this room: “How to keep your app’s secret, secret!”

Slide 88

spght.dev/talks
For more in-depth Mobile Security talks/blogs

Slide 89

Thanks!
spght.dev/talks

Slide 90

EOF
spght.dev/talks