Slide 1

Slide 1 text

Don’t get stung by OWASP: An intro into writing code for greater Android Security
@Sp4ghettiCode / spght.dev
Android Worldwide, Jan 2022
Ed George

Slide 2

Slide 2 text

Who am I?
• Senior Android Dev @ ASOS
• Dad to a Pomeranian 🐶
• Security ‘enthusiast’ (note: not expert)
Find me on social:
• @Sp4ghettiCode 🍝
• spght.dev/talks
• Follow me for more! (And dog pictures)

Slide 3

Slide 3 text

Talk Agenda (AKA what I hope I have enough time to cover)
• Introduction to some of the OWASP Top 10
• Address the most common mistakes in our apps
• Look into securing data within Room / Shared Prefs
• Q&A
• Bonus: The time I was stung by 50 wasps IRL 🙈🐝

Slide 4

Slide 4 text

⚠ MANDATORY LEGAL WARNING ⚠ (you know, just in case someone goofs up later)
• Anything you learn here is to be used for educational purposes ONLY
• Do NOT test on apps you are not authorised to use
• Please consider seeking your company’s security advice from someone that knows a lot more than me!
• This talk is NOT associated with and/or endorsed by the OWASP Foundation or my employer!

Slide 5

Slide 5 text

Why should we* care about security? (* we = mobile developers)

Slide 6

Slide 6 text

Why should we care?
• The mobile attack surface is HUGE and growing
• Mobile security is often neglected by organisations + devs
• Growing financial incentives for malicious actors
• Mobile security is not rocket science (as we shall see)!
• Mobile’s own ‘Log4Shell’ is always right around the corner…

Slide 7

Slide 7 text

“It takes years to build a reputation and a few minutes of a cyber-incident to ruin it.”
– Stéphane Nappo, ‘Global Chief Information Security Officer of the Year 2018’

Slide 8

Slide 8 text

Introducing OWASP

Slide 9

Slide 9 text

‘Who’ or ‘What’ is OWASP?
• Open Web Application Security Project
• Started in 2001; the non-profit OWASP Foundation that runs it was incorporated in 2004
• Provides free security resources for developers & organisations alike
• Also maintains ‘Top 10’ list(s) of the greatest threats to application security

Slide 10

Slide 10 text

Top 10 Mobile Threats
Source: owasp.org/www-project-mobile-top-10 (last updated 2016)
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorisation
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality

Slide 11

Slide 11 text

Top 10 Mobile Threats (the same list as Slide 10): this talk covers the first 5, M1 to M5.

Slide 12

Slide 12 text

Improper Platform Usage (#1 OWASP Threat): IT’S YOU.

Slide 13

Slide 13 text

Improper Platform Usage (#1 OWASP Threat)
• Misuse of Android features by YOU, the developer
• Intents
• Android Keychain
• App security features
• Basically, any time you use the Android framework and mess it up 🤪

Slide 14

Slide 14 text

Improper Platform Usage: Example
• Introducing: My Secure App™
• Simple ‘Login Flow’
• “Login Activity”
• “Home/Main Activity”
• Home is ‘only accessible’ with PIN 1234
Source available @ spght.dev/talks

Slide 15

Slide 15 text

Improper Platform Usage: Can you spot the mistake?

Slide 16

Slide 16 text

Improper Platform Usage: Can you spot the mistake?

Slide 17

Slide 17 text

Improper Platform Usage: How is this exploited?
• Use a tool like ‘drozer’ to scan the app for exported (and therefore attackable) activities, broadcast receivers and content providers
• github.com/FSecureLABS/drozer
• Run ADB to exploit
Source: securitygrind.com

Slide 18

Slide 18 text

Improper Platform Usage: Exploit Demo
    adb shell am start -n dev.spght.owasp/dev.spght.owasp.home.MainActivity
Starting the Home activity by its explicit component name skips LoginActivity (and its PIN) entirely. It works from adb, or from any other app, because the activity is exported.

Slide 19

Slide 19 text

Improper Platform Usage: Fixing the exploit
Declare the post-login activity with android:exported="false" (and drop any intent-filter it does not need) so only the app itself can start it. Once that is done, the adb command above fails with a Permission Denial, because the shell user is not the app.

Slide 20

Slide 20 text

Improper Platform Usage: Example #2
• ‘Tap-jacking’ vulnerability
• Apps can draw over other apps and monitor their contents
• They can also pass spoofed touch events
• Combined, this can be used maliciously to trick users into entering passwords, accepting permissions, etc.
• Drawing over other apps needs the SYSTEM_ALERT_WINDOW permission, and only since Android 6.0 has the user had to grant it explicitly in Settings

Slide 21

Slide 21 text

Improper Platform Usage: Exploit Demo
• ‘Tap-jacking’ example
• Bypassed any need for permission!
• Patched as of Android N (Dec 2017)
• This could have happened silently!
Credit: Constantinos Patsakis
Source: youtu.be/zSb_QcDgJ64

Slide 22

Slide 22 text

Improper Platform Usage: Fixing the exploit #2
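Both fixes in checkable form, as an added example that is not the deck's code: a small Python linter over a constructed AndroidManifest.xml (only the package and activity names come from the adb command on Slide 18; the OPEN_HOME action is hypothetical) that reports every component other apps can launch, beside the corrected manifest; and the same kind of check over a constructed login layout for the tap-jacking mitigation Android documents, android:filterTouchesWhenObscured="true" (View.setFilterTouchesWhenObscured(true) in code). Standard library only, so it runs offline.

```python
"""Added example (not the deck's app): lint an AndroidManifest.xml for components
other apps can reach, and a login layout for tap-jacking exposure. Inputs are
constructed; only the package and activity names come from the talk."""
import xml.etree.ElementTree as ET
from typing import List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
PASSWORD_INPUT_TYPES = ("textPassword", "numberPassword", "textWebPassword")


def _attr(elem: ET.Element, name: str) -> Optional[str]:
    """Read an android:* attribute (ElementTree expands the namespace prefix)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed manifest with the talk's mistake: MainActivity has an intent-filter
# but no android:exported, so below targetSdk 31 it is exported by default and
# `adb shell am start -n dev.spght.owasp/.home.MainActivity` skips the login
# screen. The OPEN_HOME action is hypothetical.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="dev.spght.owasp">
  <application>
    <activity android:name=".login.LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".home.MainActivity">
      <intent-filter><action android:name="dev.spght.owasp.OPEN_HOME"/></intent-filter>
    </activity>
  </application>
</manifest>"""

# The fix: drop the unneeded intent-filter and say exported="false" explicitly
# (Android 12 / targetSdk 31 refuses to install filtered components without it).
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(
    '<activity android:name=".home.MainActivity">\n'
    '      <intent-filter><action android:name="dev.spght.owasp.OPEN_HOME"/></intent-filter>\n',
    '<activity android:name=".home.MainActivity" android:exported="false">\n',
)


def audit_manifest(xml_text: str) -> List[str]:
    """One finding per component any other app may start without a permission.
    (Content-provider defaults, exported before API 17, are not modelled.)"""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENTS:
            continue
        name = _attr(comp, "name") or "?"
        if name.startswith("."):
            name = pkg + name
        exported = _attr(comp, "exported")
        if exported == "true":
            why = 'android:exported="true"'
        elif exported is None and comp.find("intent-filter") is not None:
            why = "intent-filter without android:exported (exported by default)"
        else:
            continue
        if _attr(comp, "permission"):
            continue  # exported on purpose, but callers must hold a permission
        findings.append(f"{comp.tag} {name}: {why}")
    return findings


# Constructed login layout. The documented mitigation for tap-jacking is
# android:filterTouchesWhenObscured="true" (View.setFilterTouchesWhenObscured),
# which makes the view drop touches delivered while another window covers it.
VULNERABLE_LAYOUT = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <EditText android:id="@+id/pin" android:inputType="numberPassword"/>
  <Button android:id="@+id/login" android:text="Login"/>
</LinearLayout>"""
FIXED_LAYOUT = VULNERABLE_LAYOUT.replace("/>", ' android:filterTouchesWhenObscured="true"/>')


def audit_layout(xml_text: str) -> List[str]:
    """Flag password fields and buttons that still accept touches while obscured."""
    root = ET.fromstring(xml_text)
    findings = []
    for view in root.iter():
        input_type = _attr(view, "inputType") or ""
        sensitive = view.tag.endswith("Button") or any(
            t in input_type for t in PASSWORD_INPUT_TYPES)
        if sensitive and _attr(view, "filterTouchesWhenObscured") != "true":
            findings.append(f"{view.tag} {_attr(view, 'id') or '?'}: tap-jackable")
    return findings


if __name__ == "__main__":
    for label, report in (("vulnerable manifest", audit_manifest(VULNERABLE_MANIFEST)),
                          ("fixed manifest", audit_manifest(FIXED_MANIFEST)),
                          ("vulnerable layout", audit_layout(VULNERABLE_LAYOUT)),
                          ("fixed layout", audit_layout(FIXED_LAYOUT))):
        print(label, report)
```

The launcher activity is still reported for both manifests, which is the point: every exported component is attack surface to be justified, and the launcher is the one that should be. Run the same two functions over the merged manifest that the build produces (build/intermediates/merged_manifests) rather than the source file, since library manifests can add exported components you never wrote.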

Slide 23

Slide 23 text

Insecure Data Storage (#2 OWASP Threat): IT’S YOUR DATA.

Slide 24

Slide 24 text

Insecure Data Storage (#2 OWASP Threat)
• SharedPreferences
  • Stores key-value pairs in a plaintext XML file
  • Trivial to access
• Room Database
  • A plain SQLite database
  • Again, trivial to access stored data

Slide 25

Slide 25 text

Insecure Data Storage: Exploit
• Possible to reverse engineer the app to make it ‘debuggable’ (then adb shell run-as reads its private files without root)
• Rooted phones… have root! 🪱🥫
• SharedPreferences XML files live in /data/data/<package>/shared_prefs
• Databases live in /data/data/<package>/databases

Slide 26

Slide 26 text

Insecure Data Storage: Jetpack Security Library
• developer.android.com/topic/security/data
• Provides EncryptedSharedPreferences
• Utilises Google’s Tink crypto library
• Currently v1.0.0 stable (April 2021)
• v1.1.0-alpha03 (May 2021) lowers the minimum to API 21+

Slide 27

Slide 27 text

Insecure Data Storage: EncryptedSharedPreferences Migration

    import androidx.security.crypto.EncryptedSharedPreferences
    import androidx.security.crypto.MasterKey

    // Drop-in replacement for a plaintext SharedPreferences file: keys and values are
    // encrypted with data keys wrapped by an AES-256-GCM master key in the Android Keystore.
    val prefs = EncryptedSharedPreferences.create(
        context,
        "my_secure_app_prefs",
        MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
    // Note: values in an existing plaintext prefs file are NOT migrated automatically;
    // copy them across once, then delete the old file.

Slide 28

Slide 28 text

Insecure Data Storage: SQLCipher
• github.com/sqlcipher/android-database-sqlcipher
• Provides a custom SupportSQLiteOpenHelper.Factory implementation (SupportFactory), so it plugs straight into Room
• Implements 256-bit AES encryption of database files
• Uses a ‘passphrase’ to unlock files to allow read/write

Slide 29

Slide 29 text

Insecure Data Storage: SQLCipher

    import net.sqlcipher.database.SQLiteDatabase
    import net.sqlcipher.database.SupportFactory

    // getBytes() takes a CharArray, so the passphrase never has to become an immutable
    // String. It must come from the user or a Keystore-protected secret; a constant in
    // the APK is recovered by anyone who decompiles it, and the encryption is worthless.
    val passphrase: ByteArray = SQLiteDatabase.getBytes(userEnteredPassphrase) // CharArray
    // SupportFactory zeroes the passphrase bytes after the database is opened (default).
    val factory = SupportFactory(passphrase)
    val room: MyDatabase = Room.databaseBuilder(ctx, MyDatabase::class.java, DB_NAME)
        .openHelperFactory(factory)
        .build()

Slide 30

Slide 30 text

Insecure Data Storage: Cheatsheet
• SharedPreferences: stores data in plaintext by default ✅; provides encryption ❌; min API 1; first-party support ✅
• Room: stores data in plaintext by default ✅; provides encryption ❌; min API 14; first-party support ✅
• Realm: stores data in plaintext by default ✅; provides encryption ⚠ not by default; min API 16; first-party support ❌
• EncryptedSharedPreferences: stores data in plaintext ❌; provides encryption ✅; min API 23 (v1.0.0) or 21 (v1.1.0 alpha); first-party support ✅
• SQLCipher: stores data in plaintext ❌; provides encryption ✅; min API 16; first-party support ❌
Note: DataStore omitted here, but at time of writing (Jan 2022) it has no support for encryption

Slide 31

Slide 31 text

Insecure Communication (#3 OWASP Threat): IT’S YOUR NETWORKING.

Slide 32

Slide 32 text

Insecure Communication (#3 OWASP Threat)
• Misconfigured Network Security Configuration
• Allowing clear-text traffic (i.e. plain HTTP instead of HTTPS)
• User-installed CA certificates trusted
• Logging network traffic in Logcat
• No certificate pinning / Certificate Transparency checks

Slide 33

Slide 33 text

Insecure Communication: Exploit
• Use tools such as Charles Proxy
• Breakpoints allow for modification of request / response
• TLS interception (‘SSL proxying’) is possible when user-installed certificates are trusted

Slide 34

Slide 34 text

Insecure Communication: Network Security Config

Slide 35

Slide 35 text

Insecure Communication: Network Security Config
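As an added example, not the deck's own config or code: the weak network_security_config.xml beside a hardened one, and a standard-library Python check that flags the points listed on Slide 32. Both files are constructed; api.example.com and the two pin values are placeholders (real pins are base64 SHA-256 hashes of the certificates' SubjectPublicKeyInfo).

```python
"""Added example (not the deck's files): lint res/xml/network_security_config.xml
for the weaknesses on the 'Insecure Communication' slide. Configs constructed."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed "debug convenience" config that shipped in a release build: plain
# HTTP allowed, user-installed CAs trusted (so a Charles/Burp root certificate
# decrypts everything), and no pinning.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Hardened: no cleartext, system CAs only, pins for the API host with a backup
# pin and an expiry (after which Android falls back to the trust anchors instead
# of breaking the app). User CAs are allowed only under <debug-overrides>, which
# the platform applies to debuggable builds only. Host and pins are placeholders.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2023-01-31">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""


def audit_nsc(xml_text: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is None or base.get("cleartextTrafficPermitted") is None:
        findings.append("base-config does not set cleartextTrafficPermitted "
                        "(platform default is true below targetSdkVersion 28)")
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{cfg.tag}: cleartext (plain HTTP) traffic permitted")
        for cert in cfg.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{cfg.tag}: user-installed CAs trusted in release; "
                                "any proxy certificate can intercept TLS")
    pin_sets = list(root.iter("pin-set"))
    if not pin_sets:
        findings.append("no pin-set: certificate pinning not configured")
    for ps in pin_sets:
        if len(ps.findall("pin")) < 2:
            findings.append("pin-set with a single pin: no backup pin for key rotation")
        if ps.get("expiration") is None:
            findings.append("pin-set without expiration: a missed rotation locks users out")
    return findings


if __name__ == "__main__":
    print("weak:", audit_nsc(WEAK_CONFIG))
    print("hardened:", audit_nsc(HARDENED_CONFIG))
```

Pinning is only enforced for connections that go through the platform's trust manager (HttpsURLConnection, OkHttp and so on); native TLS stacks bundled in the app ignore this file, and so does any code that installs its own TrustManager. Check that too when you review an app.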

Slide 36

Slide 36 text

Insecure Authentication (#4 OWASP Threat): IT’S YOUR IDENTITY.

Slide 37

Slide 37 text

Insecure Authentication (#4 OWASP Threat)
• APIs that don’t utilise access tokens
• Storing passwords / PINs locally
• Weak password policies
• Persistent authentication enabled by default

Slide 38

Slide 38 text

Insecure Authentication (#4 OWASP Threat)
• Use revocable tokens in your APIs
• Don’t do any authentication locally if you can avoid it
• PINs should be 5+ digits long
• Make ‘remember me’ functionality opt-in
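An added example, not the talk's app: what an attacker does with a PIN digest pulled out of shared_prefs, beside the server-side design the slide recommends (salted PBKDF2, constant-time comparison, lockout after repeated failures, revocable bearer tokens). The PinService class, its users and the work factor are constructed for the demo. Note the caveat on PIN length: offline, a 5-digit PIN falls as quickly as a 4-digit one; length only buys anything against online guessing, and only when the server enforces a lockout.

```python
"""Added example (not the deck's code): a locally stored PIN is not
authentication; the server-side alternative with lockout and revocable tokens."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple


# --- Anti-pattern from the slide: PIN checked on the device ----------------
def store_pin_locally(pin: str) -> str:
    """Unsalted SHA-1 of the PIN, the kind of value found in shared_prefs."""
    return hashlib.sha1(pin.encode()).hexdigest()


def crack_local_pin(digest: str, length: int) -> Tuple[Optional[str], int]:
    """Offline guessing once the digest has left the device. Returns (pin, guesses).
    100,000 guesses for a 5-digit PIN take well under a second here."""
    for n in range(10 ** length):
        guess = f"{n:0{length}d}"
        if hashlib.sha1(guess.encode()).hexdigest() == digest:
            return guess, n + 1
    return None, 10 ** length


# --- What the slide recommends: verify on the server, issue revocable tokens --
class PinService:
    """Constructed server-side PIN verification with lockout and bearer tokens."""
    MAX_FAILURES = 5        # lock the account after this many wrong PINs in a row
    ITERATIONS = 100_000    # PBKDF2 work factor; tune to the server's budget

    def __init__(self) -> None:
        self._users: Dict[str, List] = {}    # user -> [salt, derived key, failures]
        self._tokens: Dict[str, str] = {}    # token -> user

    def _derive(self, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.ITERATIONS)

    def enrol(self, user: str, pin: str) -> None:
        salt = os.urandom(16)            # per-user salt: no shared rainbow table
        self._users[user] = [salt, self._derive(pin, salt), 0]

    def is_locked(self, user: str) -> bool:
        rec = self._users.get(user)
        return rec is not None and rec[2] >= self.MAX_FAILURES

    def login(self, user: str, pin: str) -> Optional[str]:
        """Return a fresh bearer token on success, None on failure or lockout.
        (A production service would also run the KDF for unknown users so that
        response time does not reveal which usernames exist.)"""
        rec = self._users.get(user)
        if rec is None or self.is_locked(user):
            return None
        salt, key, _ = rec
        if not hmac.compare_digest(self._derive(pin, salt), key):
            rec[2] += 1                  # the lockout, not the hash, is what protects a short PIN
            return None
        rec[2] = 0
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a bearer token; None once it has been revoked."""
        return self._tokens.get(token)

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)

    def revoke_all(self, user: str) -> int:
        """Log a user out everywhere (password change, device lost); returns count."""
        doomed = [t for t, u in self._tokens.items() if u == user]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


if __name__ == "__main__":
    print("offline:", crack_local_pin(store_pin_locally("1234"), 4))
    svc = PinService()
    svc.enrol("alice", "97531")
    token = svc.login("alice", "97531")
    print("token issued:", token is not None, "user:", svc.user_for(token))
```

The client keeps only the token (ideally in EncryptedSharedPreferences, see Slide 27) and never the PIN; the server can then invalidate every session from one place, which is what "revocable" means in practice.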

Slide 39

Slide 39 text

Insecure Cryptography (#5 OWASP Threat): IT’S YOUR ALGORITHMS.

Slide 40

Slide 40 text

Insecure Cryptography (#5 OWASP Threat)
• Do NOT use outdated algorithms: SHA-1, MD5, MD4, RC2
• Encoding != Hashing != Encrypting
• Base64-encoding something is not cryptography
• Don’t come up with your own solutions (unless you are a cryptographer)

Slide 41

Slide 41 text

Insecure Cryptography (#5 OWASP Threat)
• Consider using Google’s Tink library
• AES-256 for symmetric encryption
• RSA-2048 or ECC for asymmetric encryption
• BONUS: Avoid storing sensitive data locally!

Slide 42

Slide 42 text

Recap: Top threats!
• YOU
• YOUR DATA
• YOUR NETWORK
• YOUR IDENTITY
• YOUR ALGORITHMS

Slide 43

Slide 43 text

Thanks for watching!
• Find me on Twitter @Sp4ghettiCode
• More resources and links at spght.dev/talks
• Please do reach out if you are interested in learning more or have knowledge to share with the community!
• Questions and Answers to follow…

Slide 44

Slide 44 text

EOF