Tweet
Tweet

Slide 1

Slide 1 text

What Android Developers Should Know About Security

Slide 2

Slide 2 text

Bolot Kerimbaev Android and iOS instructor and developer

Slide 3

Slide 3 text

Android App Developers https://www.bignerdranch.com/app-development/case-studies/

Slide 4

Slide 4 text

What Is Security?

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

What Is Security? • Confidentiality • Integrity • Availability

Slide 7

Slide 7 text

What Is Security? • Threats • Risks • Responses • Remediations

Slide 8

Slide 8 text

Threat model • Malicious apps • Stolen phones • Wi-Fi hotspots • Malicious HTML, SMS

Slide 9

Slide 9 text

Case Study: Stagefright • Media server framework • Attack via malicious MMS • Remote code execution • Privilege escalation • Publicly disclosed July 2015 • Apps are impacted

Slide 10

Slide 10 text

Demolition Man, 1993

Slide 11

Slide 11 text

Android Security

Slide 12

Slide 12 text

Android Security • Application Signing • (SE)Linux • Permissions • Interprocess Communication • Verified Boot

Slide 13

Slide 13 text

KitKat Lollipop Marshmallow Nougat SELinux, enforcing mode Full disk encryption, hardware bound Hardware-Isolated Security File-based encryption, Direct Boot Device monitoring warnings WebView updates Verified Boot Verified Boot, strictly enforced Per user VPN Position Independent Executables Fingerprints Library load-order randomization Fortify Source level 2 TLS v1.2 Runtime Permissions APK Signature v2 Certificate pinning Smart Lock StrictMode, disable cleartext Network security config https://source.android.com/security/enhancements/index.html

Slide 14

Slide 14 text

Challenges • Fragmentation • Google vs OEMs vs Carriers vs Qualcomm • Vulnerabilities

Slide 15

Slide 15 text

Case Study: Stagefright Pre-N Nougat

Slide 16

Slide 16 text

Who Cares About Security?

Slide 17

Slide 17 text

Security and Design • Most people think it’s important • Cannot be applied at the end • Changes can be costly if not planned

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

Mobile & Server

Slide 20

Slide 20 text

Security practices https://security.googleblog.com/2015/07/new-research-comparing-how-security.html

Slide 21

Slide 21 text

Security practices • Software Updates • Password Manager • 2-Factor Authentication

Slide 22

Slide 22 text

Security Updates

Slide 23

Slide 23 text

Password Managers

Slide 24

Slide 24 text

2-Factor Authentication

Slide 25

Slide 25 text

Security practices • Software Updates • Password Manager • 2-Factor Authentication • VPN • Backups • Leak Notifications

Slide 26

Slide 26 text

What Can App Developers Do?

Slide 27

Slide 27 text

Checklists • Android Security Checklist • Industry Specific: PCI, HIPAA • OWASP

Slide 28

Slide 28 text

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Slide 29

Slide 29 text

Software Updates • Follow best practices, plan for upgrades • Train engineers • Perform audits • APIs: evolution, deprecation • Keep up with tools updates

Slide 30

Slide 30 text

Password Management • Integrate with password managers • Implement single sign-on, OAuth, etc. • Don’t use device ID • Don’t store passwords • Careful about custom password text fields

Slide 31

Slide 31 text

Case Study: Smart Lock

Slide 32

Slide 32 text

2-Factor Authentication • TOTP (Google Authenticator, Authy) • FIDO U2F (Yubikey) • Don’t use SMS

Slide 33

Slide 33 text

Secure Communication • Use HTTPS (TLS) everywhere • Enable Network Security Configuration • Certificate pinning

Slide 34

Slide 34 text

Protect User Data • Secure storage • Easy backups and data restoration • Cryptography

Slide 35

Slide 35 text

Vulnerability Reporting • Make it easy to report issues in your app • Track vulnerabilities

Slide 36

Slide 36 text

What Can Developers Do? • Practice security as a user • Optimize for best security practices • Training • Checklists • Audits, Reviews

Slide 37

Slide 37 text

Questions? • @bolot • @bignerdranch • Android Security course, Q3 2017