Slide 1

Slide 1 text

Secure data in Android
Remember to hard reset whenever you leave your device on the table
Yakiv Mospan: Author, Android Developer @ Team Technologies
Svyatoslav Hromyak: Android Developer @ Team Technologies

Slide 2

Slide 2 text

Prerequisites
- Kotlin Gradle Plugin 1.1.51
- Android SDK 26
- Android Studio 3.0 Beta 7
- Android Virtual Device API 18
- Android Virtual Device API 23
- Fetch or download sample source code from GitHub: https://github.com/TeamTechnologies/security-workshop-sample
#dfua

Slide 3

Slide 3 text

Overview
- Developing Secrets Keeper Application
- Encryption in Android
- Compatibility, Fingerprint and Confirm Credentials
- Encryption: What is it? How it works?

Slide 4

Slide 4 text

Encryption
The most effective way to achieve data security

Slide 5

Slide 5 text

How it works
[Diagram labels: Plain data (Financial data, Credentials, Sensitive data); Algorithm (Symmetric: AES, DES; Asymmetric: RSA, EC); Key (Secret key; Private key, Public key); Cipher data (sh7aertsca..)]

Slide 7

Slide 7 text

How it works
Sensitive data: Personal life information, physical or mental health details, criminal or civil offences, private photos, private user documents, etc.

Slide 8

Slide 8 text

How it works
Financial data: Accounts, transactions, reports, credit card information, etc.

Slide 9

Slide 9 text

How it works
Credentials: Usernames, passwords, touch pincodes, fingerprint data, and all other stuff that can provide access to data above.

Slide 11

Slide 11 text

How it works
Symmetric: The oldest and best-known technique. The encryption key and the decryption key are the same.

Slide 12

Slide 12 text

How it works
Asymmetric: A modern branch of cryptography, also known as public-key cryptography, in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm.

Slide 18

Slide 18 text

How it works
Secret key (Symmetric): A single secret key which is used in conventional symmetric encryption to encrypt and decrypt a message.

Slide 19

Slide 19 text

How it works
Private key, Public key: Asymmetric Key Pair.

Slide 20

Slide 20 text

How it works
A single secret key which is used in conventional symmetric encryption to encrypt and decrypt a message.

Slide 21

Slide 21 text

How it works
Public key (Asymmetric): The public component of a pair of cryptographic keys used for encryption in asymmetric cryptography.

Slide 23

Slide 23 text

How it works
Cipher data (sh7aertsca..): Cipher Output

Slide 25

Slide 25 text

Encryption in Android
Java Cryptography Architecture & AndroidKeyStore API

Slide 26

Slide 26 text

Android builds on the Java Cryptography Architecture (JCA), which provides APIs for digital signatures, certificates, encryption, key generation and management.

Slide 27

Slide 27 text

Architecture
[Diagram labels: Provider, Key Generator, KeyPair Generator, Secure Random, Keys, Key Store, Certificate, Cipher]

Slide 28

Slide 28 text

Architecture
Key Generator: Provides the public API for generating symmetric cryptographic keys.

Slide 29

Slide 29 text

Architecture
KeyPair Generator: An engine class which is capable of generating a private key and its related public key utilizing the algorithm it was initialized with.

Slide 30

Slide 30 text

Architecture
Secure Random: Generates cryptographically secure pseudo-random numbers.

Slide 31

Slide 31 text

Architecture
Keys: Keys created with Generators.

Slide 32

Slide 32 text

Architecture
Key Store: A database with a well-secured data protection mechanism, used to save, get and remove keys. Requires an entrance password and a password for each of the keys.

Slide 33

Slide 33 text

Architecture
Certificate: Certificate used to validate and save asymmetric keys.

Slide 34

Slide 34 text

Architecture
Cipher: Provides access to implementations of cryptographic ciphers for encryption and decryption.

Slide 35

Slide 35 text

Architecture
Provider: Defines a set of extensible, implementation-independent APIs.

Slide 37

Slide 37 text

AndroidKeyStore
- JCA Provider implementation
- No Keystore passwords (really, at all)
- Key material never enters the application process
- Key material may be bound to the secure hardware
- Asymmetric keys available from 18+
- Symmetric keys available from 23+

Slide 38

Slide 38 text

And as always happens, it is full of surprises.

Slide 39

Slide 39 text

Stop this “bla-bla” talking! We want to code something!

Slide 40

Slide 40 text

Secrets Keeper
Developing Sample Application

Slide 41

Slide 41 text

The main goal of the sample application is to save user Secrets locally and keep them protected using the Encryption, Fingerprint and Confirm Credentials APIs.

Slide 42

Slide 42 text

Requirements
- Support Android 18+ Devices
- Allow user to access application only if Lock Screen is set
- Protect user password with Encryption
- Protect user Secrets with Encryption
- Allow user to access Secrets with Fingerprint
- Add additional Confirm Credentials protection

Slide 45

Slide 45 text

Project Structure
What to do next?
Environment, Stages and Tips

Slide 46

Slide 46 text

The project is separated into different Stages using Gradle flavors. A Stage represents a task that needs to be completed. A Stage can have subtasks, called Levels.

Slide 47

Slide 47 text

Encryption Stage

Slide 48

Slide 48 text

Fingerprint Stage

Slide 49

Slide 49 text

Confirm Credentials Stage

Slide 50

Slide 50 text

Origination Stage. We begin from it and will update it during the workshop.

Slide 51

Slide 51 text

Completed Workshop Flavor

Slide 52

Slide 52 text

Classes that we will update during the workshop

Slide 53

Slide 53 text

If during the session you run out of time, lose focus, arrive later than others or something just goes wrong, select the next Stage or Level and continue to work on it.

Slide 54

Slide 54 text

Guides with more detailed information (what needs to be done to complete the stage, and full code snippets) are placed in the Readme file. On each Stage you need to listen to the explanations and follow the Guide steps.

Slide 55

Slide 55 text

Encryption Stage - Level 1

Slide 56

Slide 56 text

Checklist: Encryption Stage - Level 1
- Lock Screen and Keyguard
- Choose a key
- Create storage for key
- Create master key and save it
- Use key to encrypt / decrypt Secrets and User Password
- Protect Data

Slide 57

Slide 57 text

Let's open the Project itself and the Workshop Guide from the Readme file, and continue our work there.

Slide 58

Slide 58 text

Encryption Stage - Level 2

Slide 59

Slide 59 text

Checklist: Encryption Stage - Level 2
- Encrypt large data
- Create Symmetric Key with Default Provider
- Create Symmetric Key with Android Provider
- Wrap / Unwrap Key with Cipher

Slide 60

Slide 60 text

Encryption Stage - Level 3

Slide 61

Slide 61 text

Checklist: Encryption Stage - Level 3
- Initialization Vector
- Encryption with Initialization Vector
- Decryption with Initialization Vector
- Protect Data with Initialization Vector
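
The Level 2 and Level 3 checklists (encrypt large data, wrap / unwrap key with Cipher, initialization vector) combined into one added example; it is not code from the workshop repository. It runs on a plain JVM with the default JCA provider; the names `seal`, `unseal`, `Sealed` and both transformation strings are assumptions, and on a device the RSA pair would be the master key held by the AndroidKeyStore provider.

```kotlin
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Added example, assumed names: hybrid encryption with plain JCA classes.
const val WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" // assumed transformation
const val DATA = "AES/GCM/NoPadding"                     // assumed transformation

class Sealed(val wrappedKey: ByteArray, val iv: ByteArray, val cipherText: ByteArray)

fun seal(plain: ByteArray, master: KeyPair): Sealed {
    // Symmetric data key from the default provider: no size limit on the plaintext.
    val dataKey = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
    // Fresh random 12-byte IV per message; it is not secret and is stored beside the ciphertext.
    val iv = ByteArray(12).also { SecureRandom().nextBytes(it) }
    val aes = Cipher.getInstance(DATA)
    aes.init(Cipher.ENCRYPT_MODE, dataKey, GCMParameterSpec(128, iv))
    val cipherText = aes.doFinal(plain)
    // Only the small data key goes through RSA: wrap it with the public key.
    val rsa = Cipher.getInstance(WRAP)
    rsa.init(Cipher.WRAP_MODE, master.public)
    return Sealed(rsa.wrap(dataKey), iv, cipherText)
}

fun unseal(box: Sealed, master: KeyPair): ByteArray {
    // Unwrap the data key with the private key, then decrypt with the stored IV.
    val rsa = Cipher.getInstance(WRAP)
    rsa.init(Cipher.UNWRAP_MODE, master.private)
    val dataKey = rsa.unwrap(box.wrappedKey, "AES", Cipher.SECRET_KEY) as SecretKey
    val aes = Cipher.getInstance(DATA)
    aes.init(Cipher.DECRYPT_MODE, dataKey, GCMParameterSpec(128, box.iv))
    return aes.doFinal(box.cipherText) // throws AEADBadTagException if the data was altered
}

fun main() {
    val master = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
    val secret = "constructed sample secret ".repeat(40).toByteArray() // about 1 KB
    // RSA on its own rejects input larger than one block, hence the symmetric data key.
    val direct = runCatching {
        Cipher.getInstance(WRAP).apply { init(Cipher.ENCRYPT_MODE, master.public) }.doFinal(secret)
    }
    check(direct.isFailure)
    val a = seal(secret, master)
    val b = seal(secret, master)
    check(unseal(a, master).contentEquals(secret))
    check(!a.cipherText.contentEquals(b.cipherText)) // new data key and IV on every call
    println("round trip ok, wrapped key is ${a.wrappedKey.size} bytes")
}
```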

Slide 62

Slide 62 text

Encryption Stage - Level 4

Slide 63

Slide 63 text

Checklist: Encryption Stage - Level 4
- Key Invalidation Issue
- Default Keystore
- Save Symmetric Key in Default Keystore
- Protect Data and Compatibility Issues

Slide 64

Slide 64 text

Fingerprint Stage

Slide 65

Slide 65 text

Checklist: Fingerprint Stage
- Fingerprint
- Fingerprint Manager
- Fingerprint Authentication
- Fingerprint key
- Fingerprint Crypto Object
- Validate Fingerprint Authentication

Slide 66

Slide 66 text

Confirm Credentials Stage

Slide 67

Slide 67 text

Checklist: Confirm Credentials Stage
- Confirm Credentials Key
- Validate Confirm Credentials Authentication
- Confirm Credentials Intent

Slide 68

Slide 68 text

Afterword

Slide 69

Slide 69 text

Summary
- Android provides various possibilities to secure data
- But not all of them work as designed
- Do not use Android Key Store API on pre-M devices
- Use it only if you are not scared to lose data (can be reloaded)
- Choose the Key Algorithm that is best for your needs
- Remember that asymmetric Keys are not good for large data

Slide 75

Slide 75 text

Summary
- Use Initialization Vectors and a Salt value for better protection
- Fingerprint is not the main security option
- Always handle cases of key invalidation
- Remember that there is a fingerprint compatibility helper
- Use Confirm Credentials instead of custom screen locks

Slide 81

Slide 81 text

Security is a complex unit. None of this will work if the application is running in a corrupted environment.

Slide 82

Slide 82 text

What’s Next?
- Key Attestation
- Integrity check (SafetyNet)

Slide 83

Slide 83 text

Resources
- JCA Documentation: http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
- Android Keystore Documentation: https://developer.android.com/training/articles/keystore.html
- Android Keystore Supported Algorithms: http://developer.android.com/training/articles/keystore.html#SupportedAlgorithms
- Android Source: https://source.android.com/security/keystore/

Slide 84

Slide 84 text

Resources
- Fingerprint & Confirm Credentials Authentication: https://developer.android.com/about/versions/marshmallow/android-6.0.html
- Fingerprint Google Sample: https://github.com/googlesamples/android-FingerprintDialog
- Confirm Credentials Google Sample: https://github.com/googlesamples/android-ConfirmCredential
- Android Arsenal, Security and Fingerprint tags: https://android-arsenal

Slide 85

Slide 85 text

Resources
- Nikolay Elenkov, Book: https://www.amazon.com/Android-Security-Internals-In-Depth-Architecture/dp/1593275811
- Nikolay Elenkov, Blog: http://nelenkov.blogspot.com/
- Dorian Cussen, Blog: https://doridori.github.io/android-security-the-forgetful-keystore/
- Courses: https://www.coursera.org/learn/crypto

Slide 86

Slide 86 text

Thank You! Questions?
Yakiv Mospan: Author, Android Developer @ Team Technologies
Svyatoslav Hromyak: Android Developer @ Team Technologies