Slide 1

Slide 1 text

What’s NNNNew in Android Security? Scott Alexander-Bown droidcon London 2016 @ScottyAB

Slide 3

Slide 3 text

At a glance
• Direct boot
• Keystore
• ‘Securer’ networking
• Misc system and app differences
• Permissions in M

Slide 4

Slide 4 text

Terms
• 6.0 - M - API 23 - Marshmallow
• 7.0 - N - API 24 - Nougat

Slide 5

Slide 5 text

Direct Boot

Slide 6

Slide 6 text

Booting encrypted device pre-7.0
• Boot halted for PIN/password
• Device encrypted with same key
• Android used block-level encryption

Slide 7

Slide 7 text

Direct Boot mode
• Boot direct to lock screen
• Calls, SMS & Alarms work
• And your app too!

Slide 8

Slide 8 text

File based encryption Default

Slide 10

Slide 10 text

Direct Boot aware

Slide 12

Slide 12 text

Accessing device encrypted storage

@Override
public void onReceive(Context context, Intent intent) {
    // Device-protected storage is readable before the user first unlocks the device
    Context directBootContext = ContextCompat.createDeviceProtectedStorageContext(context);

    if (directBootContext != null) {
        SharedPreferences sharedPreferences = PreferenceManager.getDefaultSharedPreferences(directBootContext);

        String token = sharedPreferences.getString(READ_ONLY_OAUTH_TOKEN, null);

        // do read only API lookup
        // ...
    }
}

Slide 15

Slide 15 text

Direct Boot, so what is it good for?
• Messaging apps, important user notifications.
• Already using a BootCompleted listener?
• Recommended limited scope, i.e. read-only API tokens

Slide 16

Slide 16 text

Android Keystore
Android 4.3

Slide 17

Slide 17 text

What is the KeyStore?
• Originally for unlocking DRM content
• Apps can securely create and store their crypto keys.
• Requires device PIN or password (or fingerprint)
• Ideally secure element / TrustZone (hardware-based)

Slide 18

Slide 18 text

What’s new?
• Android M introduced a broader range of capabilities.
• N+ must be hardware backed (new devices)
• Time sensitive (Android M)

Slide 19

Slide 19 text

Attestation
• Key is baked into the firmware
• Create a Key
• Remotely validate its cert chain
• N+ (New hardware)

Slide 20

Slide 20 text

By @doriancussen

Slide 22

Slide 22 text

Securer Networking
• Custom trust store / anchors
• Debug only Overrides CA
• Block non-HTTPS traffic
• Limit the certs you trust

Slide 23

Slide 23 text

minSdkVersion=24?

Slide 24

Slide 24 text

CWAC-NetSecurity
https://github.com/commonsguy/cwac-netsecurity

Slide 25

Slide 25 text

Configuring CAs for Debugging
• Self-signed certs in development
• Only enabled when android:debuggable=true
• Safer than conditional code

Slide 26

Slide 26 text

Configuring CAs for Debugging

Slide 27

Slide 27 text

Manifest

Slide 28

Slide 28 text

User certs no longer trusted by default

Slide 29

Slide 29 text

Trusting user installed certs

Slide 30

Slide 30 text

Pinning Certificates
• SSL pinning lets apps limit the set of certificates they accept
• Pin a hash of the SubjectPublicKeyInfo of the X.509 certificate.

Slide 31

Slide 31 text

SSL Pinning
scottyab.com
7HIpactkIAq2Y49…Y=
fwza0LRMXouZHR…E=

Slide 32

Slide 32 text

How to get the Pin?

Slide 33

Slide 33 text

How to get the Pin?

$ openssl s_client -servername scottyab.com -connect scottyab.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Thanks to John Kozyrakis @ikoz
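
Added example (not from the talk): what the openssl pipeline above computes, written in Python so the pin can be derived in a build or CI check. It walks the DER structure to the SubjectPublicKeyInfo, hashes it with SHA-256 and base64-encodes the digest; the sample certificate is constructed with dummy contents, and all function names are chosen for illustration.

```python
import base64, hashlib

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the complete SubjectPublicKeyInfo TLV of a DER certificate."""
    _, pos, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                         # [0] version, absent in v1 certs
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]

def pin_sha256(cert_der):
    """Base64 of SHA-256 over the SPKI, the value a <pin> element carries."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def der(tag, body):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

# Constructed sample: certificate-shaped DER with dummy contents, not a real cert.
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))
SAMPLE_SPKI = der(0x30, der(0x30, RSA_OID + der(0x05, b"")) +
                  der(0x03, b"\x00" + bytes(range(200))))

def sample_cert(with_version=True):
    fields = [der(0x02, b"\x01")] + [der(0x30, b"")] * 4 + [SAMPLE_SPKI]
    if with_version:
        fields.insert(0, der(0xA0, der(0x02, b"\x02")))
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

print(pin_sha256(sample_cert()))
```

For a real certificate, convert PEM to DER first with `ssl.PEM_cert_to_DER_cert` from the standard library. Because the hash covers the whole SPKI, algorithm identifier included, the same function works for RSA and EC keys.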

Slide 34

Slide 34 text

Misc

Slide 35

Slide 35 text

Under the hood
• The media stack and platform hardening
• Kernel hardening (with error correction)

Slide 36

Slide 36 text

Seamless OTA updates

Slide 37

Slide 37 text

App data directory
• App data directory now user only 700 permissions
• Sharing files is explicitly opt-in
• Use FileProvider (support-lib)
• Training article “Sharing Files”

Slide 38

Slide 38 text

APK signing schema v1
Problems
• Deleting files
• Adding files to META-INF
• DoS app

Slide 39

Slide 39 text

APK signing schema v2
• Faster
• More Secure
• You’re already using both?
• zipalign before (not after)

Slide 40

Slide 40 text

Scoped directory access
• Access common external storage directories
• Storage Access Framework
• Environment.DIRECTORY_MOVIES
• Remember to call takePersistableUriPermission()

Slide 41

Slide 41 text

Misc differences
• No more access to MAC addresses
• Overlays can no longer be displayed on top of permissions dialogs
• Reduced the power of device admin applications

Slide 43

Slide 43 text

Runtime Permissions
• Permissions that users “get”
• Control on specific permissions
• Easy for users
• Updates don’t require approval

Slide 44

Slide 44 text

Tips for Working with Android Permissions
• Only use the permissions necessary for your app to work
• Be transparent
• Make system accesses explicit
• Context, Context, Context!

Slide 45

Slide 45 text

Permissions required by libraries.

Slide 46

Slide 46 text

Checking Device health - SafetyNet API
• Read device?
• Vulnerable?
• Rooted?

Slide 47

Slide 47 text

https://github.com/scottyab/safetynethelper

Slide 48

Slide 48 text

play.google.com/store/apps/details?id=com.scottyab.safetynet.sample

Slide 49

Slide 49 text

SafetyNetApi - SafeBrowsing
• Social Engineering
• Potentially Harmful Apps

Slide 50

Slide 50 text

Recap
• Direct boot
• Keystore
• Securer networking
• Misc system and app differences
• Permissions in M

Slide 51

Slide 51 text

Thanks! Questions?
Scott Alexander-Bown @ScottyAB
Shout outs: @commonsguy @ikoz +AdrianLudwig @doriancussen @niallscott @trionkidnapper @subsymbolics

Slide 52

Slide 52 text

Resources
• https://www.blackhat.com/ldn-15/summit.html#what-can-you-do-to-an-apk-without-its-private-key-except-repacking
• https://doridori.github.io/android-security-the-forgetful-keystore/#sthash.hFHQpV3A.5WcUVfYk.dpbs
• http://android-developers.blogspot.co.uk/2016/09/security-enhancements-in-nougat.html
• https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2
• https://blog.stylingandroid.com/nougat-direct-boot/
• SafetyNet Helper library - https://github.com/scottyab/safetynethelper
• Security patch date util - https://gist.github.com/scottyab/77bac6600986eb6a619e07a3d0abae3f
• Adrian Ludwig’s Google IO talk - What’s new in Android Security (M & N) - https://www.youtube.com/watch?v=XZzLjllizYs

Slide 53

Slide 53 text

Training / Developer Docs
• https://developer.android.com/training/articles/security-key-attestation.html
• https://developer.android.com/training/articles/scoped-directory-access.html#accessing
• https://developer.android.com/training/articles/user-data-permissions.html#tenets_of_working_with_android_permissions
• https://developer.android.com/training/articles/direct-boot.html