Slide 1

Slide 1 text

Safety first
Best practices in app security
ANA BAOTIĆ, TECHNICAL MANAGER, MOBILE BANKING @ INFINUM
@ABAOTIC

Slide 2

Slide 2 text

We're an independent design & development agency.

Slide 4

Slide 4 text

HOW TO INCREASE SECURITY

Slide 5

Slide 5 text

BUILD INTEGRITY

Slide 6

Slide 6 text

ADD A RELEASE KEYSTORE TO YOUR PROJECT

Slide 7

Slide 7 text

KEYSTORE
Can be used for ALL build types
You should NEVER lose it
No one should EVER acquire it

Slide 8

Slide 8 text

KEEP IT SECRET, KEEP IT SAFE

Slide 9

Slide 9 text

signingConfigs {
    release {
        storeFile file("myapp.keystore")
        storePassword "password123"
        keyAlias "keyAlias"
        keyPassword "password789"
    }
}

DO NOT! Plaintext passwords in build.gradle are committed along with the build script.

Slide 10

Slide 10 text

ONE ALTERNATIVE

local.properties (kept out of version control):

KEYSTORE_PASSWORD=password123
KEY_PASSWORD=password789

Slide 11

Slide 11 text

build.gradle: load the secrets from local.properties and refuse to configure the release build without them.

def localProps = new Properties()
localProps.load(rootProject.file("local.properties").newDataInputStream())

signingConfigs {
    release {
        def storePass = localProps.getProperty("KEYSTORE_PASSWORD")
        def keyPass = localProps.getProperty("KEY_PASSWORD")
        if (storePass == null || keyPass == null) {
            throw new InvalidUserDataException("…")
        }
        storeFile file("myapp.keystore")
        storePassword storePass
        keyAlias "keyAlias"
        keyPassword keyPass
    }
}

Slide 12

Slide 12 text

ENABLE OBFUSCATION

Slide 13

Slide 13 text

PROGUARD

release {
    minifyEnabled true
    proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
    signingConfig signingConfigs.release
}

Slide 14

Slide 14 text

DOWNSIDES
Disliked*
Builds fail
Staging vs Production

Slide 15

Slide 15 text

OTHER OPTIONS DexGuard DexProtector

Slide 17

Slide 17 text

public abstract class e {
 private int a = -1;
 private String b = null;
 protected boolean k = false;
 
 public abstract void a(Intent var1);
 
 protected final void a(String var1) {
 this.b = var1;
 }
 public final void c() {
 this.a = -1;
 this.b = null;
 }
 public final boolean d() {
 return this.k;
 }
 }

Slide 18

Slide 18 text

WILL THIS KEEP THE APK SAFE?

Slide 20

Slide 20 text

ADD TAMPERING DETECTION

Slide 21

Slide 21 text

Verify the signing certificate at runtime

Verify the installer (getInstallerPackageName() returns null for a sideloaded APK, so guard against it before calling startsWith()):

String installer = context.getPackageManager()
        .getInstallerPackageName(context.getPackageName());
boolean fromPlay = installer != null && installer.startsWith("com.android.vending");

Check whether the app is debuggable (or is running on an emulator)
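The three checks from this slide in one class, as an added example that is not code from the original talk. It assumes a hypothetical placeholder fingerprint constant (replace it with the SHA-256 fingerprint of your own release certificate, which keytool prints for the keystore). All of this runs inside the APK the attacker controls, so it raises the cost of repackaging rather than preventing it; also gate it on BuildConfig.DEBUG, because a debug build fails the debuggable check by design. GET_SIGNATURES and getInstallerPackageName() are what the slide uses; newer API levels deprecate them in favour of GET_SIGNING_CERTIFICATES and getInstallSourceInfo().

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class TamperChecks {
    // Hypothetical placeholder: replace with the SHA-256 fingerprint of your release
    // certificate (keytool -list -v -keystore myapp.keystore), colons removed.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private TamperChecks() {}

    /** True if the installed package is signed with the expected release certificate. */
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                // Signature.toByteArray() is the DER-encoded X.509 certificate; its SHA-256
                // is the same value keytool prints as the certificate fingerprint.
                if (EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) {
                    return true;
                }
            }
            return false;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // inability to verify counts as failure, never as success
        }
    }

    /** True if Google Play installed the app; a null installer means sideloaded (e.g. adb). */
    public static boolean installedFromPlay(Context ctx) {
        String installer = ctx.getPackageManager()
                .getInstallerPackageName(ctx.getPackageName());
        return installer != null && installer.startsWith("com.android.vending");
    }

    /** True if the running build carries android:debuggable="true", as repackaged APKs often do. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Heuristic only: emulator images are easy to re-brand, so treat a hit as a hint. */
    public static boolean probablyEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu");
    }

    /** Combine the checks; what to do on failure (refuse sensitive features, report) is a product decision. */
    public static boolean looksTampered(Context ctx) {
        return !signatureMatches(ctx)
                || !installedFromPlay(ctx)
                || isDebuggable(ctx)
                || probablyEmulator();
    }

    private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Call looksTampered(getApplicationContext()) early (for example in Application.onCreate()) and decide per feature what a failed check disables; failing closed on the signature check matters most, since an attacker who repackages the APK cannot reproduce your release certificate without the keystore.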

Slide 22

Slide 22 text

DATA PRIVACY

Slide 23

Slide 23 text

MY PRECIOUS

Slide 24

Slide 24 text

WAYS TO STORE (AND RETRIEVE) DATA
Internal storage
External storage
Content providers*

Slide 25

Slide 25 text

INTERNAL STORAGE
Is (generally) sufficiently safe
Private to your app

Slide 26

Slide 26 text

SHARED PREFERENCES Useful for primitive key-value based data

Slide 27

Slide 27 text

EXTERNAL STORAGE Globally readable and writable

Slide 28

Slide 28 text

CONTENT PROVIDERS
Structured storage mechanism
Can be exported (accessed by other apps)

Slide 29

Slide 29 text

android:protectionLevel="signature"

Declare a custom <permission> with this protection level and require it on the exported provider: the system grants it only to apps signed with the same certificate as yours, so other developers' apps cannot access the provider even though it is exported.

Slide 30

Slide 30 text

                    private   readable   safe
Internal storage    yes       yes        yes
External storage    no        yes        no
Content providers   depends   yes        yes
Shared prefs.       yes       yes        yes

Slide 31

Slide 31 text

SO EVERYTHING IS FINE?

Slide 32

Slide 32 text

NOPE.

Slide 34

Slide 34 text

USE LIBRARIES
Bouncy Castle
Spongy Castle
Keyczar
AeroGear Crypto
Conceal

Slide 35

Slide 35 text

ENCRYPT USING A PIN/PASSWORD

Slide 36

Slide 36 text

BCRYPT Slow
 Key derivation function
 Cost of hash function → work factor
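Slides 35 and 36 together: derive the encryption key from the user's PIN with a deliberately slow key derivation function and use it to encrypt the data you keep in internal storage. The following is an added example, not code from the talk. It uses only the JDK/Android standard library, so it swaps the slide's bcrypt for PBKDF2 (bcrypt is not in the platform's crypto providers; on Android below API 26 use "PBKDF2WithHmacSHA1" instead of the SHA-256 variant). The iteration count plays the role of bcrypt's work factor: a 4-digit PIN has only 10,000 possibilities, so the cost per guess is the only thing slowing an offline attacker who has copied the file from a rooted device. The sample plaintext and the PINs are constructed for the demonstration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class PinVault {
    private static final int SALT_LEN = 16;   // random per blob, stored with it
    private static final int IV_LEN = 12;     // GCM nonce, random per encryption
    private static final int TAG_BITS = 128;  // authentication tag: detects tampering
    private static final int KEY_BITS = 256;
    // Work factor. Tune so derivation takes a few hundred milliseconds on the
    // slowest device you support; raise it as devices get faster.
    private static final int ITERATIONS = 100_000;
    private static final SecureRandom RNG = new SecureRandom();

    private PinVault() {}

    /** Stretch the PIN into an AES key; the salt stops precomputed PIN tables. */
    static SecretKey deriveKey(char[] pin, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, ITERATIONS, KEY_BITS);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    /** Returns salt || iv || ciphertext+tag, ready to be written to internal storage. */
    public static byte[] encrypt(char[] pin, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }

    /** Throws AEADBadTagException for a wrong PIN or a modified blob; never returns garbage. */
    public static byte[] decrypt(char[] pin, byte[] blob) throws GeneralSecurityException {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        in.get(salt);
        in.get(iv);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data; in the app this would be a session token or similar.
        byte[] secret = "sample account token (constructed)".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt("1234".toCharArray(), secret);
        System.out.println("round trip ok: " + Arrays.equals(secret, decrypt("1234".toCharArray(), blob)));
        try {
            decrypt("0000".toCharArray(), blob);
            System.out.println("wrong PIN accepted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("wrong PIN rejected by the GCM tag");
        }
    }
}
```

Two details practitioners get wrong: reusing one IV across blobs with the same key breaks GCM entirely (hence a fresh random IV per call), and returning decrypted bytes without an authentication tag lets an attacker flip bits in the stored file unnoticed, which is why an AEAD mode is used here rather than plain CBC.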

Slide 37

Slide 37 text

CAN DATA REMAIN PRIVATE?

Slide 38

Slide 38 text

Rooting your device allows access
Not encrypting allows (mis)use

Slide 39

Slide 39 text

NETWORK SECURITY

Slide 41

Slide 41 text

HTTP

Slide 42

Slide 42 text

HTTPS

Slide 43

Slide 43 text

MAN IN THE MIDDLE

Slide 45

Slide 45 text

CERTIFICATE PINNING
Restricts which certificates (or public keys, or CAs) the app accepts for its own servers, instead of trusting every CA in the device's store
Reduces the effectiveness of a man-in-the-middle attack that relies on a rogue, compromised or user-installed CA

Slide 46

Slide 46 text

OkHttpClient client = okhttpbuilder
        .pinClientCertificate(resources, R.raw.client_cert, "pass".toCharArray(), "PKCS12")
        .pinServerCertificates(resources, R.raw.server_cert, "pass".toCharArray(), "BKS")
        .build();
return new OkClient(client);


Slide 47

Slide 47 text

WHAT IF (WHEN) THE CERTIFICATES CHANGE?
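Pinning the public key (SubjectPublicKeyInfo) rather than the whole certificate is what makes the question on this slide manageable: a renewed certificate issued for the same key still matches, and a second, offline "backup" key pinned in advance lets you rotate without a forced app update. The following added example (not code from the talk) shows how the "sha256/…" pin values used by OkHttp's CertificatePinner and by the Android N network security config are computed, and how a received chain is checked against a pin set. The key pairs are generated on the spot as stand-ins for the server's current and backup keys; in a real app the pins are constants and the chain comes from the TLS handshake. java.util.Base64 is available from Java 8 / Android API 26; older Android uses android.util.Base64.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class SpkiPins {
    private SpkiPins() {}

    /**
     * "sha256/<base64>" over the DER SubjectPublicKeyInfo. This is the CertificatePinner
     * format; the base64 part alone is what goes into <pin digest="SHA-256"> in the
     * network security config.
     */
    public static String pin(PublicKey key) throws NoSuchAlgorithmException {
        byte[] spki = key.getEncoded(); // X.509 SubjectPublicKeyInfo, DER-encoded
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    /**
     * Accept the chain if any certificate in it (leaf, intermediate or root) carries a
     * pinned key. Run this AFTER normal chain validation, never instead of it: pinning
     * narrows the set of acceptable chains, it does not establish that a chain is valid.
     */
    public static boolean chainIsPinned(List<X509Certificate> chain, Set<String> pins)
            throws NoSuchAlgorithmException {
        for (X509Certificate cert : chain) {
            if (pins.contains(pin(cert.getPublicKey()))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair current = gen.generateKeyPair(); // stands in for the key in today's certificate
        KeyPair backup = gen.generateKeyPair();  // stands in for a key kept offline for rotation

        // Ship both pins. Renewing the certificate for `current` changes nothing; switching
        // the server to `backup` also keeps working, and then you ship a new backup pin.
        Set<String> pins = new HashSet<>();
        pins.add(pin(current.getPublic()));
        pins.add(pin(backup.getPublic()));
        for (String p : pins) {
            System.out.println("pin: " + p);
        }
        System.out.println("rotated key still accepted: " + pins.contains(pin(backup.getPublic())));

        KeyPair attacker = gen.generateKeyPair(); // a MITM's key, never pinned
        System.out.println("unknown key accepted: " + pins.contains(pin(attacker.getPublic())));
    }
}
```

To get the same value for a live server without the app, run openssl s_client, extract the leaf's public key with openssl x509 -pubkey -noout, and pipe it through openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64; the result should match what pin() prints for that key.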

Slide 48

Slide 48 text

INFORM YOUR USERS Implement a mechanism for notifying users (GCM) and forcing updates

Slide 49

Slide 49 text

PLAN AHEAD
Check the server's TLS configuration and its impact on devices (older Android versions may lack the protocol versions and cipher suites the server requires): https://www.ssllabs.com/

Slide 51

Slide 51 text

USE THE PLATFORM TO YOUR ADVANTAGE

Slide 52

Slide 52 text

ANDROID M

AndroidManifest.xml, on the <application> element:

android:usesCleartextTraffic="false"

Catch stray plain-HTTP calls during development:

StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder()
        .detectCleartextNetwork()
        .penaltyLog()
        .build());

Slide 53

Slide 53 text

FINGERPRINTS

Slide 54

Slide 54 text

APP LINKING

https://domain[:opt_port]/.well-known/assetlinks.json

[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example",
    "sha256_cert_fingerprints": ["14:6D:E9:...44:E5"]
  }
}]

Slide 55

Slide 55 text

ANDROID N Network Security Configuration feature

Slide 56

Slide 56 text

... ADD A SECURITY CONFIG FILE (an XML resource under res/xml, referenced from the manifest's <application> element via android:networkSecurityConfig)

Slide 57

Slide 57 text


CONFIGURE IT

<network-security-config>
    <domain-config>
        <domain>example.com</domain>
        <pin-set>
            <pin digest="SHA-256">7HIpa...BCoQYcRhJ3Y=</pin>
            <pin digest="SHA-256">fwza0...gO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

Slide 58

Slide 58 text

INCLUDE YOUR CLIENTS IN THE PROCESS
Keep them up-to-date
Help them understand risks and advise them
Insist on updates and security patches

Slide 59

Slide 59 text

THINGS TO REMEMBER
Use internal storage if applicable
Encrypt data
Use HTTPS
Pin certificates
Be aware of the update cycle

Slide 60

Slide 60 text

ANDROID IS NOT SECURE

Slide 61

Slide 61 text

BUT YOU CAN MAKE IT LESS EASY TO ABUSE

Slide 62

Slide 62 text

REFERENCES
• Gradle configuration
• http://developer.android.com/guide/topics/data/data-storage.html#db
• https://codahale.com/how-to-safely-store-a-password/
• http://www.developereconomics.com/android-cryptography-tools-for-beginners/
• https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app

Slide 63

Slide 63 text

REFERENCES
• https://www.ssllabs.com/
• http://developer.android.com/preview/features/security-config.html
• https://www.ionic.com/mitm-attacks-ssl-pinning-what-is-it-and-why-you-should-care/

Slide 64

Slide 64 text

REFERENCES
• Android fingerprint security
• Infinum security articles
• Infinum Android newsletter
• Keeping secrets in a Vault

Slide 65

Slide 65 text

Thank you!
Visit www.infinum.co or find us on social networks: infinum.co, infinumco, infinum
[email protected]
@ABAOTIC