Modern Security for Android Developers

Slide 1

Slide 1 text

Modern Security for Android Developers Dinorah Tovar Platform Mobile Engineer @ konfío.mx @ddinorahtovar @ddinorahtovar

Slide 2

Slide 2 text

Security is a two sides coin!

Slide 3

Slide 3 text

Encryption, but simpler   Algorithm Data Key Cipher Text @ddinorahtovar

Slide 4

Slide 4 text

Encryption algorithms Cipher Mac Signature Message Digest @ddinorahtovar

Slide 5

Slide 5 text

Encryption algorithms @ddinorahtovar

Slide 6

Slide 6 text

Encryption algorithms val cipher = Cipher.getInstance(“AES/CBC/PKCS5Padding") Schema Model Padding @ddinorahtovar

Slide 7

Slide 7 text

Encryption algorithms •Too many standars: Advanced Encryption Standard (AES)  Rivest–Shamir–Adleman (RSA) •Modes of operation for symmetric and not symmetric keys •Paddings to encrypt long and small data. @ddinorahtovar

Slide 8

Slide 8 text

Encryption So, encryption is software or hardware? DEPENDS @ddinorahtovar

Slide 9

Slide 9 text

Encryption in Android •Hardware acceleration •Android Version @ddinorahtovar

Slide 10

Slide 10 text

Encryption in Android @ddinorahtovar •Secure Element and Trusted environments Peripherals Untrusted Area Trusted Area Applications OS Memory Trusted Component Memory

Slide 11

Slide 11 text

Encryption in Android @ddinorahtovar •Secure Element and Trusted environments Peripherals Untrusted Area Trusted Area Applications OS Memory Trusted Component Memory Secure element  Memory CPU

Slide 12

Slide 12 text

Encryption in Android Encryption is hard! @ddinorahtovar But why?

Slide 13

Slide 13 text

Encryption in Android @ddinorahtovar

Slide 14

Slide 14 text

Encryption in Android @ddinorahtovar Is this okay?

Slide 15

Slide 15 text

Encryption in Android @ddinorahtovar KeyChain KeyStore API for credentials that can be used across your apps Store cryptographic keys securely

Slide 16

Slide 16 text

Encryption in Android Solution has arrived @ddinorahtovar

Slide 17

Slide 17 text

Encryption in Android • Using Tink, a cross-platform for encryption, so we need 23 SDK min (for the RC) @ddinorahtovar

Slide 18

Slide 18 text

Encriptación en Android @ddinorahtovar

Slide 19

Slide 19 text

Encryption in Android @ddinorahtovar

Slide 20

Slide 20 text

Encryption in Android @ddinorahtovar

Slide 21

Slide 21 text

Encryption in Android @ddinorahtovar

Slide 22

Slide 22 text

Friends, not enemies @ddinorahtovar

Slide 23

Slide 23 text

Encryption in Android MASTER KEY KEYSET File or SharedPreference Key to encrypt @ddinorahtovar

Slide 24

Slide 24 text

Encryption in Android KeyStore Key Key Alias @ddinorahtovar

Slide 25

Slide 25 text

Encryption in Android @ddinorahtovar

Slide 26

Slide 26 text

Encryption in Android @ddinorahtovar

Slide 27

Slide 27 text

Encryption in Android @ddinorahtovar

Slide 28

Slide 28 text

Encryption in Android @ddinorahtovar

Slide 29

Slide 29 text

Biometrics

Slide 30

Slide 30 text

Biometric prompt @ddinorahtovar

Slide 31

Slide 31 text

Biometric prompt @ddinorahtovar

Slide 32

Slide 32 text

Biometric as Local auth   Secure Channel Biometric Promp Unlock Promp @ddinorahtovar

Slide 33

Slide 33 text

How does it works? •Unexportable, cause depends of TEE •All the data travels in a Secure Channel @ddinorahtovar

Slide 34

Slide 34 text

Biometric as Local auth @ddinorahtovar False Accept Rate (FAR) Imposter Accept Rate (IAR) Spoof Accept Rate (SAR)

Slide 35

Slide 35 text

Native Modules

Slide 36

Slide 36 text

C/C++ vs. Java/Kotlin @ddinorahtovar •C/C++ can not be decompiled •But can be dissembled

Slide 37

Slide 37 text

Native Modules @ddinorahtovar

Slide 38

Slide 38 text

@ddinorahtovar

Slide 39

Slide 39 text

@ddinorahtovar

Slide 40

Slide 40 text

Secure Data layer

Slide 41

Slide 41 text

Secure data layer @ddinorahtovar •Authenticated, encrypted socket-level communication can be easily implemented using the SSLSocket Class •In a typical SSL usage scenario, a server is configured with a certificate containing a public key as well as a matching private key. As part of the handshake between an SSL client and server, the server proves it has the private key by signing its certificate with public-key cryptography.

Slide 42

Slide 42 text

Secure data layer @ddinorahtovar So if I have this, everything is cool No!

Slide 43

Slide 43 text

Certificate Authority @ddinorahtovar CER (.CRT) PFX

Slide 44

Slide 44 text

Certificate Authority @ddinorahtovar

Slide 45

Slide 45 text

Certificate Authority @ddinorahtovar

Slide 46

Slide 46 text

Modern Security for Android Developers Dinorah Tovar Platform Mobile Engineer @ konfío.mx @ddinorahtovar @ddinorahtovar