Slide 1

Slide 1 text

Hardening your Android App
Scott Alexander-Bown
Head of Android, Mubaloo
@scottyab

Slide 2

Slide 2 text

me: Scott Alexander-Bown
•  Head of Android at Mubaloo
•  Passionate about Android and mobile security
•  Co-run SWmobile meetup group
•  Follow me @scottyab
Favourite apps

Slide 3

Slide 3 text

It's not about... Fear!

Slide 4

Slide 4 text

It's not about... 100%

Slide 5

Slide 5 text

Agenda
•  Why?
   o  Attacker motivations
   o  Reverse engineering
•  Hardening techniques
   o  Android Permissions
   o  Encryption and key management on Android
   o  Using SSL better
   o  Make it harder to pirate/repackage your app
   o  Device Administration policies
   o  Miscellaneous tips

Slide 6

Slide 6 text

Motivations for hacking an app
•  Different ads
•  Different market
•  Extract assets or API keys
•  Insert malware
•  Software piracy
•  Malware and security research
•  Fun!

Slide 7

Slide 7 text

Reverse engineering Android app

Slide 8

Slide 8 text

Apktool
•  http://bit.ly/apktool
•  Apktool
   o  apktool d myapp.apk
   o  apktool b myapp newmyapp.apk

Slide 9

Slide 9 text

Santoku Linux
•  Linux ISO
•  Pre-installed platform SDKs, drivers, and utilities
•  Decompilation and disassembly tools
•  Scripts to detect common issues in mobile applications
•  Scripts to automate decrypting binaries, deploying apps, enumerating app details, and more
•  https://santoku-linux.com/

Slide 10

Slide 10 text

*Disclaimer: I work for Via Forensics as of Monday

Slide 11

Slide 11 text

Techniques for hardening

Slide 12

Slide 12 text

Protecting internal storage
Creating world-readable files is very dangerous
•  Do
   o  File creation mode: Context.MODE_PRIVATE
•  Don't use
   o  MODE_WORLD_READABLE
   o  MODE_WORLD_WRITEABLE
   o  (deprecated in API level 17)

Slide 13

Slide 13 text

Permissions
•  Are all the permissions required?
Instead of
•  Permission types (protection level)
   o  Normal
   o  Dangerous
   o  Signature

Slide 14

Slide 14 text

Custom Permission example
•  Declared custom permission
•  Another app/component using the permission

Slide 15

Slide 15 text

Don't leak permissions
•  Protect entry points (receivers, services, content providers)
•  Exported=false
•  Context.checkCallingPermission("android.permission.CAMERA")
•  Context.enforceCallingPermission(...)
•  Tip: Local broadcast manager for in app notifications

Slide 16

Slide 16 text

Encryption: 3rd party libs
•  SQLCipher
   o  256-bit AES Encrypt SQLite database
   o  http://sqlcipher.net/sqlcipher-for-android
•  Keyczar - Open source cryptographic toolkit
   o  http://www.keyczar.org
   o  https://github.com/kruton/android-keyczar-demo
•  IOCipher - virtual encrypted disk
   o  Clone of java.io
   o  https://guardianproject.info/code/iocipher

Slide 17

Slide 17 text

Encryption: Key management
Two 'ideal world' solutions
•  Don't store the key on the device
•  Use a system service (such as keychain)
•  Tip: Minimise keys' time in RAM (null after using them)

Slide 18

Slide 18 text

Encryption: Generate random key
•  Note: New implementation of SecureRandom in Android 4.2

Slide 19

Slide 19 text

Password based encryption (PBE)
•  Use a key derivation algorithm: PBKDF2
•  (Secure)random salt and iteration count
•  Tip: Ensure derivation method takes more than 100ms
•  Code for what to do and what not to do: https://github.com/nelenkov/android-pbe

Slide 20

Slide 20 text

Password based encryption (PBE)

Slide 21

Slide 21 text

Encryption: no no's
•  Store encryption keys in app
•  Log/debug statements with encryption keys
•  Rely on OS encryption
•  Write your own encryption algorithms

Slide 22

Slide 22 text

SSL
•  Use HTTPS by default
•  What about Man in the middle (MITM) attacks?
   o  Trusting all certificates
   o  Compromised CA

Slide 23

Slide 23 text

SSL Tips
•  Pay attention to security exceptions
•  Verify the certificate issuing hostname
•  SSL Pinning (public key pinning)
   o  Android pinning - https://github.com/moxie0/AndroidPinning
   o  Android 4.2 - X509TrustManagerExtensions
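
Public key pinning as listed above, sketched as an added example (not code from the deck or from the AndroidPinning library): a trust manager that keeps the platform's chain validation and then requires the server's public key to match a pinned SHA-256 value. The class name, the hex pin format and the `pinnedContext` helper are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager system; // platform trust manager, still does chain validation
    private final Set<String> pins;        // hex SHA-256 of the server key's SubjectPublicKeyInfo
    PinningTrustManager(X509TrustManager system, Set<String> pins) { this.system = system; this.pins = pins; }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkServerTrusted(chain, authType); // expiry, signatures, trust anchor
        // Pin the leaf only: chain[] is what the peer sent, so extra certs in it prove nothing.
        if (!pins.contains(spkiSha256(chain[0]))) {
            throw new CertificateException("Server public key does not match any pin");
        }
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }

    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : d) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    static SSLContext pinnedContext(Set<String> pins) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = platform default trust store
        X509TrustManager system = (X509TrustManager) tmf.getTrustManagers()[0]; // default factory yields one X509TrustManager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(system, pins) }, null);
        return ctx;
    }
}
```

To pin an intermediate or root key instead of the leaf, match against the validated chain returned by `X509TrustManagerExtensions.checkServerTrusted` rather than the array the peer supplied, and ship at least one backup pin so a key rotation does not lock the app out.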

Slide 24

Slide 24 text

SSL: wipe the slate clean
•  Don't use a CA!
•  Server side
   o  create your own 4096bit signing certificate (keep offline)
   o  sign your certs for the web services
•  Client/app
   o  include the signing cert (in a keystore)
   o  validate against it

Slide 25

Slide 25 text

Make your app harder to pirate
•  Google License Verification Library
   o  Modify LVL source as much as possible
   o  com.android.vending.licensing.*
   o  Focus on core of the LVL logic: LicenseChecker and LicenseValidator.
•  Offload license validation to a trusted server

Slide 26

Slide 26 text

Tamper resistance
•  Checksum of the app code with validation check on server or unlocker app
•  Reflection based tamper checks
•  Check installer is from play store
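
Two of the checks above, plus the debuggable-flag check from the misc tips, written out as an added example (not code from the deck). The class and method names are hypothetical, and hashing only `classes.dex` is an assumption about what "app code" covers.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.zip.ZipFile;

public final class TamperChecks {
    private static final String PLAY_STORE = "com.android.vending";

    // True only when the Play Store app is recorded as the installer of this package.
    static boolean installedFromPlayStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE.equals(installer); // installer may be null, so compare this way round
    }

    // A release build should not carry the debuggable flag.
    static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // SHA-256 of classes.dex inside the installed APK, as lowercase hex.
    // Send it to your server and compare there; a check done only on-device can be patched out.
    // Covers the primary dex only; multidex apps would also hash classes2.dex and so on.
    static String dexSha256(Context ctx) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        ZipFile apk = new ZipFile(ctx.getPackageCodePath());
        try {
            InputStream in = apk.getInputStream(apk.getEntry("classes.dex"));
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                md.update(buf, 0, n);
            }
            in.close();
        } finally {
            apk.close();
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }
}
```

The expected checksum has to be recorded per release build on the server side, since every new build changes it.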

Slide 27

Slide 27 text

Obfuscation: Proguard
•  Proguard has been around for 10+ years
•  Project properties file, uncomment #proguard.config=
•  Only applied when building release versions
•  Entry points should be excluded
   -keep public class * extends android.app.Activity
•  Most popular 3rd party libs/jars come with proguard config
•  Bonus: ~50% reduction in .apk size

Slide 28

Slide 28 text

Obfuscation: Dexguard
•  Optimize and obfuscate tuned for the Android platform/Dalvik bytecode.
•  Encrypt strings
•  Encrypt entire classes
•  Hide access to sensitive APIs
•  Add tamper detection
•  Thoroughly remove Android logging code
•  More info: http://www.saikoa.com/

Slide 29

Slide 29 text

Remove logging using Proguard

Slide 30

Slide 30 text

Device Management Policies
•  Since Android 2.2
•  Enforce
   o  Device lock
   o  Passcode type (pin, pattern)
   o  Password complexity
   o  Device encryption (3.0+)
   o  Device wipe
•  New policies are added in each release
•  Policies set by different apps can only change policies to make them stronger
•  Cannot uninstall an app while the device admin is still active

Slide 31

Slide 31 text

Device Management Policies
•  Define a policy as an xml resource
•  Reference in manifest
•  Create a Device Administration broadcast receiver
•  Implement a Device Policy Controller
   o  DevicePolicyManager.isAdminActive?

Slide 32

Slide 32 text

Misc tips
Validation
•  User input - SQL Injection
Anti tamper
•  Detect rooted device
•  Detect emulator
•  isDebuggable?
Web views
•  Disable JavaScript
•  Use https
•  Validate URLs
•  Restrict JavaScript interface

Slide 33

Slide 33 text

Misc tips
Avoid unsecured components
•  Don't use SMS for sensitive data
•  Don't use SD card
•  Avoid sensitive data in public intents
•  Avoid sensitive data in sticky broadcasts
•  android:allowBackup="false"
GUID (Privacy concern)
•  Generate a large unique number
•  Don't use phone number or IMEI

Slide 34

Slide 34 text

Misc tips: development practices
Infrastructure
•  Code
•  Keystore and password
•  App store user credentials
   o  Enable 2 step authentication
   o  Grant access rather than share account details
Process
•  Educate developers
   o  Don't ignore the lint warnings
•  Audit / security code review

Slide 35

Slide 35 text

Summary
•  Go hack your own apps
•  Using https isn't enough: pin your certs
•  Encrypt app data
•  Proguard your apps
•  Android is getting more secure

Slide 36

Slide 36 text

Q&A @scottyab

Slide 37

Slide 37 text

Bonus Slides
Security features of Jelly Bean (Android 4.1 & 4.2)

Slide 38

Slide 38 text

Security enhancements in Jelly Bean
*Data collected during a 14-day period ending on March 4, 2013

Slide 39

Slide 39 text

Security enhancements in Jelly Bean
•  New implementation of SecureRandom
•  JavaScript interface methods in WebViews must now be annotated (@JavascriptInterface)
•  Application verification

Slide 40

Slide 40 text

Security enhancements in Jelly Bean
•  Content Provider default access has changed
•  Remote blacklisting CAs
•  Secure USB debugging
•  Hidden developer options

Slide 41

Slide 41 text

Ref/More info...
•  Using Cryptography to Store Credentials Safely
   http://android-developers.blogspot.co.uk/2013/02/using-cryptography-to-store-credentials.html
•  Security Enhancements in Jelly Bean
   http://android-developers.blogspot.co.uk/2013/02/security-enhancements-in-jelly-bean.html
•  Security Tips
   https://developer.android.com/training/articles/security-tips.html
•  42 tips on app security
   https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/
•  Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
   http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
@scottyab