Slide 1

Securing your Android network calls, from 2009 to 2019

Slide 2

Who am I? OHAYON MICHAËL, Android consultant, @mikkL, Xebian for 3 years

Slide 3

Everyone owns a phone with applications on it

Slide 4

Top applications on the Google Play Store: #3 Netflix, #8 WhatsApp, #27 Microsoft Outlook, #54 Doctolib, #106 Crédit Agricole, #109 Assurance maladie

Slide 5

Top applications on the Google Play Store, with the data each one holds: #3 Netflix (general password), #8 WhatsApp (messages, photos), #27 Microsoft Outlook (work), #54 Doctolib (medical), #106 Crédit Agricole (banking), #109 Assurance maladie (identity, medical)

Slide 6

Let's look at how the web updated its security standards

Slide 7

1997

Slide 8

The web in 1997

Slides 9-13

HTTP 1.1

Slide 14

2006

Slide 15

The web in the 2000s

Slide 16

2008

Slides 17-19

Today, we're making it even easier for you to use https to protect your mail every time you access it. We've added an option to Settings to always use https. If you don't regularly log in via unencrypted wireless connections at coffee shops or airports or college dorms, then you might not need this additional layer of security. But if you want to always use https, then this setting makes it super easy. Whenever you forget to type https://mail.google.com, we'll add the https for you. https://gmail.googleblog.com/2008/07/making-security-easier.html 24 July 2008

Slide 20

2009

Slide 21

23 September 2009

Slide 22

2009: Android 1.6

Slide 23

Why is HTTPS so important? Is it hard to intercept HTTP traffic?

Slides 24-32

ARP spoofing in 2 minutes

Slide 33

Without HTTPS, anyone can see what is going on

Slide 34

We now use https by default for all Facebook users. This feature, which we first introduced as an option two years ago, means that your browser is told to communicate with Facebook using a secure connection, as indicated by the "https" rather than "http" in https://www.facebook.com. https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/ 31 July 2013

Slide 35

How does HTTPS work?

Slide 36

Public key infrastructure https://www.thesslstore.com/blog/root-certificates-intermediate

Slide 37

Public key infrastructure https://android.googlesource.com/platform/system/ca-certificates/+/master/files

Slides 38-39

Public key infrastructure

Slide 40

Why did deploying HTTPS take so long?

Slide 41

Technical prerequisites: advanced access to the server is required, not just FTP access.

Slide 42

Price: why pay when it already works?

Slide 43

Lack of documentation

Slide 44

Lack of automation tools

Slide 45

Not so simple

Slide 46

2016

Slide 47

This specification defines "secure contexts", thereby allowing user agent implementers and specification authors to enable certain features only when certain minimum standards of authentication and confidentiality are met. https://www.w3.org/TR/secure-contexts 15 September 2016

Slide 48

Warning: Direct access to the camera is a powerful feature. It requires consent from the user, and your site MUST be on a secure origin (HTTPS). https://developers.google.com/web/fundamentals/media/capturing-images/ 15 September 2016

Slide 49

2018

Slide 50

"Chrome will mark all HTTP sites as 'not secure' starting in July" https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl 8 February 2018

Slide 51

Slide 51 text

Android 9

Slide 52

Is it easy to move to HTTPS?

Slide 53

Is it easy to move to HTTPS? YES!

Slide 54

No content

Slide 55

Will all my security problems be solved?

Slide 56

Will all my security problems be solved? NO

Slide 57

What are the risks of this system?

Slide 58

Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices and the agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37. https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/ 23 March 2015

Slide 59

China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program. https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/ 23 March 2015

Slide 60

Abuse of trust https://www.thesslstore.com/blog/root-certificates-intermediate/

Slide 61

Late on December 3rd, we became aware of unauthorized digital certificates for several Google domains. We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to ANSSI, a French certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate. In response, we updated Chrome’s certificate revocation metadata immediately to block that intermediate CA, and then alerted ANSSI and other browser vendors. Our actions addressed the immediate problem for our users. https://security.googleblog.com/2013/12/further-improving-digital-certificate.html 7 December 2013

Slide 62

Is this possible on Android?

Slide 63

Is this possible on Android? YES

Slide 64

The "debug" example

Slides 65-66

Abuse of trust

Slide 67

Automation

Slide 68

How to prevent it?

Slide 69

How to prevent it? Can I control everything?

Slide 70

Private certification

Slide 71

Can I do everything?

Slide 72

Can I do everything? It depends

Slide 73

Can I do everything? No, when the devices are not administered by you, as with a public website.

Slide 74

Can I do everything? Yes, if you control the devices or the verification code.

Slide 75

OkHttp CertificatePinner on Android

Slide 76

Congratulations! You have learned certificate pinning.

Slide 77

No content

Slide 78

Should I pin my certificates? YES (think about long-term maintenance)
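An added example, not code from the talk, showing the OkHttp CertificatePinner of slide 75 together with the long-term maintenance point of slide 78 (a backup pin so that a server key rotation does not lock out installed apps, and a fail-closed error path). It assumes OkHttp 4; the host and the two pin values are placeholders to be replaced with the SHA-256 of your own server key's SubjectPublicKeyInfo.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

// Placeholder host and pins (assumptions, not real values). A pin is the
// base64 SHA-256 of the SubjectPublicKeyInfo; compute it from a certificate
// object with CertificatePinner.pin(cert), or from a PEM file with:
//   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
//     | openssl dgst -sha256 -binary | openssl enc -base64
const val API_HOST = "api.example.com"
const val PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
const val PIN_BACKUP = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="

fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        // Pin the key currently in use plus a backup key kept offline:
        // when the server key is rotated to the backup, already-installed
        // apps keep working instead of being bricked by their own pin.
        .add(API_HOST, PIN_CURRENT, PIN_BACKUP)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()
}

fun fetchProfile(client: OkHttpClient): String? {
    val request = Request.Builder().url("https://$API_HOST/me").build()
    return try {
        client.newCall(request).execute().use { response ->
            if (response.isSuccessful) response.body?.string() else null
        }
    } catch (e: SSLPeerUnverifiedException) {
        // The device trust store accepted the chain, but no public key in it
        // matches a pin: an interception proxy certificate or an unexpected
        // CA. Fail closed (never retry with an unpinned client) and log it.
        null
    }
}
```

Pinning checks the public key, not the whole certificate, so the server can renew its certificate with the same key without touching the app.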

Slide 79

Will all my worries be solved?

Slide 80

Will all my worries be solved? No (but most of them, yes)

Slide 81

What should I be wary of?

Slide 82

What should I be wary of? Social engineering

Slide 83

Social engineering https://www.androidpolice.com/2018/06/03/fake-fortnite-apks-dont-tricked-downloading-one/

Slide 84

What should I be wary of?

Slide 85

What should I be wary of? Reverse engineering

Slide 86

Decompilation https://blog.bramp.net/post/2015/08/01/decompile-and-recompile-android-apk/

Slide 87

Call interception

Slides 88-89

Automation https://github.com/ac-pm/SSLUnpinning_Xposed

Slide 90

Should I worry?

Slide 91

Should I worry? On the mobile side, no.

Slide 92

Should I worry? On the mobile side, no. The server team should be wary.

Slide 93

Summary
● It is time to move to HTTPS if you have not already done so.
● Certificate pinning is good practice.
● The standard delivery channels are generally preferable.
● Traffic can be inspected under certain conditions.
● The risk on the mobile side is limited, but not on the server side.

Slide 94

Any questions? @Xebiconfr - #Xebicon19