The Android Security Jungle: Pitfalls, Threats & Survival Tips

Transcript

1. The Android security jungle: pitfalls, threats and survival tips Scott

   Alexander-Bown @scottyab

2. The Jungle • Ecosystem • Google’s protection • Threats •

   Risks

3. • Network • Data protection (encryption) • App/device integrity •

   App binary security • Testing Survival

4. • Lead Android Dev (remote) at Intohand • Co-Author -

   Android Security Cookbook • Co-Founder of SWmobile Scott Alexander-Bown

5. 1.4 Billion users

6. OpenSignals.com

7. None

8. Security Services • Google Play • Approval process (human approval

   since 2015) • Developer security notifications • Android Bouncer • Android device manager (Device security) • Safety net (intrusion detection) • Android at Work

9. Slide Adrian Ludwig’s - Android Security State of the Union

10. Newer version of Android are more secure 1.5 stack buffer,

    integer overflow protection 2.3+ null pointer dereference mitigation, NX 4.0+ ASLR 4.1+ ASLR strengthened 4.3 Security-Enhanced Linux 5.0 Security-Enhanced Linux - enforcing Updatabled Webview (via playstore)

11. Threats

12. Threats: App Hijacking • Taking an app and adding malware

    • Concerns • Reversing Android apps is easy • No need for certificate authority • Sideload

13. “I ain’t got time to (heart)bleed”

14. None
15. None

16. OWASP • Mobile Security Project • iOS and Android •

    Top 10 risks • attack vectors • threat agents • impacts

17. OWASP top 10 risks • M1: Weak Server Side Controls

    • M2: Insecure Data Storage • M3: Insufficient Transport Layer Protection • M4: Unintended Data Leakage • M5: Poor Authorization and Authentication • M6: Broken Cryptography • M7: Client Side Injection • M8: Security Decisions Via Untrusted Inputs • M9: Improper Session Handling • M10: Lack of Binary Protections

18. Survival kit

19. Survival tips 1. Harden the network communications 2. Protect stored

    data (encryption) 3. Validate the device and app integrity 4. Increase binary security

20. Network communications • Use SSL / TLS! • Use the

    platform SSL/TLS validation (i.e don’t disable it!) • Use only strong cipher suites (128bit+) and TLS versions (TLS v1.2) • OkHttp 2.1 - https://publicobject.com/2014/11/12/okhttp-2-1/

21. Looks like you’re not using SSL pinning? • Devices ship

    with 100+ Certificate Authorities (CA) and users can install their own • Pinning limits the trusted root CA’s • Two types • Certificate pinning • Public Key pinning

22. Public key pinning

23. Patch against SSL exploits • Google Play Services provides a

    dynamic security provider • ProviderInstaller.installIfNeeded(getContext()); • https://developer.android.com/training/articles/security-gms- provider.html#patching

24. Tips

25. Password based encryption Code in a slide :’(

26. Encryption libraries • Conceal • https://facebook.github.io/conceal • SQL cipher https://www.zetetic.net/sqlcipher/sqlcipher-for-android/

    • Secure-Preferences (or Hawk) • https://github.com/scottyab/secure-preferences

27. Hardcoded encryption key

28. Verifying App integrity • Debuggable check • Apk Checksum •

    Signing certificate verification

29. Signing Certificate Verification Build-time Runtime 1. Get you certificate signature

    $keytool -list -v -keystore your_app.keystore 2. Embed in app String CERTIFICATE_SHA1 = “71920AC9486E087DCBCF5C7F6F…”; 3. Get the Signature from the PackageManager 4. Hash the Signature 5. Compare the signature hashes strings

30. Verifying device integrity • Emulator check • https://github.com/strazzere/a nti-emulator •

    Google SafteyNet test • https://github.com/scottyab/sa fetynethelper

31. root@android:/ # • Root apps / Dangerous apps • Suspect

    system properties • SU/BusyBox binaries • RW /system • https://github.com/scottyab/rootbeer

32. Obfuscation

33. ProGuard • Java code obfuscator • Part of the Android

    SDK • Free as in Beer! • ReTrace - Supported by Error handling services such as Crashlytics

34. DexGuard • Commercial version of ProGuard • Designed for Android

    and protection • Useful security utils - SSL Pinning, Root check, logging removal etc • My favourite features • String Encryption • API hiding
35. None

36. Quick Android Review Kit (Quak) • Python script • Works

    with .apk or source code • Automated tests • weaknesses • exploits • Creates exploit .apks • https://github.com/linkedin/qark
37. None

38. Click here for more! • 42+ Secure mobile development tips

    http://bit.ly/viafor42 • OWASP Mobile security risks http://bit.ly/owaspmobile • Android security cookbook [book] http://bit.ly/MscEFu • Android security internals [book] http://bit.ly/andsecint • Droidsec (whitepapers) droidsec.org/wiki
39. None
40. None

41. • @gotocph • @intohand • 20th Century Fox • Android

    security team Thanks

42. Questions? [email protected] @scottyab github.com/scottyab Please Remember to rate this session

    Thank you
43. None
44. None

45. WebView • Before • getSettings().setJavaScriptEnabled(false) • getSettings().setAllowFileAccess(false) • During •

    WebViewClient.shouldOverrideUrlLoading() • enforce local content or Https • Whitelisted hosts/urls • .shouldInterceptRequest() to intercept XmlHttpRequests • After • webview.clearCache(true)