Android N Security Overview - Mobile Security Saturday at Ciklum

Royce Mars

January 07, 2017

Transcript

1. Android N Security Overview
   Constantine Mars, Sr. Android Developer @ DataArt, GDG Dnipro Co-Organizer
   +ConstantineMars @ConstantineMars
2. UX Guidelines for Permissions (M)
   • Educate in context for secondary permissions
   • Educate up-front for critical permissions
   • Receive "yes" in 85% of cases
   • 15.8% "no"
   • 3% "never ask again"
3. Android Keystore
   Android Keystore lets you store cryptographic keys in a container that makes them more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations while the key material remains non-exportable. The Keystore system is used by the KeyChain API as well as the Android Keystore provider feature that was introduced in Android 4.3 (API level 18).
4. Android Keystore
   Key material may be bound to the secure hardware (e.g., Trusted Execution Environment (TEE), Secure Element (SE)) of the Android device. A wide range of algorithms is supported.
5. Key Attestation (N)
   Key Attestation gives you more confidence that the keys you use in your app are stored in a device's hardware-backed keystore. Key attestation allows you to verify that an RSA or EC key pair has been created and stored in a device's hardware-backed keystore within the device's trusted execution environment (TEE).
6. Best practices
   • Check KeyguardManager.isDeviceSecure() to verify that the device has a secure lock screen (PIN, pattern or password) before creating keys that depend on user authentication.
   • Use setUserAuthenticationValidityDurationSeconds during key generation to set how long a user authentication remains valid for the key.
7. Best practices
   If no fingerprint is available, fall back to Gatekeeper (the lock-screen credential) via KeyguardManager.createConfirmDeviceCredentialIntent.
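The following is an added example (not code from the deck) that puts slides 5 to 7 together: it refuses to create the key on a device without a lock screen, generates an EC P-256 key in AndroidKeyStore with an attestation challenge and a 30-second authentication window, and, when that window has expired, falls back to the Gatekeeper prompt from createConfirmDeviceCredentialIntent. The key alias, request code and validity window are assumptions.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.spec.ECGenParameterSpec;

/** Hardware-backed, attested, user-auth-bound EC signing key (API 24+). */
public class AttestedSigningKey {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "example_signing_key";   // assumed alias
    public static final int REQ_CONFIRM_CREDENTIAL = 0x5EC;      // assumed request code
    private static final int AUTH_VALID_SECONDS = 30;            // assumed validity window

    /**
     * Creates the key pair and returns its certificate chain. The first certificate carries
     * the attestation extension; the whole chain is sent to the server, which verifies it
     * and compares the challenge it issued against the one recorded in the extension.
     */
    public static Certificate[] generate(Context ctx, byte[] serverChallenge) throws Exception {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        if (!km.isDeviceSecure()) {
            // Without a lock screen there is no credential to bind the key to; do not proceed.
            throw new IllegalStateException("Device has no secure lock screen");
        }
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true)
                // Any lock-screen or fingerprint authentication unlocks the key for this long.
                .setUserAuthenticationValidityDurationSeconds(AUTH_VALID_SECONDS)
                // Binds the attestation certificate to this server-supplied challenge.
                .setAttestationChallenge(serverChallenge)
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
        kpg.initialize(spec);
        kpg.generateKeyPair();                       // private key never leaves the keystore
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return ks.getCertificateChain(ALIAS);
    }

    /**
     * Signs data with the key. Returns null when the authentication window has expired;
     * in that case the Gatekeeper credential prompt is launched and the caller retries
     * from onActivityResult once it returns RESULT_OK.
     */
    public static byte[] sign(Activity activity, byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        try {
            sig.initSign(key);                        // throws if authentication is stale
            sig.update(data);
            return sig.sign();
        } catch (UserNotAuthenticatedException e) {
            KeyguardManager km =
                    (KeyguardManager) activity.getSystemService(Context.KEYGUARD_SERVICE);
            Intent prompt = km.createConfirmDeviceCredentialIntent(
                    "Confirm your screen lock", "Needed to sign this request");
            if (prompt == null) {
                // Lock screen was removed after key creation; the key is no longer usable.
                throw new IllegalStateException("Screen lock removed since key creation", e);
            }
            activity.startActivityForResult(prompt, REQ_CONFIRM_CREDENTIAL);
            return null;
        }
    }
}
```

The attestation chain is only meaningful when verified off the device: the server checks that it chains to Google's attestation root and parses the attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) in the leaf to confirm the challenge, the security level and the key's authorizations. An app checking its own attestation proves nothing, since a compromised app can be patched to skip the check.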
8. Debug-overrides
   • Eliminate debugging-related code in your release build.
   • Avoid writing custom code that removes security for debug and shipping it.
   When debugging an app that connects over HTTPS you may want to connect to a local development server, which does not have the SSL certificate for your production server. In order to support this without any modification to your app's code you can specify debug-only CAs that are only trusted when android:debuggable is true by using debug-overrides.
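What such a configuration looks like, as an added example that is not from the deck: res/xml/network_security_config.xml, referenced from the manifest's application element with android:networkSecurityConfig="@xml/network_security_config". The raw resource name debug_ca is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Release behaviour: trust the system CA store only, and refuse cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Honoured only while android:debuggable="true" (the debug build type). The platform
         ignores this section in release builds, so the dev CA never ships as trusted. -->
    <debug-overrides>
        <trust-anchors>
            <!-- res/raw/debug_ca.pem: the local dev server's CA (assumed file name) -->
            <certificates src="@raw/debug_ca" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The contrast worth noticing is with the shortcut this replaces: putting the dev CA, or `<certificates src="user" />`, into base-config so the build "just works" means release builds trust that CA (or any user-installed CA) too, which is exactly the debug-only code path the first two bullets warn against shipping.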
9. Storage Encryption
   • Encryption required for all capable devices (M)
   • Backed by hardware and TrustZone (N)
   • Better UX with Direct Boot (N)
10. Direct Boot
   • Boot directly to the lock screen
   • Calls, SMS, TalkBack and alarms work after a device reboot, before unlock
   • Per-user disk encryption
11. Direct Boot
   • Credential encrypted storage, which is the default storage location and is only available after the user has unlocked the device.
   • Device encrypted storage, which is a storage location available both during Direct Boot mode and after the user has unlocked the device.
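An added example (not from the deck) of how an app splits its data between the two storage areas on N. Device encrypted (DE) storage is unlocked by hardware-bound keys at boot, before any credential is entered, so only data that is needed before first unlock and is not sensitive belongs there; everything else stays in the default credential encrypted (CE) storage. The preference file names and keys are assumptions.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.UserManager;

/** Placement of app data across Direct Boot storage areas (API 24+). */
public class DirectBootStorage {
    private static final String BOOT_PREFS = "boot_prefs";   // assumed file name
    private static final String USER_PREFS = "user_prefs";   // assumed file name

    /** Alarm schedule, ringtone choice, etc.: readable in Direct Boot mode. */
    public static SharedPreferences deviceProtectedPrefs(Context ctx) {
        Context de = ctx.createDeviceProtectedStorageContext();
        return de.getSharedPreferences(BOOT_PREFS, Context.MODE_PRIVATE);
    }

    /** Tokens, message content, anything private: available only after unlock. */
    public static SharedPreferences credentialProtectedPrefs(Context ctx) {
        return ctx.getSharedPreferences(USER_PREFS, Context.MODE_PRIVATE);
    }

    /** True once the user has entered their credential and CE storage is readable. */
    public static boolean isUserUnlocked(Context ctx) {
        return ctx.getSystemService(UserManager.class).isUserUnlocked();
    }

    /** One-time migration of a pre-N preferences file that must now be readable before unlock. */
    public static boolean migrateToDeviceProtected(Context ctx, String prefsName) {
        return ctx.createDeviceProtectedStorageContext()
                .moveSharedPreferencesFrom(ctx, prefsName);
    }

    /**
     * Declared in the manifest with android:directBootAware="true" and registered for
     * android.intent.action.LOCKED_BOOT_COMPLETED, which fires before unlock. CE data is
     * touched only after ACTION_USER_UNLOCKED (or when isUserUnlocked() is true); reading
     * it earlier throws, because the CE keys are not yet available.
     */
    public static class BootReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(intent.getAction())) {
                long nextAlarmMs = deviceProtectedPrefs(ctx).getLong("next_alarm_ms", -1L);
                if (nextAlarmMs > 0) {
                    // reschedule the alarm with AlarmManager here; it needs no user secret
                }
            } else if (Intent.ACTION_USER_UNLOCKED.equals(intent.getAction())) {
                String token = credentialProtectedPrefs(ctx).getString("session_token", null);
                if (token != null) {
                    // resume work that needs the user's credential-protected data
                }
            }
        }
    }
}
```

The migration helper is the place mistakes happen: moving a whole preferences file into DE storage because one value is needed at boot silently downgrades every other value in it to protection by the device key alone, so split the file first and move only what Direct Boot actually requires.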
12. Verified Boot
   Verified boot guarantees the integrity of the device software starting from a hardware root of trust up to the system partition. During boot, each stage verifies the integrity and authenticity of the next stage before executing it. This capability can be used to warn users of unexpected changes to the software when they acquire a used device, for example.
13. SafetyNet
   A SafetyNet compatibility check allows your app to check whether the device it is running on matches the profile of a device that has passed Android compatibility testing. The compatibility check creates a device profile by gathering information about the device's hardware and software characteristics, including the platform build.
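An added example (not from the deck) of the two halves of a SafetyNet compatibility check: the app requests a signed attestation with a fresh nonce, and the claims in the returned JWS are checked against the nonce, package name and age. The request uses the Task-based SafetyNet client of current Play services, which is an assumption relative to the 2017 API; the freshness window is also assumed. Claim checking is written with Android's Base64 so the whole file compiles as one unit, but in practice it runs on the server, after the JWS signature has been verified.

```java
import android.content.Context;
import android.util.Base64;
import com.google.android.gms.safetynet.SafetyNet;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.function.Consumer;
import org.json.JSONObject;

public class SafetyNetCheck {
    private static final long MAX_AGE_MS = 2 * 60 * 1000L;   // assumed freshness window

    /** Nonce for one attestation. In production the server issues it and remembers it. */
    public static byte[] newNonce() {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    /** Asks Play services for the signed attestation (assumed Task-based client API). */
    public static void request(Context ctx, byte[] nonce, String apiKey,
                               Consumer<String> onJws, Consumer<Exception> onError) {
        SafetyNet.getClient(ctx).attest(nonce, apiKey)
                .addOnSuccessListener(r -> onJws.accept(r.getJwsResult()))
                .addOnFailureListener(onError::accept);
    }

    /**
     * Claim check. Call ONLY after the JWS signature has been verified against its x5c
     * chain and the leaf certificate's hostname attest.android.com; an unverified payload
     * is attacker-controlled text and proves nothing. The nonce claim is the standard
     * base64 encoding of the bytes passed to attest().
     */
    public static boolean claimsAcceptable(String jws, byte[] expectedNonce,
                                           String expectedPackage, long nowMs) throws Exception {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) {
            return false;                            // not header.payload.signature
        }
        byte[] payload = Base64.decode(parts[1], Base64.URL_SAFE | Base64.NO_WRAP);
        JSONObject c = new JSONObject(new String(payload, StandardCharsets.UTF_8));
        String nonceB64 = Base64.encodeToString(expectedNonce, Base64.NO_WRAP);
        return nonceB64.equals(c.optString("nonce"))                 // binds to our request
                && expectedPackage.equals(c.optString("apkPackageName"))
                && c.optBoolean("ctsProfileMatch", false)            // passed CTS profile
                && c.optBoolean("basicIntegrity", false)             // not obviously tampered
                && Math.abs(nowMs - c.optLong("timestampMs", 0L)) < MAX_AGE_MS;
    }
}
```

Checking the claims on the device, or skipping the signature verification because "the payload looks right", turns the check into a self-report that a rooted device or a repackaged app can forge; the nonce and timestamp checks are what stop a previously captured good result from being replayed.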
14. Sandboxing
   • SELinux
   • Seccomp (N)
   • Mediaserver hardening
   • ASLR randomness
   • Library load order randomization
   • Integrity monitoring
15. What is outside the N security topic?
   • Security assessment tools (Santoku, drozer, etc.)
   • Eternal secrets of ADB and the Manifest, logs, etc.
   • Exploits: sniffing network traffic, attacking services and providers
   • SQL injection
   • Man-in-the-middle attacks
   • Custom permission protection
   • ProGuard and DexGuard
   • Reverse engineering, DEX, GDB
   • Cross-compiling native executables
   • Securing SharedPreferences
   • SQLCipher
   • etc.
16. Links
   • Adrian Ludwig talk at Google I/O 2016: https://youtu.be/XZzLjllizYs?list=PLOU2XLYxmsILe6_eGvDN3GyiodoV3qNSC
   • FingerprintDialog sample: https://github.com/googlesamples/android-FingerprintDialog
   • Authentication samples for M: http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html
   • Android Application Security Essentials by Pragati Ogal Rai: https://www.packtpub.com/application-development/android-application-security-essentials
   • Google Security Blog: https://security.googleblog.com/
   • Android Security Bulletins: https://source.android.com/security/bulletin/
   • Annual Security Review: https://goo.gl/VpYom1
17. Thank you :)
   Constantine Mars, Sr. Android Developer @ DataArt, GDG Dnipro Co-Organizer
   +ConstantineMars @ConstantineMars