Android App Security on a Budget

Even with all the time and budget in the world you can't make a completely bulletproof app, so how do you stand a chance with a real-world app? Real-world apps have limited budgets, are short on time, and their task priorities are often decided by security-oblivious clients or project managers.

So what can we developers do to increase our app's security and help protect our professional reputation? Where should we focus our app security effort? Isn't security really difficult? And what gives us the biggest bang for our buck?

We will answer these questions and show that improving your security need not be technically challenging or time consuming. I'll also illustrate that it doesn't necessarily need buy-in from stakeholders. We'll be using commercially viable open source libraries to level up your app's network verification, tamper protection, device integrity checks and more, while keeping a shoestring budget in mind.

Scott Alexander-Bown

April 21, 2016
Transcript

  1. Scott Alexander-Bown
     Developer - Android
     Author - Android Security Cookbook
     Organiser - SWmobile group
     @SCOTTYAB
  2. App: Acme Corp
     Disclaimer: all characters appearing in this work are fictitious. Any resemblance to real persons, living or dead, is purely coincidental.
  3. 3 Sneaky Sprints
     1. Connection between app and API/server
     2. Device integrity and data
     3. APK integrity and protection
  4. Patch against SSL exploits
     - Android relies on a security 'Provider' to provide secure network communications.
     - Google Play Services provides a way to update the device security provider:
       ProviderInstaller.installIfNeeded(getContext());
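The slide gives the single call; the surrounding error handling is what usually gets skipped. The following helper is an added example (not code from the deck) showing how `installIfNeeded` is wrapped so that the two failure modes Play services can report are handled rather than crashing the app. It assumes the Play services `com.google.android.gms.security.ProviderInstaller` and `GoogleApiAvailability` classes are on the classpath.

```java
import android.content.Context;
import android.util.Log;

import com.google.android.gms.common.GoogleApiAvailability;
import com.google.android.gms.common.GooglePlayServicesNotAvailableException;
import com.google.android.gms.common.GooglePlayServicesRepairableException;
import com.google.android.gms.security.ProviderInstaller;

/**
 * Asks Google Play services to update the device's security Provider before
 * the app sends any TLS traffic. installIfNeeded() blocks, so call this from a
 * background thread (e.g. an AsyncTask kicked off in Application.onCreate()).
 */
public final class SecurityProviderUpdater {
    private static final String TAG = "SecurityProviderUpdater";

    private SecurityProviderUpdater() {}

    /**
     * @return true if the provider is current (or was just patched), false if
     *         it could not be updated and the platform's stock provider is in use.
     */
    public static boolean updateSecurityProvider(Context context) {
        try {
            ProviderInstaller.installIfNeeded(context.getApplicationContext());
            return true;
        } catch (GooglePlayServicesRepairableException e) {
            // Play services is installed but needs a user action (update or enable).
            // Surface the standard Play services notification so the user can fix it;
            // TLS keeps working with the unpatched provider in the meantime.
            GoogleApiAvailability.getInstance()
                    .showErrorNotification(context, e.getConnectionStatusCode());
            return false;
        } catch (GooglePlayServicesNotAvailableException e) {
            // No Play services on this device (some forks, emulators): nothing to patch.
            Log.w(TAG, "Google Play services unavailable, security provider not updated");
            return false;
        }
    }
}
```

The return value lets the app log or report how many devices are running with the stock provider, which is useful evidence when arguing for the work with stakeholders.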
  5. SSL/TLS Pinning
     What is SSL pinning?
     - Pinning limits the trusted root CAs
     - Devices ship with 100+ Certificate Authorities (CAs) and users can install their own
     Two types of pinning:
     - Certificate pinning
     - Public key pinning
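Of the two pinning types on the slide, public key pinning survives certificate renewal as long as the key is kept, so it is the one shown here. This is an added example, not code from the deck: an `X509TrustManager` that first runs the platform's normal chain validation and then requires at least one certificate in the chain to carry a pinned SHA-256 hash of its SubjectPublicKeyInfo. The pin value and the URL are placeholders.

```java
import android.util.Base64;

import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Public key pinning layered on top of the device's normal CA validation. */
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager platform;
    private final Set<String> pins; // base64(SHA-256(SubjectPublicKeyInfo)) values

    public PinningTrustManager(Set<String> spkiSha256Base64Pins) throws GeneralSecurityException {
        this.platform = platformTrustManager();
        this.pins = new HashSet<>(spkiSha256Base64Pins);
    }

    private static X509TrustManager platformTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the device's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("No X509TrustManager available");
    }

    /** Same value that HPKP / OkHttp-style "sha256/..." pins use. */
    public static String spkiSha256(X509Certificate cert) throws GeneralSecurityException {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkServerTrusted(chain, authType); // ordinary path validation first
        try {
            for (X509Certificate cert : chain) {
                // Leaf, intermediate or root may match, which is what lets you keep a backup pin.
                if (pins.contains(spkiSha256(cert))) return;
            }
        } catch (GeneralSecurityException e) {
            throw new CertificateException("Could not compute public key pin", e);
        }
        throw new CertificateException("Certificate chain did not match any pinned public key");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();
    }

    /** Opens an HTTPS connection that will fail the handshake unless a pin matches. */
    public static HttpsURLConnection openPinnedConnection(URL url, Set<String> pins)
            throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(pins) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    // Placeholder pin set; replace with your API's current key and a backup key.
    public static final Set<String> API_PINS = new HashSet<>();
    static {
        API_PINS.add("REPLACE_WITH_BASE64_SHA256_OF_API_SPKI");
        API_PINS.add("REPLACE_WITH_BASE64_SHA256_OF_BACKUP_SPKI");
    }
}
```

Compute a pin from a PEM certificate with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. Always ship at least one backup pin for a key you hold offline, otherwise a key compromise or lost key locks every installed copy of the app out of your API until an update ships.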
  6. WebView
     - Disable risky settings: JavaScript, file access
     - Whitelist URLs / domains
     https://gist.github.com/scottyab/6f51bbd82a0ffb08ac7a
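As an added example (not the gist linked on the slide), here is one way to apply both bullet points to a `WebView`: switch off the risky settings and route every navigation through a host allow-list. The hostnames in `ALLOWED_HOSTS` are constructed placeholders.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class HardenedWebView {
    // Constructed allow-list; replace with the hosts your app really needs.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("api.example.com", "www.example.com"));

    private HardenedWebView() {}

    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);     // turn on only if the content you load needs it
        s.setAllowFileAccess(false);       // no file:// URLs
        s.setAllowContentAccess(false);    // no content:// URLs
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // Stops a local file page from reading other local files or any origin.
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        s.setGeolocationEnabled(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // true = cancel the navigation, so anything off the allow-list is dropped.
                // Note this only covers top-level navigations; subresources (scripts,
                // images, iframes) need shouldInterceptRequest() if they matter to you.
                return !isAllowed(url);
            }
        });
    }

    /** Use this instead of webView.loadUrl(), which bypasses shouldOverrideUrlLoading(). */
    public static boolean loadIfAllowed(WebView webView, String url) {
        if (!isAllowed(url)) return false;
        webView.loadUrl(url);
        return true;
    }

    /** https only, and the host must equal or be a subdomain of an allowed host. */
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) return false;
        host = host.toLowerCase(Locale.ROOT);
        for (String allowed : ALLOWED_HOSTS) {
            if (host.equals(allowed) || host.endsWith("." + allowed)) return true;
        }
        return false;
    }
}
```

Matching on `Uri.getHost()` rather than a substring of the URL string is the important detail: `https://api.example.com.evil.test/` and `https://evil.test/?u=api.example.com` both contain the allowed name but neither passes this check.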
  7. Device Integrity
     Check the execution environment
     - Root check: RootBeer - https://github.com/scottyab/rootbeer
     - SafetyNet API (Google Play services): SafetyNet Wrapper - https://github.com/scottyab/safetynethelper
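The root check from the slide, as an added example rather than the library's own sample: RootBeer's `isRooted()` is used as an advisory signal to choose how much the app will do on the device. It assumes the `com.scottyab.rootbeer` artifact is on the classpath; the `Posture` enum and the policy are constructed for the example.

```java
import android.content.Context;

import com.scottyab.rootbeer.RootBeer;

public final class DeviceIntegrity {
    private DeviceIntegrity() {}

    /** What the app is willing to do on this device. Constructed for the example. */
    public enum Posture {
        FULL,        // all features
        RESTRICTED   // e.g. no cached credentials, no offline copy of sensitive data
    }

    /**
     * RootBeer runs a set of heuristics (su binary, root management apps, dangerous
     * system properties, writable /system, test-keys build, ...) and returns true
     * if any of them fires. Run it off the main thread; it touches the filesystem.
     */
    public static boolean looksRooted(Context context) {
        return new RootBeer(context).isRooted();
    }

    /**
     * A root check can be hidden from by a determined user, so it is treated as
     * risk reduction: degrade what the app stores locally rather than hard-failing,
     * and keep the real secrets server-side.
     */
    public static Posture decidePosture(Context context) {
        return looksRooted(context) ? Posture.RESTRICTED : Posture.FULL;
    }
}
```

If the busybox heuristic produces false positives on some handsets, RootBeer also exposes `isRootedWithoutBusyBoxCheck()`; which one to use is a product decision about how many legitimate users you are prepared to restrict.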
  8. Encrypt (obfuscate) Data
     - Shared preferences: replace with secure-preferences (or Hawk) - https://github.com/scottyab/secure-preferences
     - SQLite: replace with SQLCipher for Android - https://github.com/sqlcipher/android-database-sqlcipher
     - Realm: has an encryption option - https://github.com/realm/realm-java/tree/master/examples/encryptionExample
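The first two replacements on the slide are drop-in swaps, which is the budget argument. This added example (not the libraries' own sample code) shows both: `SecurePreferences` is returned through the standard `SharedPreferences` interface so the rest of the app is untouched, and a `SQLiteOpenHelper` is switched to SQLCipher's package so the only change is a passphrase on open. The table name and database name are constructed.

```java
import android.content.Context;
import android.content.SharedPreferences;

import com.securepreferences.SecurePreferences;

import net.sqlcipher.database.SQLiteDatabase;
import net.sqlcipher.database.SQLiteOpenHelper;

public final class EncryptedStorage {
    private EncryptedStorage() {}

    /**
     * Replacement for context.getSharedPreferences(): keys and values are
     * encrypted on disk. With the no-password constructor the library manages
     * its own key on the device, so this raises the bar against a casual look
     * at /data/data/<pkg>/shared_prefs rather than against a determined
     * attacker with the device (the deck's "encrypted data is really only obfuscated").
     */
    public static SharedPreferences securePrefs(Context context) {
        return new SecurePreferences(context);
    }

    /** Same shape as android.database.sqlite.SQLiteOpenHelper, imports aside. */
    public static class NotesDbHelper extends SQLiteOpenHelper {
        private static final String DB_NAME = "notes.db"; // constructed
        private static final int DB_VERSION = 1;

        public NotesDbHelper(Context context) {
            super(context, DB_NAME, null, DB_VERSION);
            SQLiteDatabase.loadLibs(context); // SQLCipher native libraries, once before first use
        }

        @Override
        public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE notes (_id INTEGER PRIMARY KEY, body TEXT NOT NULL)");
        }

        @Override
        public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
            db.execSQL("DROP TABLE IF EXISTS notes");
            onCreate(db);
        }

        /**
         * The passphrase is the whole security boundary. A string constant in the
         * APK is recoverable after decompiling; derive it from user input or keep
         * it in the Android KeyStore where the platform supports it.
         */
        public SQLiteDatabase open(String passphrase) {
            return getWritableDatabase(passphrase);
        }
    }
}
```

The same caveat applies to Realm's encryption option: where the key lives decides whether the feature is encryption or, as slide 14 puts it, obfuscation.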
  9. Tamper check
     - Android requires all apps to be digitally signed
     - Consistent for life of app
     - Needed to publish app updates
  10. Build time
     1. Get your certificate signature:
        $ keytool -list -v -keystore your_app.keystore
     2. Embed in app:
        String CERTIFICATE_SHA1 = "71920AC9486E087DCBCF5C7F6F…";
  11. Run time
     3. Get the Signature from the PackageManager
     4. Hash the Signature
     5. Compare the signature hash strings
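Steps 1 to 5 from slides 10 and 11 as one piece of working code. This is an added example, not the deck's or the linked airpair article's code. The fingerprint constant is a placeholder (the deck's own value is truncated); it is the `keytool -list -v` SHA-1 with the colons removed, which matches the hex format produced below.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public final class TamperCheck {
    // Step 2: SHA-1 of the release signing certificate from
    //   keytool -list -v -keystore your_app.keystore
    // with the colons stripped. Placeholder value.
    private static final String CERTIFICATE_SHA1 = "REPLACE_WITH_YOUR_RELEASE_CERT_SHA1";

    private TamperCheck() {}

    /**
     * Steps 3-5: read the APK's signing certificate(s) from the PackageManager,
     * hash each one and compare with the embedded fingerprint.
     * Returns false on any error so a failure cannot be mistaken for a pass.
     */
    public static boolean isSignedByUs(Context context) {
        try {
            PackageInfo info = context.getPackageManager()
                    .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) return false;
            for (Signature signature : info.signatures) {
                // Signature.toByteArray() is the DER-encoded X.509 certificate,
                // the same bytes keytool fingerprints.
                if (!CERTIFICATE_SHA1.equalsIgnoreCase(sha1Hex(signature.toByteArray()))) {
                    return false; // every signer on the APK must be ours
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Upper-case hex without separators, e.g. "71920AC9...". */
    static String sha1Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format(Locale.ROOT, "%02X", b));
        }
        return sb.toString();
    }
}
```

Debug builds are signed with the debug keystore, so this returns false during development; either skip the check when `BuildConfig.DEBUG` is set or embed the debug fingerprint as a second accepted value. Whoever re-signs the APK can also patch this method out, which is why the deck pairs the check with ProGuard on slide 15: the point is to make re-compilation expensive, not impossible.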
  12. Obfuscation: ProGuard
     - Java code obfuscator
     - Part of the Android SDK (free!)
     - To turn on: minifyEnabled=true
  13. ProGuard tips
     - Add to config when you add a new lib
     - Strip Log statements
     - Crash stack traces
     - Gradle ProGuard plugin: https://github.com/hotchemi/gradle-proguard-plugin
     - Consider: DexGuard (paid)
  14. Cons
     - More code == more complexity
     - APK file size was larger
     - Slower to start up
     - Encrypted data is really only obfuscated
     - ProGuard config was time consuming
     - No credit for our hard work
  15. Pros
     - Less vulnerable to MITM
     - WebViews are less vulnerable to XSS attacks
     - Curious rooted users cannot simply edit our db and pref data
     - Rooted users will struggle
     - Re-compilation is hampered by the tamper check
     - Understanding the decompiled code is hampered by the obfuscation
  16. Strength (chart): SSL/TLS, SSL pinning, whitelist WebView, check for root, encrypt data at rest, tamper check, obfuscate
  17. Resources
     - Secure mobile development best practices - https://github.com/nowsecure/secure-mobile-development
     - OWASP Mobile security risks - http://bit.ly/owaspmobile
     - Android security cookbook - http://bit.ly/MscEFu
     - Best Practices for Security & Privacy - https://developer.android.com/training/best-security.html
     - Adding Tamper detection to your apps - https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app
  18. Good practices…
     - Using SSL for API
     - Using Context.MODE_PRIVATE
     - Not using the SD card to store anything
     - Not logging user details to Android.Log