
Android App Security on a Budget


Even with all the time and budget in the world you can't make a completely bulletproof app, so how do you stand a chance with a real-world app? Real-world apps have a limited budget, are short on time, and their task priorities are often decided by security-oblivious clients and project managers.

So what can we developers do to increase our app's security and help protect our professional reputation? Where should we focus our app security effort? Isn't security really difficult, and what gives us the biggest bang for our buck?

We will answer these questions and show that improving your security need not be technically challenging or time consuming. I'll also illustrate that it doesn't necessarily need buy-in from stakeholders. We'll be using commercially viable open source libraries to level up your app's network verification, tamper protection, device integrity checks and more, while keeping a shoestring budget in mind.

Scott Alexander-Bown

April 21, 2016

Transcript

  1. ANDROID APP SECURITY:
    ON A BUDGET
    SCOTT ALEXANDER-BOWN
    ANDROID FREELANCER
    @SCOTTYAB


  2. DEVELOPER - ANDROID
    AUTHOR - ANDROID SECURITY COOKBOOK
    ORGANISER - SWMOBILE GROUP
    @SCOTTYAB
    SCOTT ALEXANDER-BOWN


  3. TL;DR
    STORY OF IMPROVING APP SECURITY.
    MIN EFFORT. MAX IMPACT

  4. APP: ACME CORP
    DISCLAIMER:
    ALL CHARACTERS APPEARING IN THIS
    WORK ARE FICTITIOUS. ANY
    RESEMBLANCE TO REAL PERSONS, LIVING
    OR DEAD, IS PURELY COINCIDENTAL.

  9. OUR REPUTATION!

  10. WHAT CAN YOU DO?

  12. 3 Sneaky Sprints
    1. Connection between app and API/server
    2. Device integrity and data
    3. APK integrity and protection

  13. SNEAKY SPRINT 1:
    NETWORK

  14. Let's make SSL stronger!

  15. SSL connection spec
    Use only strong cipher suites (128-bit+)
    TLS versions (TLS v1.2)

  16. Patch against SSL exploits
    • Android relies on a security 'Provider' for secure network communications.
    • Google Play Services provides a way to update the device's security provider.
    • ProviderInstaller.installIfNeeded(getContext());
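The one-liner on the slide throws two checked exceptions; this added example (mine, not code from the talk or from Google's documentation) shows how to handle each so the app knows whether it is running on the patched provider. The helper class name is hypothetical; the Play Services classes it calls are real.

```java
import android.content.Context;
import android.util.Log;
import com.google.android.gms.common.GoogleApiAvailability;
import com.google.android.gms.common.GooglePlayServicesNotAvailableException;
import com.google.android.gms.common.GooglePlayServicesRepairableException;
import com.google.android.gms.security.ProviderInstaller;

/** Hypothetical helper; the Play Services classes it calls are the real ones. */
public final class SecurityProviderUpdater {

    private static final String TAG = "ProviderUpdater";

    private SecurityProviderUpdater() {}

    /**
     * Updates the device's security provider (its SSL/TLS implementation) before
     * the first network call. Returns true when the patched provider is active,
     * false when the app is left with the stock, possibly vulnerable, provider.
     */
    public static boolean installPatchedProvider(Context context) {
        try {
            // Blocking call: run it off the main thread, e.g. from an IntentService.
            ProviderInstaller.installIfNeeded(context);
            return true;
        } catch (GooglePlayServicesRepairableException e) {
            // Play Services is installed but disabled or out of date; the user can fix it.
            GoogleApiAvailability.getInstance()
                    .showErrorNotification(context, e.getConnectionStatusCode());
            return false;
        } catch (GooglePlayServicesNotAvailableException e) {
            // No Play Services on this device at all: nothing to update with.
            Log.w(TAG, "Security provider could not be updated", e);
            return false;
        }
    }
}
```

Call it before the HTTP client is built so the client picks up the patched provider; on a false result the app can decide per feature whether to continue.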

  17. SSL/TLS pinning
    What is SSL pinning?
    Devices ship with 100+ Certificate Authorities (CAs), and users can install their own.
    Pinning limits the trusted root CAs.
    Two types of pinning:
    * Certificate pinning
    * Public key pinning

  18. SSL pinning with OkHttp
    SSL pin generator: http://bit.ly/sslpin
    OkHttp version: OkHttp 3.1.2+ or OkHttp 2.7.4+
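Slides 15 and 18 combined as an added example (mine, not the author's code): an OkHttp 3 client restricted to TLS 1.2 and 128-bit+ forward-secret cipher suites, with public-key pins for the API host. API_HOST and both pin strings are placeholders; real pins come from the generator linked above.

```java
import java.util.Collections;
import okhttp3.CertificatePinner;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

public final class HardenedHttpClient {

    // Hypothetical API host; replace with your own.
    static final String API_HOST = "api.example.com";

    // Placeholder pins (zero-filled). OkHttp expects "sha256/<base64 of the
    // SubjectPublicKeyInfo hash>"; generate the real values for your server.
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    // Pin the backup key as well, so a planned key rotation does not lock users out.
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    public static OkHttpClient build() {
        // Slide 15: TLS 1.2 only and AEAD suites of 128 bits or more with ECDHE.
        // A device that supports none of these fails to connect rather than downgrading.
        ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
                .build();

        // Slide 18: public-key pinning. A certificate chain without a pinned key
        // fails the handshake even when a user-installed CA signed it.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();

        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(spec))
                .certificatePinner(pinner)
                .build();
    }
}
```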

  19. Let's make WebView less shit (safer)

  20. WebView
    Disable risky settings:
    JavaScript
    File access
    Whitelist URLs / domains
    https://gist.github.com/scottyab/6f51bbd82a0ffb08ac7a

  21. SNEAKY SPRINT 2:
    DEVICE INTEGRITY AND DATA

  23. Device integrity
    Check the execution environment
    Root check
    RootBeer - https://github.com/scottyab/rootbeer
    SafetyNet API (Google Play services)
    SafetyNet wrapper - https://github.com/scottyab/safetynethelper

  24. Encrypt (obfuscate) data
    Shared preferences - replace with secure-preferences (or Hawk)
    https://github.com/scottyab/secure-preferences
    SQLite - replace with SQLCipher for Android
    https://github.com/sqlcipher/android-database-sqlcipher
    Realm - has an encryption option
    https://github.com/realm/realm-java/tree/master/examples/encryptionExample

  25. Encryption without storing the key
    App PIN code
    Android Keystore
    Device PIN
    Fingerprint reader

  26. SNEAKY SPRINT 3:
    APK INTEGRITY & PROTECTION

  27. Tamper check
    Android requires all apps to be digitally signed
    Consistent for the life of the app
    Needed to publish app updates

  28. Build time
    1. Get your certificate signature:
    $ keytool -list -v -keystore your_app.keystore
    2. Embed it in the app:
    String CERTIFICATE_SHA1 = "71920AC9486E087DCBCF5C7F6F…";

  29. Run time
    3. Get the Signature from the PackageManager
    4. Hash the Signature
    5. Compare the signature hash strings
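Steps 3 to 5 as an added example (mine, not the author's code): the APK's signing certificate is read from PackageManager, hashed with SHA-1 and compared to the value embedded at build time. CERTIFICATE_SHA1 is a zero-filled placeholder for the fingerprint keytool printed in step 1, written without colons.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class TamperCheck {

    // Placeholder (40 hex zeros): paste the SHA1 line keytool printed for your
    // release keystore, with the colons removed.
    private static final String CERTIFICATE_SHA1 =
            "0000000000000000000000000000000000000000";

    /**
     * Returns true when one of the APK's signing certificates hashes to the
     * embedded fingerprint. A repackaged APK is signed with someone else's key,
     * so its hash differs; the repackager can also patch this method out, which
     * is why the talk pairs the check with ProGuard obfuscation.
     */
    public static boolean isSignatureValid(Context context) {
        try {
            PackageInfo info = context.getPackageManager().getPackageInfo(
                    context.getPackageName(), PackageManager.GET_SIGNATURES);
            byte[] expected = hexToBytes(CERTIFICATE_SHA1);
            for (Signature sig : info.signatures) {
                // Step 4: SHA-1 over the DER-encoded certificate, same input keytool hashes.
                byte[] actual = MessageDigest.getInstance("SHA-1").digest(sig.toByteArray());
                // Step 5: compare the raw digests in constant time rather than the hex strings.
                if (MessageDigest.isEqual(expected, actual)) {
                    return true;
                }
            }
            return false;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```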

  30. Obfuscation: ProGuard
    Java code obfuscator
    Part of the Android SDK (free!)
    To turn on: minifyEnabled true (in build.gradle)

  32. ProGuard tips
    Add rules to the config when you add a new library
    Strip Log statements
    Crash stack traces
    Gradle ProGuard plugin
    https://github.com/hotchemi/gradle-proguard-plugin
    Consider: DexGuard (paid)

  36. Cons
    More code == more complexity
    APK file size was larger
    Slower to start up
    Encrypted data is really only obfuscated
    ProGuard config was time consuming
    No credit for our hard work

  37. Pros
    Less vulnerable to MITM
    WebViews are less vulnerable to XSS attacks
    Curious rooted users cannot simply edit our DB and preference data
    Rooted users will struggle
    Recompilation is hampered by the tamper check
    Understanding the decompiled code is hampered by the obfuscation

  41. DID WE WIN?
    Much
    Win
    wow
    so security


  42. WHAT CAN YOU DO?

  43. STRENGTHEN SSL/TLS
    SSL PINNING
    WHITELIST WEBVIEW
    CHECK FOR ROOT
    ENCRYPT DATA AT REST
    TAMPER CHECK
    OBFUSCATE


  46. Resources
    Secure mobile development best practices - https://github.com/nowsecure/secure-mobile-development
    OWASP Mobile security risks - http://bit.ly/owaspmobile
    Android Security Cookbook - http://bit.ly/MscEFu
    Best Practices for Security & Privacy - https://developer.android.com/training/best-security.html
    Adding tamper detection to your apps - https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app

  47. THANKS… @SCOTTYAB

  48. Good practices…
    Using SSL for the API
    Using Context.MODE_PRIVATE
    Not using the SD card to store anything
    Not logging user details to android.util.Log