Android App Security on a Budget

Transcript

1. ANDROID APP SECURITY: ON A BUDGET SCOTT ALEXANDER-BOWN ANDROID FREELANCER

   @SCOTTYAB

2. DEVELOPER - ANDROID AUTHOR - ANDROID SECURITY COOKBOOK ORGANISER -

   SWMOBILE GROUP @SCOTTYAB SCOTT ALEXANDER-BOWN

3. TL;DR STORY OF IMPROVING APP SECURITY. MIN EFFORT. MAX IMPACT

   @SCOTTYAB

4. APP: ACME CORP DISCLAIMER: ALL CHARACTERS APPEARING IN THIS WORK

   ARE FICTITIOUS. ANY RESEMBLANCE TO REAL PERSONS, LIVING OR DEAD, IS PURELY COINCIDENTAL. @SCOTTYAB
5. None
6. None
7. None
8. None

9. OUR REPUTATION! @SCOTTYAB

10. WHAT CAN YOU DO? @SCOTTYAB

11. @SCOTTYAB

12. 3 Sneaky Sprints 1. Connection between app and api/server 2.

    Device integrity and Data 3. Apk integrity and protection. @SCOTTYAB

13. SNEAK SPRINT 1: NETWORK @SCOTTYAB

14. Let’s make SSL Stronger! @SCOTTYAB

15. SSL Connection spec Use only strong cipher suites (128bit+) TLS

    versions (TLS v1.2) @SCOTTYAB

16. Patch against SSL exploits • Android relies on a security

    ‘Provider’ to provide secure network communications. • Google Play Services provides a way to update the device security provider • ProviderInstaller.installIfNeeded(getContext()); @SCOTTYAB

17. SSL/TLS Pinning Pinning limits the trusted root CA’s Devices ship

    with 100+ Certificate Authorities (CA) and users can install their own Two types of pinning * Certificate pinning * Public Key pinning What is SSL pinning? @SCOTTYAB

18. SSL Pinning with OKhttp SSL pin generator http://bit.ly/sslpin OKHttp Version

    OkHttp 3.1.2+ OkHttp 2.7.4+ @SCOTTYAB

19. Let’s make Webview less shit safer

20. Webview Disable risky settings Javascript File access White list urls

    / domains https://gist.github.com/scottyab/6f51bbd82a0ffb08ac7a @SCOTTYAB

21. SNEAK SPRINT 2: DEVICE INTEGRITY AND DATA @SCOTTYAB

22. None

23. Device Integrity Check the execution environment Root Check Root Beer

    - https://github.com/scottyab/rootbeer SafteyNet API (Google Play services) SafetyNet Wrapper - https://github.com/scottyab/safetynethelper @SCOTTYAB

24. Encrypt (obfuscate) Data Shared preferences - replaces with secure-preferences (or

    Hawk) https://github.com/scottyab/secure-preferences SQLlite - replaced with SQL Cipher for Android https://github.com/sqlcipher/android-database-sqlcipher Realm - has an encryption option https://github.com/realm/realm-java/tree/master/examples/ encryptionExample @SCOTTYAB

25. Encryption without storing key App pin code Android Keystore Device

    pin Finger printreader

26. SNEAK SPRINT 3: APK INTEGRITY & PROTECTION @SCOTTYAB

27. Tamper check Android requires all apps to be digitally signed

    Consistent for life of app Needed to publish app updates @SCOTTYAB

28. Build time 1. Get you certificate signature $keytool -list -v

    -keystore your_app.keystore 2. Embed in app String CERTIFICATE_SHA1 = “71920AC9486E087DCBCF5C7F6F…” @SCOTTYAB

29. Run time 3. Get the Signature from the PackageManager 4.

    Hash the Signature 5. Compare the signature hashes strings @SCOTTYAB

30. Obfuscation: ProGuard Java code obfuscator Part of the Android SDK

    (free!) To turn on: minifyEnabled=true @SCOTTYAB
31. None

32. ProGuard tips Add to config when you add a new

    lib Strip Log statements Crash stack traces Gradle Proguard plugin https://github.com/hotchemi/gradle-proguard-plugin Consider: DexGuard (paid) @SCOTTYAB
33. None
34. None
35. None

36. Cons More code==more complexity APK file size was larger Slower

    to start up Encrypted data is really only obfuscated ProGuard config was time consuming No credit for our hard work @SCOTTYAB

37. Pros Less vulnerable to MITM Webviews are less vulnerable to

    XSS attacks Curious rooted users cannot simply edit our db and pref data Rooted users will struggle Re-complication is hampered tamper check Understanding the decompiled code is hampered by the obfuscation @SCOTTYAB

38. DID WE WIN?

39. DID WE WIN?

40. DID WE WIN?

41. DID WE WIN? Much Win wow so security

42. WHAT CAN YOU DO? @SCOTTYAB

43. @SCOTTYAB STRENGTH SSL/TLS SSL PINNING WHITE LIST WEBVIEW CHECK FOR

    ROOT ENCRYPT DATA AT REST TAMPER CHECK OBFUSCATE
44. None
45. None

46. Resources Secure mobile development best practices - https://github.com/ nowsecure/secure-mobile-development OWASP

    Mobile security risks - http://bit.ly/owaspmobile Android security cookbook - http://bit.ly/MscEFu Best Practices for Security & Privacy - https://developer.android.com/ training/best-security.html Adding Tamper detection to your apps - https://www.airpair.com/android/ posts/adding-tampering-detection-to-your-android-app @SCOTTYAB

47. THANKS… @SCOTTYAB [email protected]

48. Good practices… Using SSL for API Using Context.MODE_PRIVATE Not using

    the SDcard to store anything Not logging user details to Android.Log