Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android App Security on a Budget

Scott Alexander-Bown
April 21, 2016
Technology
4
9.4k

Android App Security on a Budget

Even with all the time & budget in the world you can't make a completely bulletproof app, so how do you stand a chance with a real world app? Real world apps have limited budget, are short on time and the task priorities are often decided by the security oblivious client/project managers.

So what can we developers do to increase our app’s security and help protect our professional reputation? Where should we focus our app security effort? Isn’t security really difficult? and what gives us the biggest bang for our buck?

We will answer these questions and show that improving your security need not be technically challenging or time consuming. Also I’ll illustrate that it doesn’t necessarily need buy-in from stakeholders. We’ll be using commercially viable open source libraries to level up your app’s network verification, tamper protection, device integrity checks and more! while keeping in mind a shoestring budget.

Scott Alexander-Bown

April 21, 2016
Tweet

More Decks by Scott Alexander-Bown

See All by Scott Alexander-Bown
Fundamentals of creating Android mobile apps
scottyab
0
23
What's 'Q' in Android Security
scottyab
0
57
Faster mobile debugging using a HTTP Proxy
scottyab
0
16
I <3 Charles Proxy
scottyab
0
36
What_s_new_from_Google_IO_2018.pdf
scottyab
0
46
Doppl, an intro!
scottyab
0
34
OMG What's new in Security
scottyab
0
46
What's New from Google I/O 2017
scottyab
0
55
What's Nnnnnew in Security Droidcon IT
scottyab
1
55

Other Decks in Technology

See All in Technology
Federated Learning 連合学習
regonn
2
700
マネジメント3.0モデル入門(120分版)
takufujii
11
2.7k
試して分かった!AWS を使った PLCのデータ収集と分析基盤の実践ノウハウ #FA設備技術勉強会#13
ganota
1
13k
安全にプロセスを停止するためにシグナル制御を学ぼう!
yamamotohiroya
0
220
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
25k
What's New in early 2023
nicolasgrekas
1
110
SIGNATE開発失敗談
bonjiri_niwa
0
280
他言語と比較して今こそ理解しよう! 目指せ、列挙型マスター!
soachr
0
120
チームで定期的にブログを書けるようにした / Tips for writing regular technical blog posts with your team
nttcom
0
130
PHPマジックメソッドクイズ!/PHP Magic Method Quiz
ykanoh
0
250
Cloudflare WorkersとKVで キャッシュを非同期に更新する | Cloudflare Meetup Nagoya
aiji42
0
130
世界モデルによる4脚ロボットの歩行学習
robots
1
300

Featured

See All Featured
Designing the Hi-DPI Web
ddemaree
273
33k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
351
21k
What the flash - Photography Introduction
edds
64
10k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Documentation Writing (for coders)
carmenintech
51
3k
Support Driven Design
roundedbygravity
88
8.9k
How STYLIGHT went responsive
nonsquared
89
4.2k
Producing Creativity
orderedlist
PRO
335
38k
YesSQL, Process and Tooling at Scale
rocio
159
13k
4 Signs Your Business is Dying
shpigford
171
20k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Atom: Resistance is Futile
akmur
256
24k

Transcript

  1. ANDROID APP SECURITY:
    ON A BUDGET
    SCOTT ALEXANDER-BOWN
    ANDROID FREELANCER
    @SCOTTYAB

    View Slide

  2. DEVELOPER - ANDROID
    AUTHOR - ANDROID SECURITY COOKBOOK
    ORGANISER - SWMOBILE GROUP
    @SCOTTYAB
    SCOTT ALEXANDER-BOWN

    View Slide

  3. TL;DR
    STORY OF IMPROVING APP SECURITY.
    MIN EFFORT. MAX IMPACT
    @SCOTTYAB

    View Slide

  4. APP: ACME CORP
    DISCLAIMER:
    ALL CHARACTERS APPEARING IN THIS
    WORK ARE FICTITIOUS. ANY
    RESEMBLANCE TO REAL PERSONS, LIVING
    OR DEAD, IS PURELY COINCIDENTAL.
    @SCOTTYAB

    View Slide

  5. View Slide

  6. View Slide

  7. View Slide

  8. View Slide

  9. OUR REPUTATION!
    @SCOTTYAB

    View Slide

  10. WHAT CAN YOU DO?
    @SCOTTYAB

    View Slide

  11. @SCOTTYAB

    View Slide

  12. 3 Sneaky Sprints
    1. Connection between app and api/server

    2. Device integrity and Data

    3. Apk integrity and protection.
    @SCOTTYAB

    View Slide

  13. SNEAK SPRINT 1:
    NETWORK
    @SCOTTYAB

    View Slide

  14. Let’s make
    SSL
    Stronger!
    @SCOTTYAB

    View Slide

  15. SSL Connection spec
    Use only strong cipher suites (128bit+)

    TLS versions (TLS v1.2)
    @SCOTTYAB

    View Slide

  16. Patch against SSL exploits
    • Android relies on a security ‘Provider’ to provide secure network
    communications.
    • Google Play Services provides a way to update the device security
    provider
    • ProviderInstaller.installIfNeeded(getContext());
    @SCOTTYAB

    View Slide

  17. SSL/TLS Pinning
    Pinning limits the trusted root CA’s
    Devices ship with 100+ Certificate Authorities (CA) and
    users can install their own
    Two types of pinning
    * Certificate pinning
    * Public Key pinning
    What is SSL pinning?
    @SCOTTYAB

    View Slide

  18. SSL Pinning with OKhttp
    SSL pin generator

    http://bit.ly/sslpin

    OKHttp Version

    OkHttp 3.1.2+

    OkHttp 2.7.4+
    @SCOTTYAB

    View Slide

  19. Let’s make Webview less shit
    safer

    View Slide

  20. Webview
    Disable risky settings

    Javascript

    File access

    White list urls / domains

    https://gist.github.com/scottyab/6f51bbd82a0ffb08ac7a
    @SCOTTYAB

    View Slide

  21. SNEAK SPRINT 2:
    DEVICE INTEGRITY AND DATA
    @SCOTTYAB

    View Slide

  22. View Slide

  23. Device Integrity
    Check the execution environment

    Root Check

    Root Beer - https://github.com/scottyab/rootbeer

    SafteyNet API (Google Play services)

    SafetyNet Wrapper - https://github.com/scottyab/safetynethelper
    @SCOTTYAB

    View Slide

  24. Encrypt (obfuscate) Data
    Shared preferences - replaces with secure-preferences (or Hawk)

    https://github.com/scottyab/secure-preferences

    SQLlite - replaced with SQL Cipher for Android

    https://github.com/sqlcipher/android-database-sqlcipher

    Realm - has an encryption option

    https://github.com/realm/realm-java/tree/master/examples/
    encryptionExample
    @SCOTTYAB

    View Slide

  25. Encryption without storing key
    App pin code

    Android Keystore

    Device pin

    Finger printreader

    View Slide

  26. SNEAK SPRINT 3:
    APK INTEGRITY & PROTECTION
    @SCOTTYAB

    View Slide

  27. Tamper check
    Android requires all apps to be
    digitally signed

    Consistent for life of app

    Needed to publish app updates
    @SCOTTYAB

    View Slide

  28. Build time
    1. Get you certificate signature
    $keytool -list -v -keystore your_app.keystore
    2. Embed in app
    String CERTIFICATE_SHA1 = “71920AC9486E087DCBCF5C7F6F…”
    @SCOTTYAB

    View Slide

  29. Run time
    3. Get the Signature from the
    PackageManager
    4. Hash the Signature
    5. Compare the signature hashes strings
    @SCOTTYAB

    View Slide

  30. Obfuscation: ProGuard
    Java code obfuscator

    Part of the Android SDK (free!)

    To turn on: minifyEnabled=true
    @SCOTTYAB

    View Slide

  31. View Slide

  32. ProGuard tips
    Add to config when you add a new lib

    Strip Log statements

    Crash stack traces

    Gradle Proguard plugin

    https://github.com/hotchemi/gradle-proguard-plugin

    Consider: DexGuard (paid)
    @SCOTTYAB

    View Slide

  33. View Slide

  34. View Slide

  35. View Slide

  36. Cons
    More code==more complexity

    APK file size was larger

    Slower to start up

    Encrypted data is really only obfuscated

    ProGuard config was time consuming

    No credit for our hard work
    @SCOTTYAB

    View Slide

  37. Pros
    Less vulnerable to MITM

    Webviews are less vulnerable to XSS attacks

    Curious rooted users cannot simply edit our db and pref data

    Rooted users will struggle

    Re-complication is hampered tamper check

    Understanding the decompiled code is hampered by the obfuscation
    @SCOTTYAB

    View Slide

  38. DID WE WIN?

    View Slide

  39. DID WE WIN?

    View Slide

  40. DID WE WIN?

    View Slide

  41. DID WE WIN?
    Much
    Win
    wow
    so security

    View Slide

  42. WHAT CAN YOU DO?
    @SCOTTYAB

    View Slide

  43. @SCOTTYAB
    STRENGTH SSL/TLS
    SSL PINNING
    WHITE LIST WEBVIEW
    CHECK FOR ROOT
    ENCRYPT DATA AT REST
    TAMPER CHECK
    OBFUSCATE

    View Slide

  44. View Slide

  45. View Slide

  46. Resources
    Secure mobile development best practices - https://github.com/
    nowsecure/secure-mobile-development

    OWASP Mobile security risks - http://bit.ly/owaspmobile

    Android security cookbook - http://bit.ly/MscEFu

    Best Practices for Security & Privacy - https://developer.android.com/
    training/best-security.html

    Adding Tamper detection to your apps - https://www.airpair.com/android/
    posts/adding-tampering-detection-to-your-android-app
    @SCOTTYAB

    View Slide

  47. THANKS… @SCOTTYAB
    [email protected]

    View Slide

  48. Good practices…
    Using SSL for API

    Using Context.MODE_PRIVATE

    Not using the SDcard to store anything

    Not logging user details to Android.Log

    View Slide