Droidcon.NL - Hardening your Android app

Transcript

1. Hardening your app Droidcon.NL 2013 Scott Alexander-Bown @scottyab

2. Scott Alexander-Bown •  Senior Developer @viaForensics •  Co-author Android Security

   Cookbook •  Co-founder SWmobile meetup group ◦  meetup.com/swmobile

3. Hardening your Android App •  Reverse engineering 101 •  Encryption

   •  SSL •  Tamper detection •  Obfuscation

4. Not about… 100%

5. It’s on YOU!!! •  Android is No.1 •  Your role

   == protect data •  It’s your reputation

6. •  Tools ◦  Apktool - bit.ly/apktool ◦  Dex2jar- bit.ly/dex2jar ◦ 

   Apk to Java - bit.ly/apk2java Reverse engineering 101

7. Apktool: Let’s hack my app •  Measure your social influence

   with +1’s +Likes +retweet+mentions +recommendations +magic =Klout score

8. Apktool: Output $ apktool d myapp.apk

9. Santoku Linux •  Pre-installed: ◦  platform SDKs ◦  decompilation tools

   ◦  hacking tools •  Get it here: santoku-linux.com

10. VIA LAB viaforensics.com/products/vialab

11. Encryption

12. SpongyCastle •  Consistent cryptology across os versions •  Support ◦ 

    AES-GCM ◦  Elliptic Curve Cryptography (ECC) •  github.com/rtyley/spongycastle

13. Encryption: quick wins •  SQLCipher ◦  256-bit AES Encrypt SQLite

    database ◦  sqlcipher.net/sqlcipher-for-android •  Secure Preferences ◦  ‘obscure’ your app’s shared preferences ◦  github.com/scottyab/secure-preferences •  IOCipher ◦  Virtual encrypted disk ◦  guardianproject.info/code/iocipher

14. Generate key per app

15. Password based encryption •  Not store on the device, instead

    is derived ◦  Use algorithm “PBKDF2WithHmacSHA1” ◦  User entered password/code ◦  salt (i.e package name) ◦  iteration count (1000+) ◦  =Derived encryption key •  Tip: Ensure derivation method takes more than 100ms •  github.com/nelenkov/android-pbe

16. Keystore provider •  New in Android 4.3 •  Hardware backed

    keychain •  github.com/nelenkov/android-keystore

17. SSL / TLS

18. OnionKit •  StrongTrustManager ◦  Validate the whole cert chain and

    root ◦  Debian cert store (not Android’s) •  Use with Orbot •  guardianproject.info/code/onionkit

19. Self signed SSL 1. Download certificate (openssl) 2. Embed in app (/res/raw)

    3. Load into Keystore 4. Custom TrustManager (Keystore based) 5. Init the SSL context with our TrustManager 6. Make SSL connection bit.ly/anddevssl (Android developer blog)

20. Please don’t do this!! •  Trust all

21. Tamper Protection •  Licence Verification Library •  Installer location

22. Environment verification •  Emulator check ◦  System properties •  Debuggable

    check ◦  Package manager •  Root check ◦  Root apps/utils ◦  System properties ◦  RW system

23. Validate signing key •  Get SHA1 of signing cert (keytool)

    •  Embed in app •  Get at signature at runtime •  Compare

24. •  Code Obfuscator •  Older than Android! •  Part of

    the SDK •  it’s FREE! •  How to enable? ProGuard

25. ProGuard tips •  Only applied on release builds ◦  Test

    early! •  Save your mapping.txt! •  The good crashlytics services support ReTrace ◦  Critterism ◦  Bugsense ◦  HockeyApp ◦  Plus others...

26. Go pro-ProGuard = DexGuard

27. DexGuard •  ProGuard’s bad ass brother •  Same config as

    ProGuard •  Not free but 1 licence == ∞ apps •  Highlights ◦  One line tamper check ◦  ᅥ$ᳰ.smali, Œ$ᳰ.smali ◦  API hiding with String encryption == tough

28. Last but not least... •  Code reviews ◦  Lint warnings

    ◦  OWASP Mobile security recommendations •  Mobile app security certification ◦  bit.ly/androidcert

29. Thanks for listening

30. Q&A | Contact | Feedback •  @scottyab •  github/scottyab • 

    [email protected]