Hardening your Android app - Devoxx March2013

Transcript

1. Hardening your Android App Scott Alexander-Bown Head of Android Mubaloo

   @scottyab

2. me: Scott Alexander-Bown •  Head of Android at Mubaloo • 

   Passionate about Android and mobile security •  Co-run SWmobile meetup group •  Follow me @scottyab Favourite apps

3. It's not about... Fear!

4. It's not about... 100%

5. Agenda •  Why? o  Attacker motivations o  Reverse engineering • 

   Hardening techniques o  Android Permissions o  Encryption and key management on Android o  Using SSL better o  Make it harder to pirate/repackage your app o  Device Administration policies o  Miscellaneous tips

6. •  Different ads •  Different market •  Extract assets or

   API keys •  Insert malware •  Software piracy •  Malware and security research •  Fun! Motivations for hacking an app

7. Reverse engineering Android app

8. Apktool •  http://bit.ly/apktool •  Apktool o  apktool d myapp.apk o 

   apktool b myapp newmyapp.apk

9. Santoku Linux •  Linux ISO •  Pre-installed platform SDKs, drivers,

   and utilities •  Decompilation and disassembly tools •  Scripts to detect common issues in mobile applications •  Scripts to automate decrypting binaries, deploying apps, enumerating app details, and more •  https://santoku-linux.com/

10. *Disclaimer: I work for Via Forensics as of Monday

11. Techniques for hardening

12. Protecting internal storage Creating world-readable files is very dangerous • 

    Do o  File creation mode: Context.MODE_PRIVATE •  Don't use o  MODE_WORLD_READABLE o  MODE_WORLD_WRITEABLE o  (deprecated in API level 17)

13. Permissions •  Are all the permissions required? Instead of • 

    Permission types (protection level) o  Normal o  Dangerous o  Signature

14. Custom Permission example • Declared custom permission • Another app/component using the

    permission

15. Don't leak permissions •  Protect entry points (receivers, services, content

    providers) •  Exported=false •  Context.checkCallingPermission("android.permission. CAMERA") •  Context.enforceCallingPerrmissions(...) •  Tip: Local broadcast manager for in app notifications

16. Encryption: 3rd party libs •  SQL Cipher o  256-bit AES

    Encrypt SQLite database o  http://sqlcipher.net/sqlcipher-for-android •  Keyczar - Open source cryptographic toolkit o  http://www.keyczar.org o  https://github.com/kruton/android-keyczar-demo •  IO Chiper - virtual encrypted disk o  Clone of java.io o  https://guardianproject.info/code/iocipher

17. Encryption: Key management Two 'ideal world' solutions •  Don't store

    the key on the device •  Use a system service (such as keychain) •  Tip: Minimise keys time in ram (null after using them)

18. Encryption: Generate random key •  Note: New Implementation of SecureRandom

    in Android 4.2

19. • Use a key derivation algorithm: PBK2F2 • (secure)random salt and iteration

    count • Tip: Ensure derivation method takes more than 100ms • Code for what to do and what not to do: https://github.com/ nelenkov/android-pbe Password based encryption (PBE)

20. Password based encryption (PBE)

21. Encryption: no no's •  Store encryption keys in app • 

    Log/debug statements with encryption keys •  Rely on OS encryption •  Write your own encryption algorithms

22. SSL •  Use Https by default •  What about Man

    in the middle (MITM) attacks? o  Trusting all certificates o  Compromised CA

23. SSL Tips •  Pay attention to security exceptions •  Verify

    the certificate issuing hostname •  SSL Pinning (public key pinning) o Android pinning - https://github.com/moxie0/ AndroidPinning o Android 4.2 - X509TrustManagerExtensions

24. SSL: wipe the slate clean •  Don't use a CA!

    •  Server side o  create your own 4096bit signing certificate (keep offline) o  sign your certs for the web services •  Client/app o  include the signing cert (in a keystore) o  validate against it

25. Make your app harder to pirate •  Google License Verification

    Library o  Modify LVL source as much as possible o  com.android.vending.licensing.* o  Focus on core of the LVL logic: LicenseChecker and LicenseValidator. •  Offload license validation to a trusted server

26. Tamper resistance •  Checksum of the app code with validation

    check on server or unlocker app •  Reflection based tamper checks •  Check installer is from play store

27. Obfuscation: Proguard •  Proguard been around for 10+ years • 

    Project properties file, uncomment #proguard.config= •  Only applied when building release versions •  Entry points should be excluded -keep public class * extends android.app.Activity •  Most popular 3rd party libs/jars come with proguard config •  Bonus: ~50% reduction in .apk size

28. •  Optimize and obfuscate tuned for the Android platform/ Dalvik

    bytecode. •  Encrypt strings •  Encrypt entire classes •  Hide access to sensitive APIs •  Add tamper detection •  Thoroughly remove Android logging code •  More info: http://www.saikoa.com/ Obfuscation: Dexguard

29. Remove logging using Proguard

30. Device Management Policies •  Since Android 2.2 •  Enforce o 

    Device lock o  Passcode type (pin, pattern) o  Password complexity o  Device encryption (3.0+) o  Device wipe •  New policies are added in each release •  Policies set by different apps can only change policies to make them stronger •  Cannot uninstall an app while the device admin is still active

31. Device Management Policies •  Define a policy as an xml

    resource •  Reference in manifest •  Create a Device Administration broadcast receiver •  Implement a Device Policy Controller o  DevicePolicyManager.isAdminActive?

32. Misc tips Validation •  User input - SQL Injection Anti

    tamper •  Detect rooted device •  Detect emulator •  isDebuggable? Web views •  Disable Javascript •  Use https •  Validate URLS •  Restrict JavaScript interface

33. Misc tips Avoid unsecured components •  Don't use SMS for

    sensitive data •  Don't use SD card •  Avoid sensitive data in public intents •  Avoid sensitive data in sticky broadcasts •  allowBackups=“false” GUID (Privacy concern) •  Generate a large unique number •  Don't use phone number or IMEI

34. Misc tips: development practices Infrastructure •  Code •  Keystore and

    password •  App store user credentials o  Enable 2 step authentication o  Grant access rather than share account details Process •  Educate developers o  Don't ignore the lint warnings •  Audit / security code review

35. Summary •  Go hack your own apps •  Using https

    isn't enough pin your certs •  Encrypt app data •  Proguard your apps •  Android is getting more secure

36. Q&A @scottyab [email protected]

37. Bonus Slides Security features of Jelly Bean (Android 4.1 &

    4.2)

38. Security enhancements in Jelly Bean *Data collected during a 14-day

    period ending on March 4, 2013

39. Security enhancements in Jelly Bean •  New implementation of SecureRandom

    •  Javascript Interface methods in WebViews must now be annotated (@JavascriptInterface) •  Application verification

40. Security enhancements in Jelly Bean •  Content Provider default access

    has changed •  Remote blacklisting CAs •  Secure USB debugging •  Hidden developer options

41. Ref/More info... Using Cryptography to Store Credentials Safely http://android-developers.blogspot.co.uk/2013/02/using-cryptography-to-store-credentials.html Security

    Enhancements in Jelly Bean http://android-developers.blogspot.co.uk/2013/02/security-enhancements-in-jelly-bean.html Security Tips https://developer.android.com/training/articles/security-tips.html 42 tips on app security https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile- development/ Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf @scottyab [email protected]