Hardening your Android app - Devoxx March2013

Talk for Android developers about improving their app security using built-in platform features and 3rd party libraries. This session won’t just talk about the issues; it will arm you with practical solutions and sample code to harden your app. I’ll also cover off some quick wins suitable for all levels of programmer.

#Encryption and key management on Android
#Using SSL better
#Android Permissions made easy
#Make it harder to pirate/repackage your app
#Commercial tools

Scott Alexander-Bown

March 27, 2013

Transcript

  1. me: Scott Alexander-Bown
      •  Head of Android at Mubaloo
      •  Passionate about Android and mobile security
      •  Co-run SWmobile meetup group
      •  Follow me @scottyab
      Favourite apps
  2. Agenda
      •  Why?
         o  Attacker motivations
         o  Reverse engineering
      •  Hardening techniques
         o  Android Permissions
         o  Encryption and key management on Android
         o  Using SSL better
         o  Make it harder to pirate/repackage your app
         o  Device Administration policies
         o  Miscellaneous tips
  3. Motivations for hacking an app
      •  Different ads
      •  Different market
      •  Extract assets or API keys
      •  Insert malware
      •  Software piracy
      •  Malware and security research
      •  Fun!
  4. Santoku Linux
      •  Linux ISO
      •  Pre-installed platform SDKs, drivers, and utilities
      •  Decompilation and disassembly tools
      •  Scripts to detect common issues in mobile applications
      •  Scripts to automate decrypting binaries, deploying apps, enumerating app details, and more
      •  https://santoku-linux.com/
  5. Protecting internal storage
      Creating world-readable files is very dangerous
      •  Do
         o  File creation mode: Context.MODE_PRIVATE
      •  Don't use
         o  MODE_WORLD_READABLE
         o  MODE_WORLD_WRITEABLE
         o  (deprecated in API level 17)
  6. Permissions
      •  Are all the permissions required? Instead of
      •  Permission types (protection level)
         o  Normal
         o  Dangerous
         o  Signature
  7. Don't leak permissions
      •  Protect entry points (receivers, services, content providers)
      •  Exported=false
      •  Context.checkCallingPermission("android.permission.CAMERA")
      •  Context.enforceCallingPermission(...)
      •  Tip: Local broadcast manager for in-app notifications
  8. Encryption: 3rd party libs
      •  SQLCipher
         o  256-bit AES, encrypts the SQLite database
         o  http://sqlcipher.net/sqlcipher-for-android
      •  Keyczar - Open source cryptographic toolkit
         o  http://www.keyczar.org
         o  https://github.com/kruton/android-keyczar-demo
      •  IOCipher - virtual encrypted disk
         o  Clone of java.io
         o  https://guardianproject.info/code/iocipher
  9. Encryption: Key management
      Two 'ideal world' solutions
      •  Don't store the key on the device
      •  Use a system service (such as keychain)
      •  Tip: Minimise the time keys spend in RAM (null them after using them)
  10. Password based encryption (PBE)
      •  Use a key derivation algorithm: PBKDF2
      •  (Secure)random salt and iteration count
      •  Tip: Ensure the derivation method takes more than 100ms
      •  Code for what to do and what not to do: https://github.com/nelenkov/android-pbe
  11. Encryption: no no's
      •  Store encryption keys in app
      •  Log/debug statements with encryption keys
      •  Rely on OS encryption
      •  Write your own encryption algorithms
  12. SSL
      •  Use HTTPS by default
      •  What about man-in-the-middle (MITM) attacks?
         o  Trusting all certificates
         o  Compromised CA
  13. SSL Tips
      •  Pay attention to security exceptions
      •  Verify the certificate issuing hostname
      •  SSL Pinning (public key pinning)
         o  Android pinning - https://github.com/moxie0/AndroidPinning
         o  Android 4.2 - X509TrustManagerExtensions
  14. SSL: wipe the slate clean
      •  Don't use a CA!
      •  Server side
         o  create your own 4096-bit signing certificate (keep offline)
         o  sign your certs for the web services
      •  Client/app
         o  include the signing cert (in a keystore)
         o  validate against it
  15. Make your app harder to pirate
      •  Google License Verification Library
         o  Modify LVL source as much as possible
         o  com.android.vending.licensing.*
         o  Focus on core of the LVL logic: LicenseChecker and LicenseValidator.
      •  Offload license validation to a trusted server
  16. Tamper resistance
      •  Checksum of the app code with validation check on server or unlocker app
      •  Reflection based tamper checks
      •  Check installer is from Play Store
  17. Obfuscation: ProGuard
      •  ProGuard has been around for 10+ years
      •  Project properties file, uncomment #proguard.config=
      •  Only applied when building release versions
      •  Entry points should be excluded: -keep public class * extends android.app.Activity
      •  Most popular 3rd party libs/jars come with a ProGuard config
      •  Bonus: ~50% reduction in .apk size
  18. Obfuscation: DexGuard
      •  Optimize and obfuscate, tuned for the Android platform/Dalvik bytecode.
      •  Encrypt strings
      •  Encrypt entire classes
      •  Hide access to sensitive APIs
      •  Add tamper detection
      •  Thoroughly remove Android logging code
      •  More info: http://www.saikoa.com/
  19. Device Management Policies
      •  Since Android 2.2
      •  Enforce
         o  Device lock
         o  Passcode type (pin, pattern)
         o  Password complexity
         o  Device encryption (3.0+)
         o  Device wipe
      •  New policies are added in each release
      •  Policies set by different apps can only change policies to make them stronger
      •  Cannot uninstall an app while the device admin is still active
  20. Device Management Policies
      •  Define a policy as an xml resource
      •  Reference in manifest
      •  Create a Device Administration broadcast receiver
      •  Implement a Device Policy Controller
         o  DevicePolicyManager.isAdminActive?
  21. Misc tips
      Validation
      •  User input - SQL Injection
      Anti tamper
      •  Detect rooted device
      •  Detect emulator
      •  isDebuggable?
      Web views
      •  Disable JavaScript
      •  Use https
      •  Validate URLs
      •  Restrict JavaScript interface
  22. Misc tips
      Avoid unsecured components
      •  Don't use SMS for sensitive data
      •  Don't use SD card
      •  Avoid sensitive data in public intents
      •  Avoid sensitive data in sticky broadcasts
      •  allowBackup="false"
      GUID (Privacy concern)
      •  Generate a large unique number
      •  Don't use phone number or IMEI
  23. Misc tips: development practices
      Infrastructure
      •  Code
      •  Keystore and password
      •  App store user credentials
         o  Enable 2 step authentication
         o  Grant access rather than share account details
      Process
      •  Educate developers
         o  Don't ignore the lint warnings
      •  Audit / security code review
  24. Summary
      •  Go hack your own apps
      •  Using https isn't enough: pin your certs
      •  Encrypt app data
      •  ProGuard your apps
      •  Android is getting more secure
  25. Security enhancements in Jelly Bean
      •  New implementation of SecureRandom
      •  JavaScript Interface methods in WebViews must now be annotated (@JavascriptInterface)
      •  Application verification
  26. Security enhancements in Jelly Bean
      •  Content Provider default access has changed
      •  Remote blacklisting CAs
      •  Secure USB debugging
      •  Hidden developer options
  27. Ref/More info...
      •  Using Cryptography to Store Credentials Safely
         http://android-developers.blogspot.co.uk/2013/02/using-cryptography-to-store-credentials.html
      •  Security Enhancements in Jelly Bean
         http://android-developers.blogspot.co.uk/2013/02/security-enhancements-in-jelly-bean.html
      •  Security Tips
         https://developer.android.com/training/articles/security-tips.html
      •  42 tips on app security
         https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/
      •  Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
         http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
      @scottyab
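
Slides 9 and 10 recommend deriving the key from a password with PBKDF2, a random salt, an iteration count that costs more than 100ms, and clearing key material after use. The following is an added example, not code from the talk or from the linked android-pbe project; the class name, the sample passphrase and the choice of AES-GCM for the encryption step are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PbeExample {
    static final int SALT_BYTES = 16, IV_BYTES = 12, KEY_BITS = 256;

    // PBKDF2 (HMAC-SHA1 variant, available on Android and desktop Java) -> raw AES key bytes.
    static byte[] deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // drop the spec's internal copy of the password
        }
    }

    // Double the iteration count until one derivation costs at least targetMillis on this device.
    static int calibrateIterations(long targetMillis) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        for (int iterations = 10000; ; iterations *= 2) {
            long start = System.nanoTime();
            deriveKey("calibration".toCharArray(), salt, iterations);
            if ((System.nanoTime() - start) / 1000000L >= targetMillis) return iterations;
        }
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        rng.nextBytes(salt); // fresh random salt per password
        rng.nextBytes(iv);   // fresh random IV per encryption
        int iterations = calibrateIterations(100);
        char[] password = "constructed-sample-passphrase".toCharArray(); // constructed input
        byte[] key = deriveKey(password, salt, iterations);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ciphertext = cipher.doFinal("sample credential".getBytes(StandardCharsets.UTF_8));
        // Best effort only: SecretKeySpec keeps its own copy until it is garbage collected.
        Arrays.fill(key, (byte) 0);
        Arrays.fill(password, '\0');
        System.out.println("iterations=" + iterations + ", ciphertext bytes=" + ciphertext.length);
    }
}
```

Store the salt, iteration count and IV next to the ciphertext; none of them is secret, and the key itself is never written to disk.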
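
Slide 16 suggests checking the installer and sending a checksum of the app code to a server. The following helper is an added example, not code from the talk; it needs the Android SDK, the class and method names are hypothetical, and the checksum comparison assumes the APK on the device is byte-identical to a release you published.

```java
import android.content.Context;
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.MessageDigest;

public final class TamperChecks {
    private static final String PLAY_STORE_PACKAGE = "com.android.vending";

    // True only when the package manager recorded Google Play as the installer.
    // Sideloaded or repackaged copies normally report null or another package.
    public static boolean installedFromPlayStore(Context context) {
        String installer = context.getPackageManager()
                .getInstallerPackageName(context.getPackageName());
        return PLAY_STORE_PACKAGE.equals(installer);
    }

    // Hex SHA-256 of the installed APK. Send it to your server and compare it there with the
    // hashes of the releases you published; a comparison done inside the app can be patched out.
    public static String apkSha256(Context context) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        InputStream in = new FileInputStream(context.getPackageCodePath());
        try {
            byte[] buffer = new byte[8192];
            for (int n = in.read(buffer); n != -1; n = in.read(buffer)) {
                sha256.update(buffer, 0, n);
            }
        } finally {
            in.close();
        }
        return String.format("%064x", new BigInteger(1, sha256.digest()));
    }
}
```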