
Hardening your Android app Droidcon uk 2013


Scott Alexander-Bown

October 25, 2013

Transcript

  1. Scott Alexander-Bown
     • Senior Developer @viaForensics
     • Co-author, Android Security Cookbook
     • Co-founder, SWmobile meetup group
       ◦ meetup.com/swmobile
  2. Hardening your Android App
     • Reverse engineering 101
     • Encryption
     • SSL
     • Tamper detection
     • Obfuscation
  3. It’s on YOU!!!
     • Android is No.1
     • Your role == protect data
     • It’s your reputation
  4. Reverse engineering 101
     • Why?
       ◦ Easy / fun
       ◦ Lots of tools
       ◦ Replace ads
       ◦ Trojanise app
       ◦ Software piracy
     • Tools
       ◦ Apktool - bit.ly/apktool
       ◦ Dex2jar - bit.ly/dex2jar
       ◦ Apk to Java - bit.ly/apk2java
  5. Apktool: Let’s hack my app
     • Demo app: measure your social influence with +1’s + Likes + retweets + mentions + recommendations + magic = Klout score
  6. Santoku Linux
     • Pre-installed:
       ◦ platform SDKs
       ◦ decompilation tools
       ◦ hacking tools
     • Get it here: santoku-linux.com
  7. SpongyCastle
     • Consistent cryptography across OS versions (the same provider code on every Android release, instead of whatever the device’s built-in BouncyCastle happens to offer)
     • Supports
       ◦ AES-GCM
       ◦ Elliptic Curve Cryptography (ECC)
     • github.com/rtyley/spongycastle
  8. Encryption: quick wins
     • SQLCipher
       ◦ 256-bit AES encryption of the SQLite database
       ◦ sqlcipher.net/sqlcipher-for-android
     • IOCipher
       ◦ Virtual encrypted disk
       ◦ guardianproject.info/code/iocipher
  9. Ob-Secure Preferences
     • Library to ‘obscure’ your shared prefs (obfuscation of the on-device file, not a substitute for properly keyed encryption)
     • Stops casual cheats
     • Quick win!
     • github.com/scottyab/secure-preferences
  10. Password based encryption
     • The key is not stored on the device; it is derived when needed
       ◦ Use algorithm “PBKDF2WithHmacSHA1”
       ◦ User entered password/code
       ◦ salt (e.g. package name; a random per-user salt stored next to the ciphertext is stronger)
       ◦ iteration count (1000+)
       ◦ = derived encryption key
     • Tip: ensure the derivation takes more than 100ms on a real device, so brute-forcing the password is slow
     • github.com/nelenkov/android-pbe
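The derivation described on slide 10, carried through to the AES-GCM use that slide 7 recommends, as an added example (not code from the talk or from the android-pbe project). It assumes the SpongyCastle dependency is on the classpath and registered as provider "SC"; the salt is generated randomly here rather than taken from the package name, and the calibration loop implements the ">100 ms" tip by doubling the iteration count until the derivation is slow enough on the device it runs on.

```java
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: PBKDF2 key derivation from a user password, then AES-GCM with the derived key. */
public final class PasswordCrypto {

    // Assumption: the spongycastle library is bundled; register it once at app start.
    static {
        Security.insertProviderAt(new org.spongycastle.jce.provider.BouncyCastleProvider(), 1);
    }

    private static final SecureRandom RNG = new SecureRandom();
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final int GCM_IV_BYTES = 12;

    /** Derive the key. The salt is not secret: store it (and the iteration count) next to the ciphertext. */
    public static SecretKey deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] keyBytes = f.generateSecret(spec).getEncoded();
        spec.clearPassword();                   // do not keep the password in memory longer than needed
        return new SecretKeySpec(keyBytes, "AES");
    }

    /** Find an iteration count (starting at 1000) that makes derivation cost at least targetMillis here. */
    public static int calibrateIterations(long targetMillis) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        int iterations = 1000;
        while (true) {
            long start = System.nanoTime();
            deriveKey("calibration".toCharArray(), salt, iterations);
            long elapsedMs = (System.nanoTime() - start) / 1000000L;
            if (elapsedMs >= targetMillis) return iterations;
            iterations *= 2;
        }
    }

    /** Returns iv || ciphertext || tag. A fresh random IV per message; never reuse one with the same key. */
    public static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "SC");
        // Given a plain IvParameterSpec, the SC (BouncyCastle) GCM implementation uses a 128-bit tag.
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** doFinal throws if the tag does not verify, i.e. if the blob was modified on disk. */
    public static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        System.arraycopy(blob, 0, iv, 0, iv.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "SC");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(blob, iv.length, blob.length - iv.length);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        int iterations = calibrateIterations(100);   // slide 10's tip: > 100 ms
        SecretKey key = deriveKey("correct horse".toCharArray(), salt, iterations);
        byte[] blob = encrypt(key, "hello".getBytes("UTF-8"));
        System.out.println(iterations + " iterations; decrypted: " + new String(decrypt(key, blob), "UTF-8"));
    }
}
```

Calibrate on a slow target device, not on the developer's phone, and persist the chosen iteration count with the salt; the same password, salt and count must be used again to re-derive the key, and raising the count later means re-encrypting the data.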
  11. Keystore provider
     • New in Android 4.3 (API 18): the “AndroidKeyStore” provider
     • Hardware-backed key storage where the device supports it (software-only otherwise); the private key never leaves the keystore
     • github.com/nelenkov/android-keystore
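An added example of the slide 11 provider (not code from the talk or the android-keystore repo): generating an RSA key in AndroidKeyStore, signing with it without the key material ever being handed to app code, and asking the platform whether the key is hardware-bound. It assumes API 18+ and an arbitrary alias name chosen by the caller.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Calendar;
import javax.security.auth.x500.X500Principal;

/** Added example: keys held by the Android 4.3 AndroidKeyStore provider. */
public final class KeystoreSigner {
    private static final String KEYSTORE = "AndroidKeyStore";

    /** Create an RSA key pair inside the keystore once; subsequent calls find the alias and return. */
    public static void createKeyIfMissing(Context ctx, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);                                   // AndroidKeyStore takes no input stream
        if (ks.containsAlias(alias)) return;

        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 10);
        // The self-signed certificate fields are required by the API but carry no trust meaning here.
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
                .setAlias(alias)
                .setSubject(new X500Principal("CN=" + alias))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime())
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", KEYSTORE);
        kpg.initialize(spec);
        kpg.generateKeyPair();
    }

    /** Sign with the keystore-held private key; the Signature object is backed by the keystore, not by exported bytes. */
    public static byte[] sign(String alias, byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, null);
        PrivateKey priv = entry.getPrivateKey();
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(priv);
        sig.update(data);
        return sig.sign();
    }

    /**
     * True when this device binds RSA keys to hardware (e.g. a TEE-backed keymaster).
     * False means the keystore still works but is software-only: a root-level attacker can extract keys.
     */
    public static boolean isHardwareBacked() {
        return KeyChain.isBoundKeyAlgorithm("RSA");
    }
}
```

Treat `isHardwareBacked()` as a property to check and log, not a reason to refuse to run: on 4.3 hardware binding depends entirely on the OEM's keymaster implementation.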
  12. OnionKit
     • StrongTrustManager
       ◦ Validates the whole cert chain and root
       ◦ Debian cert store (not Android’s)
     • Use with Orbot
     • guardianproject.info/code/onionkit
  13. Self-signed SSL
     • Download the server’s certificate (openssl)
     • Embed it in the app (/res/raw)
     • Load it into a KeyStore
     • Custom TrustManager (KeyStore based)
     • Init the SSL context with our TrustManager
     • Make the SSL connection
     • bit.ly/anddevssl (Android developer blog)
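The six steps of slide 13 carried out end to end, as an added example that is not code from the talk or from the Android developer blog post it links. It assumes the certificate downloaded with openssl was saved under res/raw and is passed in as its resource id (e.g. a hypothetical `R.raw.server_cert`).

```java
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example: trust only the certificate bundled with the app. */
public final class PinnedSsl {

    /** Steps 3 to 5: KeyStore holding just our cert, a TrustManager over it, and an SSLContext using that. */
    public static SSLContext buildContext(Context ctx, int rawCertResId) throws Exception {
        // Parse the DER or PEM certificate that was fetched with openssl and placed in res/raw
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = ctx.getResources().openRawResource(rawCertResId);
        Certificate pinned;
        try {
            pinned = cf.generateCertificate(in);
        } finally {
            in.close();
        }

        // An empty in-memory KeyStore with our certificate as its only trust anchor
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("pinned", pinned);

        // TrustManager built from that KeyStore: the system CA store is not consulted at all
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext;
    }

    /** Step 6: open the connection. Any server presenting a different certificate fails the handshake. */
    public static HttpsURLConnection open(Context ctx, int rawCertResId, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(buildContext(ctx, rawCertResId).getSocketFactory());
        // Deliberately keep the default HostnameVerifier: pinning the cert does not replace hostname checking.
        return conn;
    }
}
```

Two practical caveats: the app now breaks the day the server certificate is rotated, so ship the replacement certificate in an update ahead of time (or pin the issuing CA instead of the leaf), and never pair this with a permissive `HostnameVerifier` or an all-trusting `TrustManager` to "make it work", which is the common failure mode this pattern is meant to avoid.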
  14. Environment verification
     • Emulator check
       ◦ System properties
     • Debuggable check
       ◦ Package manager
     • Root check
       ◦ Root apps/utils
       ◦ System properties
       ◦ RW /system
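The checks listed on slide 14, as an added example written for this transcript (not the speaker's code): emulator detection from `android.os.Build` system properties, the debuggable flag from the package manager, and three root indicators (su binaries and root-manager APKs, test-keys build tags, and /system mounted read-write). The file paths and property values are the commonly used indicators, chosen here as an illustration; they are not exhaustive.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;

/** Added example: environment checks from slide 14. Every one of these is advisory and bypassable. */
public final class EnvironmentChecks {

    /** Emulator check: the stock emulator images leak through Build's system properties. */
    public static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.HARDWARE.contains("goldfish")    // the emulator's virtual board
                || "sdk".equals(Build.PRODUCT);
    }

    /** Debuggable check via the package manager: a release build must not have this flag set. */
    public static boolean isDebuggable(Context ctx) {
        ApplicationInfo info = ctx.getApplicationInfo();
        return (info.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Root check 1: well-known su binaries and root-manager apps. */
    public static boolean hasRootBinaries() {
        String[] paths = {
                "/system/bin/su", "/system/xbin/su", "/sbin/su", "/data/local/xbin/su",
                "/system/app/Superuser.apk", "/system/app/SuperSU.apk"};
        for (String p : paths) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    /** Root check 2: ro.build.tags of "test-keys" means a custom or engineering build, not an OEM-signed one. */
    public static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** Root check 3: /system is normally mounted read-only; "rw" means it has been remounted. */
    public static boolean isSystemWritable() {
        try {
            BufferedReader r = new BufferedReader(new FileReader("/proc/mounts"));
            try {
                String line;
                while ((line = r.readLine()) != null) {
                    String[] f = line.split(" ");       // device mountpoint fstype options ...
                    if (f.length >= 4 && "/system".equals(f[1])) {
                        for (String opt : f[3].split(",")) {
                            if ("rw".equals(opt)) return true;
                        }
                    }
                }
            } finally {
                r.close();
            }
        } catch (Exception ignored) {
            // /proc/mounts unreadable: report "not writable" rather than guessing "rooted"
        }
        return false;
    }

    /** Aggregate result; the caller decides whether to refuse, degrade, or just report home. */
    public static boolean looksTampered(Context ctx) {
        return isEmulator() || isDebuggable(ctx) || hasRootBinaries() || hasTestKeys() || isSystemWritable();
    }
}
```

These run on a device the attacker controls, so they raise the bar rather than close the door: spread the checks through the code rather than behind one boolean, and obfuscate the result (slides 16 to 18) so the single branch that reads `looksTampered()` is not trivially found in smali.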
  15. Validate signing key
     • Get the SHA1 of the signing cert (keytool)
     • Embed it in the app
     • Get the signature at runtime
     • Compare
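Slide 15's four steps as an added example (not the speaker's code). It assumes the app's release certificate was fingerprinted with `keytool -list -v`, and the value embedded below is a placeholder that must be replaced by the real SHA1; `Signature.toByteArray()` is the DER-encoded X.509 signing certificate, so hashing it with SHA-1 produces the same fingerprint keytool prints.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/** Added example: detect re-signed (repackaged) builds by checking the signing certificate. */
public final class SignatureCheck {

    // Assumption/placeholder: replace with the SHA1 fingerprint of YOUR release certificate, e.g. from
    //   keytool -list -v -keystore release.keystore -alias <alias>
    private static final String EXPECTED_SHA1 =
            "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33";

    /** Step 3 and 4: read the runtime signature(s) and compare against the embedded fingerprint. */
    public static boolean isSignedByUs(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : pi.signatures) {
                if (EXPECTED_SHA1.equalsIgnoreCase(sha1Fingerprint(sig.toByteArray()))) {
                    return true;
                }
            }
        } catch (Exception e) {
            // package lookup or digest failure: treat as "not ours"
        }
        return false;
    }

    /** SHA1 over the DER certificate, rendered as colon-separated upper-case hex like keytool does. */
    static String sha1Fingerprint(byte[] derCert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(derCert);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

An attacker who repackages the app can also patch out this comparison, which is why the slide pairs it with obfuscation and why DexGuard's tamper check (slide 18) is attractive: the check is only as strong as it is hard to find.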
  16. ProGuard
     • Code obfuscator (also shrinks and optimises)
     • Older than Android!
     • Part of the SDK
     • It’s FREE!
     • How to enable?
  17. ProGuard tips
     • Only applied on release builds
       ◦ Test early!
     • Save your mapping.txt! (without it, obfuscated stack traces cannot be mapped back to source)
     • The good crash-reporting services support ReTrace
       ◦ Crittercism
       ◦ Bugsense
       ◦ HockeyApp
       ◦ Plus others...
  18. DexGuard
     • ProGuard’s bad ass brother
     • Same config as ProGuard
     • Not free, but 1 licence == ∞ apps
     • One-line tamper check
     • wtf??? 囃$鷭.smali, Œ$鷭.smali
     • API hiding with string encryption == tough
     • Check out Eric Lafortune’s talk
  19. Last but not least...
     • Code reviews
       ◦ Lint warnings
       ◦ OWASP Mobile security recommendations
     • Mobile app security certification
       ◦ bit.ly/androidcert