Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hardening your Android app Droidcon uk 2013
Search
Scott Alexander-Bown
October 25, 2013
Technology
1
460
Hardening your Android app Droidcon uk 2013
Scott Alexander-Bown
October 25, 2013
Tweet
Share
More Decks by Scott Alexander-Bown
See All by Scott Alexander-Bown
Fundamentals of creating Android mobile apps
scottyab
0
31
What's 'Q' in Android Security
scottyab
0
120
Faster mobile debugging using a HTTP Proxy
scottyab
0
21
I <3 Charles Proxy
scottyab
0
37
What_s_new_from_Google_IO_2018.pdf
scottyab
0
55
Doppl, an intro!
scottyab
0
40
OMG What's new in Security
scottyab
0
51
What's New from Google I/O 2017
scottyab
0
79
What's Nnnnnew in Security Droidcon IT
scottyab
1
79
Other Decks in Technology
See All in Technology
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
880
Compose Compiler Metricsを使った実践的なコードレビュー
tomorrowkey
1
210
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
1
260
JAWS-UG Bedrock Claude Night
yamahiro
3
400
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
130
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
3
260
データベース02: データベースの概念
trycycle
0
130
Hands-on Gemini, the Google DeepMind LLM
meteatamel
1
110
Postman v10リリース後を振り返る
nagix
0
170
KubeCon EU 2024 Recap “Kubernetes Policy Time Machine: Where to Next?”
ryysud
0
180
MapLibreとAmazon Location Service
dayjournal
1
120
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
430
Featured
See All Featured
The Pragmatic Product Professional
lauravandoore
24
5.8k
Being A Developer After 40
akosma
56
580k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
The Power of CSS Pseudo Elements
geoffreycrofte
59
5k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
115
18k
BBQ
matthewcrist
80
8.8k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
154
14k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
Done Done
chrislema
178
15k
What's new in Ruby 2.0
geeforr
337
31k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Transcript
Hardening your app Scott Alexander-Bown @scottyab
Scott Alexander-Bown • Senior Developer @viaForensics • Co-author Android Security
Cookbook • Co-founder SWmobile meetup group ◦ meetup.com/swmobile
Hardening your Android App • Reverse engineering 101 • Encryption
• SSL • Tamper detection • Obfuscation
Not about… 100%
It’s on YOU!!! • Android is No.1 • Your role
== protect data • It’s your reputation
• Why? ◦ Easy / fun ◦ Lots of tools
◦ Replace Ads ◦ Trojanise app ◦ Software Piracy • Tools ◦ Apktool - bit.ly/apktool ◦ Dex2jar- bit.ly/dex2jar ◦ Apk to Java - bit.ly/apk2java Reverse engineering 101
Apktool: Let’s hack my app • Measure your social influence
with +1’s +Likes +retweet+mentions +recommendations +magic =Klout score
Apktool: Output $ apktool d myapp.apk
Santoku Linux • Pre-installed: ◦ platform SDKs ◦ decompilation tools
◦ hacking tools • Get it here: santoku-linux.com
VIA LAB viaforensics.com/products/vialab
Encryption
SpongyCastle • Consistent cryptology across os versions • Support ◦
AES-GCM ◦ Elliptic Curve Cryptography (ECC) • github.com/rtyley/spongycastle
Encryption: quick wins • SQLCipher ◦ 256-bit AES Encrypt SQLite
database ◦ sqlcipher.net/sqlcipher-for-android • IOCipher ◦ Virtual encrypted disk ◦ guardianproject.info/code/iocipher
Generate key per app
Ob-Secure Preferences • Library to ‘obscure’ your shared prefs •
Stops cheats • Quick win! • github.com/scottyab/secure-preferences
Password based encryption • Not store on the device, instead
is derived ◦ Use algorithm “PBKDF2WithHmacSHA1” ◦ User entered password/code ◦ salt (i.e package name) ◦ iteration count (1000+) ◦ =Derived encryption key • Tip: Ensure derivation method takes more than 100ms • github.com/nelenkov/android-pbe
Keystore provider • New in Android 4.3 • Hardware backed
keychain • github.com/nelenkov/android-keystore
SSL / TLS
OnionKit • StrongTrustManager ◦ Validate the whole cert chain and
root ◦ Debian cert store (not Android’s) • Use with Orbot • guardianproject.info/code/onionkit
Self signed SSL • Download certificate (openssl) • Embed in
app (/res/raw) • Load into Keystore • Custom TrustManager (Keystore based) • Init the SSL context with our TrustManager • Make SSL connection • bit.ly/anddevssl (Android developer blog)
Please don’t do this!! • Trust all
Tamper Protection • Licence Verification Library • Installer location
Environment verification • Emulator check ◦ System properties • Debuggable
check ◦ Package manager • Root check ◦ Root apps/utils ◦ System properties ◦ RW system
Validate signing key • Get SHA1 of signing cert (keytool)
• Embed in app • Get at signature at runtime • Compare
• Code Obfuscator • Older than Android! • Part of
the SDK • it’s FREE! • How to enable? ProGuard
ProGuard tips • Only applied on release builds ◦ Test
early! • Save your mapping.txt! • The good crashlytics services support ReTrace ◦ Critterism ◦ Bugsense ◦ HockeyApp ◦ Plus others...
Go pro-ProGuard = DexGuard
DexGuard • ProGuard’s bad ass brother • Same config as
ProGuard • Not free but 1 licence == ∞ apps • One line tamper check • wtf??? 囃$鷭.smali, Œ$鷭.smali • API hiding with String encryption == tough • Check out Eric Lafortune’s talk
Last but not least... • Code reviews ◦ Lint warnings
◦ OWASP Mobile security recommendations • Mobile app security certification ◦ bit.ly/androidcert
Thanks for listening
Q&A | Contact | Feedback • @scottyab • gplus.to/scottyab •
github/scottyab •
[email protected]