In the Brain of Scott Alexander-Bown

Presentation as part of the Skills Matter: In the brain of sessions - more info and video here https://skillsmatter.com/meetups/6193-android-app-hardening
Feedback here: http://bit.ly/inthebrainscott

All works are licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

Scott Alexander-Bown

March 19, 2014
Transcript

  1. Me: Scott Alexander-Bown
     •  Senior Developer at
     •  Consultancy & training for Independently Mobile limited
     •  Co-author Android Security Cookbook
     •  Co-founder SWmobile meetup group
        ◦  meetup.com/swmobile
  2. Hardening your Android App
     •  Reverse engineering 101
     •  Storing data (encryption)
     •  Network
     •  Apk
        ◦  Tamper detection
        ◦  Obfuscation
  3. It’s on YOU!!!
     •  Android is No.1
     •  Your role = Protect data
     •  It’s your reputation
  4. Reverse engineering 101
     •  Why?
        ◦  Easy / fun
        ◦  Lots of tools
        ◦  Replace Ads
        ◦  Trojanise app
        ◦  Software Piracy
     •  Tools
        ◦  Apktool - http://bit.ly/apktool
        ◦  Dex2jar - http://bit.ly/dex2jar
        ◦  Apk to Java - http://bit.ly/apk2java
  5. Apktool: Let’s hack my app
     •  Measure your social influence with +1’s +Likes +retweet +mentions +recommendations +magic = Klout score
  6. Santoku Linux
     •  Pre-installed:
        ◦  platform SDKs
        ◦  decompilation tools
        ◦  hacking tools
     •  Get it here: santoku-linux.com
  7. Spongy Castle
     •  Bundle your own crypto libraries
     •  SpongyCastle adds support:
        ◦  AES-GCM
        ◦  Elliptic Curve Cryptography (ECC)
  8. Encryption: quick wins
     •  SQLCipher
        ◦  256-bit AES Encrypt SQLite database
     •  Secure-Preferences
        ◦  ‘obscure’ your app’s shared preferences
     •  IOCipher
        ◦  Virtual encrypted disk
     •  Conceal
        ◦  Easy to use APIs for fast encryption and authentication of data
  9. Not storing the key
     •  Password Based Encryption (PBE)
        ◦  Generate a key from user pin/password
        ◦  KDF - more iterations the better
        ◦  Add app time out to clear from memory
     •  The KeyStore provider (Android 4.3+)
        ◦  Secured via device pin/pass code
        ◦  Hardware backed (on some devices)
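The PBE bullets above as working code. This is an added example written for this transcript, not code from the deck or from the speaker: the class name PinProtectedStore, the 10000-iteration count and the IV||ciphertext||tag layout are my assumptions. It uses only javax.crypto, so it runs on a plain JVM; on Android versions that lack AES-GCM in the platform provider, the slide 7 route (bundling SpongyCastle) supplies it. The key exists only in memory and lock() is the hook the slide's "app time out" would call.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Derives an AES key from the user's PIN/password; the key itself is never written to disk. */
public final class PinProtectedStore {
    private static final int ITERATIONS = 10000;   // assumed value; tune so unlock takes ~100 ms on target devices
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;
    private static final int TAG_BITS = 128;

    private final byte[] salt;   // random per user; stored in the clear next to the ciphertext
    private SecretKey key;       // lives only in memory; dropped on time-out

    public PinProtectedStore(byte[] salt) { this.salt = salt; }

    public static byte[] newSalt() {
        byte[] s = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(s);
        return s;
    }

    /** KDF step: PBKDF2-HMAC-SHA1 stretched over ITERATIONS rounds ("more iterations the better"). */
    public void unlock(char[] password) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            byte[] raw = f.generateSecret(spec).getEncoded();
            key = new SecretKeySpec(raw, "AES");
            Arrays.fill(raw, (byte) 0);
        } finally {
            spec.clearPassword();
            Arrays.fill(password, '\0');   // do not leave the PIN lying around in the heap
        }
    }

    /** App time-out hook: forget the key so a later memory dump yields nothing usable. */
    public void lock() { key = null; }

    public boolean isLocked() { return key == null; }

    /** Output layout (assumed): 12-byte IV || ciphertext || 16-byte GCM tag. */
    public byte[] encrypt(byte[] plaintext) throws Exception {
        requireUnlocked();
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);   // fresh IV per message; never reuse with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    /** A wrong PIN or a modified blob fails the GCM tag check and throws AEADBadTagException. */
    public byte[] decrypt(byte[] blob) throws Exception {
        requireUnlocked();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    private void requireUnlocked() {
        if (key == null) throw new IllegalStateException("store is locked; prompt for the PIN again");
    }

    public static void main(String[] args) throws Exception {
        PinProtectedStore store = new PinProtectedStore(newSalt());
        store.unlock("1234".toCharArray());                         // constructed sample PIN
        byte[] blob = store.encrypt("api-token-xyz".getBytes("UTF-8"));   // constructed sample secret
        System.out.println(new String(store.decrypt(blob), "UTF-8"));
        store.lock();                                              // what the time-out would do
    }
}
```

Persist only the salt and the blob; the salt is not secret, the PIN is the only secret, and a low-entropy PIN is what the iteration count is defending. Because GCM is authenticated, a wrong PIN is detected at decrypt time without storing any key-check value.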
  10. Hardening SSL
     •  Use secure SSL/TLS protocols
        ◦  i.e. SSL v3, TLS v1.1/1.2
     •  Use secure ciphers (128 bit or higher)
     •  Validate the certificates
     •  NetCipher
        ◦  Whole chain validation
        ◦  Orbot: Proxy with Tor
  11. Self signed SSL
     •  Download certificate (openssl)
     •  Embed in app (/res/raw)
     •  Load into Keystore
     •  Custom TrustManager (Keystore based)
     •  Init the SSL context with our TrustManager
     •  Make SSL connection
     •  https://developer.android.com/training/articles/security-ssl.html
  12. SSL Pinning
     •  2 types
        ◦  Certificate pinning
        ◦  Public key pinning
     •  How to pin
        ◦  Get pin and hash it
        ◦  Embed in app
        ◦  Make SSL connection
        ◦  Get cert chain
        ◦  Verify pins match
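Slides 11 and 12 describe one procedure: build a trust store from a certificate embedded in the app, wrap the resulting TrustManager so that it also checks the server's chain against embedded pins, and initialise the SSLContext with it. The code below is an added example for this transcript, not the speaker's code or the NetCipher library's: the class name PinnedTls, the PinningTrustManager wrapper and the hex SHA-256 pin format are my assumptions. The pin is taken over the DER-encoded SubjectPublicKeyInfo (the slide's "public key pinning" type), so a renewed certificate carrying the same key still matches.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTls {

    /** Slide 11: a trust store holding only the certificate shipped in res/raw (PEM or DER). */
    public static X509TrustManager trustManagerFor(InputStream embeddedCert) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(embeddedCert);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                    // start empty: the system CAs are deliberately not trusted
        ks.setCertificateEntry("server", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Slide 12 "get pin and hash it": SHA-256 over the DER SubjectPublicKeyInfo, hex encoded. */
    public static String publicKeyPin(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    /** Wraps a TrustManager: full chain validation first, then "verify pins match". */
    public static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private final Set<String> pins;   // hex pins embedded in the app

        public PinningTrustManager(X509TrustManager delegate, Set<String> pins) {
            this.delegate = delegate;
            this.pins = pins;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkServerTrusted(chain, authType);   // reject untrusted/expired chains before pinning
            try {
                for (X509Certificate c : chain) {            // a pinned key anywhere in the chain is enough
                    if (pins.contains(publicKeyPin(c))) return;
                }
            } catch (Exception e) {
                throw new CertificateException("could not compute public key pin", e);
            }
            throw new CertificateException("server chain matches no pinned public key");
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** "Init the SSL context with our TrustManager" and "make SSL connection". */
    public static HttpsURLConnection open(URL url, X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

In an Android app the input stream would come from getResources().openRawResource(R.raw.server_cert) (resource name assumed) and the pin set from constants generated by running publicKeyPin over the server certificate at build time. Embed a pin for a backup key as well as the live one: with a single pin, rotating the server key locks every installed copy of the app out until it is updated.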
  13. Tamper Protection
     •  Installer app
     •  Emulator check
        ◦  System properties
     •  Debuggable check
        ◦  Package manager
     •  Root check
        ◦  Root apps/utils
        ◦  System properties
        ◦  RW system
  14. Signing certificate check
     •  Get SHA1 of signing cert: keytool -list -v -keystore debug.keystore
     •  Embed in app
     •  Get signature at runtime from the Package Manager
     •  Compare
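The checks from slides 13 and 14 in one Android class. This is an added example for this transcript, not the speaker's code or DexGuard's one-line tamper check: the class name TamperChecks and the method names are mine, RELEASE_CERT_SHA1 is an obvious placeholder to be replaced by the SHA1 fingerprint keytool prints (with the colons removed), and "com.android.vending" (Google Play) and "eu.chainfire.supersu" (SuperSU) are the real package names used as examples of the installer and of a root app. Each method returns true when something looks wrong, so the caller can decide whether to refuse to run or merely log.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.File;
import java.security.MessageDigest;

/** Runtime tamper checks from slides 13 and 14; every method answers "does this look tampered?". */
public final class TamperChecks {

    // PLACEHOLDER: hex SHA1 of the release signing certificate from `keytool -list -v`, colons stripped.
    private static final String RELEASE_CERT_SHA1 = "0000000000000000000000000000000000000000";

    /** Installer app: a legitimate install comes from Google Play, not from a side-loaded apk. */
    public static boolean notInstalledFromPlay(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return installer == null || !installer.equals("com.android.vending");
    }

    /** Debuggable check via the package manager: a release build must not carry android:debuggable. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Emulator check from the system properties that android.os.Build exposes. */
    public static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || "goldfish".equals(Build.HARDWARE);
    }

    /** Root check: system properties (test-keys), root utils/apps, and a writable /system. */
    public static boolean looksRooted(Context ctx) {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        String[] suPaths = { "/system/bin/su", "/system/xbin/su", "/sbin/su" };
        for (String p : suPaths) {
            if (new File(p).exists()) return true;
        }
        try {
            ctx.getPackageManager().getPackageInfo("eu.chainfire.supersu", 0);
            return true;   // a known root manager is installed
        } catch (PackageManager.NameNotFoundException ignored) {
            // not installed; fall through to the last check
        }
        return new File("/system").canWrite();   // RW system partition
    }

    /** Signing certificate check: SHA1 of the runtime signature must equal the embedded value. */
    public static boolean signatureMismatch(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                // Signature.toByteArray() is the DER certificate, the same bytes keytool fingerprints
                byte[] digest = MessageDigest.getInstance("SHA-1").digest(sig.toByteArray());
                if (RELEASE_CERT_SHA1.equalsIgnoreCase(hex(digest))) return false;
            }
        } catch (Exception e) {
            return true;   // unable to read our own signature: treat as tampered
        }
        return true;       // re-signed apk: none of the signatures match
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Combined verdict; callers may weight the individual checks differently. */
    public static boolean tampered(Context ctx) {
        return notInstalledFromPlay(ctx) || isDebuggable(ctx) || isEmulator()
                || looksRooted(ctx) || signatureMismatch(ctx);
    }
}
```

All of these run inside the app, so a re-signed build can simply have the checks removed; they raise the cost of tampering rather than prevent it, which is why the deck pairs them with ProGuard/DexGuard obfuscation (slides 15 to 17). Keep the emulator and root checks out of the release path for your own test devices, or gate them behind a build flag, so QA is not blocked by them.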
  15. ProGuard
     •  Code Obfuscator
     •  Older than Android!
     •  Part of the SDK (it’s FREE!)
     •  How to enable?
  16. ProGuard tips
     •  -keep class com.myapp.notworking.** { *; }
     •  Only applied on release builds
        ◦  Test early!
     •  Save your mapping.txt
     •  Some crash reporting services support ReTrace
        ◦  Crashlytics
        ◦  Crittercism
        ◦  Bugsense (paid)
        ◦  HockeyApp (paid)
  17. DexGuard
     •  ProGuard’s bad ass brother
     •  www.saikoa.com/dexguard
     •  Not free but 1 licence == ∞ apps
     •  Personal Highlights
        ◦  One line tamper check
        ◦  ᅥ$ᳰ.smali, Œ$ᳰ.smali
        ◦  API hiding with String encryption == tough
  18. Infrastructure and deployment
     •  Access to the code
     •  Google Play dev account
        ◦  Enable 2 factor auth
        ◦  Grant developer access
     •  Keystore/signing key
        ◦  min use -keysize 2048
  19. More info…
     •  42+ Secure mobile development best practices
        ◦  http://bit.ly/viafor42
     •  OWASP Mobile security recommendations
        ◦  http://bit.ly/owaspmobile
     •  Android security cookbook
        ◦  http://bit.ly/MscEFu
        ◦  BOGOF ebooks at packtpub.com
  20. Reference Slide: Dev libs
     •  Spongycastle - https://github.com/rtyley/spongycastle
     •  SQLCipher - http://sqlcipher.net/sqlcipher-for-android
     •  Secure-Preferences - http://github.com/scottyab/secure-preferences
     •  IOCipher - http://guardianproject.info/code/iocipher
     •  Conceal - http://facebook.github.io/conceal
     •  NetCipher - https://github.com/guardianproject/NetCipher
  21. Reference Slide: More Info
     •  Android security cookbook ISBN:1782167161
        ◦  http://bit.ly/MscEFu
     •  42+ Secure mobile development best practices
        ◦  http://bit.ly/viafor42
     •  OWASP Mobile security recommendations
        ◦  http://bit.ly/owaspmobile
     •  Mobile app security certification
        ◦  http://bit.ly/androidcert