OMG What's new in Security

Scott Alexander-Bown
October 27, 2017

Android O brings a plethora of security enhancements to the platform and the SDK. Scott will share with you a concise update on these new security features as well as practical tips and examples of how to implement them and improve your app’s security.

You will learn about features such as Autofill, restrictions on device hardware identification with a focus on user privacy, new permissions in telephony and updates to how apps can access user accounts.

Scott will discuss the major enhancements to WebView in Android O, including isolating its process and the ability to integrate with the Google Safe Browsing API. He will also cover the dropping of support for SSLv3 and enhancements to the Network Security Config that was introduced in Android Nougat.

Scott will also share with you some security features you can implement when your app is not running on Android O. This is where Google Play services can help. Several new SafetyNet APIs allow developers to make smarter decisions about the trustworthiness of the devices their app is running on. You will also learn how easy it is to transition to Google Play App Signing, which offers a new way to manage your app’s signing keys.

Transcript

  1. What's new in Security?
    Scott Alexander-Bown
    @ScottyAB

  2. It’s for developers
    Not security experts

  3. Google Play Services
    Oreo
    Google Play Store

  4. You cannot trust the client

  5. What can you use today?

  6. SafetyNet
    part of Google Play Services
    'com.google.android.gms:play-services-safetynet:11.2.0'
    *Unofficial logo

  7. .listHarmfulApps()

  8. .verifyWithRecaptcha()

  9. Verify on secure server
    POST to https://www.google.com/recaptcha/api/siteverify
    ● TokenResult (from SafetyNet recaptchaTokenResponse)
    ● Your reCAPTCHA secret

  10. .lookupUri(..)
    Images from safebrowsing.google.com

  11. .attest(..)

  12. Device Status | ctsProfileMatch | basicIntegrity
    Certified, genuine device that passes CTS | TRUE | TRUE
    Certified device with unlocked bootloader | FALSE | TRUE
    Device with custom ROM (not rooted) | FALSE | TRUE
    Emulator | FALSE | FALSE
    Signs of system integrity compromise (rooting) | FALSE | FALSE
    Signs of other active attacks (API hooking) | FALSE | FALSE
    SafetyNet Documentation https://goo.gl/uKd8Y6

  13. On your secure server!
    ➔ Validate JWS message SSL cert chain
    ➔ Android Device Verification API
    ➔ Validate JWS message content
    SafetyNet Samples: https://goo.gl/Th3bEm

  14. FIDO U2F API
    Fast Identity Online Universal 2nd Factor
    ➔ Register
    ➔ Authenticate
    ➔ Bluetooth or NFC
    ➔ 'com.google.android.gms:play-services-fido:11.2.0'
    https://github.com/googlesamples/android-fido

  15. SMS Retriever API
    Image from https://developers.google.com/identity/sms-retriever/overview

  16. Phone Number Verification With SMS Tokens
    ● Authenticate/verify a User
    ● Better UX
    ● Does not require the READ_SMS permission

  17. Oreo!

  18. Platform
    ➔ Kernel Hardening
    ➔ Dev options req password
    ➔ Install unknown apps

  19. Updating the platform
    ➔ Project Treble
    ➔ Streaming system updates
    ➔ Update "rollback protection"

  20. Autofill framework
    ➔ It just works with standard UI widgets
    ➔ Add support for your own custom views
    ➔ autofillHints
    ➔ IMPORTANT_FOR_AUTOFILL_NO
    “It just works!”

  21. Autofill service: security recommendations
    ➔ Partition data
    ➔ Field in focus
    ➔ Sensitive data restricted to the app that provided it
    AutofillFollies Whitepaper by Mark Murphy: https://goo.gl/s1T33C

  22. WebView: Isolated Process

  23. WebView: Safe Browsing

    <meta-data
        android:name="android.webkit.WebView.EnableSafeBrowsing"
        android:value="true" />

  24. Recap: Network Security Config
    ➔ Custom Truststore
    ➔ Block clear text
    ➔ SSL Pinning
    ➔ Debug only config
    A previous talk https://youtu.be/XzRbhfVyoKo

  26. New Telephony Permissions
    ➔ READ_PHONE_NUMBERS
    ➔ ANSWER_PHONE_CALLS
    ➔ Part of android.permission-group.PHONE

  27. Privacy improvements
    Identifier | Nougat <=API25 | Oreo API26+
    ANDROID_ID | Per device | Per app-signing key, user, and device
    Serial Number | Build.SERIAL | Build.getSerial()

  28. ANDROID_ID
    ➔ Does not change on package uninstall or reinstall*
    ◆ Signing keys the same
    ◆ Unless uninstalled and then reinstalled after the OTA
    ➔ Use Advertising ID
    Google Play Store Policy: Advertising ID https://goo.gl/P2e41N

  29. PlayStore

  30. Typical app signing
    Image from Google Play console

  31. Google Play app signing
    Image from Google Play console

  32. Advantages
    ➔ Upload key reset
    ➔ Streamlined migration
    ➔ Optimization (APK size)
    Google Dev video - https://youtu.be/5tdGAP927dk

  33. But...
    ➔ Permanent enrollment
    ➔ Register the upload key hash with APIs
    ➔ What about other app stores?

  34. What about the future?

  35. Network Security config

  36. Google Play Services
    Oreo
    Google Play Store

  37. Thanks
    Scott Alexander-Bown
    @ScottyAB
    Available for hire
    (remote)

  38. App Security Improvement Program
    ➔ Security tips in Play console
    ➔ Apps scanned before publish
    ➔ TrustManager, various ad SDKs, OpenSSL, etc.

  39. Exclude devices
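
The "Validate JWS message content" step from slide 13, applied to the verdict fields from slide 12, as an added example that is not from the talk or from Google's samples. It assumes the JWS signature and certificate chain were already verified; `make_sample_jws`, the 120-second freshness window and the `require_cts` switch are constructed for illustration.

```python
import base64
import hmac
import json


def _b64url_decode(segment):
    # JWS segments are unpadded base64url (RFC 7515); restore the padding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_attestation_content(jws, issued_nonce, expected_package, now_ms,
                              max_age_ms=120_000, require_cts=True):
    """Return the failed payload checks; an empty list means accept.

    Assumes the JWS signature and certificate chain were verified first;
    this covers only the "message content" step.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        return ["malformed JWS"]
    try:
        claims = json.loads(_b64url_decode(parts[1]))
        nonce = base64.b64decode(claims.get("nonce", ""), validate=True)
    except (ValueError, TypeError, AttributeError):
        return ["undecodable payload"]
    failures = []
    # The nonce binds the response to one server-issued challenge (anti-replay).
    if not hmac.compare_digest(nonce, issued_nonce):
        failures.append("nonce mismatch")
    ts = claims.get("timestampMs")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= max_age_ms:
        failures.append("stale or missing timestamp")
    if claims.get("apkPackageName") != expected_package:
        failures.append("unexpected package")
    # Require a literal true: a missing or non-boolean field must not pass.
    flags = ["basicIntegrity"] + (["ctsProfileMatch"] if require_cts else [])
    for flag in flags:
        if claims.get(flag) is not True:
            failures.append(flag + " not true")
    return failures


def make_sample_jws(claims):
    # Constructed sample token: header and signature are placeholders.
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'),
                     enc(json.dumps(claims).encode()), enc(b"sig")])
```

With `require_cts=False` a certified device with an unlocked bootloader (ctsProfileMatch FALSE, basicIntegrity TRUE in the slide 12 table) is accepted; with the default it is rejected.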
