$30 off During Our Annual Pro Sale. View Details »

What's Nnnnnew in Security Droidcon IT

Scott Alexander-Bown
April 07, 2017
Technology
1
68

What's Nnnnnew in Security Droidcon IT

Fresh from Droidcon IT. Android N brings a plethora of security enhancements to the platform and the SDK. Including Network Layer Security, Hardware-backed Keystore, APK Signing v2, Scoped Directory Access and Direct Boot. Come to this talk to get a concise update on the new features, practical tips and examples of how to implement in your app today!

Scott Alexander-Bown

April 07, 2017
Tweet

More Decks by Scott Alexander-Bown

See All by Scott Alexander-Bown
Fundamentals of creating Android mobile apps
scottyab
0
29
What's 'Q' in Android Security
scottyab
0
82
Faster mobile debugging using a HTTP Proxy
scottyab
0
19
I <3 Charles Proxy
scottyab
0
37
What_s_new_from_Google_IO_2018.pdf
scottyab
0
54
Doppl, an intro!
scottyab
0
37
OMG What's new in Security
scottyab
0
50
What's New from Google I/O 2017
scottyab
0
68
Android Things
scottyab
0
220

Other Decks in Technology

See All in Technology
Kaggle Tokyo Meetup2023 CommonLit Solutionの紹介と考え方 - Fulltrain戦略と(Seed/Model)Ensembleの可視化 -
chumajin
2
1.1k
更新”しない”ドキュメント管理 「イミュータブルドキュメントモデル」の実運用
kosui
8
910
ミチビク株式会社エンジニアカンパニーデック
knsg16
0
2.2k
コンテナ支部recapをrecapしよう_気になったコンテナの周りのアップデートを紹介.pdf
yoshiitaka
0
230
visionOSについてGlobeeが取り組んでいること
toshi0383
0
250
エンタープライズSaaSへの挑戦〜顧客の事業を成長させるプロダクトマネジメントとは?〜 / pmconf2023
route06
2
970
朝起こしてくれるメイドさんが欲しい (LT) - NIFTY Tech Day 2023
niftycorp
1
110
AWS re:Invent 2023 わざわざ現地まで行く意味あるの?→ありました
minorun365
PRO
5
910
開発組織の体制づくり、いつやるか問題
akiroom
0
1.9k
231116 あつまれ入力デバイスの沼 Ryu.Cyberさん
comucal
PRO
0
230
LLMエンジニアリングを加速させるソフトウェアアーキテクチャ
tkikuchi1002
0
520
Repro の開発組織体制の変遷そして Platform Engineering / Platform Engineering Meetup #6
a_bicky
2
360

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
26
5.7k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
140k
Scaling GitHub
holman
455
140k
Testing 201, or: Great Expectations
jmmastey
26
6.1k
A Philosophy of Restraint
colly
194
15k
Debugging Ruby Performance
tmm1
68
11k
Unsuck your backbone
ammeep
660
56k
Facilitating Awesome Meetings
lara
37
5.2k
Being A Developer After 40
akosma
52
580k
GraphQLとの向き合い方2022年版
quramy
26
12k
How STYLIGHT went responsive
nonsquared
89
4.5k
Intergalactic Javascript Robots from Outer Space
tanoku
264
26k

Transcript

  1. What’s NNNNew in Android Security?
    Scott Alexander-Bown
    Droidcon Italy
    2017 @ScottyAB

    View Slide

  2. View Slide

  3. At a glance
    Direct boot
    Android Keystore (Key Attestation)
    ‘Securer’ networking
    Misc system and app differences
    SafetyNet
    @ScottyAB
    Slides/Links
    https://goo.gl/sL5z7U

    View Slide

  4. Terms
    6.0 - M - API 23 - Marshmallow
    7.0 - N - API 24 - Nougat
    7.1 - N (MR1) - API 25 - Nougat
    @ScottyAB

    View Slide

  5. Direct Boot

    View Slide

  6. Booting encrypted device
    pre-7.0
    Boot halted for pin/password
    Device encrypted with same key
    Android used block-level
    encryption
    @ScottyAB

    View Slide

  7. Direct Boot mode
    Boot direct to lock screen
    Calls, SMS & Alarms work
    And your app too!
    @ScottyAB

    View Slide

  8. File based encryption
    Default
    @ScottyAB

    View Slide

  9. View Slide

  10. Direct Boot aware
    android:name=".directboot.MyDirectBootAwareReceiver"

    android:directBootAware="true">


    android:name="android.intent.action.ACTION_LOCKED_BOOT_COMPLETED" />



    @ScottyAB

    View Slide

  11. Direct Boot aware
    android:name=".directboot.MyDirectBootAwareReceiver"

    android:directBootAware="true">


    android:name="android.intent.action.ACTION_LOCKED_BOOT_COMPLETED" />



    @ScottyAB

    View Slide

  12. Accessing device encrypted storage
    @Override

    public void onReceive(Context context, Intent intent) {


    Context directBootContext =
    ContextCompat.createDeviceProtectedStorageContext(context);


    if (directBootContext != null) {

    SharedPreferences sharedPreferences =
    PreferenceManager.getDefaultSharedPreferences(directBootContext);


    String token = sharedPreferences.getString(READ_ONLY_OAUTH_TOKEN, null);


    //do read only API lookup

    ///...

    }

    }
    @ScottyAB

    View Slide

  13. Accessing device encrypted storage
    @Override

    public void onReceive(Context context, Intent intent) {


    Context directBootContext =
    ContextCompat.createDeviceProtectedStorageContext(context);


    if (directBootContext != null) {

    SharedPreferences sharedPreferences =
    PreferenceManager.getDefaultSharedPreferences(directBootContext);


    String token = sharedPreferences.getString(READ_ONLY_OAUTH_TOKEN, null);


    //do read only API lookup

    ///...

    }

    }
    @ScottyAB

    View Slide

  14. Accessing device encrypted storage
    @Override

    public void onReceive(Context context, Intent intent) {


    Context directBootContext =
    ContextCompat.createDeviceProtectedStorageContext(context);


    if (directBootContext != null) {

    SharedPreferences sharedPreferences =
    PreferenceManager.getDefaultSharedPreferences(directBootContext);


    String token = sharedPreferences.getString(READ_ONLY_OAUTH_TOKEN, null);


    //do read only API lookup

    ///...

    }

    }
    @ScottyAB

    View Slide

  15. Direct Boot, so what is it good for?
    Messaging apps, important user notifications.
    Already using a BootCompleted listener?
    Device encrypted storage for limited scope API
    tokens i.e Readonly
    @ScottyAB

    View Slide

  16. Android Keystore
    @ScottyAB
    Android 4.3

    View Slide

  17. What is the KeyStore?
    @ScottyAB

    View Slide

  18. What’s new?
    AES and HMAC (Android M)
    N+ must be hardware backed
    (new devices)
    @ScottyAB

    View Slide

  19. is the Keystore hardware backed?
    // deprecated
    KeyChain.isBoundKeyAlgorithm(“RSA”);
    // Recommended alternative
    PrivateKey key = ...; // private key from KeyChain
    KeyFactory keyFactory = KeyFactory.getInstance(key.getAlgorithm(),
    “AndroidKeyStore");
    KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class);
    if (keyInfo.isInsideSecureHardware()) {
    // The key is bound to the secure hardware of this Android
    @ScottyAB

    View Slide

  20. Key Attestation
    verify key is stored in hardware-
    backed keystore
    N+ (New devices)
    Special key is baked into the
    firmware
    @ScottyAB

    View Slide

  21. Code
    keyStore.getCertificateChain(alias)
    Send cert chain to your server
    validate the cert chain (on your server!)
    @ScottyAB

    View Slide

  22. By @doriancussen
    Updated April 2017

    View Slide


  23. @ScottyAB

    View Slide

  24. Securer Networking
    Custom trust store / anchors
    Debug only Overrides CA
    Block non https traffic
    Limit the certs you trust
    @ScottyAB

    View Slide

  25. minSdkVersion=24?

    View Slide

  26. CWAC-NetSecurity by Mark Murphy
    https://github.com/commonsguy/cwac-netsecurity
    @ScottyAB

    View Slide

  27. Configuring CAs for Debugging
    Self signed certs in development
    Only enabled when android:debuggable=true
    Safer that conditional code
    @ScottyAB

    View Slide

  28. Configuring CAs for Debugging







    @ScottyAB

    View Slide

  29. Manifest
    android:icon="@mipmap/ic_launcher"

    android:label="@string/app_name"

    android:networkSecurityConfig=
    “@xml/network_security_config_debug_ca" />
    @ScottyAB

    View Slide

  30. User certs not trusted by default*
    *Running on API 24+ and targeting API 24+
    @ScottyAB
    mitmproxy

    View Slide

  31. Trusting user installed certs







    @ScottyAB
    Gist: https://goo.gl/KN1QLp

    View Slide

  32. Pinning Certificates
    SSL pinning lets apps limit the set of certificates they
    accept
    Pin a hash of the SubjectPublicKeyInfo of the X.509
    certificate.
    @ScottyAB
    https://youtu.be/
    AO5tpN073As

    View Slide

  33. SSL Pinning


    scottyab.com


    7HIpactkIAq2Y49…Y=


    fwza0LRMXouZHR…E=





    @ScottyAB

    View Slide

  34. How to get the Pin?
    https://goo.gl/mupcRk

    View Slide

  35. How to get the Pin?
    $ openssl s_client -servername scottyab.com
    -connect scottyab.com:443 | openssl x509 -
    pubkey -noout | openssl rsa -pubin -outform
    der | openssl dgst -sha256 -binary | openssl
    enc -base64
    Thanks to John Kozyrakis @ikoz
    @ScottyAB

    View Slide

  36. Misc
    Misc
    @ScottyAB

    View Slide

  37. Under the hood
    The media stack and
    platform hardening
    Kernel hardening (with error
    correction)
    @ScottyAB

    View Slide

  38. Seamless OTA updates
    @ScottyAB

    View Slide

  39. Iwo Banaś - https://github.com/iwo/marshmallow-tapjacking

    View Slide

  40. Scoped directory access
    Storage Access Framework
    Environment.DIRECTORY_MOVIES
    Remember to call
    takePersistableUriPermission()
    @ScottyAB

    View Slide

  41. App data directory
    Sharing files is explicitly opt-in
    content:// URI instead of file://
    Use FileProvider (support-lib)
    @ScottyAB

    View Slide

  42. APK signing schema v1
    Problems
    Deleting files
    adding files to meta-inf
    DOS app
    @ScottyAB

    View Slide

  43. APK signing schema v2
    Faster
    More Secure
    You’re already using both?
    zipalign before (not after)
    @ScottyAB

    View Slide

  44. Permissions required by libraries.
    @ScottyAB

    View Slide

  45. Read device?
    Vulnerable?
    Rooted?
    @ScottyAB
    SafetyNet API

    View Slide

  46. SafetyNetApi.attest(..)
    Read device?
    Vulnerable?
    Rooted?
    @ScottyAB

    View Slide

  47. https://github.com/scottyab/safetynethelper

    View Slide

  48. play.google.com/store/apps/details?id=com.scottyab.safetynet.sample

    View Slide

  49. SafetyNetApi.lookupUri(..)
    Social Engineering
    Potentially Harmful Apps
    @ScottyAB

    View Slide

  50. SafetyNetApi - Misc
    Check Verified Apps status
    Enable Verified Apps
    List installed Potentially
    Harmful Apps (PHA)
    reCAPTCHA Integration
    @ScottyAB

    View Slide

  51. Android O
    SSLv3 dropped
    Webview isolated process
    Android_ID and Build.Serial
    Native libraries (writable and executable)
    @ScottyAB
    Bonus slide!

    View Slide

  52. Recap
    Direct boot
    Android Keystore (Key Attestation)
    ‘Securer’ networking
    Misc system and app differences
    SafetyNet
    @ScottyAB

    View Slide

  53. Thanks for listening
    Scott Alexander-Bown
    @ScottyAB
    [email protected]
    Shout outs:
    @commonsguy
    @ikoz
    +AdrianLudwig
    @doriancussen
    @niallscott
    @trionkidnapper
    @subsymbolics
    Slides/Links
    https://goo.gl/sL5z7U
    Hire me

    View Slide

  54. Resources
    https://www.blackhat.com/ldn-15/summit.html#what-can-you-do-to-an-apk-without-its-private-key-except-
    repacking
    https://doridori.github.io/android-security-the-forgetful-keystore/#sthash.hFHQpV3A.5WcUVfYk.dpbs
    http://android-developers.blogspot.co.uk/2016/09/security-enhancements-in-nougat.html
    https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2
    https://blog.stylingandroid.com/nougat-direct-boot/
    SafetyNet Helper library https://github.com/scottyab/safetynethelper
    Security patch date util - https://gist.github.com/scottyab/77bac6600986eb6a619e07a3d0abae3f
    *Adrian Ludwig’s Google IO talk - What’s new in Android Security (M &N) - https://www.youtube.com/watch?
    v=XZzLjllizYs
    @ScottyAB

    View Slide

  55. Training / Developer Docs
    https://developer.android.com/training/articles/security-key-
    attestation.html
    https://developer.android.com/training/articles/scoped-
    directory-access.html#accessing
    https://developer.android.com/training/articles/user-data-
    permissions.html#tenets_of_working_with_android_permissions
    https://developer.android.com/training/articles/direct-boot.html
    @ScottyAB

    View Slide

  56. Access to Hardware Identifier
    @ScottyAB
    wifiManager.getConnectionInfo().getMacAddress()
    BluetoothAdapter.getDefaultAdapter().getAddress()
    Gist: https://goo.gl/ZRDe2g

    View Slide