What's NNNNNNNNew in Android Security? - Oct 2016

Android N brings a plethora of security enhancements to the platform and the SDK, including Network Layer Security, Hardware-backed Keystore, APK Signing v2, Scoped Directory Access and Direct Boot.

Links in more clickable form on https://scottyab.com/2016/10/whats-new-in-android-security-oct-2016/

Scott Alexander-Bown

October 27, 2016

Transcript

  1. What’s NNNNew in Android Security?
    Scott Alexander-Bown
    droidcon
    London 2016 @ScottyAB

  3. At a glance
    Direct boot
    Keystore
    ‘Securer’ networking
    Misc system and app differences
    Permissions in M

  4. Terms
    6.0 - M - API 23 - Marshmallow
    7.0 - N - API 24 - Nougat

  5. Direct Boot

  6. Booting encrypted device
    pre-7.0
    Boot halted for pin/password
    Device encrypted with same key
    Android used block-level encryption

  7. Direct Boot mode
    Boot direct to lock screen
    Calls, SMS & Alarms work
    And your app too!

  8. File based encryption
    Default

  10. Direct Boot aware
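    <receiver
        android:name=".directboot.MyDirectBootAwareReceiver"
        android:directBootAware="true">
        <!-- Delivered after boot while the device is still locked -->
        <intent-filter>
            <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
        </intent-filter>
    </receiver>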

  12. Accessing device encrypted storage
    @Override
    public void onReceive(Context context, Intent intent) {
        // Device-protected storage is readable before the user first unlocks
        Context directBootContext =
                ContextCompat.createDeviceProtectedStorageContext(context);

        // The compat call returns null on releases before N
        if (directBootContext != null) {
            SharedPreferences sharedPreferences =
                    PreferenceManager.getDefaultSharedPreferences(directBootContext);

            String token = sharedPreferences.getString(READ_ONLY_OAUTH_TOKEN, null);

            // do read-only API lookup
            // ...
        }
    }

  15. Direct Boot, so what is it good for?
    Messaging apps, important user notifications.
    Already using a BootCompleted listener?
    Recommended: limited scope, i.e. read-only API tokens

  16. Android Keystore
    Android 4.3

  17. What is the KeyStore?
    Originally for unlocking DRM content
    Apps can securely create and store their crypto keys.
    Requires device PIN or password (or fingerprint)
    Ideally secure element / TrustZone (hardware-based)

  18. What’s new?
    Android M introduced a broader range of capabilities.
    N+ must be hardware backed (new devices)
    Time sensitive (Android M)

  19. Attestation
    Key is baked into the firmware
    Create a Key
    Remotely validate its cert chain
    N+ (New hardware)

  20. By @doriancussen

  22. Securer Networking
    Custom trust store / anchors
    Debug-only CA overrides
    Block non-HTTPS traffic
    Limit the certs you trust

  23. minSdkVersion=24?

  24. CWAC-NetSecurity
    https://github.com/commonsguy/cwac-netsecurity

  25. Configuring CAs for Debugging
    Self-signed certs in development
    Only enabled when android:debuggable=true
    Safer than conditional code

  26. Configuring CAs for Debugging

  27. Manifest
    <application
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:networkSecurityConfig="@xml/network_security_config_debug_ca" />

  28. User certs no longer trusted by default

  29. Trusting user installed certs

  30. Pinning Certificates
    SSL pinning lets apps limit the set of certificates they accept
    Pin a hash of the SubjectPublicKeyInfo of the X.509 certificate.

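  31. SSL Pinning
    <network-security-config>
        <domain-config>
            <domain>scottyab.com</domain>
            <pin-set>
                <pin digest="SHA-256">7HIpactkIAq2Y49…Y=</pin>
                <pin digest="SHA-256">fwza0LRMXouZHR…E=</pin>
            </pin-set>
        </domain-config>
    </network-security-config>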

  33. How to get the Pin?
    $ openssl s_client -servername scottyab.com -connect scottyab.com:443 \
        | openssl x509 -pubkey -noout \
        | openssl rsa -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
    Thanks to John Kozyrakis @ikoz

  34. Misc

  35. Under the hood
    The media stack and platform hardening
    Kernel hardening (with error correction)

  36. Seamless OTA updates

  37. App data directory
    App data directory is now user-only (700 permissions)
    Sharing files is explicitly opt-in
    Use FileProvider (support-lib)
    Training article “Sharing Files”

  38. APK signing scheme v1
    Problems
    Deleting files
    Adding files to META-INF
    DoS app

  39. APK signing scheme v2
    Faster
    More Secure
    You’re already using both?
    zipalign before (not after)

  40. Scoped directory access
    Access common external storage directories
    Storage Access Framework
    Environment.DIRECTORY_MOVIES
    Remember to call takePersistableUriPermission()

  41. Misc differences
    No more access to MAC addresses
    Overlays can no longer be displayed on top of permissions dialogs
    Reduced the power of device admin applications

  43. Runtime Permissions
    •Permissions that users “get”
    •Control on specific permissions
    •Easy for users
    •Updates don’t require approval

  44. Tips for Working with Android Permissions
    Only use the permissions necessary for your app to work
    Be transparent
    Make system accesses explicit
    Context, Context, Context!

  45. Permissions required by libraries.

  46. Checking Device health - SafetyNet API
    Read device?
    Vulnerable?
    Rooted?

  47. https://github.com/scottyab/safetynethelper

  48. play.google.com/store/apps/details?id=com.scottyab.safetynet.sample

  49. SafetyNetApi - SafeBrowsing
    Social Engineering
    Potentially Harmful Apps

  50. Recap
    Direct boot
    Keystore
    Securer networking
    Misc system and app differences
    Permissions in M

  51. Thanks!
    Questions?
    Scott Alexander-Bown
    @ScottyAB
    Shout outs:
    @commonsguy
    @ikoz
    +AdrianLudwig
    @doriancussen
    @niallscott
    @trionkidnapper
    @subsymbolics

  52. Resources
    https://www.blackhat.com/ldn-15/summit.html#what-can-you-do-to-an-apk-without-its-private-key-except-repacking
    https://doridori.github.io/android-security-the-forgetful-keystore/#sthash.hFHQpV3A.5WcUVfYk.dpbs
    http://android-developers.blogspot.co.uk/2016/09/security-enhancements-in-nougat.html
    https://developer.android.com/about/versions/nougat/android-7.0.html#apk_signature_v2
    https://blog.stylingandroid.com/nougat-direct-boot/
    SafetyNet Helper library - https://github.com/scottyab/safetynethelper
    Security patch date util - https://gist.github.com/scottyab/77bac6600986eb6a619e07a3d0abae3f
    Adrian Ludwig’s Google IO talk - What’s new in Android Security (M & N) - https://www.youtube.com/watch?v=XZzLjllizYs

  53. Training / Developer Docs
    https://developer.android.com/training/articles/security-key-attestation.html
    https://developer.android.com/training/articles/scoped-directory-access.html#accessing
    https://developer.android.com/training/articles/user-data-permissions.html#tenets_of_working_with_android_permissions
    https://developer.android.com/training/articles/direct-boot.html
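
The configuration that slides 22 to 31 describe, combined into one `res/xml/network_security_config.xml`. This is an added example, not taken from the deck; the file name, the `@raw/debug_ca` resource, the expiration date and both pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the deck. Referenced from the manifest with
     android:networkSecurityConfig="@xml/network_security_config". -->
<network-security-config>

    <!-- Block non-HTTPS traffic app-wide and trust only the system CA store.
         User-installed CAs are left out, which is also the default for apps
         targeting API 24 and above. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Limit the certs trusted for one host: the chain must contain a key
         whose SubjectPublicKeyInfo hash matches one of the pins. Settings
         not given here are inherited from base-config. -->
    <domain-config>
        <domain includeSubdomains="true">scottyab.com</domain>
        <!-- Constructed date. Once it passes, pinning is no longer enforced,
             so installs that never received an update keep connecting. -->
        <pin-set expiration="2018-01-01">
            <!-- Placeholder: pin of the key currently served. -->
            <pin digest="SHA-256">PRIMARY_PIN_BASE64_PLACEHOLDER=</pin>
            <!-- Placeholder: pin of an offline backup key, so that a key
                 rotation does not lock the app out. -->
            <pin digest="SHA-256">BACKUP_PIN_BASE64_PLACEHOLDER=</pin>
        </pin-set>
    </domain-config>

    <!-- Applied only when android:debuggable="true": additionally trust a
         development CA bundled as res/raw/debug_ca (assumed file name) and
         user-installed CAs. Release builds ignore this element. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_ca" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

In debuggable builds the anchors under `debug-overrides` bypass the pin-set by default, so self-signed development certificates work without any change to release behaviour.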