Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What's 'Q' in Android Security

Scott Alexander-Bown
November 02, 2019
Technology
0
58

What's 'Q' in Android Security

With the first decade now in the rearview mirror, Google launches us into the next decade of Android with Q. Consistent with the last few releases, Google is focusing ever more on privacy, updatablity and platform hardening.

Beyond the platform improvements, I’ll cover the breaking changes and what you’ll need to update to be compatible when running on, and/or targeting Q. This is particularly important if your app uses location, external storage or system alert windows.

We’ll also cover 2 exciting new encryption libraries from Google AndroidX Security and Adiantum, as well as security best practices that align with Android Q

Recording here -> https://www.youtube.com/watch?v=o7FisKhsLRM

Scott Alexander-Bown

November 02, 2019
Tweet

More Decks by Scott Alexander-Bown

See All by Scott Alexander-Bown
Fundamentals of creating Android mobile apps
scottyab
0
26
Faster mobile debugging using a HTTP Proxy
scottyab
0
16
I <3 Charles Proxy
scottyab
0
36
What_s_new_from_Google_IO_2018.pdf
scottyab
0
49
Doppl, an intro!
scottyab
0
34
OMG What's new in Security
scottyab
0
47
What's New from Google I/O 2017
scottyab
0
56
What's Nnnnnew in Security Droidcon IT
scottyab
1
55
Android Things
scottyab
0
220

Other Decks in Technology

See All in Technology
ジェネレーティブAI実践入門/20230524
yoshidashingo
4
2.5k
ShowNet2022 Topology
shownet
PRO
0
650
Vision.framework - 商品画像からのテキスト検出と並列化実装への試み
hcrane
0
200
Oracle Database Technology Night #67 Oracle Database High Availability concept
oracle4engineer
PRO
0
460
心理的安全性に対して個人とチームで取り組んできたこと
hiro_torii
1
560
AWS CDKにテストは必要?試行錯誤したスクラム開発事例を紹介!/CdkConJp2023
mhrtech
2
860
開発生産性を採用の武器にする
naoto_pq
0
500
Антихрупкость в IT или как полюбить изменения
alexanderbyndyu
0
100
20230519_企業でのChatGPT活用と注意点(15min版)_v1.00_共有用
doradora09
0
240
これから始める継続的インテグレーション - GitHub Actions編
devops_vtj
0
130
Save the state
keithyokoma
0
180
Mirror mirror... what am I typing next?
spinscale
0
150

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
5
6.4k
[RailsConf 2023] Rails as a piece of cake
palkan
6
1.4k
Designing Experiences People Love
moore
130
22k
The World Runs on Bad Software
bkeepers
PRO
59
5.9k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6k
Producing Creativity
orderedlist
PRO
335
38k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
Rails Girls Zürich Keynote
gr2m
89
12k
Fashionably flexible responsive web design (full day workshop)
malarkey
395
64k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
8.3k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
3
540
Being A Developer After 40
akosma
49
580k

Transcript

  1. What’s ‘Q’ in Android
    Security
    Scott Alexander-Bown
    @ScottyAB
    [email protected]

    View Slide

  2. @ScottyAB

    View Slide

  3. View Slide

  4. View Slide

  5. Updatablity
    Privacy
    Platform hardening
    @ScottyAB

    View Slide

  6. Updatablity
    Privacy
    Platform hardening
    @ScottyAB

    View Slide

  7. 8 devices
    7 device makers
    23 devices
    13 device makers
    Project: Treble
    @ScottyAB

    View Slide

  8. Project: Mainline aka Google Play System
    updates
    ● Updates/security patches faster
    ● Delivered via Google Play
    ● Components
    ○ Media Framework Components
    ○ Conscrypt
    Image from android-developers.googleblog.com
    @ScottyAB

    View Slide

  9. Updatablity
    Privacy
    Platform hardening
    @ScottyAB

    View Slide

  10. Location
    Storage
    Connectivity
    Device Ids
    and more
    @ScottyAB

    View Slide

  11. Access to Location in Background
    developer.android.com/training/location/receive-location-updates
    ● Tri state dialog
    ● System reminder about access to device
    location in the background
    ● Graceful degradation i.e handle “deny and
    don't ask again”

    View Slide

  12. Background permission
    android:name="android.permission.ACCESS_BACKGROUND_LOCATION"
    Must declare if targeting Q
    If targets P or lower system auto adds the permission during install
    developer.android.com/training/location/receive-location-updates
    @ScottyAB

    View Slide

  13. developer.android.com/about/versions/10/privacy/changes#app-access-device-location

    View Slide

  14. Location: Foreground Service
    developer.android.com/preview/privacy/device-location
    Remember to declare FOREGROUND_SERVICE permission if targeting
    P+
    ● New foreground Service Type
    @ScottyAB

    View Slide

  15. Location
    External Storage
    Connectivity
    Device Ids
    and more
    @ScottyAB

    View Slide

  16. What is the big change?
    ● You get a filtered view into external storage
    ● Use the MediaStore to access files from other apps

    View Slide

  17. Scoped storage on Q
    ● With READ_EXTERNAL_STORAGE
    ● Accessing other apps files only if there are in media collections
    ○ Photos -> MediaStore.Images
    ○ Videos -> MediaStore.Video
    ○ Music -> MediaStore.Audio
    @ScottyAB

    View Slide

  18. Do you need external
    storage permissions?

    View Slide

  19. @ScottyAB

    View Slide

  20. Fixed it
    Warning: Scoped storage will be required in next year's major platform release for all apps, independent of target SDK
    level.
    @ScottyAB

    View Slide

  21. Scoped storage will be required in
    Android R for all apps!

    View Slide

  22. Location
    Storage
    Connectivity restrictions
    Device Ids
    and more
    @ScottyAB

    View Slide

  23. ● Cannot change the connection settings programmatically
    ○ WifiManager.setWifiEnabled()
    ○ manual configuration of the list of Wi-Fi networks is now
    restricted to system apps*
    ● Suggest WiFi networks
    ○ WifiManager.addNetworkSuggestions(..)
    ○ Listen for broadcast
    WifiManager.ACTION_WIFI_NETWORK_SUGGESTION_POST_CONNECTION
    @ScottyAB

    View Slide

  24. Settings Panel
    Intent(Settings.Panel.ACTION_INTERNET_CONNECTIVITY)
    Start Intent
    AndroidX wrapper (TBC)
    @ScottyAB

    View Slide

  25. Location
    Storage
    Connectivity
    Non resettable hardware IDs
    And more
    @ScottyAB

    View Slide

  26. ‍♀ Now require READ_PRIVILEGED_PHONE_STATE
    If your app targets Android Q -> SecurityException
    If your app targets API level 28 or below -> null or placeholder data (if
    hold READ_PHONE_STATE permission) Otherwise, a
    SecurityException occurs.
    Restricted access to Device serial and IMEI
    @ScottyAB

    View Slide

  27. Location
    Storage
    Connectivity
    Device Ids
    And a whole lot more...
    @ScottyAB

    View Slide

  28. TLS 1.3 supported by default in Android Q
    Enhanced security
    40% faster with TLS 1.3 compared to TLS 1.2
    Disable TLS 1.3 (only if you need to)
    ○ SSLContext.getInstance("TLSv1.2")
    ○ SSLSocket.setEnabledProtocols(..)
    @ScottyAB

    View Slide

  29. Oh, BTW
    val url = URL("https://scottyab.com")
    val httpsURLConnection = url.openConnection() as HttpsURLConnection
    httpsURLConnection.sslSocketFactory = null
    ● HttpsURLConnection.setSSLSocketFactory(null) throws an
    IllegalArgumentException
    @ScottyAB

    View Slide

  30. Run embedded DEX code directly from APK
    ● android:useEmbeddedDex=”true” in the
    ● Cannot use compressed DEX code
    ○ Reduced performance
    ○ Gradle: aaptOptions { noCompress 'dex' }
    @ScottyAB

    View Slide

  31. More non-SDK interface restrictions
    Are you using reflection or JNI?
    More restrictions in Q! (also some whitelisted)
    StrictMode.VmPolicy.Builder().detectNonSdkApiUsage()
    developer.android.com/preview/non-sdk-q
    @ScottyAB

    View Slide

  32. Misc Restrictions
    Background activity starts blocked
    Access to clipboard data
    ⚠ SYSTEM_ALERT_WINDOW on Android Q Go devices
    @ScottyAB

    View Slide

  33. Encryption libraries
    @ScottyAB

    View Slide

  34. Android X: Security
    ● minSdk: 23 (M)
    ● Safe and easy to use (based on Tink)
    ● AES256 GCM
    ● Implementations
    ○ EncryptedFile
    ○ EncryptedSharedPreferences
    developer.android.com/topic/security/data
    @ScottyAB

    View Slide

  35. "androidx.security:security-crypto:1.0.0-alpha02"
    https://gist.github.com/scottyab/5012ab75454a777a60ec433661aafa8b
    @ScottyAB
    Generate the Key/Alias

    View Slide

  36. "androidx.security:security-crypto:1.0.0-alpha02"
    https://gist.github.com/scottyab/5012ab75454a777a60ec433661aafa8b
    @ScottyAB
    Create

    View Slide

  37. Under the hood
    facebook.github.io/stetho/
    @ScottyAB

    View Slide

  38. Migrating from regular shared prefs
    Do you need to migrate all prefs?
    ‍♂ What if decrypt fails? recover options?
    @ScottyAB

    View Slide

  39. Updatablity
    Privacy
    Platform hardening
    @ScottyAB

    View Slide

  40. android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html
    @ScottyAB

    View Slide

  41. Adiantum: Encryption for the Next Billion Users
    ● For Devices without AES hardware support
    ○ Android Go Devices
    ○ Smartwatches
    ○ TVs
    ● File/Disk encryption
    ● Now part of the Android platform
    @ScottyAB

    View Slide

  42. @ScottyAB

    View Slide

  43. Privacy Checklist
    developer.android.com/about/versions/10/privacy
    @ScottyAB

    View Slide

  44. developer.android.com/about/versions/10/privacy

    View Slide

  45. Thank ‘Q’
    Scott Alexander-Bown
    @ScottyAB
    [email protected] If you dig mobile come to SW mobile meetup.

    View Slide

  46. References
    - android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html
    - developer.android.com/preview/privacy
    - source.android.com/security/enhancements

    View Slide