
What's 'Q' in Android Security

With the first decade now in the rearview mirror, Google launches us into the next decade of Android with Q. Consistent with the last few releases, Google is focusing ever more on privacy, updatability and platform hardening.

Beyond the platform improvements, I’ll cover the breaking changes and what you’ll need to update to be compatible when running on, and/or targeting Q. This is particularly important if your app uses location, external storage or system alert windows.

We’ll also cover 2 exciting new encryption libraries from Google: AndroidX Security and Adiantum, as well as security best practices that align with Android Q.

Recording here -> https://www.youtube.com/watch?v=o7FisKhsLRM

Scott Alexander-Bown

November 02, 2019

Transcript

  1. What’s ‘Q’ in Android Security
    Scott Alexander-Bown
    @ScottyAB
    [email protected]

  5. Updatability
    Privacy
    Platform hardening

  6. Updatability
    Privacy
    Platform hardening

  7. 8 devices
    7 device makers
    23 devices
    13 device makers
    Project: Treble

  8. Project: Mainline aka Google Play System updates
    ● Updates/security patches faster
    ● Delivered via Google Play
    ● Components
    ○ Media Framework Components
    ○ Conscrypt
    Image from android-developers.googleblog.com

  9. Updatability
    Privacy
    Platform hardening

  10. Location
    Storage
    Connectivity
    Device Ids
    and more

  11. Access to Location in Background
    developer.android.com/training/location/receive-location-updates
    ● Tri state dialog
    ● System reminder about access to device location in the background
    ● Graceful degradation, i.e. handle “deny and don't ask again”

  12. Background permission
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
    Must declare if targeting Q
    If the app targets P or lower, the system automatically adds the permission during install
    developer.android.com/training/location/receive-location-updates
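
One way to handle the tri-state dialog and the “deny and don't ask again” case from the two slides above, as an added Kotlin example that is not from the talk. `LocationPermissionHelper`, `LocationAccess` and the request code are hypothetical names, and the dialog behaviour is the Android Q behaviour the slides describe.

```kotlin
import android.Manifest
import android.app.Activity
import android.content.pm.PackageManager
import android.os.Build
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

enum class LocationAccess { ALL_THE_TIME, WHILE_IN_USE, DENIED, DENIED_DONT_ASK_AGAIN }

// Hypothetical helper, not a platform class.
class LocationPermissionHelper(private val activity: Activity) {

    private fun granted(permission: String) =
        ContextCompat.checkSelfPermission(activity, permission) ==
            PackageManager.PERMISSION_GRANTED

    fun currentAccess(): LocationAccess = when {
        !granted(Manifest.permission.ACCESS_FINE_LOCATION) -> LocationAccess.DENIED
        // Before Q there is no separate background permission.
        Build.VERSION.SDK_INT < Build.VERSION_CODES.Q -> LocationAccess.ALL_THE_TIME
        granted(Manifest.permission.ACCESS_BACKGROUND_LOCATION) -> LocationAccess.ALL_THE_TIME
        else -> LocationAccess.WHILE_IN_USE
    }

    // On Q, asking for both permissions together produces the tri-state dialog.
    fun request() {
        val permissions = mutableListOf(Manifest.permission.ACCESS_FINE_LOCATION)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            permissions += Manifest.permission.ACCESS_BACKGROUND_LOCATION
        }
        ActivityCompat.requestPermissions(activity, permissions.toTypedArray(), REQUEST_CODE)
    }

    // Call from Activity.onRequestPermissionsResult(); returns null for other requests.
    fun onResult(requestCode: Int): LocationAccess? {
        if (requestCode != REQUEST_CODE) return null
        val access = currentAccess()
        val canAskAgain = ActivityCompat.shouldShowRequestPermissionRationale(
            activity, Manifest.permission.ACCESS_FINE_LOCATION)
        // Denied and no rationale offered: the user chose "deny and don't ask again",
        // so degrade (for example manual location entry) instead of re-prompting.
        return if (access == LocationAccess.DENIED && !canAskAgain)
            LocationAccess.DENIED_DONT_ASK_AGAIN else access
    }

    companion object { const val REQUEST_CODE = 4201 } // arbitrary request code
}
```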

  13. developer.android.com/about/versions/10/privacy/changes#app-access-device-location

  14. Location: Foreground Service
    developer.android.com/preview/privacy/device-location
    Remember to declare FOREGROUND_SERVICE permission if targeting P+
    ● New foreground Service Type

  15. Location
    External Storage
    Connectivity
    Device Ids
    and more

  16. What is the big change?
    ● You get a filtered view into external storage
    ● Use the MediaStore to access files from other apps

  17. Scoped storage on Q
    ● With READ_EXTERNAL_STORAGE
    ● Access to other apps' files only if they are in media collections
    ○ Photos -> MediaStore.Images
    ○ Videos -> MediaStore.Video
    ○ Music -> MediaStore.Audio

  18. Do you need external storage permissions?

  20. Fixed it
    Warning: Scoped storage will be required in next year's major platform release for all apps, independent of target SDK level.

  21. Scoped storage will be required in Android R for all apps!

  22. Location
    Storage
    Connectivity restrictions
    Device Ids
    and more

  23. ● Cannot change the connection settings programmatically
    ○ WifiManager.setWifiEnabled()
    ○ Manual configuration of the list of Wi-Fi networks is now restricted to system apps*
    ● Suggest WiFi networks
    ○ WifiManager.addNetworkSuggestions(..)
    ○ Listen for broadcast WifiManager.ACTION_WIFI_NETWORK_SUGGESTION_POST_CONNECTION

  24. Settings Panel
    Intent(Settings.Panel.ACTION_INTERNET_CONNECTIVITY)
    Start Intent
    AndroidX wrapper (TBC)

  25. Location
    Storage
    Connectivity
    Non resettable hardware IDs
    And more

  26. Restricted access to Device serial and IMEI
    Now require READ_PRIVILEGED_PHONE_STATE
    If your app targets Android Q -> SecurityException
    If your app targets API level 28 or below -> null or placeholder data (if it holds the READ_PHONE_STATE permission); otherwise, a SecurityException occurs.

  27. Location
    Storage
    Connectivity
    Device Ids
    And a whole lot more...

  28. TLS 1.3 supported by default in Android Q
    Enhanced security
    40% faster with TLS 1.3 compared to TLS 1.2
    Disable TLS 1.3 (only if you need to)
    ○ SSLContext.getInstance("TLSv1.2")
    ○ SSLSocket.setEnabledProtocols(..)

  29. Oh, BTW
    val url = URL("https://scottyab.com")
    val httpsURLConnection = url.openConnection() as HttpsURLConnection
    httpsURLConnection.sslSocketFactory = null
    ● HttpsURLConnection.setSSLSocketFactory(null) throws an IllegalArgumentException

  30. Run embedded DEX code directly from APK
    ● android:useEmbeddedDex="true" in the
    ● Cannot use compressed DEX code
    ○ Reduced performance
    ○ Gradle: aaptOptions { noCompress 'dex' }

  31. More non-SDK interface restrictions
    Are you using reflection or JNI?
    More restrictions in Q! (also some whitelisted)
    StrictMode.VmPolicy.Builder().detectNonSdkApiUsage()
    developer.android.com/preview/non-sdk-q

  32. Misc Restrictions
    Background activity starts blocked
    Access to clipboard data
    ⚠ SYSTEM_ALERT_WINDOW on Android Q Go devices

  33. Encryption libraries

  34. Android X: Security
    ● minSdk: 23 (M)
    ● Safe and easy to use (based on Tink)
    ● AES256 GCM
    ● Implementations
    ○ EncryptedFile
    ○ EncryptedSharedPreferences
    developer.android.com/topic/security/data

  35. Generate the Key/Alias
    "androidx.security:security-crypto:1.0.0-alpha02"
    https://gist.github.com/scottyab/5012ab75454a777a60ec433661aafa8b

  36. Create
    "androidx.security:security-crypto:1.0.0-alpha02"
    https://gist.github.com/scottyab/5012ab75454a777a60ec433661aafa8b

  37. Under the hood
    facebook.github.io/stetho/

  38. Migrating from regular shared prefs
    Do you need to migrate all prefs?
    What if decrypt fails? Recovery options?
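
The key/alias and create steps from the earlier slides, combined with one possible answer to the two migration questions above, as an added Kotlin example that is not the code from the talk or its gist. It assumes the alpha `MasterKeys` API of the dependency shown above; the file name, function names and the wipe-and-recreate recovery policy are assumptions.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys
import java.io.IOException
import java.security.GeneralSecurityException

private const val SECURE_FILE = "secure_prefs" // hypothetical file name

private fun createSecurePrefs(context: Context): SharedPreferences =
    EncryptedSharedPreferences.create(
        SECURE_FILE,
        MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC), // Keystore-backed master key alias
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

// Assumed recovery policy: if the file cannot be opened, wipe it and start empty.
fun openSecurePrefs(context: Context): SharedPreferences = try {
    createSecurePrefs(context)
} catch (e: Exception) {
    if (e !is GeneralSecurityException && e !is IOException) throw e
    // Clearing the file also drops the stored keysets, so a fresh one is generated.
    context.getSharedPreferences(SECURE_FILE, Context.MODE_PRIVATE).edit().clear().commit()
    createSecurePrefs(context)
}

// Moves only the listed keys; returns how many were migrated.
fun migrateSensitiveKeys(plain: SharedPreferences, secure: SharedPreferences, keys: Set<String>): Int {
    val toMove = plain.all.filterKeys { it in keys }
    if (toMove.isEmpty()) return 0
    val editor = secure.edit()
    for ((key, value) in toMove) {
        when (value) {
            is String -> editor.putString(key, value)
            is Boolean -> editor.putBoolean(key, value)
            is Int -> editor.putInt(key, value)
            is Long -> editor.putLong(key, value)
            is Float -> editor.putFloat(key, value)
            is Set<*> -> editor.putStringSet(key, value.filterIsInstance<String>().toSet())
        }
    }
    // Delete the plaintext copies only after the encrypted write has been committed.
    if (!editor.commit()) return 0
    val cleanup = plain.edit()
    toMove.keys.forEach { cleanup.remove(it) }
    cleanup.apply()
    return toMove.size
}
```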

  39. Updatability
    Privacy
    Platform hardening

  40. android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html

  41. Adiantum: Encryption for the Next Billion Users
    ● For Devices without AES hardware support
    ○ Android Go Devices
    ○ Smartwatches
    ○ TVs
    ● File/Disk encryption
    ● Now part of the Android platform

  43. Privacy Checklist
    developer.android.com/about/versions/10/privacy

  45. Thank ‘Q’
    Scott Alexander-Bown
    @ScottyAB
    [email protected]
    If you dig mobile come to SW mobile meetup.

  46. References
    - android-developers.googleblog.com/2019/05/queue-hardening-enhancements.html
    - developer.android.com/preview/privacy
    - source.android.com/security/enhancements