Security in Android Application

Transcript

1. SECURITY IN ANDROID APPLICATION 08/04/2016 ALEXANDER SMIRNOV v1.0

2. - 3+ years Android dev - 6+ years commercial dev

   - 1 year bank app dev - BlackHat friends since 2007 - DC7499 member WhoAmI 2

3. Why? 3

4. - Android Security Model - Reality - Vulnerabilities - One

   more sentence - Appendix Agenda 4

5. Security • I • Android Security Model 5

6. 6

7. Application Isolation 7

8. - Is the parent of all App processes - COW(Copy

   On Write) strategy - /dev/socket/zygote Zygote 8 App 1 App 2 App 3 Zygote fork() fork() fork() start new App

9. - Before M - After M - Custom permissions -

   Protection level Permissions 9

10. - Protect user data - Protect system resources - Provide

    application isolation Android Security Overview 10

11. • II • Android Security Model Reality Security 11

12. 12 Root

13. 13 TRIADA

14. Security 14 • III• Vulnerabilities

15. - Memory Cache - DB + SQLCipher - SharedPreference +

    MODE_PRIVATE + Cipher - 21+ setStorageEncryption for local files - KeyStore Data Storage 15

16. - MITM has you - Check network – why? -

    Diffie–Hellman key exchange - Certificate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2) Transport 16

17. - Use explicit intents - Validate Input - Manifest: 


    intent-filter = exported=«yes» Intent 17

18. - Secure PUSH - Mobile application - SIMApplets - DCV

    (Dynamic Code Verification) 2FA: SMS 18

19. - Custom keyboard - Secure persistent datastore - No EditText

    - No immutable (Strings -> char[]) - Notify if root Insecure Device 19

20. - Check debug - Verify sign - Emulator check -

    Obfuscation - JNI Reverse Protection 20

21. Security 21 • IV • One more sentence

22. - Convenience vs Security - Socialization & Tools - Layered

    Security - Better than others - OWASP TOP 10 Mobile Risks One more sentence 22

23. Security 23 • V • Appendix

24. - Cyber Risk Report: bit.ly/1MuoIDS - OWASP Top 10 Mobile

    Risks: bit.ly/1FAIJiv - DefCon Groups List: bit.ly/1JQlNgC - Triada Malware: bit.ly/1qvyFqY - Obfuscation tools list: bit.ly/1XiHf6Z - Security Official Docs: bit.ly/1qvw1BK - Diffie–Hellman Video: bit.ly/23jV7Se - Tools for SA and Hacking: bit.ly/1qvxpUM Additional Information 24

25. - Android Security Model - Reality - Vulnerabilities - One

    more sentence Result 25

26. Thank you! [email protected] @_smred