Security in Android Application #Secon

SECURITY IN ANDROID APPLICATION 22/04/2016 ALEXANDER SMIRNOV

- 3+ years Android dev - 6+ years commercial dev
- 1 year bank app dev - BlackHat friends since 2007 - DC7499 member WhoAmI 2

Why? 3

- Android Security Model - Reality - Vulnerabilities - One
more sentence - Appendix Agenda 4

Security • I • Android Security Model 5

Application Isolation 7 - isolate CPU, RAM, devices, ﬁles in
private directory - every app run in own process - every app has own UserID and GroupID - every app run in own instance of Dalvik VM

Application Isolation 8

- Is the parent of all App processes - COW(Copy
On Write) strategy - /dev/socket/zygote Zygote 9 App 1 App 2 App 3 Zygote fork() fork() fork() start new App

- Before M - After M - Custom permissions -
Protection level Permissions 10

- Protect user data - Protect system resources - Provide
application isolation Android Security Overview 11

• II • Android Security Model Reality Security 12

13 Root

14 TRIADA

Security 15 • III• Vulnerabilities

- Memory Cache - DB + SQLCipher - SharedPreference +
MODE_PRIVATE + Cipher - 21+ setStorageEncryption for local ﬁles - KeyStore Data Storage 16

- MITM has you - Check network – why? -
Diffie–Hellman key exchange - Certiﬁcate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2) Transport 17

- Use explicit intents - Validate Input - Manifest:  
intent-ﬁlter = exported="true" Intent 18

- Secure PUSH - Mobile application - SIMApplets - DCV
(Dynamic Code Veriﬁcation) 2FA: SMS 19

- Custom keyboard - Secure persistent datastore - No EditText
- No immutable (Strings -> char[]) - Notify if root Insecure Device 20

- Check debug - Verify sign - Emulator check -
Obfuscation - JNI Reverse Protection 21

Security 22 • IV • One more sentence

- Convenience vs Security - Socialization & Tools - Layered
Security - Better than others - OWASP TOP 10 Mobile Risks One more sentence 23

Security 24 • V • Appendix

- Cyber Risk Report: bit.ly/1MuoIDS - OWASP Top 10 Mobile
Risks: bit.ly/1FAIJiv - DefCon Groups List: bit.ly/1JQlNgC - Triada Malware: bit.ly/1qvyFqY - Obfuscation tools list: bit.ly/1XiHf6Z - Security Official Docs: bit.ly/1qvw1BK - Diffie–Hellman Video: bit.ly/23jV7Se - Tools for SA and Hacking: bit.ly/1qvxpUM Additional Information 25

- Android Security Model - Reality - Vulnerabilities - One
more sentence Result 26

Thank you! [email protected] @_smred

Security in Android Application #Secon

Security in Android Application #Secon

Alexander Smirnov

More Decks by Alexander Smirnov

Other Decks in Programming

Featured

Transcript

SECURITY IN ANDROID APPLICATION 22/04/2016 ALEXANDER SMIRNOV

- 3+ years Android dev - 6+ years commercial dev

Why? 3

- Android Security Model - Reality - Vulnerabilities - One

Security • I • Android Security Model 5

6

Application Isolation 7 - isolate CPU, RAM, devices, ﬁles in

Application Isolation 8

- Is the parent of all App processes - COW(Copy

- Before M - After M - Custom permissions -

- Protect user data - Protect system resources - Provide

• II • Android Security Model Reality Security 12

13 Root

14 TRIADA

Security 15 • III• Vulnerabilities

- Memory Cache - DB + SQLCipher - SharedPreference +

- MITM has you - Check network – why? -

- Use explicit intents - Validate Input - Manifest:

- Secure PUSH - Mobile application - SIMApplets - DCV

- Custom keyboard - Secure persistent datastore - No EditText

- Check debug - Verify sign - Emulator check -

Security 22 • IV • One more sentence

- Convenience vs Security - Socialization & Tools - Layered

Security 24 • V • Appendix

- Cyber Risk Report: bit.ly/1MuoIDS - OWASP Top 10 Mobile

- Android Security Model - Reality - Vulnerabilities - One

Thank you! [email protected] @_smred