Don’t get stung by OWASP - An intro into writing code for greater Android Security

In this session, we will take a dive into OWASP's top threats for mobile security, the common Android security pitfalls we all succumb to, and look at how we can code with a more security-focused mindset going forward.

Ed Holloway-George

January 23, 2022

Transcript

  1. Don’t get stung by OWASP
    An intro into writing code for greater Android Security
    @Sp4ghettiCode / spght.dev - Android Worldwide Jan 2022 - Ed George

  2. Who am I?
    @Sp4ghettiCode / spght.dev
    • Senior Android Dev @ ASOS
    • Dad to a Pomeranian 🐶
    • Security ‘enthusiast’ (note: not expert)
    Find me on social:
    • @Sp4ghettiCode 🍝
    • spght.dev/talks
    • Follow me for more! (And dog pictures)

  3. Talk Agenda
    AKA - What I hope I have enough time to cover
    • Introduction to some of the OWASP Top 10
    • Address the most common mistakes in our apps
    • Look into securing data within Room / Shared Prefs
    • Q&A
    • Bonus: The time I was stung by 50 wasps IRL 🙈🐝

  4. ⚠ MANDATORY LEGAL WARNING ⚠
    You know, just in case someone goofs up later.
    • Anything you learn here is to be used for educational purposes ONLY
    • Do NOT test on apps you are not authorised to use
    • Please consider seeking your company’s security advice from someone that knows a lot more than me!
    • This talk is NOT associated with and/or endorsed by the OWASP Foundation or my employer!

  5. Why should we* care about security?
    * Mobile Developers

  6. Why should we care?
    • The mobile attack surface is HUGE and growing
    • Mobile security is often neglected by organisations + devs
    • Growing financial incentives for malicious actors
    • Mobile security is not rocket science (as we shall see)!
    • Mobile’s own ‘Log4Shell’ is always right around the corner…

  7. “It takes years to build a reputation and a few minutes of a cyber-incident to ruin it.”
    – Stéphane Nappo, ‘Global Chief Information Security Officer of the Year 2018’

  8. Introducing OWASP

  9. ‘Who’ or ‘What’ is OWASP?
    • Open Web Application Security Project
    • Non-profit OWASP Foundation created in 2001
    • Provides free security resources for developers & organisations alike
    • Also maintains ‘Top 10’ list(s) of the greatest security threats to application security

  10. Top 10 Mobile Threats
    Source: owasp.org/www-project-mobile-top-10 (Last updated 2016)
    1. Improper Platform Usage
    2. Insecure Data Storage
    3. Insecure Communication
    4. Insecure Authentication
    5. Insufficient Cryptography
    6. Insecure Authorisation
    7. Client Code Quality
    8. Code Tampering
    9. Reverse Engineering
    10. Extraneous Functionality

  11. Top 10 Mobile Threats
    (Same list as slide 10, with the first five highlighted: those are the threats covered in this talk.)

  12. Improper Platform Usage
    #1 OWASP Threat
    IT’S YOU.

  13. Improper Platform Usage
    #1 OWASP Threat
    • Misuse of Android features by YOU, the developer
    • Intents
    • Android Keystore / KeyChain APIs
    • App Security Features
    • Basically, anytime you use the Android framework and mess it up 🤪

  14. Improper Platform Usage
    Example
    • Introducing: My Secure App™
    • Simple ‘Login Flow’
    • “Login Activity”
    • “Home/Main Activity”
    • Home is ‘only accessible’ with PIN 1234
    Source available @ spght.dev/talks

  15. Improper Platform Usage
    Can you spot the mistake?

    <activity
        android:name=".login.LoginActivity"
        android:exported="true"
        android:label="@string/app_name"
        android:screenOrientation="portrait"
        android:theme="@style/Theme.OWASPDemo.NoActionBar">
        <!-- <intent-filter> children of LoginActivity were not captured in the transcript -->
    </activity>

    <activity
        android:name=".home.MainActivity"
        android:screenOrientation="portrait"
        android:exported="true"
        android:theme="@style/Theme.OWASPDemo.NoActionBar" />

  16. Improper Platform Usage
    Can you spot the mistake?
    (Same manifest as slide 15, with the mistake highlighted: MainActivity is declared android:exported="true", so any app on the device can start it directly, which is what the fix on slide 19 changes.)

  17. Improper Platform Usage
    How is this exploited?
    • Use a tool like ‘drozer’ to scan the app for vulnerable activities, broadcast receivers and content providers
    • github.com/FSecureLABS/drozer
    • Run ADB to exploit
    Source: securitygrind.com

  18. Improper Platform Usage
    Exploit Demo
    # Starts the exported MainActivity directly from the shell, skipping LoginActivity and its PIN check entirely
    adb shell am start -n dev.spght.owasp/dev.spght.owasp.home.MainActivity

  19. Improper Platform Usage
    Fixing the exploit

    <activity
        android:name=".login.LoginActivity"
        android:exported="true"
        android:label="@string/app_name"
        android:screenOrientation="portrait"
        android:theme="@style/Theme.OWASPDemo.NoActionBar">
        <!-- <intent-filter> children of LoginActivity were not captured in the transcript -->
    </activity>

    <activity
        android:name=".home.MainActivity"
        android:screenOrientation="portrait"
        android:exported="false"
        android:theme="@style/Theme.OWASPDemo.NoActionBar" />
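The exported-activity mistake above is one instance of a check that can be automated before a tool like drozer ever sees the build. The script below is an added example for this write-up, not code from the talk or from drozer: it parses an AndroidManifest.xml and lists every activity, service, receiver or provider another app can reach, applying the platform's own rules (android:exported="true" with no android:permission, or an <intent-filter> with no explicit android:exported on targetSdk < 31, which the platform treats as implicitly exported; a MAIN/LAUNCHER activity has to be exported and is skipped), and for each finding it produces the adb command a tester would use to reach it, the same command as the demo on slide 18. The embedded manifests are constructed to mirror My Secure App, with the package name taken from the demo's adb command; the .sync.SyncReceiver component is hypothetical and only there to show the implicit-export case.

```python
"""Static audit of AndroidManifest.xml for components that other apps can reach.

Added example for this deck; not the talk's code and not drozer. The manifests
below are constructed: package and activities mirror My Secure App (package
name taken from the demo's adb command); the SyncReceiver is hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="dev.spght.owasp">
  <application>
    <activity android:name=".login.LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".home.MainActivity" android:exported="true" />
    <receiver android:name=".sync.SyncReceiver">
      <intent-filter><action android:name="dev.spght.owasp.SYNC" /></intent-filter>
    </receiver>
  </application>
</manifest>"""

# The fix from slide 19, plus an explicit exported="false" on the hypothetical receiver.
FIXED_MANIFEST = (VULNERABLE_MANIFEST
                  .replace('".home.MainActivity" android:exported="true"',
                           '".home.MainActivity" android:exported="false"')
                  .replace('android:name=".sync.SyncReceiver"',
                           'android:name=".sync.SyncReceiver" android:exported="false"'))

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def _is_launcher(elem):
    """A MAIN/LAUNCHER activity has to be exported, so it is never a finding."""
    for flt in elem.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        categories = {_attr(c, "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False

def resolve_class(package, name):
    """Expand a manifest class name the way the platform does (".Foo" -> "pkg.Foo")."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name

def probe_command(package, elem):
    """The adb command a tester would use to reach the component from outside the app."""
    cls = resolve_class(package, _attr(elem, "name") or "")
    if elem.tag in ("activity", "activity-alias"):
        return "adb shell am start -n %s/%s" % (package, cls)
    if elem.tag == "service":
        return "adb shell am startservice -n %s/%s" % (package, cls)
    if elem.tag == "receiver":
        return "adb shell am broadcast -n %s/%s" % (package, cls)
    authority = (_attr(elem, "authorities") or "").split(";")[0]
    return "adb shell content query --uri content://%s" % authority

def find_exported_components(manifest_xml, target_sdk=30):
    """Return (tag, name, reason, probe) for each component reachable by other apps.

    android:exported="true" exposes a component unless android:permission guards it;
    with no explicit android:exported, a component with an <intent-filter> is implicitly
    exported when targetSdk < 31 (API 31+ refuses to install such a manifest instead).
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(elem, "exported")
        implicit = (exported is None and target_sdk < 31
                    and elem.find("intent-filter") is not None)
        if exported != "true" and not implicit:
            continue
        if _attr(elem, "permission") is not None or _is_launcher(elem):
            continue
        reason = ('android:exported="true" with no android:permission' if exported == "true"
                  else "implicitly exported by <intent-filter> (targetSdk < 31)")
        findings.append((elem.tag, _attr(elem, "name"), reason, probe_command(package, elem)))
    return findings

if __name__ == "__main__":
    for tag, name, reason, probe in find_exported_components(VULNERABLE_MANIFEST):
        print("%s %s: %s\n    %s" % (tag, name, reason, probe))
```

Running it against the vulnerable manifest reports MainActivity with exactly the `am start` line from the demo and the receiver as implicitly exported; the fixed manifest produces no findings. Note that an exported component that must stay reachable (a launcher activity, a share target) is not a bug in itself; the bug is exporting something whose only guard is "the user went through LoginActivity first".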

  20. Improper Platform Usage
    Example #2
    • ‘Tap-jacking’ vulnerability
    • Apps can draw over other apps and monitor their contents
    • They can also pass spoofed touch events
    • Combined, this can be used maliciously to trick users into entering passwords, accepting permissions, etc.
    • Permission required for these apps (SYSTEM_ALERT_WINDOW), but only recently

  21. Improper Platform Usage
    Exploit Demo
    • ‘Tap-jacking’ example
    • Bypassed any need for permission!
    • Patched as of Android N (Dec 2017)
    • This could have happened silently!
    Credit: Constantinos Patsakis
    Source: youtu.be/zSb_QcDgJ64

  22. Improper Platform Usage
    Fixing the exploit #2

    <!-- element name not captured in the transcript; Button is assumed, the attribute works on any View -->
    <Button
        android:id="@+id/example"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:filterTouchesWhenObscured="true"
        android:text="Hello World" />

    • filterTouchesWhenObscured makes the view discard touches delivered while another window is drawn over it, so set it on every sensitive control (or call view.filterTouchesWhenObscured = true in code)

  23. Insecure Data Storage
    #2 OWASP Threat
    IT’S YOUR DATA.

  24. Insecure Data Storage
    #2 OWASP Threat
    • SharedPreferences
    • Stores key-value pairs in plaintext XML
    • Trivial to access
    • Room Database
    • SQLite Database
    • Again, trivial to access stored data

  25. Insecure Data Storage
    Exploit
    • Possible to reverse engineer app to make it ‘debuggable’ (adb run-as <package> can then read the app’s private files)
    • Rooted phones… have root! 🪱🥫
    • XML file stored in /data/data/<package>/shared_prefs
    • Databases in /data/data/<package>/databases

  26. Insecure Data Storage
    Jetpack Security Library
    • developer.android.com/topic/security/data
    • Provides EncryptedSharedPreferences
    • Utilises Google’s Tink security lib
    • Currently in v1.0.0 stable (April 2021)
    • v1.1.0-alpha03 (May 2021) provides support for API 21+

  27. Insecure Data Storage
    EncryptedSharedPreferences Migration

    import android.content.SharedPreferences
    import androidx.security.crypto.EncryptedSharedPreferences
    import androidx.security.crypto.MasterKey

    // Master key is generated in and never leaves the AndroidKeyStore.
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    // Drop-in SharedPreferences: keys are encrypted with AES-256-SIV (deterministic,
    // so lookups still work) and values with AES-256-GCM. Only ciphertext hits disk.
    val prefs: SharedPreferences = EncryptedSharedPreferences.create(
        context,
        "my_secure_app_prefs",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

  28. Insecure Data Storage
    SQLCipher
    • github.com/sqlcipher/android-database-sqlcipher
    • Provides custom SupportSQLiteOpenHelper.Factory implementation
    • Implements 256-bit AES encryption of database files
    • Uses ‘passphrase’ to unlock files to allow read/write

  29. Insecure Data Storage
    SQLCipher

    import androidx.room.Room
    import net.sqlcipher.database.SQLiteDatabase
    import net.sqlcipher.database.SupportFactory

    // Convert the user's passphrase (CharArray) into the raw key bytes SQLCipher expects.
    val passphrase: ByteArray = SQLiteDatabase.getBytes(userEnteredPassphrase)

    // SupportFactory zeroes the passphrase array once the database is open (clearPassphrase defaults to true).
    val factory = SupportFactory(passphrase)

    // Plug the encrypted open-helper into Room; the rest of the Room API is unchanged.
    val room: MyDatabase = Room.databaseBuilder(ctx, MyDatabase::class.java, DB_NAME)
        .openHelperFactory(factory)
        .build()

  30. Insecure Data Storage Cheatsheet

    |                                     | SharedPreferences | Room | Realm          | EncryptedSharedPreferences      | SQLCipher |
    |-------------------------------------|-------------------|------|----------------|---------------------------------|-----------|
    | Stores data in plaintext (default)  | ✅                | ✅   | ✅             | ❌                              | ❌        |
    | Provides encryption functionality   | ❌                | ❌   | Not by default | ✅                              | ✅        |
    | Min API                             | 1                 | 14   | 16             | v1.0.0: 23; v1.1.0 (alpha): 21  | 16        |
    | First Party Support                 | ✅                | ✅   | ❌             | ✅                              | ❌        |

    Note: DataStore omitted here, but at time of writing (Jan 2022) has no support for encryption

  31. Insecure Communication
    #3 OWASP Threat
    IT’S YOUR NETWORKING.

  32. Insecure Communication
    #3 OWASP Threat
    • Misconfigured Network Security Configuration
    • Allowing clear-text traffic (i.e. plain HTTP instead of HTTPS)
    • User Certificates allowed
    • Logging network traffic in LogCat
    • No Certificate Pinning / Certificate Transparency

  33. Insecure Communication
    Exploit
    • Use tools such as Charles
    • Breakpoints allow for modification of request / response
    • SSL proxy possible when user certificates are allowed

  34. Insecure Communication
    Network Security Config
    (The network_security_config.xml shown on this slide was not captured in the transcript.)

  35. Insecure Communication
    Network Security Config
    (The network_security_config.xml shown on this slide was not captured in the transcript.)
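Because the slide's XML did not survive the transcript, here is an added Python example (not the deck's own config or code) that embeds two constructed res/xml/network_security_config.xml files, a weak one carrying the misconfigurations listed on slide 32 and a hardened one, and lints them for cleartext traffic, trust in user-installed CAs outside <debug-overrides>, and pin-sets without a backup pin or an expiration. The host api.example.com and the SHA-256 pin values are placeholders; the targetSdk defaults encoded in the checker (cleartext allowed below API 28, user CAs trusted below API 24) are the platform's documented behaviour.

```python
"""Lint an Android Network Security Config for the weaknesses listed on slide 32.

Added example, not the talk's code. Both configs are constructed; the host
and pin values in HARDENED_CONFIG are placeholders, not real keys.
"""
import xml.etree.ElementTree as ET

# Weak: cleartext HTTP allowed, and user-installed CAs trusted in every build,
# so a Charles proxy certificate is accepted by the release app.
WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Hardened: HTTPS only, system CAs only, two pins (current + backup) with an expiry
# for the API host, and user CAs trusted only when the build is android:debuggable.
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2023-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""

def _scope(cfg):
    """Label a finding with the config block it came from."""
    if cfg.tag == "base-config":
        return "base-config"
    return "domain-config[%s]" % ",".join((d.text or "").strip() for d in cfg.findall("domain"))

def lint_network_security_config(config_xml, target_sdk=30):
    """Return human-readable findings; an empty list means nothing was flagged.

    Platform defaults applied: cleartext is allowed by default only when
    targetSdk < 28, and user-installed CAs are trusted by default only when
    targetSdk < 24. <debug-overrides> only take effect in debuggable builds,
    so user CAs declared there are deliberately not flagged.
    """
    root = ET.fromstring(config_xml)
    findings = []
    base = root.find("base-config")
    if base is None and target_sdk < 28:
        findings.append("no base-config: cleartext HTTP allowed by default (targetSdk < 28)")
    if target_sdk < 24 and (base is None or base.find("trust-anchors") is None):
        findings.append("no trust-anchors: user-installed CAs trusted by default (targetSdk < 24)")
    for cfg in root.findall("base-config") + root.findall("domain-config"):
        scope = _scope(cfg)
        cleartext = cfg.get("cleartextTrafficPermitted")
        if cleartext == "true" or (cleartext is None and cfg.tag == "base-config" and target_sdk < 28):
            findings.append(scope + ": cleartext HTTP permitted")
        for cert in cfg.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(scope + ": user-installed CAs trusted (an SSL proxy CA will be accepted)")
        pin_set = cfg.find("pin-set")
        if pin_set is not None:
            if len(pin_set.findall("pin")) < 2:
                findings.append(scope + ": pin-set has no backup pin")
            if pin_set.get("expiration") is None:
                findings.append(scope + ": pin-set never expires (a key rotation would lock users out)")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_network_security_config(cfg) or "no findings")
```

Keep user-CA trust inside <debug-overrides> so Charles only works against debug builds, and reference the file from the manifest's <application> element with android:networkSecurityConfig="@xml/network_security_config"; without that attribute the platform defaults for the app's targetSdk apply instead.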

  36. Insecure Authentication
    #4 OWASP Threat
    IT’S YOUR IDENTITY.

  37. Insecure Authentication
    #4 OWASP Threat
    • APIs that don’t utilise access tokens
    • Storing passwords / PINs locally
    • Weak password policies
    • Persistent authentication enabled by default

  38. Insecure Authentication
    #4 OWASP Threat
    • Use revocable tokens in your APIs
    • Don’t do any authentication locally if possible
    • PINs should be at least 5 characters long
    • Make ‘remember me’ functionality opt-in

  39. Insecure Cryptography
    #5 OWASP Threat
    IT’S YOUR ALGORITHMS.

  40. Insecure Cryptography
    #5 OWASP Threat
    • Do NOT use outdated algorithms
    • SHA-1, MD5, MD4, RC2
    • Encoding != Hashing != Encrypting
    • BASE64-ing something is not cryptography
    • Don’t come up with your own solutions
    • (Unless you are a cryptographer)

  41. Insecure Cryptography
    #5 OWASP Threat
    • Consider using Google’s Tink library
    • AES-256 for symmetric encryption (in an authenticated mode such as GCM, as EncryptedSharedPreferences uses)
    • RSA-2048 or ECC for asymmetric encryption
    • BONUS: Avoid storing sensitive data locally!

  42. Recap
    Top threats!
    • YOU
    • YOUR DATA
    • YOUR NETWORK
    • YOUR IDENTITY
    • YOUR ALGORITHMS

  43. Thanks for watching!
    • Find me on Twitter @Sp4ghettiCode
    • More resources and links at spght.dev/talks
    • Please do reach out if you are interested in learning more or have knowledge to share with the community!
    • Questions and Answers to follow…

  44. EOF