Android Security(Security library, Biometric Auth)

Transcript

1. Android Dev Summit 2019 extended Seoul AndroidX Security library Android

   Security kakaopay GDG Seoul Organizer Taehwan

2. য়ט ঌইࠅ ղਊ • AndroidX Security Library ࣗѐ • Library

   ࢎਊߨ • ࢎਊೞݶࢲ ઱੄ೡ ੼

3. ੉ ߊ಴ীࢲ ঌ ࣻ হח Ѫٜ • Security Libraryਸ ઁ৻

   ೠ ࠁউ਷ ঌ ࣽ হ׮.

4. ੉ ੗ܐٜਸ ଵҊೞࣁਃ • ࠶۽Ӓ • https://thdev.tech/android/2019/12/21/Android-Security-Library • ਬౚ࠳ •

   https://www.youtube.com/watch?v=0uG_RKiDmQY • https://youtu.be/W3mwSnF1n50 • ѐߊ ޙࢲ • https://developer.android.com/guide/topics/security/cryptography • https://developer.android.com/training/articles/keystore • https://github.com/google/tink • https://developer.android.com/topic/security/data • https://developer.android.com/training/sign-in/biometric-auth

5. Android Dev Summit 2019 extended Seoul Security Library

6. Android Security

7. Security Library • MinSdk • API 23 - Android 6.0

   (Marshmallow) • Last version • alpha2 (May 23, 2019) • ઁҕೞח Ѫٜ • ঐഐച ҙ۲ : EncryptedFile, EncryptedSharedPreferences • KeyAlias ࢤࢿ : Android KeyStore ੉ਊೠ MasterKeys generator https://developer.android.com/guide/topics/security/cryptography

8. ঐഐച ҙ۲(Google Tink ࢎਊ) • Open source project • Multi-language(Java,

   C++, Obj-c ١) • cross-platform ജ҃ ૑ਗ https://github.com/google/tink

9. Android Dev Summit 2019 extended Seoul Use Security library

10. Use Security library dependencies { implementation "androidx.security:security-crypto:1.0.0-alpha02" }

11. ߡ੹੉ ݏ૑ ঋਵݶ Manifest merger failed : uses-sdk:minSdkVersion 21 cannot

    be smaller than version 23 declared in library … Suggestion: use a compatible library with a minSdk of at most 21, or increase this project's minSdk version to at least 23, or use tools:overrideLibrary="androidx.security" to force usage (may lead to runtime failures)

12. Encrypted Shared Preferences

13. EncryptedSharedPreferences private val sharedPreferences: SharedPreferences by lazy { val keyGenParameterSpec

    = MasterKeys.AES256_GCM_SPEC val masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec) EncryptedSharedPreferences.create( "security_test", masterKeyAlias, requireContext(), EncryptedSharedPreferences .PrefKeyEncryptionScheme.AES256_SIV, EncryptedSharedPreferences .PrefValueEncryptionScheme.AES256_GCM) }

14. private val sharedPreferences: SharedPreferences by lazy { val keyGenParameterSpec =

    MasterKeys.AES256_GCM_SPEC val masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec) EncryptedSharedPreferences.create( "security_test", masterKeyAlias, requireContext(), EncryptedSharedPreferences .PrefKeyEncryptionScheme.AES256_SIV, EncryptedSharedPreferences .PrefValueEncryptionScheme.AES256_GCM) } EncryptedSharedPreferences 1. Alias ࢤࢿ ః spec ੿੄ 2. Alias ࢤࢿ 3. ୡӝച 4. Preferences ౵ੌ ݺ 5. ࢤࢿೠ Alias 6. Keyী ؀ೠ ঐഐച ߑध ૑੿ 7. Valueী ؀ೠ ঐഐച ߑध ૑੿

15. ௏٘ ੸ਊ sharedPreferences .edit() .putString("edit", binding.editQuery.text.toString()) .apply() sharedPreferences.getString("edit", "") binding.tvShowQuery.text

    =

16. ز੘ ഛੋ • Input • Encryption • SharedPreferences • Decryption

    • TextView.text update

17. ؘ੉ఠ ਤ஖ ഛੋ • Device File Explorerܳ ੉ਊೠ ഛੋ •

    data/data/packageName/shared_prefs/fileName.xml

18. ੿݈ ੜ ঐഐചغ঻ա? <?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <string

    name=“__androidx_security_crypto_encrypted_prefs_key_keyset__”>12a9012625bdf450e290a64e2d986fef7dfc1eeb 2bbd155284109e023154109143a090d5cdcd013d7baa0e5a8a711bc2be890…001</string> <string name=“__androidx_security_crypto_encrypted_prefs_value_keyset__”>128801a126068a44b9c8d90f866c9ad39506d 7c878dcd1933afb0555993979cee6078d131cb2b197439c7054….e9b90072001</string> <string name="ATL2UNefXJWYrZ1WL6QlgOVHj0zdG6R7Uw==">AXIG/ 0eBMc6MsQjaAbOQUY8QijYBYnl4TKWnH+dcNIjKBfZqlyJtgbcMEcorjP71Vcc=</string> </map> Key editী ؀ೠ key/value

19. EncryptedFile

20. EncryptedFile val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC val masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec) val

    fileToRead = "my_sensitive_data.txt" val encryptedFile = EncryptedFile.Builder( File(requireContext().cacheDir, fileToRead), requireContext(), masterKeyAlias, EncryptedFile .FileEncryptionScheme .AES256_GCM_HKDF_4KB ).build()

21. EncryptedFile val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC val masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec) val

    fileToRead = "my_sensitive_data.txt" val encryptedFile = EncryptedFile.Builder( File(requireContext().cacheDir, fileToRead), requireContext(), masterKeyAlias, EncryptedFile .FileEncryptionScheme .AES256_GCM_HKDF_4KB ).build() 1. Alias ࢤࢿ ః spec ੿੄ 2. Alias ࢤࢿ 3. ࢎਊೡ file name 4. EncryptedFile ୡӝച 5. ࢎਊೡ ౵ੌ ୡӝച 6. Key Alias 7. ࢎਊೡ ঐഐച ؘ੉ఠ

22. Read/Write encryptedFile.openFileOutput().bufferedWriter().use { it.write(binding.editQuery.text.toString()) } val content = encryptedFile.openFileInput() .bufferedReader().useLines

    { lines -> lines.fold(" ") { working, line -> "$working $line" } } // Use content

23. ز੘ ഛੋ • Input • Encryption • SharedPreferences • Decryption

    • TextView.text update

24. ؘ੉ఠ ਤ஖ ഛੋ • Device File Explorerܳ ੉ਊೠ ഛੋ •

    ੷੢ೠ ҃۽۽ ੉ز • ৈӝࢲח data/data/packageName/cache/fileName.txt

25. ੿݈ ੜ ঐഐചغ঻ա?

26. Warning

27. KeyAlias ߸҃? @NonNull public static String getOrCreate( @NonNull KeyGenParameterSpec spec)

    throws GeneralSecurityException, IOException { validate(spec); if (!MasterKeys.keyExists(spec.getKeystoreAlias())) { generateKey(spec); } return spec.getKeystoreAlias(); } • masterKeyAliasח String ߸ࣻ੉׮ • ߸҃ оמೞҊ, ز੘ী ޙઁহ׮. • ೞ૑݅ MasterKeys ࢎਊਸ ӂ੢ validate(spec); if (!MasterKeys.keyExists(spec.getKeystoreAlias())) { generateKey(spec); }

28. EncryptedFile • File openFileOutput ࢎਊ द ઱੄೧ঠ ೠ׮. • ੉޷

    ࢤࢿػ زੌ ౵ੌ੉ ੓ਵݶ Exception ߊࢤ

29. EncryptedFile @NonNull public FileOutputStream openFileOutput() throws GeneralSecurityException, IOException { if

    (mFile.exists()) { throw new IOException("output file already exists, please use a new file: " + mFile.getName()); } FileOutputStream fileOutputStream = new FileOutputStream(mFile); OutputStream encryptingStream = mStreamingAead.newEncryptingStream( fileOutputStream, mFile.getName().getBytes(UTF_8)); return new EncryptedFileOutputStream(fileOutputStream.getFD(), encryptingStream); }

30. EncryptedFile @NonNull public FileOutputStream openFileOutput() throws GeneralSecurityException, IOException { if

    (mFile.exists()) { throw new IOException("output file already exists, please use a new file: " + mFile.getName()); } FileOutputStream fileOutputStream = new FileOutputStream(mFile); OutputStream encryptingStream = mStreamingAead.newEncryptingStream( fileOutputStream, mFile.getName().getBytes(UTF_8)); return new EncryptedFileOutputStream(fileOutputStream.getFD(), encryptingStream); } if (mFile.exists()) { throw new IOException("output file already exists, please use a new file: " + mFile.getName()); } زੌ ౵ੌ ݺਵ۽ Output ೡ ҃਋ Exception ߊࢤ

31. ౵ੌ ॳӝ ೧Ѿ ߑߨ val file = File(requireContext() .cacheDir, fileToRead)

    if (file.exists()) { file.delete() } • ӝઓ ౵ੌਸ ઁѢ • ৮੹ೠ ؘ੉ఠ ࣚप ઱੄ ೙ਃ • ӝઓ ౵ੌਸ ੍য ׮द ੷੢ • ࢜۽਍ ؘ੉ఠ append റ ੷੢

32. Biometric Authentication

33. Biometric Authentication • MinSdk • API 23 - Android 6.0

    (Marshmallow) • Last version • 1.0.1 (December 18, 2019) https://developer.android.com/training/sign-in/biometric-auth

34. Use Security library dependencies { implementation "androidx.biometric:biometric:1.0.1" }

35. Biometric Authentication val biometricPrompt = BiometricPrompt.PromptInfo.Builder() .setTitle("Biometric login for my

    app") .setSubtitle("Log in using your biometric credential") .setNegativeButtonText("Use account password") .setConfirmationRequired(true) .build() val biometric = BiometricPrompt( requireActivity(), ContextCompat.getMainExecutor(requireContext()), listener ) biometric.authenticate(biometricPrompt)

36. Biometric Authentication val biometricPrompt = BiometricPrompt.PromptInfo.Builder() .setTitle("Biometric login for my

    app") .setSubtitle("Log in using your biometric credential") .setNegativeButtonText("Use account password") .build() val biometric = BiometricPrompt( requireActivity(), ContextCompat.getMainExecutor(requireContext()), listener ) biometric.authenticate(biometricPrompt) .setConfirmationRequired(true) ঴ҷ ੋध੄ ҃਋ ୶о ߡౡ ഝࢿച ২࣌ ࢎਊ

37. Biometric Authentication val listener = object : BiometricPrompt.AuthenticationCallback() { override

    fun onAuthenticationError(errorCode: Int, errString: CharSequence) { super.onAuthenticationError(errorCode, errString) android.util.Log.i("TEMP", "Unlock error errorCode $errorCode errString $errString") } override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) { super.onAuthenticationSucceeded(result) // Unlocked android.util.Log.i("TEMP", "Unlock success") } override fun onAuthenticationFailed() { super.onAuthenticationFailed() android.util.Log.i("TEMP", "Unlock failed") } }

38. Biometric Authentication • onAuthenticationError • ஂࣗ, ࠺޻ߣഐ ࢎਊ, ײӝ ١

    ݽٚ ী۞ח ৈӝ۽ • onAuthenticationSucceeded • Biometric ੋૐ ࢿҕ द ৈӝ۽ • onAuthenticationFailed • ੋૐ җ੿ীࢲ पಁೠ ҃਋ ৈӝ۽

39. Android Dev Summit 2019 extended Seoul End Taehwan taehwan@thdev.net