Secure data in Android

External workshop carried out at GDG DevFest Ukraine 2017.

Here we focus on APIs available from API level 18 on, such as AndroidKeyStore, the Fingerprint API and the Confirm Credentials API.

This workshop can help both less experienced developers, who have created a few Android applications without security requirements, to learn the basics of protecting sensitive user data, and experienced developers who want to learn about the Android SDK changes that were made to make data security easier.

The theoretical and practical parts are mixed.

The practical part is supported with already prepared, partly completed samples, followed by slides with instructions.

Prerequisites:

Kotlin Gradle Plugin 1.1.51

Android SDK 26

Android Studio 3.0 Beta 7

Android Virtual Device API 18

Android Virtual Device API 23

Fetch or download sample source code from GitHub https://github.com/TeamTechnologies/security-workshop-sample

Yakiv Mospan

October 14, 2017

Transcript

  1. Secure data in Android
    Remember to hard reset whenever you leave your device on the table
    Yakiv Mospan
    Author, Android Developer @ Team Technologies
    Svyatoslav Hromyak
    Android Developer @ Team Technologies

  2. Prerequisites
    Kotlin Gradle Plugin 1.1.51
    Android SDK 26
    Android Studio 3.0 Beta 7
    Android Virtual Device API 18
    Android Virtual Device API 23
    Fetch or download sample source code from GitHub
    https://github.com/TeamTechnologies/security-workshop-sample
    #dfua

  3. Overview
    Developing the Secrets Keeper Application
    Encryption in Android
    Compatibility, Fingerprint and Confirm Credentials
    Encryption: what is it and how does it work?

  4. Encryption
    The most effective way to achieve data security

  5–24. How it works
    Slides 5 to 24 build up one diagram step by step: plain data is turned into
    cipher data by an algorithm that uses a key. The labels of the diagram and the
    definitions revealed along the way are collected here.
    Plain data
    Sensitive data: personal life information, physical or mental health details,
    criminal or civil offences, private photos, private user documents, etc.
    Financial data: accounts, transactions, reports, credit card information, etc.
    Credentials: usernames, passwords, touch pincodes, fingerprint data, and all
    other stuff that can provide access to the data above.
    Algorithm
    Symmetric (AES, DES): the oldest and best-known technique. The encryption key
    and the decryption key are the same.
    Asymmetric (RSA, EC): a modern branch of cryptography, also known as public-key
    cryptography, in which the algorithms employ a pair of keys (a public key and a
    private key) and use a different component of the pair for different steps of
    the algorithm.
    Key
    Secret key: a single secret key which is used in conventional symmetric
    encryption to encrypt and decrypt a message.
    Private key / Public key: an asymmetric key pair.
    Public key: the public component of a pair of cryptographic keys used for
    encryption in asymmetric cryptography.
    Cipher data: the cipher output (shown on the slides as "sh7aertsca..").

  25. Encryption in Android
    Java Cryptography Architecture & AndroidKeyStore API

  26. Android builds on the Java Cryptography Architecture (JCA), which provides APIs for
    digital signatures, certificates, encryption, and key generation and
    management.

  27–36. Architecture
    Slides 27 to 36 build up one diagram of the JCA engine classes; the definition
    revealed on each step is collected here.
    Provider: defines a set of extensible, implementation-independent APIs.
    Key Generator: provides the public API for generating symmetric cryptographic keys.
    KeyPair Generator: an engine class which is capable of generating a private key
    and its related public key utilizing the algorithm it was initialized with.
    Secure Random: generates cryptographically secure pseudo-random numbers.
    Keys: keys created with the Generators.
    Key Store: a database with a well secured mechanism of data protection that is
    used to save, get and remove keys. Requires an entrance password and a password
    for each of the keys.
    Certificate: a certificate used to validate and save asymmetric keys.
    Cipher: provides access to implementations of cryptographic ciphers for
    encryption and decryption.

  37. AndroidKeyStore
    JCA Provider implementation
    No Keystore passwords (really, none at all)
    Key material never enters the application process
    Key material may be bound to the secure hardware
    Asymmetric keys available from API 18+
    Symmetric keys available from API 23+

  38. And as always happens, it is full of surprises.

  39. Stop this “bla-bla”
    talkings! We want
    to code something!

  40. Secrets Keeper
    Developing Sample Application

  41. The main goal of the sample application is to save user Secrets locally and keep them
    protected using the Encryption, Fingerprint and Confirm Credentials APIs.

  42. Requirements
    Support Android API 18+ devices
    Allow the user to access the application only if a Lock Screen is set
    Protect the user password with Encryption
    Protect user Secrets with Encryption
    Allow the user to access Secrets with Fingerprint
    Add additional Confirm Credentials protection

  45. Project Structure
    What to do next? Environment, Stages and Tips

  46. The project is separated into different Stages using Gradle flavors.
    A Stage represents a task that needs to be completed. A Stage
    can have subtasks, called levels.

  47. Encryption Stage

  48. Fingerprint Stage

  49. Confirm Credentials Stage

  50. Origination Stage. We begin from it and update it
    during the workshop.

  51. Completed Workshop Flavor

  52. Classes that we will update during the workshop

  53. If during the session you run out of time, lose focus,
    arrive later than others or something just goes wrong,
    select the next Stage or Level and continue working on it.

  54. Guides with more detailed information (what needs to be done
    to complete the stage, with full code snippets) are placed in
    the Readme file.
    On each Stage, listen to the explanations and follow the
    Guide steps.

  55. Encryption Stage - Level 1

  56. Checklist: Encryption Stage - Level 1
    Lock Screen and Keyguard
    Choose a key
    Create storage for the key
    Create the master key and save it
    Use the key to encrypt / decrypt Secrets and the User Password
    Protect Data

  57. Let's open the project itself and the Workshop Guide from the Readme file, and continue our
    work there.

  58. Encryption Stage - Level 2

  59. Checklist: Encryption Stage - Level 2
    Encrypt large data
    Create a Symmetric Key with the Default Provider
    Create a Symmetric Key with the Android Provider
    Wrap / Unwrap the Key with a Cipher

  60. Encryption Stage - Level 3

  61. Checklist: Encryption Stage - Level 3
    Initialization Vector
    Encryption with an Initialization Vector
    Decryption with an Initialization Vector
    Protect Data with an Initialization Vector
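
The Level 1 to Level 3 checklists together describe one mechanism, shown below as an added Kotlin example written for this page (it is not the sample project's own code). Following slide 37, where only asymmetric keys are available in AndroidKeyStore on API 18 to 22, an RSA master key pair is generated inside AndroidKeyStore with KeyPairGeneratorSpec; because asymmetric keys are not good for large data, a 256-bit AES data key from the default provider is wrapped with the RSA key and kept in SharedPreferences, and each secret (or the user password) is encrypted under that AES key with a fresh random IV stored in front of the ciphertext. The class name, the key alias and the preference names are assumptions made here.

```kotlin
import android.content.Context
import android.security.KeyPairGeneratorSpec
import android.util.Base64
import java.math.BigInteger
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.PublicKey
import java.security.SecureRandom
import java.util.Calendar
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.IvParameterSpec
import javax.security.auth.x500.X500Principal

// Assumed names for this example; the sample project's own alias and preference names may differ.
private const val MASTER_ALIAS = "secrets_master_rsa"
private const val PREFS = "secrets_keeper"
private const val WRAPPED_KEY_PREF = "wrapped_aes_key"
private const val IV_BYTES = 16 // AES block size, which is the IV length for CBC

class SecretsCrypto(private val context: Context) {

    private val prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
    private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

    init {
        if (!keyStore.containsAlias(MASTER_ALIAS)) createMasterKey()
    }

    // Level 1, API 18+: the RSA master key pair is generated inside AndroidKeyStore.
    // KeyPairGeneratorSpec is deprecated from API 23, where KeyGenParameterSpec replaces it;
    // the self-signed certificate fields are mandatory here but carry no meaning for us.
    private fun createMasterKey() {
        val start = Calendar.getInstance()
        val end = Calendar.getInstance().apply { add(Calendar.YEAR, 20) }
        val spec = KeyPairGeneratorSpec.Builder(context)
            .setAlias(MASTER_ALIAS)
            .setSubject(X500Principal("CN=$MASTER_ALIAS"))
            .setSerialNumber(BigInteger.ONE)
            .setStartDate(start.time)
            .setEndDate(end.time)
            .build()
        KeyPairGenerator.getInstance("RSA", "AndroidKeyStore").run {
            initialize(spec)
            generateKeyPair()
        }
    }

    private fun masterPublicKey(): PublicKey = keyStore.getCertificate(MASTER_ALIAS).publicKey
    private fun masterPrivateKey(): PrivateKey = keyStore.getKey(MASTER_ALIAS, null) as PrivateKey

    // Slide 37: key material never enters the app process, so there is no encoding to read.
    fun masterKeyMaterialIsHidden(): Boolean = masterPrivateKey().encoded == null

    // Level 2: RSA is not suited to large data, so the data key is a 256-bit AES key from the
    // default provider; only its RSA-wrapped form is ever written to disk.
    private fun dataKey(): SecretKey {
        val wrapped = prefs.getString(WRAPPED_KEY_PREF, null)
        val rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding")
        if (wrapped != null) {
            rsa.init(Cipher.UNWRAP_MODE, masterPrivateKey())
            return rsa.unwrap(Base64.decode(wrapped, Base64.NO_WRAP), "AES", Cipher.SECRET_KEY) as SecretKey
        }
        val key = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
        rsa.init(Cipher.WRAP_MODE, masterPublicKey())
        prefs.edit().putString(WRAPPED_KEY_PREF, Base64.encodeToString(rsa.wrap(key), Base64.NO_WRAP)).apply()
        return key
    }

    // Level 3: a fresh random IV for every encryption, stored in front of the ciphertext so
    // that equal secrets do not produce equal blobs and decryption can find the IV again.
    fun encrypt(plain: String): String {
        val iv = ByteArray(IV_BYTES).also { SecureRandom().nextBytes(it) }
        val aes = Cipher.getInstance("AES/CBC/PKCS7Padding")
        aes.init(Cipher.ENCRYPT_MODE, dataKey(), IvParameterSpec(iv))
        return Base64.encodeToString(iv + aes.doFinal(plain.toByteArray(Charsets.UTF_8)), Base64.NO_WRAP)
    }

    fun decrypt(blob: String): String {
        val bytes = Base64.decode(blob, Base64.NO_WRAP)
        require(bytes.size > IV_BYTES) { "blob too short to contain an IV" }
        val aes = Cipher.getInstance("AES/CBC/PKCS7Padding")
        aes.init(Cipher.DECRYPT_MODE, dataKey(), IvParameterSpec(bytes.copyOfRange(0, IV_BYTES)))
        return String(aes.doFinal(bytes.copyOfRange(IV_BYTES, bytes.size)), Charsets.UTF_8)
    }
}
```

`SecretsCrypto(context).encrypt(secret)` returns a Base64 blob that `decrypt` turns back into the text, and `masterKeyMaterialIsHidden()` returns true on a device because AndroidKeyStore never hands the RSA private key bytes to the app. AES/CBC protects confidentiality only; where a tampered blob must be detected as well, "AES/GCM/NoPadding" with a 12-byte IV is the drop-in alternative. The summary at the end of the deck advises against relying on AndroidKeyStore on pre-M devices, which is what Level 4 addresses.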

  62. Encryption Stage - Level 4

  63. Checklist: Encryption Stage - Level 4
    Key Invalidation Issue
    Default Keystore
    Save the Symmetric Key in the Default Keystore
    Protect Data and Compatibility Issues
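
Level 4 moves the symmetric key out of AndroidKeyStore on pre-M devices, where it can be lost (the "forgetful keystore" issue linked under Resources), into a password-protected keystore file of the platform's default type. The following added Kotlin example, written for this page and not taken from the sample project, does that and also derives the keystore password from the user password with PBKDF2 and a stored random salt, which is the "Salt value" the summary recommends. The class, the file layout, the alias and the iteration count are assumptions made here, and the user password is assumed to come from the app's own login screen (Level 1).

```kotlin
import java.io.File
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

// Assumed names and parameters for this example; the sample project's own may differ.
private const val DATA_KEY_ALIAS = "secrets_keeper_aes"
private const val PBKDF2_ITERATIONS = 10_000
private const val SALT_BYTES = 16

// Keeps the AES data key in a password-protected keystore file of the platform's default
// type ("BKS" on Android) instead of in AndroidKeyStore, so that a lock-screen change on a
// pre-M device cannot take the key away.
class DefaultKeyStoreRepository(private val storeFile: File, private val saltFile: File) {

    // One random salt per installation, kept next to the keystore file; it makes the derived
    // keystore password differ between installs even when two users choose the same password.
    private fun salt(): ByteArray =
        if (saltFile.exists()) saltFile.readBytes()
        else ByteArray(SALT_BYTES).also { SecureRandom().nextBytes(it); saltFile.writeBytes(it) }

    // The keystore password is derived from the user password with PBKDF2 rather than used as
    // is, which slows down guessing against a copied keystore file.
    private fun storePassword(userPassword: CharArray): CharArray {
        val spec = PBEKeySpec(userPassword, salt(), PBKDF2_ITERATIONS, 256)
        val derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).encoded
        spec.clearPassword()
        return derived.joinToString("") { "%02x".format(it) }.toCharArray()
    }

    // Loading with a wrong password fails the keystore's integrity check with an IOException.
    private fun open(password: CharArray): KeyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        if (storeFile.exists()) storeFile.inputStream().use { load(it, password) } else load(null, null)
    }

    // Returns the existing data key, or creates one and persists it on first use.
    fun loadOrCreateDataKey(userPassword: CharArray): SecretKey {
        val password = storePassword(userPassword)
        val store = open(password)
        val protection = KeyStore.PasswordProtection(password)
        (store.getEntry(DATA_KEY_ALIAS, protection) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
        val key = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
        store.setEntry(DATA_KEY_ALIAS, KeyStore.SecretKeyEntry(key), protection)
        storeFile.outputStream().use { store.store(it, password) }
        return key
    }
}
```

`DefaultKeyStoreRepository(File(filesDir, "secrets.bks"), File(filesDir, "secrets.salt")).loadOrCreateDataKey(password)` yields the same AES key on every call with the right password and fails in `open()` on a wrong one; the key then feeds the same AES/CBC encryption with a random IV used in Levels 1 to 3, and the keystore file is only as strong as the user password, which is why the derivation is slowed down and salted.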

  64. Fingerprint Stage

  65. Checklist: Fingerprint Stage
    Fingerprint
    Fingerprint Manager
    Fingerprint Authentication
    Fingerprint key
    Fingerprint Crypto Object
    Validate Fingerprint Authentication

  66. Confirm Credentials Stage

  67. Checklist: Confirm Credentials Stage
    Confirm Credentials Key
    Validate Confirm Credentials Authentication
    Confirm Credentials Intent
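
The Fingerprint and Confirm Credentials stages share one idea: on API 23+ a key in AndroidKeyStore can be marked as usable only after the user has authenticated, and that authentication is validated by the keystore rather than by the app. The added Kotlin example below (written for this page, not the sample project's code) creates such keys with KeyGenParameterSpec, ties one of them to a fingerprint touch through the CryptoObject of FingerprintManagerCompat (the compatibility helper named in the summary), handles KeyPermanentlyInvalidatedException when a new fingerprint is enrolled, and gives the other a 30-second validity window behind KeyguardManager's confirm-credential intent, together with the lock-screen check from the requirements slide. The aliases, the request code and the class names are assumptions made here; the manifest needs the USE_FINGERPRINT permission, and below API 23 these classes do not exist, so such devices have to rely on the encryption stages alone.

```kotlin
import android.app.Activity
import android.app.KeyguardManager
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.security.keystore.UserNotAuthenticatedException
import android.support.v4.hardware.fingerprint.FingerprintManagerCompat
import android.support.v4.os.CancellationSignal
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.IvParameterSpec

// Assumed names for this example; the sample project's own aliases and request codes may differ.
private const val FINGERPRINT_ALIAS = "secrets_fingerprint_aes"
private const val CREDENTIALS_ALIAS = "secrets_credentials_aes"
private const val REQUEST_CONFIRM_CREDENTIALS = 42
private const val TRANSFORMATION = "AES/CBC/PKCS7Padding"

private fun androidKeyStore(): KeyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

// API 23+: an AES key that AndroidKeyStore refuses to use until the user has authenticated.
// validitySeconds = -1 ties every use to one fingerprint touch (through a CryptoObject);
// a positive value allows any use within that many seconds after a lock-screen confirmation.
private fun authBoundKey(alias: String, validitySeconds: Int): SecretKey {
    (androidKeyStore().getKey(alias, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationValidityDurationSeconds(validitySeconds)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

class FingerprintUnlock(private val context: Context) {

    private val manager = FingerprintManagerCompat.from(context)

    fun isAvailable(): Boolean = manager.isHardwareDetected && manager.hasEnrolledFingerprints()

    // Cipher initialisation is where AndroidKeyStore reports a key it invalidated because a new
    // fingerprint was enrolled; the dead key is removed so the caller can re-encrypt with a new one.
    private fun cipherFor(iv: ByteArray): Cipher? = try {
        Cipher.getInstance(TRANSFORMATION).apply {
            init(Cipher.DECRYPT_MODE, authBoundKey(FINGERPRINT_ALIAS, -1), IvParameterSpec(iv))
        }
    } catch (e: KeyPermanentlyInvalidatedException) {
        androidKeyStore().deleteEntry(FINGERPRINT_ALIAS)
        null
    }

    // Decrypts one secret after a matching touch. onResult(null) means the sensor is unusable,
    // the key was invalidated, or the authentication ended with an error.
    fun decrypt(iv: ByteArray, ciphertext: ByteArray, cancel: CancellationSignal,
                onResult: (ByteArray?) -> Unit) {
        val cipher = if (isAvailable()) cipherFor(iv) else null
        if (cipher == null) { onResult(null); return }
        manager.authenticate(FingerprintManagerCompat.CryptoObject(cipher), 0, cancel,
            object : FingerprintManagerCompat.AuthenticationCallback() {
                override fun onAuthenticationSucceeded(result: FingerprintManagerCompat.AuthenticationResult) {
                    // Only the cipher handed back by the framework is authorised for this touch;
                    // a plain "success" flag would prove nothing to the keystore.
                    onResult(result.cryptoObject?.cipher?.doFinal(ciphertext))
                }
                override fun onAuthenticationError(errMsgId: Int, errString: CharSequence) = onResult(null)
            }, null)
    }
}

class CredentialsUnlock(private val activity: Activity) {

    private val keyguard = activity.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager

    // Requirement from slide 42: the app is usable only when a lock screen is configured.
    fun isLockScreenSet(): Boolean = keyguard.isKeyguardSecure

    // Returns the plaintext, or null after starting the system confirmation screen; call again
    // from onActivityResult when requestCode == REQUEST_CONFIRM_CREDENTIALS and resultCode == RESULT_OK.
    fun decryptOrConfirm(iv: ByteArray, ciphertext: ByteArray): ByteArray? = try {
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.DECRYPT_MODE, authBoundKey(CREDENTIALS_ALIAS, 30), IvParameterSpec(iv))
        cipher.doFinal(ciphertext)
    } catch (e: UserNotAuthenticatedException) {
        val intent = keyguard.createConfirmDeviceCredentialIntent(
            "Secrets Keeper", "Confirm your screen lock to open your secrets")
        if (intent != null) activity.startActivityForResult(intent, REQUEST_CONFIRM_CREDENTIALS)
        null
    }
}
```

Create the fingerprint key only when `isAvailable()` is true and the credentials key only when `isLockScreenSet()` is true; AndroidKeyStore refuses to generate an authentication-bound key otherwise. When `decrypt` reports null after an invalidation, the secrets must be re-encrypted under a fresh key, which is what the summary's "always handle cases of key invalidation" refers to.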

  68. Afterwords

  69. Summary
    Android provides various possibilities to secure data
    But not all of them work as designed
    Do not use the Android Key Store API on pre-M devices
    Use it only if you are not scared to lose data (that can be reloaded)
    Choose the Key Algorithm that is best for your needs
    Remember that asymmetric Keys are not good for large data

  75. Summary
    Use Initialization Vectors and a Salt value for better protection
    Fingerprint is not the main security option
    Always handle cases of key invalidation
    Remember that there is a fingerprint compatibility helper
    Use Confirm Credentials instead of custom screen locks

  81. Security is a complex unit. All of that will not work if the application is
    running in a corrupted environment.

  82. What’s Next?
    Key Attestation
    Integrity check (SafetyNet)

  83. Resources
    JCA Documentation
    http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
    Android Keystore Documentation
    https://developer.android.com/training/articles/keystore.html
    Android Keystore Supported Algorithms
    http://developer.android.com/training/articles/keystore.html#SupportedAlgorithms
    Android Source
    https://source.android.com/security/keystore/

  84. Resources
    Fingerprint & Confirm Credentials Authentication
    https://developer.android.com/about/versions/marshmallow/android-6.0.html
    Fingerprint Google Sample
    https://github.com/googlesamples/android-FingerprintDialog
    Confirm Credentials Google Sample
    https://github.com/googlesamples/android-ConfirmCredential
    Android Arsenal, Security and Fingerprint tags
    https://android-arsenal

  85. Resources
    Nikolay Elenkov, Book
    https://www.amazon.com/Android-Security-Internals-In-Depth-Architecture/dp/1593275811
    Nikolay Elenkov, Blog
    http://nelenkov.blogspot.com/
    Dorian Cussen, Blog
    https://doridori.github.io/android-security-the-forgetful-keystore/
    Courses
    https://www.coursera.org/learn/crypto

  86. Thank You!
    Questions?
    Yakiv Mospan
    Author, Android Developer @ Team Technologies
    Svyatoslav Hromyak
    Android Developer @ Team Technologies
