
Secure data in Android

External Workshop carried out at GDG DevFest Ukraine 2017.

Here we focus on APIs available from API level 18 onward: AndroidKeyStore, and from API 23 the Fingerprint API and the Confirm Credentials API.

This workshop can help both less experienced developers, who have built a few Android applications without any security requirements and want to learn the basics of protecting sensitive user data, and experienced developers who want to know about the Android SDK changes that were made to make data security easier.

Theoretical and practical parts are mixed.

The practical part is supported by prepared, partly completed samples, followed by slides with instructions.

Prerequisites:

Kotlin Gradle Plugin 1.1.51

Android SDK 26

Android Studio 3.0 Beta 7

Android Virtual Device API 18

Android Virtual Device API 23

Fetch or download sample source code from GitHub https://github.com/TeamTechnologies/security-workshop-sample


Yakiv Mospan

October 14, 2017

Transcript

  1. Secure data in Android. Remember to hard reset whenever you leave your device on the table. Yakiv Mospan, Author, Android Developer @ Team Technologies. Svyatoslav Hromyak, Android Developer @ Team Technologies.
  2. Prerequisites: Kotlin Gradle Plugin 1.1.51; Android SDK 26; Android Studio 3.0 Beta 7; Android Virtual Device API 18; Android Virtual Device API 23. Fetch or download the sample source code from GitHub: https://github.com/TeamTechnologies/security-workshop-sample #dfua
  3. Overview: developing the Secrets Keeper application; encryption in Android; compatibility, Fingerprint and Confirm Credentials. Encryption: what is it? How does it work?
  4. Encryption: the most effective way to achieve data security.

  5-24. How it works (one animated diagram spread over twenty slides, each highlighting a single element, which is why the same labels repeat)

    Plain data + Key + Algorithm -> Cipher data (shown on the slides as "sh7aertsca..")

    Plain data
    - Sensitive data: personal life information, physical or mental health details, criminal or civil offences, private photos, private user documents, etc.
    - Financial data: accounts, transactions, reports, credit card information, etc.
    - Credentials: usernames, passwords, touch PIN codes, fingerprint data, and anything else that can provide access to the data above.

    Algorithm
    - Symmetric: the oldest and best-known technique. The encryption key and the decryption key are the same. Examples on the slides: AES, DES (DES is listed for illustration only; its 56-bit key is no longer considered secure).
    - Asymmetric: a modern branch of cryptography, also known as public-key cryptography. The algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm. Examples on the slides: RSA, EC.

    Key
    - Secret key: a single secret key used in conventional symmetric encryption to both encrypt and decrypt a message.
    - Private key / Public key: the asymmetric key pair. The public key is the public component of the pair and is used for encryption in asymmetric cryptography; the private key decrypts.

    Cipher data: the cipher output.
  25. Encryption in Android: Java Cryptography Architecture & AndroidKeyStore API
  26. Android builds on the Java Cryptography Architecture (JCA), which provides APIs for digital signatures, certificates, encryption, key generation and key management.
  27-36. Architecture (one animated diagram, each slide highlighting a single JCA component)
    - Provider: supplies the concrete implementations behind the JCA's extensible, implementation-independent APIs.
    - Key Generator: provides the public API for generating symmetric cryptographic keys.
    - KeyPair Generator: an engine class capable of generating a private key and its related public key, using the algorithm it was initialized with.
    - Secure Random: generates cryptographically secure pseudo-random numbers.
    - Keys: keys created with the generators.
    - Key Store: a database with a well-secured data protection mechanism, used to save, get and remove keys. A conventional (file-based) KeyStore requires an entrance password and a password for each key.
    - Certificate: used to validate and save asymmetric keys; a KeyStore stores a private key together with its certificate chain.
    - Cipher: provides access to implementations of cryptographic ciphers for encryption and decryption.
  37. AndroidKeyStore
    - JCA Provider implementation
    - No keystore passwords (really, at all)
    - Key material never enters the application process
    - Key material may be bound to the secure hardware
    - Asymmetric keys available from API 18+
    - Symmetric keys available from API 23+
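    The points above in working form, as an added example for this page (it is not code from the workshop repository). The alias `workshop.master`, the function names and the 20-year certificate validity are assumptions; the API split is real: before API 23 only `KeyPairGeneratorSpec` exists and only asymmetric keys can be generated, from API 23 `KeyGenParameterSpec` covers both RSA and AES, and `KeyInfo` lets you check whether the key actually ended up in secure hardware:

```kotlin
import android.content.Context
import android.os.Build
import android.security.KeyPairGeneratorSpec
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import java.math.BigInteger
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.util.Calendar
import javax.crypto.KeyGenerator
import javax.security.auth.x500.X500Principal

// The provider name is the same on every API level; the alias is an assumption for this example.
private const val PROVIDER = "AndroidKeyStore"
private const val MASTER_KEY_ALIAS = "workshop.master"

/** Loads the system keystore. load(null) is required: there is no file and no password to give. */
fun loadAndroidKeyStore(): KeyStore = KeyStore.getInstance(PROVIDER).apply { load(null) }

/**
 * Creates the RSA master key pair inside AndroidKeyStore if it is not there yet.
 * API 18-22: KeyPairGeneratorSpec; asymmetric keys only; the self-signed certificate fields are mandatory.
 * API 23+:   KeyGenParameterSpec, which also declares the purposes and paddings the key may be used with.
 */
fun ensureRsaMasterKey(context: Context, alias: String = MASTER_KEY_ALIAS) {
    if (loadAndroidKeyStore().containsAlias(alias)) return

    val generator = KeyPairGenerator.getInstance("RSA", PROVIDER)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
        val spec = KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setKeySize(2048)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
            .build()
        generator.initialize(spec)
    } else {
        val notBefore = Calendar.getInstance()
        val notAfter = Calendar.getInstance().apply { add(Calendar.YEAR, 20) }
        @Suppress("DEPRECATION")
        val spec = KeyPairGeneratorSpec.Builder(context)
            .setAlias(alias)
            .setSubject(X500Principal("CN=$alias"))
            .setSerialNumber(BigInteger.ONE)
            .setStartDate(notBefore.time)
            .setEndDate(notAfter.time)
            .build()
        generator.initialize(spec)
    }
    // Key material is generated inside the keystore (or the TEE); the returned private key is only a handle.
    generator.generateKeyPair()
}

/** AES keys exist in AndroidKeyStore only from API 23; returns false so callers can fall back to the default provider. */
fun ensureAesKey(alias: String): Boolean {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) return false
    if (loadAndroidKeyStore().containsAlias(alias)) return true
    val spec = KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setKeySize(256)
        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
        .build()
    KeyGenerator.getInstance("AES", PROVIDER).apply { init(spec) }.generateKey()
    return true
}

/** API 23+: asks the keystore whether the private key is held in secure hardware. Null when it cannot tell. */
fun isMasterKeyHardwareBacked(alias: String = MASTER_KEY_ALIAS): Boolean? {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) return null
    val privateKey = loadAndroidKeyStore().getKey(alias, null) as? PrivateKey ?: return null
    val info = KeyFactory.getInstance(privateKey.algorithm, PROVIDER).getKeySpec(privateKey, KeyInfo::class.java)
    return info.isInsideSecureHardware
}
```

    Note that `generateKeyPair()` returns a `PrivateKey` object you can hand to a `Cipher`, but calling `getEncoded()` on it returns null: the bytes never leave the keystore, which is exactly the property the slide promises.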
  38. And, as always happens, it is full of surprises.
  39. Stop this "bla-bla" talking! We want to code something!

  40. Secrets Keeper: developing the sample application
  41. The main goal of the sample application is to save user Secrets locally and keep them protected using the Encryption, Fingerprint and Confirm Credentials APIs.
  42. Requirements
    - Support API 18+ devices
    - Allow the user to access the application only if a lock screen is set
    - Protect the user password with encryption
    - Protect the user's Secrets with encryption
    - Allow the user to access Secrets with a fingerprint
    - Add additional Confirm Credentials protection
  45. Project structure: what to do next? Environment, Stages and tips
  46. The project is separated into Stages using Gradle flavors. A Stage represents a task that needs to be completed. A Stage can have subtasks: Levels.
  47. Encryption Stage

  48. Fingerprint Stage

  49. Confirm Credentials Stage

  50. Origination Stage: we start from it and update it during the workshop.
  51. Completed Workshop Flavor

  52. Classes that we will update during the workshop

  53. If during the session you run out of time, lose focus, arrive later than others, or something just goes wrong, select the next Stage or Level and continue working on it.
  54. Guides with more detailed information (what needs to be done to complete the Stage, plus full code snippets) are in the Readme file. On each Stage, listen to the explanations and follow the Guide steps.
  55. Encryption Stage - Level 1

  56. Checklist, Encryption Stage - Level 1
    - Lock Screen and Keyguard
    - Choose a key
    - Create storage for the key
    - Create the master key and save it
    - Use the key to encrypt / decrypt Secrets and the user password
    - Protect data
  57. Let's open the project itself and the Workshop Guide in the Readme file, and continue our work there.
  58. Encryption Stage - Level 2

  59. Checklist, Encryption Stage - Level 2
    - Encrypt large data
    - Create a symmetric key with the default provider
    - Create a symmetric key with the Android provider
    - Wrap / unwrap the key with Cipher
  60. Encryption Stage - Level 3

  61. Checklist, Encryption Stage - Level 3
    - Initialization Vector
    - Encryption with an Initialization Vector
    - Decryption with an Initialization Vector
    - Protect data with an Initialization Vector
  62. Encryption Stage - Level 4

  63. Checklist, Encryption Stage - Level 4
    - Key invalidation issue
    - Default keystore
    - Save a symmetric key in the default keystore
    - Protect data, and compatibility issues
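    Levels 1 to 4 together form one procedure: a master key that never leaves AndroidKeyStore, a throwaway AES data key from the default provider for the large payload (RSA cannot encrypt more than a couple of hundred bytes, but it can wrap a 32-byte key), a fresh random IV per encryption stored next to the ciphertext, and a path for the day the master key is gone. The block below carries that procedure through as an added example; it is not the workshop's own code. It assumes the RSA key pair already exists under the assumed alias `workshop.master`; `ProtectedSecret` and `MasterKeyLostException` are names made up here:

```kotlin
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.IvParameterSpec

// Assumed alias of the RSA master key pair already present in AndroidKeyStore.
private const val PROVIDER = "AndroidKeyStore"
private const val MASTER_KEY_ALIAS = "workshop.master"
private const val RSA_TRANSFORMATION = "RSA/ECB/PKCS1Padding"
private const val AES_TRANSFORMATION = "AES/CBC/PKCS7Padding"
private const val IV_BYTES = 16 // AES block size; CBC needs exactly one block of IV

/** Raised when the master key is no longer in the keystore (pre-M devices drop keys when the lock screen changes). */
class MasterKeyLostException(message: String) : Exception(message)

/** What gets persisted per secret: the wrapped data key and the blob laid out as IV || ciphertext. */
data class ProtectedSecret(val wrappedKey: ByteArray, val blob: ByteArray)

/** A fresh 256-bit AES data key from the default JCA provider; it lives in the app process only until wrapped. */
fun newDataKey(): SecretKey = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()

/** Wraps the data key with the master public key; the wrapped blob is what you store. */
fun wrapDataKey(dataKey: SecretKey): ByteArray {
    val publicKey = KeyStore.getInstance(PROVIDER).apply { load(null) }
        .getCertificate(MASTER_KEY_ALIAS)?.publicKey
        ?: throw MasterKeyLostException("no certificate under alias $MASTER_KEY_ALIAS")
    return Cipher.getInstance(RSA_TRANSFORMATION).run {
        init(Cipher.WRAP_MODE, publicKey)
        wrap(dataKey)
    }
}

/** Unwraps with the private key handle; the private key material itself never enters the process. */
fun unwrapDataKey(wrapped: ByteArray): SecretKey {
    val privateKey = KeyStore.getInstance(PROVIDER).apply { load(null) }.getKey(MASTER_KEY_ALIAS, null)
        ?: throw MasterKeyLostException("master key missing; protected secrets cannot be recovered")
    return Cipher.getInstance(RSA_TRANSFORMATION).run {
        init(Cipher.UNWRAP_MODE, privateKey)
        unwrap(wrapped, "AES", Cipher.SECRET_KEY) as SecretKey
    }
}

/** Encrypts with a random IV and prepends it: the IV is not secret, but it must be unique per encryption. */
fun encrypt(dataKey: SecretKey, plain: ByteArray): ByteArray {
    val iv = ByteArray(IV_BYTES).also { SecureRandom().nextBytes(it) }
    val cipher = Cipher.getInstance(AES_TRANSFORMATION)
    cipher.init(Cipher.ENCRYPT_MODE, dataKey, IvParameterSpec(iv))
    return iv + cipher.doFinal(plain)
}

/** Splits IV || ciphertext and decrypts; a truncated blob is rejected before the cipher ever sees it. */
fun decrypt(dataKey: SecretKey, blob: ByteArray): ByteArray {
    require(blob.size > IV_BYTES) { "blob too short to hold an IV and ciphertext" }
    val cipher = Cipher.getInstance(AES_TRANSFORMATION)
    cipher.init(Cipher.DECRYPT_MODE, dataKey, IvParameterSpec(blob.copyOfRange(0, IV_BYTES)))
    return cipher.doFinal(blob, IV_BYTES, blob.size - IV_BYTES)
}

/** One data key per secret: generated, used once, wrapped, and then forgotten by the process. */
fun protect(plain: ByteArray): ProtectedSecret {
    val dataKey = newDataKey()
    return ProtectedSecret(wrapDataKey(dataKey), encrypt(dataKey, plain))
}

/** Reverse path. MasterKeyLostException means the secrets are gone for good and the user must be told. */
fun reveal(secret: ProtectedSecret): ByteArray = decrypt(unwrapDataKey(secret.wrappedKey), secret.blob)
```

    Both byte arrays of a `ProtectedSecret` can be Base64-encoded into SharedPreferences. Two caveats a reviewer would raise: CBC gives confidentiality only, so if an attacker who can modify the stored blob is in scope, add a MAC over IV and ciphertext or use an authenticated mode such as AES/GCM where the device supports it; and the `MasterKeyLostException` path is the practical meaning of the summary slide's "use it only if you are not scared of losing data".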
  64. Fingerprint Stage

  65. Checklist, Fingerprint Stage
    - Fingerprint
    - Fingerprint Manager
    - Fingerprint authentication
    - Fingerprint key
    - Fingerprint CryptoObject
    - Validate fingerprint authentication
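    The items of this checklist chained together, as an added example rather than the workshop's code. It uses the support library's `FingerprintManagerCompat` (the compatibility helper the summary refers to) and requires the `USE_FINGERPRINT` permission in the manifest. The alias `workshop.fingerprint` and the function names are assumptions. The security-relevant points are that the key is created with `setUserAuthenticationRequired(true)` and no validity duration, so each `Cipher` operation must be authorized by a fingerprint bound to that very `Cipher` through a `CryptoObject`, and that `KeyPermanentlyInvalidatedException` (a new finger enrolled, lock screen removed) must be handled, not swallowed:

```kotlin
import android.content.Context
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.support.annotation.RequiresApi
import android.support.v4.hardware.fingerprint.FingerprintManagerCompat
import android.support.v4.os.CancellationSignal
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.IvParameterSpec

private const val PROVIDER = "AndroidKeyStore"
private const val FINGERPRINT_KEY_ALIAS = "workshop.fingerprint" // assumed alias
private const val AES_TRANSFORMATION = "AES/CBC/PKCS7Padding"

/** Safe on any API level: the compat helper simply reports "no hardware" before API 23. */
fun canUseFingerprint(context: Context): Boolean {
    val fm = FingerprintManagerCompat.from(context)
    return fm.isHardwareDetected && fm.hasEnrolledFingerprints()
}

@RequiresApi(Build.VERSION_CODES.M)
fun ensureFingerprintKey(): SecretKey {
    val keyStore = KeyStore.getInstance(PROVIDER).apply { load(null) }
    (keyStore.getKey(FINGERPRINT_KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(FINGERPRINT_KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
        // No validity duration: every Cipher operation needs an authentication bound to it via CryptoObject.
        .setUserAuthenticationRequired(true)
        .build()
    return KeyGenerator.getInstance("AES", PROVIDER).apply { init(spec) }.generateKey()
}

/**
 * Prepares the Cipher that will be handed to the fingerprint prompt. For encryption pass no IV and read
 * cipher.iv afterwards; for decryption pass the IV stored with the ciphertext. Returns null when the key has
 * been permanently invalidated: the dead key is removed and whatever it protected must be re-created.
 */
@RequiresApi(Build.VERSION_CODES.M)
fun initFingerprintCipher(mode: Int, iv: ByteArray? = null): Cipher? {
    val cipher = Cipher.getInstance(AES_TRANSFORMATION)
    return try {
        val key = ensureFingerprintKey()
        if (iv == null) cipher.init(mode, key) else cipher.init(mode, key, IvParameterSpec(iv))
        cipher
    } catch (e: KeyPermanentlyInvalidatedException) {
        KeyStore.getInstance(PROVIDER).apply { load(null) }.deleteEntry(FINGERPRINT_KEY_ALIAS)
        null
    }
}

/**
 * Shows the fingerprint prompt. On success, only the Cipher inside result.cryptoObject is authorized;
 * calling doFinal on any other Cipher instance is rejected by the keystore.
 */
@RequiresApi(Build.VERSION_CODES.M)
fun authenticateWithFingerprint(
    context: Context,
    cipher: Cipher,
    cancel: CancellationSignal,
    onSuccess: (Cipher) -> Unit,
    onError: (CharSequence) -> Unit
) {
    val callback = object : FingerprintManagerCompat.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: FingerprintManagerCompat.AuthenticationResult) {
            val authorized = result.cryptoObject?.cipher
            if (authorized == null) onError("authentication result carries no CryptoObject") else onSuccess(authorized)
        }
        override fun onAuthenticationFailed() = onError("fingerprint not recognised")
        override fun onAuthenticationError(errMsgId: Int, errString: CharSequence) = onError(errString)
        override fun onAuthenticationHelp(helpMsgId: Int, helpString: CharSequence) = onError(helpString)
    }
    FingerprintManagerCompat.from(context)
        .authenticate(FingerprintManagerCompat.CryptoObject(cipher), 0, cancel, callback, null)
}

/** Final step: decrypt an IV-stripped ciphertext with the Cipher received in onSuccess. */
fun decryptWithAuthorized(authorized: Cipher, ciphertext: ByteArray): ByteArray = authorized.doFinal(ciphertext)
```

    Typical flow for reading a secret: split the stored blob into IV and ciphertext, call `initFingerprintCipher(Cipher.DECRYPT_MODE, iv)`, pass the result to `authenticateWithFingerprint`, and in `onSuccess` call `decryptWithAuthorized`. A null from `initFingerprintCipher` is the key-invalidation case from the summary slide and needs a user-facing message, not a silent retry.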
  66. Confirm Credentials Stage

  67. Checklist, Confirm Credentials Stage
    - Confirm Credentials key
    - Validate Confirm Credentials authentication
    - Confirm Credentials Intent
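    The three checklist items as one added example (not the workshop's own code). Here the key is again authentication-bound, but with `setUserAuthenticationValidityDurationSeconds`, which changes the mechanism: the lock-screen credential itself unlocks the key for a window of time, no `CryptoObject` is involved, and an expired window surfaces as `UserNotAuthenticatedException` on `Cipher.init`, which is the cue to launch the system's Confirm Credentials screen via `KeyguardManager.createConfirmDeviceCredentialIntent`. The alias, the request code, the 30-second window and the `KeyAccess` type are assumptions; the lock-screen check also covers the "only if a lock screen is set" requirement from slide 42:

```kotlin
import android.app.Activity
import android.app.KeyguardManager
import android.content.Context
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.security.keystore.UserNotAuthenticatedException
import android.support.annotation.RequiresApi
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.IvParameterSpec

private const val PROVIDER = "AndroidKeyStore"
private const val CONFIRM_KEY_ALIAS = "workshop.confirm"   // assumed alias
private const val AUTH_VALIDITY_SECONDS = 30               // how long one credential confirmation stays valid
const val REQUEST_CONFIRM_CREDENTIALS = 0x1234             // assumed request code

/** API 16+: true when a PIN, pattern or password is configured. Auth-bound keys cannot be created without one. */
fun isLockScreenSet(context: Context): Boolean {
    val km = context.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) km.isDeviceSecure else km.isKeyguardSecure
}

/** Creates the key on first use. generateKey() throws IllegalStateException if no secure lock screen is set. */
@RequiresApi(Build.VERSION_CODES.M)
fun ensureConfirmCredentialsKey(): SecretKey {
    val keyStore = KeyStore.getInstance(PROVIDER).apply { load(null) }
    (keyStore.getKey(CONFIRM_KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(CONFIRM_KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
        .setUserAuthenticationRequired(true)
        // A validity window means the lock-screen credential unlocks the key; no CryptoObject is needed.
        .setUserAuthenticationValidityDurationSeconds(AUTH_VALIDITY_SECONDS)
        .build()
    return KeyGenerator.getInstance("AES", PROVIDER).apply { init(spec) }.generateKey()
}

/** Either a cipher ready to use, or the signal that the user has to confirm the device credential first. */
sealed class KeyAccess {
    data class Ready(val cipher: Cipher) : KeyAccess()
    object NeedsConfirmation : KeyAccess()
}

/** Tries to use the key. For encryption pass no IV and read cipher.iv afterwards; for decryption pass the stored IV. */
@RequiresApi(Build.VERSION_CODES.M)
fun tryInitCipher(mode: Int, iv: ByteArray? = null): KeyAccess {
    val cipher = Cipher.getInstance("AES/CBC/PKCS7Padding")
    return try {
        val key = ensureConfirmCredentialsKey()
        if (iv == null) cipher.init(mode, key) else cipher.init(mode, key, IvParameterSpec(iv))
        KeyAccess.Ready(cipher)
    } catch (e: UserNotAuthenticatedException) {
        // The last confirmation is older than AUTH_VALIDITY_SECONDS (or there was none yet).
        KeyAccess.NeedsConfirmation
    }
}

/** Launches the system's own Confirm Credentials screen; false means no secure lock screen is configured. */
@RequiresApi(Build.VERSION_CODES.M)
fun launchConfirmCredentials(activity: Activity): Boolean {
    val km = activity.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
    val intent = km.createConfirmDeviceCredentialIntent("Secrets Keeper", "Confirm your screen lock to open your secrets")
        ?: return false
    activity.startActivityForResult(intent, REQUEST_CONFIRM_CREDENTIALS)
    return true
}

/** Call from Activity.onActivityResult. RESULT_OK means tryInitCipher() will now succeed for the validity window. */
fun isConfirmCredentialsSuccess(requestCode: Int, resultCode: Int): Boolean =
    requestCode == REQUEST_CONFIRM_CREDENTIALS && resultCode == Activity.RESULT_OK
```

    The validation happens in the keystore, not in the app: a `RESULT_OK` that was somehow forged would still not unlock the key, because `Cipher.init` asks the keystore whether a real credential confirmation happened within the window. That is why the summary slide prefers this over a custom lock screen, which can only check a flag the app itself holds.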
  68. Afterword

  69. Summary
    - Android provides many possibilities to secure data, but not all of them work as designed
    - Do not use the Android Key Store API on pre-M devices
    - Use it only if you are not scared of losing the data (i.e. the data can be reloaded)
    - Choose the key algorithm that best fits your needs
    - Remember that asymmetric keys are not good for large data
  75. Summary
    - Use Initialization Vectors and a salt value for better protection
    - Fingerprint is not the main security option
    - Always handle key invalidation
    - Remember that there is a fingerprint compatibility helper (FingerprintManagerCompat in the support library)
    - Use Confirm Credentials instead of custom screen locks
  81. Security is a whole: none of this works if the application is running in a compromised environment.
  82. What's next? Key Attestation; integrity check (SafetyNet)

  83. Resources
    - JCA Documentation: http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
    - Android Keystore Documentation: https://developer.android.com/training/articles/keystore.html
    - Android Keystore Supported Algorithms: http://developer.android.com/training/articles/keystore.html#SupportedAlgorithms
    - Android Source: https://source.android.com/security/keystore/
  84. Resources
    - Fingerprint & Confirm Credentials Authentication: https://developer.android.com/about/versions/marshmallow/android-6.0.html
    - Fingerprint Google Sample: https://github.com/googlesamples/android-FingerprintDialog
    - Confirm Credentials Google Sample: https://github.com/googlesamples/android-ConfirmCredential
    - Android Arsenal, Security and Fingerprint tags: https://android-arsenal
  85. Resources
    - Nikolay Elenkov, book: https://www.amazon.com/Android-Security-Internals-In-Depth-Architecture/dp/1593275811
    - Nikolay Elenkov, blog: http://nelenkov.blogspot.com/
    - Dorian Cussen, blog: https://doridori.github.io/android-security-the-forgetful-keystore/
    - Courses: https://www.coursera.org/learn/crypto
  86. Thank you! Questions? Yakiv Mospan, Author, Android Developer @ Team Technologies. Svyatoslav Hromyak, Android Developer @ Team Technologies.