
Secure data in Android

External Workshop carried out at GDG DevFest Ukraine 2017.

Here we will focus on APIs available from API level 18 onwards, such as AndroidKeyStore, the Fingerprint API and the Confirm Credentials API.

This workshop can help both less experienced developers, who have created a few Android applications that had no security requirements, to learn the basics of protecting sensitive user data, and experienced developers who want to know about the Android SDK changes that were made to make data security easier.

Theoretical and practical parts will be mixed.

The practical part is supported by already prepared, partly completed samples, followed by slides with instructions.

Prerequisites:

Kotlin Gradle Plugin 1.1.51

Android SDK 26

Android Studio 3.0 Beta 7

Android Virtual Device API 18

Android Virtual Device API 23

Fetch or download sample source code from GitHub https://github.com/TeamTechnologies/security-workshop-sample

Yakiv Mospan

October 14, 2017

Transcript

  1. Secure data in Android. Remember to hard reset whenever you leave your device on the table. Yakiv Mospan, Author, Android Developer @ Team Technologies. Svyatoslav Hromyak, Android Developer @ Team Technologies.
  2. Prerequisites: Kotlin Gradle Plugin 1.1.51; Android SDK 26; Android Studio 3.0 Beta 7; Android Virtual Device API 18; Android Virtual Device API 23. Fetch or download sample source code from GitHub https://github.com/TeamTechnologies/security-workshop-sample #dfua
  3. Overview: Developing the Secrets Keeper application; Encryption in Android; Compatibility; Fingerprint and Confirm Credentials. Encryption: what is it, how does it work? #dfua
  4. How it works. (Diagram built up over slides 4–23; its labels: Plain data (Sensitive data, Financial data, Credentials); Key (Secret key, Private key, Public key); Algorithm (Symmetric: AES, DES; Asymmetric: RSA, EC); Cipher data, shown as "sh7aertsca..".) #dfua
  5. How it works. (Diagram only.)
  6. How it works. Sensitive data: personal life information, physical or mental health details, criminal or civil offences, private photos, private user documents, etc.
  7. How it works. Financial data: accounts, transactions, reports, credit card information, etc.
  8. How it works. Credentials: usernames, passwords, touch pincodes, fingerprint data, and all other stuff that can provide access to the data above.
  9. How it works. (Diagram only: Plain data and Algorithm highlighted.)
  10. How it works. Symmetric: the oldest and best-known technique. The encryption key and the decryption key are the same.
  11. How it works. Asymmetric: a modern branch of cryptography. Also known as public-key cryptography, in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm.
  12–16. How it works. (Diagram only: AES, DES, RSA, EC and then Key highlighted in turn.)
  17. How it works. Secret key: a single secret key which is used in conventional symmetric encryption to encrypt and decrypt a message.
  18. How it works. Private key, Public key: asymmetric key pair.
  19. How it works. (Repeats the Secret key definition from slide 17.)
  20. How it works. Public key: the public component of a pair of cryptographic keys used for encryption in asymmetric cryptography.
  21. How it works. (Diagram only: Cipher data highlighted.)
  22. How it works. Cipher data: the cipher output.
  23. How it works. (Diagram only: Key, Plain data and Cipher data highlighted.) #dfua
  24. Android builds on the Java Cryptography Architecture (JCA), which provides APIs for digital signatures, certificates, encryption, key generation and management. #dfua
  25. Architecture: Key Generator. Provides the public API for generating symmetric cryptographic keys. (Architecture diagram labels, slides 25–32: Keys, KeyPair Generator, Key Generator, Cipher, Certificate, Key Store, Secure Random, Provider.) #dfua
  26. Architecture: KeyPair Generator. An engine class which is capable of generating a private key and its related public key utilizing the algorithm it was initialized with.
  27. Architecture: Secure Random. Generates cryptographically secure pseudo-random numbers.
  28. Architecture: Keys. Keys created with Generators.
  29. Architecture: Key Store. A database with a well-secured mechanism of data protection, used to save, get and remove keys. Requires an entrance password and passwords for each of the keys.
  30. Architecture: Certificate. A certificate used to validate and save asymmetric keys.
  31. Architecture: Cipher. Provides access to implementations of cryptographic ciphers for encryption and decryption.
  32. Architecture: Provider. Defines a set of extensible, implementation-independent APIs. #dfua
  33. AndroidKeyStore: a JCA Provider implementation. No Keystore passwords (really, at all). Key material never enters the application process. Key material may be bound to the secure hardware. Asymmetric keys available from API 18+. Symmetric keys available from API 23+. #dfua
  34. The main goal of the sample application is to save user Secrets locally and keep them protected using the Encryption, Fingerprint and Confirm Credentials APIs. #dfua
  35. Requirements: support Android API 18+ devices; allow the user to access the application only if a Lock Screen is set; protect the user password with encryption; protect user Secrets with encryption; allow the user to access Secrets with Fingerprint; add additional Confirm Credentials protection. #dfua
  36. The project is separated into different Stages using Gradle flavors. A Stage represents a task that needs to be completed. A Stage can have subtasks, called Levels.
  37. If during the session you ran out of time, lost focus, came later than others or something just went wrong, select the next Stage or Level and continue working on it.
  38. Guides with more detailed information (what needs to be done to complete the stage, and full code snippets) are placed in the Readme file. On each Stage you need to listen to the explanations and follow the Guide steps.
  39. Checklist, Encryption Stage - Level 1: Lock Screen and Keyguard; choose a key; create storage for the key; create a master key and save it; use the key to encrypt / decrypt Secrets and the User Password; protect data. #dfua
  40. Checklist, Encryption Stage - Level 2: encrypt large data; create a symmetric key with the Default Provider; create a symmetric key with the Android Provider; wrap / unwrap the key with Cipher. #dfua
  41. Checklist, Encryption Stage - Level 3: Initialization Vector; encryption with an Initialization Vector; decryption with an Initialization Vector; protect data with an Initialization Vector. #dfua
  42. Checklist, Encryption Stage - Level 4: the key invalidation issue; Default Keystore; save the symmetric key in the Default Keystore; protect data and compatibility issues. #dfua
  43. Checklist, Fingerprint Stage: Fingerprint Manager; fingerprint authentication; fingerprint key; Fingerprint Crypto Object; validate fingerprint authentication. #dfua
  44. Summary. Android provides a variety of possibilities to secure data, but not all of them work as designed. Do not use the Android Key Store API on pre-M devices, or use it only if you are not scared to lose data (data that can be reloaded). Choose the key algorithm that is best for your needs. Remember that asymmetric keys are not good for large data. #dfua
  50. Summary. Use Initialization Vectors and a Salt value for better protection. Fingerprint is not the main security option. Always handle cases of key invalidation. Remember that there is a fingerprint compatibility helper. Use Confirm Credentials instead of custom screen locks. #dfua
  56. Security is a complex whole. None of the above will work if the application is running in a compromised environment. #dfua
  57. Resources: JCA Documentation http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html; Android Keystore Documentation https://developer.android.com/training/articles/keystore.html; Android Keystore Supported Algorithms http://developer.android.com/training/articles/keystore.html#SupportedAlgorithms; Android Source https://source.android.com/security/keystore/ #dfua
  58. Resources: Fingerprint & Confirm Credentials Authentication https://developer.android.com/about/versions/marshmallow/android-6.0.html; Fingerprint Google Sample https://github.com/googlesamples/android-FingerprintDialog; Confirm Credentials Google Sample https://github.com/googlesamples/android-ConfirmCredential; Android Arsenal, Security and Fingerprint tags https://android-arsenal #dfua
  59. Resources: Nikolay Elenkov, Book https://www.amazon.com/Android-Security-Internals-In-Depth-Architecture/dp/1593275811; Nikolay Elenkov, Blog http://nelenkov.blogspot.com/; Dorian Cussen, Blog https://doridori.github.io/android-security-the-forgetful-keystore/; Courses https://www.coursera.org/learn/crypto #dfua
  60. Thank You! Questions? Yakiv Mospan, Author, Android Developer @ Team Technologies. Svyatoslav Hromyak, Android Developer @ Team Technologies.