Secure Communication in Client-Server Android Apps

Transcription

1 Secure Communication in Client-Server Android Apps With a bias towards mobile banking applications. AFRICA HACKON CONFERENCE, Convergent Security.

2 whoami Masters Candidate Ethical Hacker Web Developer Jazz fan (before Safaricom made everyone a jazz fan). Information Security consultant. Government and private sector experience. Former student leader.

3 USIU Student Government No demonstrations during our time. Wanted to create app to solve communication problem. Needed to convey sensitive information. CIA was key but mostly CI. Should support devices all the way to 1.6. Ideos especially (back then it was the ish). Corptabs was born.

4 Agile-ish development. Lots of Google-Stackoverflowing Non-secure P.O.C was formed. Set up SSL on localhost which Android declined. Purchased SSL certificate from namecheap. Set it up based on my own knowledge. Worked only on later Android devices (4.0 and above). Failed to work on my humble Android 2.1 device. Back to Google-Stackoverflowing.

5 With a web browser, it is generally quite easy to recognize when a third party is tampering with a secure connection. This is due to warning pages presented by browsers when something is fishy with the SSL certificate, such as a certificate that has not been signed by a trusted authority. Mobile applications, on the other hand, cannot always be counted on to display such a warning or even recognize when something is amiss.

6 TrustAllHosts(). Demo

7 Onward Figured out the problem was the certificate chain and fixed. These days the certificate chain is no longer a problem. Two intermediate certs in the store. Now supported almost all Android phones with a $10 certificate. Hardened server to A+ standard by removing outdated cipher suites and outdated protocols especially SSL. This is to protect against SSL Downgrade Attack.

8 Problems with SSL: Trusting all Certificates - The TrustManager interface can be implemented to trust all certificates, irrespective of who signed them or even for what subject they were issued. Trusting many Certificate Authorities (CA) Allowing all Hostnames Self-signed server certificate

9 A+ standard?

10 F Standard

11 NoSSLV3 Phone still downgrading to SSLv3. Mostly when network is low. Removed SSLv3 with the NoSSLv3 class. So far so Good.

12 Success? Not quite. If an intruder still wanted to read the contents being sent to the server, they could. Install root CA and set up device on proxy server. How can this be done? Remotely? Possibly. Finfisher and the likes. IT Department on Corporate network and corporate phone? Absolutely. Convergent Security. Can I borrow your phone for a sec? While on a public network, NO! Demo. Stolen root intermediate and root certificates ( By default, your App likely validates against all of the CA certificates that ship with Android, but that means any single compromised CA in the total set can potentially compromise your communication (even if it s not the CA you re using) Solution?

13 MITM Proxy Demo In order to be able to observe HTTPS traffic, we install the root CA certificate on the device. This allows the app to verify certificates that were signed allowing the TLS handshake to happen between the app and Charles. We then forwards the app s request to the backend using normal HTTPS protocols. Demo with live banking app.

14 Damn Customers want apps. What to do?

15 Remediation Certificate pinning done right. For f*cks sake, hash and salt passwords. Don t send password with every request (Guilty as charged). Use cookies instead (will only support 2.3 and above on Android). All these solutions available on Constantly check the certificates installed on your device. Obfuscate URLs. Demo of soln.

16 Remediation: Certificate Pinning Pinning is the process of associating a host with their expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. Certificate Pinning can be done two different ways: by pinning the certificate itself, or by pinning just the public key.

17 Pinning

18 Future Do this on a self signed setup. Improvements as they come.

19 Thankyou

20 Emmanuel Chebukati, CEH, ISA.