Android security enforcements

Similar documents
The Android security jungle: pitfalls, threats and survival tips. Scott

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

ME?

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

MBFuzzer - MITM Fuzzing for Mobile Applications

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

When providing a native mobile app ruins the security of your existing web solution. CyberSec Conference /11/2015 Jérémy MATOS

Welcome to the OWASP TOP 10

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Bank Infrastructure - Video - 1

CSCE 813 Internet Security Final Exam Preview

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

CPSC 467: Cryptography and Computer Security

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم

Mobile hacking. Marit Iren Rognli Tokle

C1: Define Security Requirements

Security Enhancements in Informatica 9.6.x

Cisco Desktop Collaboration Experience DX650 Security Overview

DoD Wireless Smartphone Security Requirements Matrix Version January 2011

Man in the Middle Attacks and Secured Communications

Evaluating the Security Risks of Static vs. Dynamic Websites

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Salesforce1 Mobile Security White Paper. Revised: April 2014

Information Security in Corporation

Connecting Securely to the Cloud

Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4

CS November 2018

1 About Web Security. What is application security? So what can happen? see [?]

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Zimperium Global Threat Data

Advanced Android Security APIs. KeyStore and Crypto VPN

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Most Common Security Threats (cont.)

Computers and Security

WHITE PAPER. Authentication and Encryption Design

MOBILE THREAT LANDSCAPE. February 2018

Network Security and Cryptography. December Sample Exam Marking Scheme

Effective Strategies for Managing Cybersecurity Risks

Crypto meets Web Security: Certificates and SSL/TLS

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Security Specification

e-commerce Study Guide Test 2. Security Chapter 10

CSE484 Final Study Guide

Security+ SY0-501 Study Guide Table of Contents

Abusing Android In-app Billing feature thanks to a misunderstood integration. Insomni hack 18 22/03/2018 Jérémy MATOS

Securing Internet Communication: TLS

Recommendations for Device Provisioning Security

CLX.MAP & Mobile Security

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Web Application Vulnerabilities: OWASP Top 10 Revisited

Defeating All Man-in-the-Middle Attacks

Web Application Penetration Testing

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Introduction and Overview. Why CSCI 454/554?

DreamFactory Security Guide

Authentication CHAPTER 17

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Radius, LDAP, Radius, Kerberos used in Authenticating Users

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Protecting app secrets in Android

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

CPSC 467b: Cryptography and Computer Security

Software Vulnerability Assessment & Secure Storage

McAfee Certified Assessment Specialist Network

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Who Am I? Mobile Security chess board - Attacks & Defense. Mobile Top 10 - OWASP. Enterprise Mobile Cases

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

But where'd that extra "s" come from, and what does it mean?

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Lecture 08: Networking services: there s no place like

Linux Network Administration

Sichere Software vom Java-Entwickler

Android Application Sandbox. Thomas Bläsing DAI-Labor TU Berlin

SSH. Partly a tool, partly an application Features:

Mobile Security Fall 2014

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Contents. xvii xix xxiil. xxvii

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

TECHNICAL WHITE PAPER Penetration Test. Penetration Test. We help you build security into your software at every stage. 1 Page

Enterprise Ready. Sean Yarger. Sr. Manager, Mobility and Identity. Making Android Enterprise Ready 1

Mobile Devices prioritize User Experience

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

RISKS HIDING IN PLAIN SIGHT: MOBILE APP CYBER THREAT & VULNERABILITY BENCHMARKS. BRIAN LAWRENCE SENIOR SECURITY ENGINEER

Studying TLS Usage in Android Apps

Uniform Resource Locators (URL)

Securing Connections for IBM Traveler Apps. Bill Wimer STSM for IBM Collaboration Solutions December 13, 2016

Web Tap Payment Authentication and Encryption With Zero Customer Effort

Ethical Hacking and Prevention

Mobile Security Fall 2013

Securing Connections with Digital Certificates in Router OS. By Ezugu Magnus PDS Nigeria

Vidder PrecisionAccess

Scan Report Executive Summary

Findings for

Transcription:

Android security enforcements

Hello DroidCon! Javier Cuesta Gómez Android Engineer manager @Grab

Android 2017 security 450 reports $1.1 payout The most difficult OWASP security risks: Unintended data leakage - 65% Weak server side controls - 62% Client side injections - 60% Poor Authorization and Authentication - 50% Insufficient transport layer protection - 47%

Main vulnerable code reasons 1 Rush to release 2 Accidental coding errors 3 Lack of policies requirements

ANDROID

SOFTWARE ARCHITECTURE Android application perimeter S E C U R I T Y PRESENTATION Information, display DOMAIN Business logic, calculations DATA Database, messaging systems

SECURITY ENHANCED ARCHITECTURE Android application perimeter SECURITY Threat prevention, authentication, authorisation, sla PRESENTATION Information, display DOMAIN Business logic, calculations DATA Database, messaging systems

ANDROID O - PROJECT TREBLE Android Apps CTS Developer api Android OS framework VTS Vendor Interface Vendor implementation

CODE DATA COMMS ROOT

Enforce security... In your code

REVERSE ENGINEERING extracting knowledge or design information from anything man-made. Download APK from black markets APK MIRROR Use reverse engineering tools APK TOOL Knowledge taking: Consumer basis: Analysing and understanding behaviour White hat: security analysis, penetration tests, bug detection, reporting Black hat: updating features, malware, exploits, virus

REVERTING TESTAPP.APK decode resources to nearly original form rebuild them after making some modifications Apktool UNZIP Apks are nothing more than a zip file containing resources and assembled java code. classes.dex and resources.arsc. DECODING: apktool d testapp.apk apktool d foo.jar BEHAVIOURAL MODIFICATION. Check bypass BUILDING: apktool b foo.jar.out

WhatsApp PLUS became one of the best and most used unofficial modes for WhatsApp, allowing users to customize many aspects of the popular instant messaging service with features that the official client doesn't include by default. WhatsApp Plus has been forced to shut down by WhatsApp in January 2015 due to a cease and desist order.

Proguard & DexGuard Smaller sized.apk file that is more difficult to Reverse engineer Build.gradle MinifyEnabled true proguard-rules.txt create proguard-rule -keepattributes *Annotation* -keep public class * extends java.lang.exception -dontwarn com.crashlytics.** -printmapping mapping.txt

NEW IN ANDROID O Better App Management and Controls - malware Lot of verification at Play Store to ensure no malware is present, but users can side-load an application from a third-party app store. setting permissions on a per-app basis, instead of globally allowing all applications to install if the checkbox is enabled, will forced to decide whether they want to download it and what it s permissions should be.

Enforce security... In your data

CRYPTOGRAPHY Techniques for secure data in the presence of third parties called intruders Keychain or Android Keystore Provider? KeyChain API, system-wide credentials Android Keystore provider, individual app store its own credentials. only the app itself can access Common usages Android lock up screen methods. Pattern, Pin, FingerPrint Android pay

CRYPTOGRAPHY Keystore and fingerprint APIs Javax.crypto Ciphers Java.security (available since Android API 1) Algorithms Symmetric: same key (secret), to encrypt and decrypt. AES, DES, Blowfish Asymmetric: different keys. Public and Private. RSA, SHA-512 Passphrase & seeds Preprocessed hashed (gradle scripts) App specific Os information Where to store the keys KeyChain, KeyStore (API 18 4.3 Jelly Bean) SP, DB (being keys encrypted symmetric)

RECOMMENDED Do not save data on the device Android EXTERNAL data storage Use a binary serialized format Secure sensitive data that does not need to be displayed (such as passwords) as a hash. A hash is one-way, it cannot be un-hashed or decrypted. encrypt all sensitive information. Facebook conceal library. Android INTERNAL data storage secure because of Android sand boxing its apps. UID level control on the files. Unprotected against rooting and ADB allowing developers to copy data off devices,

NEW IN ANDROID O SANDBOXING STRATEGY Separating general Android functionality from manufacturer-specific code has tangible security benefits. Updatability is a big part of it, but Treble is also really good for helping us sandbox different parts of the operating system There s now this contrast between the [pure Android] pieces and the device-dependent pieces. If you have an exploit in one side, it is now much harder for that to then exploit the other

Enforce security... In your Communications

MAN-IN-THE-MIDDLE middle between client and server. eavesdropping or changing the data. WiFi Analyzer: helps you find a good spot Wireless Tether: create free_wifi hotspot ConnectBot: figure out what the WiFi interface is actually called Shark for Root: logging packets A STEP FURTHER Data Siphon: redirects all traffic from his rogue AP to a network which housed machines. (Real Time)

CERTIFICATE PINNING storing the information for digital certificates/public keys Store server certificate within app. What if server certificate gets updated/renewed? Replacing the system s TrustStore with one that only contains specific white-listed certificates. ping against public certificate Hash

CERTIFICATE PINNING public OkHttpClient.Builder gethttpclientbuilder(boolean addsessionid) { CertificatePinner certificatepinner = new CertificatePinner.Builder().add(getPassengerAPIHost(), BuildConfigHelper.CA_CERT).build(); OkHttpClient.Builder builder = new OkHttpClient.Builder().connectTimeout(CONNECTION_TIMEOUT, TimeUnit.MILLISECONDS).addInterceptor(mLoggingInterceptor).addInterceptor(HttpHeaderUtils.createRequestInterceptor(addSessionId)); if (getcertpinswitch().iscertpinon()) { builder.certificatepinner(certificatepinner); } } return builder;

RECOMMENDED 1. Always use SSL connections if there is anything sensitive - apps data. 2. Never use self signed certificates in production. 3. Disable HTTP redirects in your networking library/code. Some libraries disable this by default. Having these enabled can make MITM attacks a lot easier. 4. If the user is inputting data, always escape it using URLEncoder.encode (userinput, UTF-8 ); if the data will be used as part of a URL, DB queries as well as if you re saving the input to a JSON or XML file. 5. Set a maximum length on every field that requires user input. 6. Validate the input.

NEW IN ANDROID O Better, More Secure Protocols Oreo s attention to deprecating older insecure protocols for network connections. The use of SSLv3 for secure HTTPS connections is being discontinued, this prevents the device and its apps from using a known insecure protocol that could leak sensitive data, Google has also hardened certain network connection APIs from not falling back to older TLS versions that can leak sensitive data.

Enforce security... In android os

ROOTING DEVICES Unlocking the operating system Custom ROM Flashing Flash a ROM with a modified operating system Advantages: root access is permanent Disadvantages: updates must be shipped by the ROM provider Risks: trust the ROM provider Soft Flashing keep the factory ROM provided by the manufacturer, modifying it How: custom recovery image to the smartphone Exploiting Advantages: normally gained through a special one click application. Unroot the device by simply update Disadvantages: root access is just gained temporary

ROOT DETECTION specific packages and files, directory permissions, running certain commands. Checking the BUILD tag for test-keys. By default, stock Android ROMs from Google are built with release-keys tags Checking for Over The Air (OTA) certs. Existence of su in the path and some other hard-coded directories Multiple libraries available in Github, most common RootTools Installed files and packages Superuser.apk Com.noshufou.android.su / com.thirdparty.superuser/ eu.chainfire.supersu.

NEW IN ANDROID O Verified Boot System Verified Boot goes a step further and prevents users or hackers from booting to older more vulnerable versions of the OS an adversary may have rolled the system back to. The feature also supports the ability for apps and mobile device management firms to secure hardware areas of an Android device upon boot.

thanks

QUESTIONS @javicuesta javier.cuesta.gomez@gmail.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback