The Android security jungle: pitfalls, threats and survival tips. Scott Alexander-Bown


The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab

The Jungle: Ecosystem; Google's protection; Threats; Risks

Survival: Network; Data protection (encryption); App/device integrity; App binary security; Testing

Scott Alexander-Bown: Lead Android Dev (remote) at Intohand; Co-Author of the Android Security Cookbook; Co-Founder of SWmobile

1.4 Billion users

OpenSignals.com

Security services
Google Play approval process (human review since 2015)
Developer security notifications
Android Bouncer
Android Device Manager (device security)
SafetyNet (intrusion detection)
Android for Work

Slide from Adrian Ludwig's "Android Security State of the Union"

Newer versions of Android are more secure:
1.5: stack buffer and integer overflow protection
2.3+: null pointer dereference mitigation, NX
4.0+: ASLR
4.1+: ASLR strengthened (PIE executables)
4.3: Security-Enhanced Linux (permissive mode)
5.0: Security-Enhanced Linux, enforcing
Updatable WebView (via the Play Store)

Threats

Threats: App hijacking, i.e. taking an existing app, adding malware and redistributing it.
Concerns: reversing Android apps is easy; there is no certificate authority for app signing (APKs are self-signed, so a modified APK can simply be re-signed with any key); sideloading bypasses the Play Store entirely.

I ain't got time to (heart)bleed

OWASP Mobile Security Project: iOS and Android Top 10 risks, attack vectors, threat agents, impacts

OWASP Mobile Top 10 risks (2014)
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections

Survival kit

Survival tips
1. Harden the network communications
2. Protect stored data (encryption)
3. Validate the device and app integrity
4. Increase binary security

Network communications: Use SSL/TLS! Use the platform's SSL/TLS validation (i.e. don't disable it with a permissive TrustManager or HostnameVerifier!). Use only strong cipher suites (128-bit+) and modern TLS versions (TLS v1.2). OkHttp 2.1 lets you configure this: https://publicobject.com/2014/11/12/okhttp-2-1/

Looks like you're not using SSL pinning? Devices ship with 100+ Certificate Authorities (CAs) and users can install their own. Pinning restricts which certificates or public keys the app will accept, instead of trusting every CA on the device. Two types: certificate pinning and public key pinning.

Public key pinning

Patch against SSL exploits: Google Play Services provides a dynamic security provider.
ProviderInstaller.installIfNeeded(getContext());
https://developer.android.com/training/articles/security-gmsprovider.html#patching
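The one-liner on the slide is the whole story only when Play Services is present and current. As an added example (not code from the talk), the asynchronous form below handles the two failure modes the ProviderInstaller API reports: a user-resolvable problem (Play Services outdated or disabled), for which the standard recovery dialog is shown, and an unresolvable one (no Play Services at all), in which case the app must decide whether to proceed with the unpatched platform provider. The class name, the request code and the `onReady` callback are this example's own.

```java
import android.app.Activity;
import android.content.Intent;
import android.util.Log;
import com.google.android.gms.common.GoogleApiAvailability;
import com.google.android.gms.security.ProviderInstaller;

public final class TlsProviderPatch {
    private static final String TAG = "TlsProviderPatch";
    private static final int ERROR_DIALOG_REQUEST_CODE = 1;   // hypothetical request code

    /** Callback invoked once the app knows whether it is running on a patched provider. */
    public interface OnReady {
        void ready(boolean providerPatched);
    }

    /** Call from onCreate(); do not open TLS connections until the callback fires. */
    public static void installAsync(final Activity activity, final OnReady onReady) {
        ProviderInstaller.installIfNeededAsync(activity, new ProviderInstaller.ProviderInstallListener() {
            @Override
            public void onProviderInstalled() {
                onReady.ready(true);
            }

            @Override
            public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
                GoogleApiAvailability api = GoogleApiAvailability.getInstance();
                if (api.isUserResolvableError(errorCode)) {
                    // Play Services is outdated/disabled: let the user fix it rather than silently
                    // continuing with a provider that may carry known SSL/TLS bugs.
                    api.showErrorDialogFragment(activity, errorCode, ERROR_DIALOG_REQUEST_CODE);
                } else {
                    Log.e(TAG, "Play Services unavailable, TLS provider not patched (code " + errorCode + ")");
                }
                onReady.ready(false);
            }
        });
    }
}
```

A security-sensitive app can refuse to talk to its backend when `ready(false)` is delivered; a less strict one should at least disable weak protocol versions on its own sockets, since the unpatched provider on older devices may still negotiate SSLv3 or export-grade suites.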

Tips

Code in a slide :( Password-based encryption

Encryption libraries
Conceal: https://facebook.github.io/conceal
SQLCipher: https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
Secure-Preferences (or Hawk): https://github.com/scottyab/secure-preferences

Hardcoded encryption key: a key embedded in the APK is recoverable by anyone who decompiles it, so it provides obfuscation rather than encryption.

Verifying app integrity: debuggable check; APK checksum; signing certificate verification

Signing certificate verification
Build time:
1. Get your certificate signature: $ keytool -list -v -keystore your_app.keystore
2. Embed it in the app: String CERTIFICATE_SHA1 = "71920AC9486E087DCBCF5C7F6F...";
Runtime:
3. Get the Signature from the PackageManager
4. Hash the Signature
5. Compare the signature hash strings
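The three app-integrity checks from the previous two slides (debuggable flag, APK checksum, signing certificate) together, as an added example that is not the talk's own code. `Signature.toByteArray()` returns the DER certificate, which is exactly what `keytool -list -v` fingerprints, so hashing it with SHA-1 and comparing against the keytool output (colons removed) implements steps 3 to 5 of the slide. The placeholder fingerprint, the class name and the choice of CRC-32 over classes.dex are this example's own.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.IOException;
import java.security.MessageDigest;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public final class AppIntegrity {
    // Step 2 from the slide: the SHA1 fingerprint printed by `keytool -list -v`, colons removed.
    // Hypothetical placeholder: replace with the fingerprint of your release keystore.
    private static final String EXPECTED_CERT_SHA1 = "0000000000000000000000000000000000000000";

    /** True when the running build was compiled with android:debuggable="true". */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Steps 3 to 5: fetch the signing certificate, hash it, compare with the embedded fingerprint. */
    public static boolean signatureMatches(Context ctx) {
        try {
            // GET_SIGNATURES is deprecated from API 28; use GET_SIGNING_CERTIFICATES / signingInfo there.
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                byte[] digest = MessageDigest.getInstance("SHA-1").digest(sig.toByteArray());
                if (constantTimeEquals(toHex(digest), EXPECTED_CERT_SHA1)) return true;
            }
        } catch (Exception e) {
            // A missing package or digest algorithm is a failed check, never a pass.
        }
        return false;
    }

    /** CRC-32 of classes.dex inside the installed APK; compare it against a value held server-side. */
    public static long dexCrc(Context ctx) throws IOException {
        ZipFile apk = new ZipFile(ctx.getApplicationInfo().sourceDir);
        try {
            ZipEntry dex = apk.getEntry("classes.dex");
            if (dex == null) throw new IOException("classes.dex missing");
            return dex.getCrc();   // read from the zip central directory, so this is cheap
        } finally {
            apk.close();
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /** Compares without early exit so the match position does not leak through timing. */
    private static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }
}
```

Treat these as tamper evidence, not tamper proofing: whoever repackages the APK can also remove the check, which is why the talk pairs them with obfuscation and a server-side comparison (send the CRC and the signature hash to the backend rather than branching on them only in the client).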

Verifying device integrity
Emulator check: https://github.com/strazzere/anti-emulator
Google SafetyNet test: https://github.com/scottyab/safetynethelper

root@android:/ #
Root apps / dangerous apps; suspect system properties; su/BusyBox binaries; /system mounted read-write
https://github.com/scottyab/rootbeer
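An added example (not the anti-emulator or RootBeer code) showing the heuristics the two device-integrity slides list: Build constants for emulator detection, and test-keys, su/BusyBox binaries, suspect system properties and a read-write /system for root detection. Each check returns a reason string rather than a bare boolean so the app can log what fired. The path list and the class name are this example's own.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

public final class DeviceIntegrity {
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su", "/su/bin/su",
        "/system/xbin/busybox", "/system/bin/busybox"
    };

    /** Emulator hints from Build constants; "goldfish"/"ranchu" are the emulator kernels. */
    public static List<String> emulatorIndicators() {
        List<String> hits = new ArrayList<String>();
        if (Build.FINGERPRINT.startsWith("generic")) hits.add("fingerprint=" + Build.FINGERPRINT);
        if (Build.MODEL.contains("google_sdk") || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")) hits.add("model=" + Build.MODEL);
        if ("goldfish".equals(Build.HARDWARE) || "ranchu".equals(Build.HARDWARE)) hits.add("hardware=" + Build.HARDWARE);
        if (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic")) hits.add("brand/device generic");
        return hits;
    }

    public static List<String> rootIndicators() {
        List<String> hits = new ArrayList<String>();
        // 1. test-keys: the build was signed with the public AOSP keys, typical of custom ROMs.
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) hits.add("tags=" + Build.TAGS);
        // 2. su / busybox binaries on the usual paths.
        for (String p : SU_PATHS) if (new File(p).exists()) hits.add("binary " + p);
        // 3. Suspect system properties: ro.debuggable=1 and ro.secure=0 are not production settings.
        if ("1".equals(getprop("ro.debuggable"))) hits.add("ro.debuggable=1");
        if ("0".equals(getprop("ro.secure"))) hits.add("ro.secure=0");
        // 4. /system mounted read-write.
        if (systemMountedRw()) hits.add("/system is rw");
        return hits;
    }

    /** Reads one property through the getprop binary (SystemProperties is not public API). */
    static String getprop(String name) {
        try {
            Process p = Runtime.getRuntime().exec(new String[] { "getprop", name });
            BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
            String v = r.readLine();
            r.close();
            return v == null ? "" : v.trim();
        } catch (IOException e) {
            return "";
        }
    }

    /** /proc/mounts lines look like: device mountpoint fstype options dump pass */
    static boolean systemMountedRw() {
        BufferedReader r = null;
        try {
            r = new BufferedReader(new FileReader("/proc/mounts"));
            String line;
            while ((line = r.readLine()) != null) {
                String[] f = line.split(" ");
                if (f.length >= 4 && "/system".equals(f[1])) {
                    for (String opt : f[3].split(",")) if ("rw".equals(opt)) return true;
                }
            }
        } catch (IOException ignored) {
            // unreadable /proc/mounts: report "not rw" rather than a false positive
        } finally {
            if (r != null) try { r.close(); } catch (IOException ignored) { }
        }
        return false;
    }
}
```

All of these are heuristics that root-hiding tools explicitly target (renamed su binaries, hooked File.exists, spoofed Build fields), so combine them with the SafetyNet attestation from the previous slide, which is evaluated by Google rather than on the possibly compromised device.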

Obfuscation

ProGuard: Java code obfuscator; part of the Android SDK; free as in beer! ReTrace (de-obfuscating stack traces) is supported by error-handling services such as Crashlytics.

DexGuard: commercial version of ProGuard; designed for Android and for protection; useful security utils such as SSL pinning, root check, logging removal etc. My favourite features: string encryption, API hiding.

Quick Android Review Kit (QARK): Python script; works with .apk or source code; automated tests for weaknesses and exploits; creates exploit APKs. https://github.com/linkedin/qark

Click here for more!
42+ Secure mobile development tips: http://bit.ly/viafor42
OWASP Mobile security risks: http://bit.ly/owaspmobile
Android Security Cookbook [book]: http://bit.ly/mscefu
Android Security Internals [book]: http://bit.ly/andsecint
Droidsec (whitepapers): droidsec.org/wiki

Thanks @gotocph @intohand 20th Century Fox Android security team

Questions? dev@scottyab.com / @scottyab / github.com/scottyab. Remember to rate this session. Thank you.

WebView
Before: getSettings().setJavaScriptEnabled(false); getSettings().setAllowFileAccess(false)
During: WebViewClient.shouldOverrideUrlLoading() to enforce local content or HTTPS to whitelisted hosts/URLs; shouldInterceptRequest() to intercept XmlHttpRequests and other sub-resource loads
After: webView.clearCache(true)
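The Before/During/After WebView slide as one working class, added here as an example rather than taken from the talk. The same allow-list decision is applied in both `shouldOverrideUrlLoading` (top-level navigations) and `shouldInterceptRequest` (XHR, scripts, images), since a page that cannot navigate to an attacker's host can still exfiltrate data through a sub-resource request if only the first hook is implemented. The host list and class names are hypothetical.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class HardenedWebView {
    // Hypothetical allow-list for this example; exact host match, no suffix matching.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("app.example.com", "cdn.example.com"));

    /** "Before": lock the settings down before any content is loaded. */
    public static void configure(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(false);                 // enable only if the content really needs it
        s.setAllowFileAccess(false);                   // no file:// reads (default was true before API 30)
        s.setAllowContentAccess(false);                // no content:// provider reads
        s.setAllowFileAccessFromFileURLs(false);       // API 16+: stop local pages reading local files
        s.setAllowUniversalAccessFromFileURLs(false);  // API 16+: stop local pages reaching any origin
        wv.setWebViewClient(new AllowListClient());
    }

    /** One decision for navigations and sub-resources: bundled assets, or HTTPS to allowed hosts. */
    static boolean isAllowed(String url) {
        if (url.contains("..")) return false;          // no traversal out of the asset directory
        Uri u = Uri.parse(url);
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
        String host = u.getHost() == null ? "" : u.getHost().toLowerCase(Locale.ROOT);
        if ("file".equals(scheme)) return url.startsWith("file:///android_asset/");
        return "https".equals(scheme) && ALLOWED_HOSTS.contains(host);
    }

    static final class AllowListClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            // Returning true means "handled by the app", so the navigation is dropped.
            return !isAllowed(url);
        }

        @Override
        public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
            if (isAllowed(url)) return null;          // null lets the WebView fetch it normally
            // Serve an empty body so the request never leaves the app.
            return new WebResourceResponse("text/plain", "utf-8", new ByteArrayInputStream(new byte[0]));
        }
    }

    /** "After": drop cached content and history when the session ends. */
    public static void teardown(WebView wv) {
        wv.clearCache(true);
        wv.clearHistory();
        wv.loadUrl("about:blank");
    }
}
```

If JavaScript has to be enabled, also avoid `addJavascriptInterface` on devices below API 17 (where any method of the injected object, including reflection, was reachable from page script), and keep the allow-list exact-match: an `endsWith(".example.com")` test is satisfied by `evil-example.com` only if the dot is forgotten, but `example.com.attacker.net` style tricks are caught only by comparing the whole host.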