The Android security jungle: pitfalls, threats and survival tips
Scott Alexander-Bown, @scottyab
The Jungle: ecosystem, Google's protection, threats, risks
Survival: network, data protection (encryption), app/device integrity, app binary security, testing
Scott Alexander-Bown: Lead Android Dev (remote) at Intohand; co-author of Android Security Cookbook; co-founder of SWmobile
1.4 Billion users
OpenSignals.com
Security services: Google Play approval process (human approval since 2015), developer security notifications, Android Bouncer, Android Device Manager (device security), SafetyNet (intrusion detection), Android at Work
Slide from Adrian Ludwig's "Android Security State of the Union"
Newer versions of Android are more secure:
1.5: stack buffer and integer overflow protection
2.3+: null pointer dereference mitigation, NX
4.0+: ASLR
4.1+: ASLR strengthened
4.3: Security-Enhanced Linux
5.0: Security-Enhanced Linux enforcing; updatable WebView (via Play Store)
Threats
Threats: app hijacking, i.e. taking an app and adding malware. Concerns: reversing Android apps is easy; no certificate authority is needed to sign an APK; sideloading.
I ain't got time to (heart)bleed
OWASP Mobile Security Project: iOS and Android top 10 risks, attack vectors, threat agents, impacts
OWASP top 10 risks:
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Survival kit
Survival tips:
1. Harden the network communications
2. Protect stored data (encryption)
3. Validate the device and app integrity
4. Increase binary security
Network communications: use SSL/TLS! Use the platform SSL/TLS validation (i.e. don't disable it!). Use only strong cipher suites (128-bit+) and TLS versions (TLS v1.2). OkHttp 2.1: https://publicobject.com/2014/11/12/okhttp-2-1/
Looks like you're not using SSL pinning? Devices ship with 100+ Certificate Authorities (CAs) and users can install their own. Pinning limits which root CAs are trusted. Two types: certificate pinning and public key pinning.
Public key pinning
Patch against SSL exploits: Google Play Services provides a dynamic security provider. ProviderInstaller.installIfNeeded(getContext()); https://developer.android.com/training/articles/security-gmsprovider.html#patching
Tips
Code in a slide :(
Password-based encryption
Encryption libraries:
Conceal https://facebook.github.io/conceal
SQLCipher https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
Secure-Preferences (or Hawk) https://github.com/scottyab/secure-preferences
Hardcoded encryption key
Verifying app integrity: debuggable check, APK checksum, signing certificate verification
Signing certificate verification
Build-time:
1. Get your certificate signature: $ keytool -list -v -keystore your_app.keystore
2. Embed it in the app: String CERTIFICATE_SHA1 = "71920AC9486E087DCBCF5C7F6F";
Runtime:
3. Get the Signature from the PackageManager
4. Hash the Signature
5. Compare the signature hash strings
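The runtime half of that procedure (steps 3 to 5) as an added Java example; it is not code from the slides. It assumes the release certificate's full SHA-1 fingerprint from keytool has been pasted into CERTIFICATE_SHA1 (the value below is a placeholder) and that the check runs inside an Android Context.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public final class SignatureCheck {
    // PLACEHOLDER: the full SHA-1 fingerprint printed by
    // `keytool -list -v -keystore your_app.keystore`, colons removed, upper case.
    private static final String CERTIFICATE_SHA1 = "REPLACE_WITH_RELEASE_CERT_SHA1";

    /** Returns true only if every signer of the running APK hashes to CERTIFICATE_SHA1. */
    public static boolean isSignedWithReleaseCert(Context context) {
        try {
            // GET_SIGNATURES is the API available at the time of the talk; on
            // API 28+ the equivalent is GET_SIGNING_CERTIFICATES / PackageInfo.signingInfo.
            PackageInfo info = context.getPackageManager().getPackageInfo(
                    context.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] signatures = info.signatures;
            if (signatures == null || signatures.length == 0) {
                return false;
            }
            byte[] expected = CERTIFICATE_SHA1.getBytes(StandardCharsets.US_ASCII);
            for (Signature signature : signatures) {
                // Step 4: hash the DER-encoded signing certificate with SHA-1.
                byte[] digest = MessageDigest.getInstance("SHA-1").digest(signature.toByteArray());
                byte[] actual = toHex(digest).getBytes(StandardCharsets.US_ASCII);
                // Step 5: constant-time comparison; a repackaged APK is re-signed
                // with a different certificate and fails here.
                if (!MessageDigest.isEqual(expected, actual)) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format(Locale.ROOT, "%02X", b));
        }
        return sb.toString();
    }
}
```

Whoever repackages the APK can also patch this check out, so it raises the bar rather than settling the question; pairing it with ProGuard/DexGuard obfuscation makes the check harder to find and remove.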
Verifying device integrity:
Emulator check https://github.com/strazzere/anti-emulator
Google SafetyNet test https://github.com/scottyab/safetynethelper
root@android:/ #
Root detection: root apps / dangerous apps, suspect system properties, su/BusyBox binaries, RW /system. https://github.com/scottyab/rootbeer
Obfuscation
ProGuard: Java code obfuscator. Part of the Android SDK. Free as in beer! ReTrace is supported by error-handling services such as Crashlytics.
DexGuard: commercial version of ProGuard, designed for Android and for protection. Useful security utils: SSL pinning, root check, logging removal etc. My favourite features: string encryption, API hiding.
Quick Android Review Kit (QARK): Python script that works with .apk files or source code. Automated tests for weaknesses and exploits; creates exploit APKs. https://github.com/linkedin/qark
Click here for more!
42+ secure mobile development tips http://bit.ly/viafor42
OWASP mobile security risks http://bit.ly/owaspmobile
Android Security Cookbook [book] http://bit.ly/mscefu
Android Security Internals [book] http://bit.ly/andsecint
Droidsec (whitepapers) droidsec.org/wiki
Thanks: @gotocph, @intohand, 20th Century Fox Android security team
Questions? dev@scottyab.com, @scottyab, github.com/scottyab
Please remember to rate this session. Thank you.
WebView
Before: getSettings().setJavaScriptEnabled(false); getSettings().setAllowFileAccess(false)
During: WebViewClient.shouldOverrideUrlLoading() to enforce local content or HTTPS and whitelisted hosts/URLs; shouldInterceptRequest() to intercept XmlHttpRequests
After: webview.clearCache(true)