New Privacy in Android 11 and OWASP Mobile Security - Albert Hsieh



slide-1
SLIDE 1

New Privacy in Android 11 and OWASP Mobile Security

Albert Hsieh

slide-2
SLIDE 2

OWASP currently has about 200 free, open-source projects

slide-3
SLIDE 3

OWASP Flagship Projects

Tool Projects

  • OWASP Amass
  • OWASP CSRFGuard
  • OWASP Defectdojo
  • OWASP Dependency-Check
  • OWASP Dependency-Track
  • OWASP Juice Shop
  • OWASP OWTF
  • OWASP Security Shepherd
  • OWASP ZAP

Code Projects

OWASP ModSecurity Core Rule Set

Documentation Projects

  • OWASP Application Security Verification Standard
  • OWASP Cheat Sheet Series
  • OWASP Mobile Security Testing Guide
  • OWASP SAMM
  • OWASP Top Ten
  • OWASP Web Security Testing Guide

slide-4
SLIDE 4

OWASP.Mobile

slide-5
SLIDE 5

What’s new on Android 11

  • 1. Scoped storage enforcement
  • 2. One-time permissions
  • 3. Permissions auto-reset
  • 4. Background location access
  • 5. Package visibility
  • 6. Foreground service types

https://developer.android.com/preview/privacy

slide-6
SLIDE 6

Is That Security Or Privacy?

Privacy: protecting non-public information that can identify an individual

Security: protecting all information, and more!

slide-7
SLIDE 7

Permissions

slide-8
SLIDE 8

How Powerful is Your Flashlight?

slide-9
SLIDE 9

https://www.zdnet.com/article/most-android-flashlight-apps-request-an-absurd-number-of-permissions/

Permissions, Permissions Everywhere!

slide-10
SLIDE 10

One-time Permissions

slide-11
SLIDE 11

Only this time!

slide-12
SLIDE 12

Only this time!

slide-13
SLIDE 13

Only this time!

slide-14
SLIDE 14

Background Location Access

slide-15
SLIDE 15

Location permission is special: it's split into foreground and background access.

Foreground access (app is visible or running a foreground service with location type)

  • ACCESS_COARSE_LOCATION
  • ACCESS_FINE_LOCATION (accurate location)

Background access (e.g. geofence or WorkManager/AlarmManager in the background)

  • ACCESS_BACKGROUND_LOCATION

slide-16
SLIDE 16

Foreground location access

ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION

  • On all versions, this requests foreground access.
  • On pre-Android 10, background access is implied.

// ACCESS_COARSE_LOCATION is android.Manifest.permission.ACCESS_COARSE_LOCATION
ActivityCompat.requestPermissions(
    /* Activity */ this,
    /* Request foreground access */ arrayOf(ACCESS_COARSE_LOCATION),
    /* RequestCode */ 100
)

slide-17
SLIDE 17

Background location access

Request incrementally, only after foreground access has been granted (target API level 'R').

  • At some point: ACCESS_COARSE_LOCATION
  • Request ACCESS_BACKGROUND_LOCATION
  • If "show rationale" is true: in-context UI (you define it)

slide-18
SLIDE 18

Permissions Auto-reset

slide-19
SLIDE 19

Auto-reset permissions

Target API level 'R'

slide-20
SLIDE 20

Auto-reset permissions

Target API level 'R'

  • Provide family safety
  • Sync data
  • Smart device connectivity app
  • Paired to companion devices

Settings.ACTION_APPLICATION_DETAILS_SETTINGS

slide-21
SLIDE 21

Foreground Service Types

slide-22
SLIDE 22

Foreground Service Types

Android 10

  • Introduced the concept of types

Companion device, Media Projection, Location

Sync, Media Player, Phone Call

Enforced to ensure accountability for access

slide-23
SLIDE 23

Foreground Service Types

Android 11, target API level 'R'

<manifest>
    ...
    <service ... android:foregroundServiceType="camera" />
</manifest>

slide-24
SLIDE 24

Foreground Service Types

Android 11, target API level 'R'

<manifest>
    ...
    <service ... android:foregroundServiceType="camera|microphone" />
</manifest>

slide-25
SLIDE 25

Package Visibility

slide-26
SLIDE 26

Seeing all installed apps

packageManager.getInstalledPackages(0)

On Android 10 and older…

slide-27
SLIDE 27

Default behavior (target API level 'R')

getPackageInfo("another.app", 0)

NameNotFoundException

slide-28
SLIDE 28

Query and interact with specific apps

Declare package names in the <queries> element of the manifest to ‘see’ specific apps.

<manifest>
    <queries>
        <package android:name="com.example.store" />
        <package android:name="com.example.service" />
        ...
    </queries>
    ...
</manifest>

slide-29
SLIDE 29

Query and interact with apps based on intent filters

Declare intents in the <queries> element to ‘see’ apps that handle certain intents.

<manifest>
    <queries>
        <intent>
            <action android:name="android.intent.action.SEND" />
            <data android:mimeType="image/jpeg" />
        </intent>
    </queries>
    ...
</manifest>

slide-30
SLIDE 30

Interacting with all apps

  • Shouldn’t be necessary for most apps.
  • Available “Normal” permission that allows querying and interacting with all installed apps.

<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />

Look for Google Play to provide upcoming guidelines for apps that need this permission.
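
Added example (not from the slides): a small Python check a reviewer could run over an app's source AndroidManifest.xml to summarise the package-visibility declarations described above, plus the background-location and foreground-service-type declarations from the earlier slides. The sample manifest, the service name .CallService and the function name audit_manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
P = "android.permission."
# Constructed sample manifest for illustration (not an app from the slides).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
  <queries>
    <package android:name="com.example.store" />
    <intent>
      <action android:name="android.intent.action.SEND" />
      <data android:mimeType="image/jpeg" />
    </intent>
  </queries>
  <application>
    <service android:name=".CallService"
             android:foregroundServiceType="camera|microphone" />
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Summarise visibility, location and foreground-service declarations."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    packages = [e.get(A + "name") for e in root.findall("queries/package")]
    intents = []
    for intent in root.findall("queries/intent"):
        action, data = intent.find("action"), intent.find("data")
        intents.append((action.get(A + "name") if action is not None else None,
                        data.get(A + "mimeType") if data is not None else None))
    # Services that declare a type, e.g. {".CallService": ["camera", "microphone"]}
    fgs = {s.get(A + "name"): s.get(A + "foregroundServiceType").split("|")
           for s in root.iter("service") if s.get(A + "foregroundServiceType")}
    findings = []
    if P + "QUERY_ALL_PACKAGES" in perms:
        findings.append("QUERY_ALL_PACKAGES: sees all installed apps; "
                        "prefer narrow <queries> entries")
    foreground = {P + "ACCESS_COARSE_LOCATION", P + "ACCESS_FINE_LOCATION"}
    if P + "ACCESS_BACKGROUND_LOCATION" in perms and not perms & foreground:
        findings.append("ACCESS_BACKGROUND_LOCATION without a foreground "
                        "location permission to request first")
    return {"packages": packages, "intents": intents,
            "foreground_service_types": fgs, "findings": findings}


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

On the sample, both findings fire: the app asks to see every installed package even though it already lists narrow <queries> entries, and it declares background location with no foreground permission.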

"Let us know your use cases” by Google….

slide-31
SLIDE 31

Scoped Storage

slide-32
SLIDE 32

Exactly the data that the user wants to share, and no more

slide-33
SLIDE 33

New in Android 11

slide-34
SLIDE 34

OWASP.Mobile

slide-35
SLIDE 35

OWASP.Mobile

https://owasp.org/www-project-mobile-security/

slide-36
SLIDE 36

Secure Software Development Life Cycle (SSDLC)

M Top 10 MASVS MSTG Response M Security Chklst Hacking Playground

slide-37
SLIDE 37

Mobile Application Security Verification Standard (MASVS)

  • Forked from OWASP ASVS
  • Best practices for security requirements
  • Mobile-specific
  • High-level
  • OS-agnostic

slide-38
SLIDE 38

Security Requirements

  • V1: Architecture, Design and Threat Modeling
  • V2: Data Storage and Privacy
  • V3: Cryptography
  • V4: Authentication and Session Management
  • V5: Network Communication
  • V6: Platform Interaction
  • V7: Code Quality and Build Settings
  • V8: Resilience

slide-39
SLIDE 39

Levels

  • MASVS-L1: all mobile apps.
  • MASVS-L2: apps handling sensitive data and/or functionality.
  • MASVS-R: apps that handle highly sensitive data and may serve as a means of protecting intellectual property or tamper-proofing an app.

▪ L1 Alarm App
▪ L2 Health App
▪ L1+R Game App
▪ L2+R Banking App

slide-40
SLIDE 40

V2: Data Storage and Privacy (part)

slide-41
SLIDE 41

V3: Cryptography (part)

slide-42
SLIDE 42

V5: Network Communication (part)

slide-43
SLIDE 43

V5: Network Communication (part)

slide-44
SLIDE 44

V6: Platform Interaction (part)

slide-45
SLIDE 45

Yes, resilience!

RESILIENCE?

slide-46
SLIDE 46

V8: Resilience (part)

slide-47
SLIDE 47

HOW TO USE THE MASVS?

Bring security to the system requirements phase!

▸ As secure coding checklist
▸ As security testing methodologies
▸ For secure development training

slide-48
SLIDE 48

To Conclude….

slide-49
SLIDE 49

Why do we need security?

slide-50
SLIDE 50

How much does that cost?

slide-51
SLIDE 51

Find the bugs earlier

slide-52
SLIDE 52

Create fewer bugs

https://blog.parasoft.com/what-is-the-shift-left-approach-to-software-testing

slide-53
SLIDE 53

OWASP.Mobile

https://owasp.org/www-project-mobile-security/

slide-54
SLIDE 54

SHIFT LEFT!

M Top 10 MASVS MSTG Response M Security Chklst Hacking Playground

Shift Left for Security!

slide-55
SLIDE 55

Thank you!