Secure Communication in Client-Server Android Apps
With a bias towards mobile banking applications. AFRICA HACKON CONFERENCE, 2016. “Convergent Security”.
whoami: Masters candidate. Ethical hacker. Web developer. Jazz fan (before Safaricom made everyone a ‘jazz’ fan). Information security consultant. Government and private sector experience. Former student leader.
No demonstrations during our time. Wanted to create an app to solve a communication problem. Needed to convey sensitive information. CIA (confidentiality, integrity, availability) was key, but mostly C and I. Should support devices all the way back to Android 1.6. Ideos especially (back then it was the ish). Corptabs was born.
Lots of Google-Stackoverflowing. A non-secure P.O.C. was formed. Set up SSL on localhost, which Android declined. Purchased an SSL certificate from Namecheap. Set it up based on my own knowledge. Worked only on later Android devices (4.0 and above). Failed to work on my humble Android 2.1 device. Back to Google-Stackoverflowing.
With a web browser, it is generally quite easy to recognize when a third party is tampering with a secure connection. This is due to warning pages presented by browsers when something is fishy with the SSL certificate, such as a certificate that has not been signed by a trusted authority. Mobile applications, on the other hand, cannot always be counted on to display such a warning or even recognize when something is amiss.
TrustAllHosts().
Figured out the problem was the certificate chain and fixed it. These days the certificate chain is no longer a problem: two intermediate certs in the store. Now supported almost all Android phones with a $10 certificate. Hardened server to A+ standard by removing outdated cipher suites and
This is to protect against SSL downgrade attacks.
Common mistakes:
Trusting all certificates - the TrustManager interface can be implemented to trust all certificates, irrespective of who signed them or even for what subject they were issued.
Trusting many Certificate Authorities (CAs).
Allowing all hostnames.
Self-signed server certificate.
Phone still downgrading to SSLv3, mostly when the network is weak. Removed SSLv3 with the NoSSLv3 class. So far so good.
If an intruder still wanted to read the contents being sent to the server, they could: install a root CA and set the device up on a proxy server. How can this be done?
Remotely? Possibly. FinFisher and the like. IT department on a corporate network and a corporate phone? Absolutely. “Convergent Security”. “Can I borrow your phone for a sec?” While on a public network? NO!
Demo. Stolen intermediate and root certificates (http://wiki.cacert.org/Risk/History). By default, your app likely validates against all of the CA certificates that ship with Android, but that means any single compromised CA in the total set can potentially compromise your communication (even if it’s not the CA you’re using). Solution?
In order to be able to observe HTTPS traffic, we install the proxy’s root CA certificate on the device. This allows the app to accept certificates signed by that CA, so the TLS handshake happens between the app and Charles. Charles then forwards the app’s request to the backend using normal HTTPS. Demo with a live banking app.
Customers want apps. What to do?
Certificate pinning done right.
For f*cks sake, hash and salt passwords.
Don’t send the password with every request (guilty as charged). Use cookies instead (will only support 2.3 and above on Android).
All these solutions available on https://github.com/echebukati/sec-android-post
Constantly check the certificates installed on your device.
Obfuscate URLs.
Demo of soln.
Pinning is the process of associating a host with its expected X.509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated, or 'pinned', to the host. Certificate pinning can be done two different ways: by pinning the certificate itself, or by pinning just the public key.
Do this on a self-signed setup. Improvements as they come.
echebukati@gmail.com