the android security jungle
play

The Android security jungle: pitfalls, threats and survival tips - PowerPoint PPT Presentation

Apr 21, 2023 •434 likes •888 views

The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab The Jungle Ecosystem Googles protection Threats Risks Survival Network Data protection (encryption) App/device

  1. The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab

  2. The Jungle • Ecosystem • Google’s protection • Threats • Risks

  3. Survival • Network • Data protection (encryption) • App/device integrity • App binary security • Testing

  4. Scott Alexander-Bown • Lead Android Dev (remote) at Intohand • Co-Author - Android Security Cookbook • Co-Founder of SWmobile

  5. 1.4 Billion users

  6. OpenSignals.com

  8. Security Services • Google Play Approval process (human approval since 2015) • Developer security notifications • Android Bouncer • • Android device manager (Device security) • Safety net (intrusion detection) • Android at Work

  9. Slide Adrian Ludwig’s - Android Security State of the Union

  10. Newer version of Android are more secure 1.5 stack buffer, integer overflow protection 2.3+ null pointer dereference mitigation, NX 4.0+ ASLR 4.1+ ASLR strengthened 4.3 Security-Enhanced Linux 5.0 Security-Enhanced Linux - enforcing Updatabled Webview (via playstore)

  11. Threats

  12. Threats: App Hijacking • Taking an app and adding malware • Concerns • Reversing Android apps is easy • No need for certificate authority • Sideload

  13. “I ain’t got time to (heart)bleed”

  16. OWASP • Mobile Security Project • iOS and Android • Top 10 risks • attack vectors • threat agents • impacts

  17. OWASP top 10 risks • M1: Weak Server Side • M6: Broken Cryptography Controls • M7: Client Side Injection • M2: Insecure Data Storage • M8: Security Decisions Via • M3: Insufficient Transport Untrusted Inputs Layer Protection • M9: Improper Session Handling • M4: Unintended Data Leakage • M10: Lack of Binary Protections • M5: Poor Authorization and Authentication

  18. Survival kit

  19. Survival tips 1. Harden the network communications 2. Protect stored data (encryption) 3. Validate the device and app integrity 4. Increase binary security

  20. Network communications • Use SSL / TLS! • Use the platform SSL/TLS validation (i.e don’t disable it!) • Use only strong cipher suites (128bit+) and TLS versions (TLS v1.2) • OkHttp 2.1 - https://publicobject.com/2014/11/12/okhttp-2-1/

  21. Looks like you’re not using SSL pinning? • Devices ship with 100+ Certificate Authorities (CA) and users can install their own • Pinning limits the trusted root CA’s • Two types • Certificate pinning • Public Key pinning

  22. Public key pinning

  23. Patch against SSL exploits • Google Play Services provides a dynamic security provider • ProviderInstaller.installIfNeeded(getContext()); • https://developer.android.com/training/articles/security-gms- provider.html#patching

  24. Tips

  25. Code in a slide :’( Password based encryption

  26. Encryption libraries • Conceal • https://facebook.github.io/conceal • SQL cipher https://www.zetetic.net/sqlcipher/sqlcipher-for-android/ • Secure-Preferences (or Hawk) • https://github.com/scottyab/secure-preferences

  27. Hardcoded encryption key

  28. Verifying App integrity • Debuggable check • Apk Checksum • Signing certificate verification

  29. Signing Certificate Verification Build-time Runtime 3. Get the Signature from the 1. Get you certificate signature PackageManager $keytool -list -v -keystore your_app.keystore 4. Hash the Signature 2. Embed in app 5. Compare the signature hashes strings String CERTIFICATE_SHA1 = “71920AC9486E087DCBCF5C7F6F…”;

  30. Verifying device integrity • Emulator check • https://github.com/strazzere/a nti-emulator • Google SafteyNet test • https://github.com/scottyab/sa fetynethelper

  31. root@android:/ # • Root apps / Dangerous apps • Suspect system properties • SU/BusyBox binaries • RW /system • https://github.com/scottyab/rootbeer

  32. Obfuscation

  33. ProGuard • Java code obfuscator • Part of the Android SDK • Free as in Beer! • ReTrace - Supported by Error handling services such as Crashlytics

  34. DexGuard • Commercial version of ProGuard • Designed for Android and protection • Useful security utils - SSL Pinning, Root check, logging removal etc • My favourite features • String Encryption • API hiding

  36. Quick Android Review Kit (Quak) • Python script • Works with .apk or source code • Automated tests • weaknesses • exploits • Creates exploit .apks • https://github.com/linkedin/qark

  38. Click here for more! • 42+ Secure mobile development tips http://bit.ly/viafor42 • OWASP Mobile security risks http://bit.ly/owaspmobile • Android security cookbook [book] http://bit.ly/MscEFu • Android security internals [book] http://bit.ly/andsecint • Droidsec (whitepapers) droidsec.org/wiki

  41. Thanks • @gotocph • @intohand • 20th Century Fox • Android security team

  42. Questions? dev@scottyab.com @scottyab github.com/scottyab Please Remember to rate this session Thank you

  45. WebView • Before • getSettings().setJavaScriptEnabled(false) • getSettings().setAllowFileAccess(false) • During • WebViewClient.shouldOverrideUrlLoading() • enforce local content or Https • Whitelisted hosts/urls • .shouldInterceptRequest() to intercept XmlHttpRequests • After • webview.clearCache(true)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and Jan-Christoph K uster Background, what Android is Developed by Android Inc. (acquired by Google in 2005) Open Handset Alliance (founded in 2007)

161 views • 15 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides
management scenario jungle Nicola Suter Workplace Engineer itnetX (Switzerland) AG Blog

management scenario jungle Nicola Suter Workplace Engineer itnetX (Switzerland) AG Blog

A safari through the Intune device management scenario jungle Nicola Suter Workplace Engineer itnetX (Switzerland) AG Blog tech.nicolonsky.ch Twitter @nicolonsky Content Intune basics MAM Android Enterprise iOS / macOS

554 views • 34 slides
CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Android Security Table of Contents Android

562 views • 15 slides
Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity It used to be that phones had so little connectivity to devices other than the phone network that security wasn't a huge deal Phone number

660 views • 15 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
What is Jungle Beat? Remember when kids were kids and

What is Jungle Beat? Remember when kids were kids and

What is Jungle Beat? Remember when kids were kids and playing meant grass burns, bare feet and muddy faces? Jungle Beat is a fun,

722 views • 39 slides
Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy cornerstones Need to

582 views • 37 slides
Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth

Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth

Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth <thuth@redhat.com> Legal Disclaimer: Opinions are my own and not necessarily the views of my employer Jungle Leaves background license: CC BY 3.0 US

492 views • 28 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June 14, 2018 Mobile OSes rapidly expanding their device range and user base. Android: 2 billion monthly active users but

403 views • 15 slides
Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Multi-Persona Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile devices have multiple uses - - the device needs to reflect that. 2 Android Builders 2014 Security Use Case Personal Phone

874 views • 55 slides
Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com Agenda Android Security Model

725 views • 47 slides
Outline XML Query Languages CS 235: XPATH XQUERY Introduction to Databases

Outline XML Query Languages CS 235: XPATH XQUERY Introduction to Databases

Outline XML Query Languages CS 235: XPATH XQUERY Introduction to Databases Svetlozar Nestorov Lecture Notes #26 XPATH and XQUERY Example DTD XPATH is a language for describing paths <!DOCTYPE Bars [ <!ELEMENT BARS

528 views • 5 slides
1 1000 0000 0100 0000 Fast multiplication Division hardware 0010 0000 0*1000 1*1000 0001

1 1000 0000 0100 0000 Fast multiplication Division hardware 0010 0000 0*1000 1*1000 0001

0000 1000 Multiplication hardware 0001 0000 0010 0000 Computer arithmetic o The multiplication 0100 0000 algorithm we learned in Multiplicand grammar school leads to 1001 Integers and floats Shift left a simple if somewhat 0100 64 bits

533 views • 5 slides
t srt ts s t trsr

t srt ts s t trsr

t srt ts s t trsr tr r rr tts r

1.45k views • 143 slides
2020 UNDE RGRADUAT E F L AGSHI P PROGRAM PRE -COMPE T I T I ON WE BI NAR T e c

2020 UNDE RGRADUAT E F L AGSHI P PROGRAM PRE -COMPE T I T I ON WE BI NAR T e c

2020 UNDE RGRADUAT E F L AGSHI P PROGRAM PRE -COMPE T I T I ON WE BI NAR T e c hnic a l Assista nc e We b ina r Aug ust 7, 2018 WE BI NAR PART I CI PANT S De fe nse L a ng ua g e a nd Na tio na l Se c urity E duc a tio

514 views • 27 slides
LOD2 Stack and the NLP2RDF project http://slideshare.net/kurzum http://nlp2rdf.org

LOD2 Stack and the NLP2RDF project http://slideshare.net/kurzum http://nlp2rdf.org

Creating Knowledge out of Interlinked Data Rome 2013/03/13 Page 1 http://lod2.eu LOD2 Stack and the NLP2RDF project http://slideshare.net/kurzum http://nlp2rdf.org http://lod2.eu Sebastian Hellmann AKSW, Universitt Leipzig

761 views • 32 slides
Week 6: An Introduction to Time Series Dependent data, autocorrelation, AR and periodic

Week 6: An Introduction to Time Series Dependent data, autocorrelation, AR and periodic

BUS41100 Applied Regression Analysis Week 6: An Introduction to Time Series Dependent data, autocorrelation, AR and periodic regression models Max H. Farrell The University of Chicago Booth School of Business Time series data and dependence

1.49k views • 60 slides
The Way of Optimizing and Troubleshooting Our Lua Waf agentzh@gmail.com Yichun Zhang

The Way of Optimizing and Troubleshooting Our Lua Waf agentzh@gmail.com Yichun Zhang

pdf |<< < > >>| 1 / 25 The Way of Optimizing and Troubleshooting Our Lua Waf agentzh@gmail.com Yichun Zhang (agentzh) 2013.04.19 Dane now loves to open a conversation with me via a Flame Graph. One day, Dane

1.06k views • 26 slides
Tensor-Matrix Products with a Compressed Sparse Tensor Shaden Smith George Karypis University

Tensor-Matrix Products with a Compressed Sparse Tensor Shaden Smith George Karypis University

Tensor-Matrix Products with a Compressed Sparse Tensor Shaden Smith George Karypis University of Minnesota Department of Computer Science & Engineering shaden@cs.umn.edu Tensor-Matrix Products with a Compressed Sparse Tensor 1 / 47

1.09k views • 47 slides

More recommend