The Android security jungle: pitfalls, threats and survival tips - PowerPoint PPT Presentation

SLIDE 1

The Android security jungle: pitfalls, threats and survival tips

Scott Alexander-Bown @scottyab

SLIDE 2

The Jungle

  • Ecosystem
  • Google’s protection
  • Threats
  • Risks
SLIDE 3

Survival

  • Network
  • Data protection (encryption)
  • App/device integrity
  • App binary security
  • Testing

SLIDE 4

Scott Alexander-Bown

  • Lead Android Dev (remote) at Intohand
  • Co-Author - Android Security Cookbook
  • Co-Founder of SWmobile

SLIDE 5

1.4 Billion users

SLIDE 6

OpenSignals.com

SLIDE 7

SLIDE 8

Security Services

  • Google Play
    • Approval process (human review since 2015)
    • Developer security notifications
    • Android Bouncer (scans apps submitted to Play)
  • Android Device Manager (device security: locate, lock, wipe)
  • SafetyNet (intrusion detection)
  • Android for Work
SLIDE 9

Slide from Adrian Ludwig's "Android Security State of the Union"

SLIDE 10

Newer versions of Android are more secure

  • 1.5: stack buffer overflow and integer overflow protection
  • 2.3+: null pointer dereference mitigation, NX (no-execute)
  • 4.0+: ASLR
  • 4.1+: ASLR strengthened
  • 4.3: Security-Enhanced Linux (SELinux)
  • 5.0: SELinux enforcing; updatable WebView (via Play Store)

SLIDE 11

Threats

SLIDE 12

Threats: App Hijacking

  • Taking an existing app and adding malware to it (repackaging)
  • Concerns
    • Reversing Android apps is easy
    • No need for a certificate authority (APK signing certificates are self-signed)
    • Sideloading
SLIDE 13

“I ain’t got time to (heart)bleed”

SLIDE 14

SLIDE 15

SLIDE 16

OWASP

  • Mobile Security Project
    • iOS and Android
  • Top 10 risks
    • attack vectors
    • threat agents
    • impacts
SLIDE 17

OWASP top 10 risks

  • M1: Weak Server Side Controls
  • M2: Insecure Data Storage
  • M3: Insufficient Transport Layer Protection
  • M4: Unintended Data Leakage
  • M5: Poor Authorization and Authentication
  • M6: Broken Cryptography
  • M7: Client Side Injection
  • M8: Security Decisions Via Untrusted Inputs
  • M9: Improper Session Handling
  • M10: Lack of Binary Protections
SLIDE 18

Survival kit

SLIDE 19

Survival tips

  • 1. Harden the network communications
  • 2. Protect stored data (encryption)
  • 3. Validate the device and app integrity
  • 4. Increase binary security
SLIDE 20

Network communications

  • Use SSL / TLS!
  • Use the platform SSL/TLS validation (i.e. don't disable it with a permissive TrustManager or HostnameVerifier!)
  • Use only strong cipher suites (128-bit+) and TLS versions (TLS v1.2)
  • OkHttp 2.1 - https://publicobject.com/2014/11/12/okhttp-2-1/
SLIDE 21

Looks like you're not using SSL pinning?

  • Devices ship with 100+ Certificate Authorities (CAs) and users can install their own
  • Pinning limits which CAs (or keys) your app will trust
  • Two types
    • Certificate pinning
    • Public Key pinning
SLIDE 22

Public key pinning

SLIDE 23

Patch against SSL exploits

  • Google Play Services provides a dynamic security provider (a patched TLS stack, updated independently of the OS)
  • ProviderInstaller.installIfNeeded(getContext());
  • https://developer.android.com/training/articles/security-gms-provider.html#patching
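
The one-liner above blocks and can throw; as an added example (not the deck's code) this is the asynchronous form with the failure handling the linked guide calls for. It assumes Play Services 7.0+ for `GoogleApiAvailability`; the request code and the `onReady` callback are this example's own.

```java
// Added example (not from the slides): updating the TLS provider through Play
// Services, with the failure handling the linked guide calls for. The request code is arbitrary.
import android.app.Activity;
import android.content.Intent;
import android.util.Log;
import com.google.android.gms.common.GoogleApiAvailability;
import com.google.android.gms.security.ProviderInstaller;

public final class TlsProviderUpdate {
    private static final String TAG = "TlsProviderUpdate";
    private static final int ERROR_DIALOG_REQUEST_CODE = 1;   // any value; matched in onActivityResult

    /** Call from onCreate(); open no TLS connections until onProviderInstalled() fires. */
    public static void install(final Activity activity, final Runnable onReady) {
        ProviderInstaller.installIfNeededAsync(activity, new ProviderInstaller.ProviderInstallListener() {
            @Override
            public void onProviderInstalled() {
                // The patched provider is now first in the JCA provider list for this process,
                // so every SSLContext / HttpsURLConnection created from here on uses it.
                onReady.run();
            }

            @Override
            public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
                GoogleApiAvailability availability = GoogleApiAvailability.getInstance();
                if (availability.isUserResolvableError(errorCode)) {
                    // Play Services present but outdated or disabled: let the user fix it, then call install() again.
                    availability.showErrorDialogFragment(activity, errorCode, ERROR_DIALOG_REQUEST_CODE);
                } else {
                    // No Play Services at all (some forks, emulators): the device's stock provider is all we have.
                    Log.w(TAG, "Play Services unavailable (" + errorCode + "); TLS provider not updated");
                    // Policy decision for the app: continue with the stock provider (and its known bugs)
                    // or refuse sensitive traffic. Never fall back to plain HTTP.
                }
            }
        });
    }
}
```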

SLIDE 24

Tips

SLIDE 25

Password based encryption

Code in a slide :’(

SLIDE 26

Encryption libraries

  • Conceal
    • https://facebook.github.io/conceal
  • SQLCipher
    • https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
  • Secure-Preferences (or Hawk)
    • https://github.com/scottyab/secure-preferences
SLIDE 27

Hardcoded encryption key
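
Slide 25's password-based encryption code and this slide's hardcoded key were both images. As an added example (not the deck's code) the block below puts the pitfall next to the fix: a key baked into the APK beside a key derived at runtime from a user password with PBKDF2, used with AES-GCM. Algorithm names, iteration count and the blob layout are this example's choices; `GCMParameterSpec` assumes API 19+.

```java
// Added example (not from the slides): the hardcoded-key pitfall (slide 27) beside a
// password-derived key (slide 25). Algorithms, parameters and layout are the example's choices.
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class PasswordCrypto {
    // ---- Pitfall: a key in the APK is one `strings classes.dex` (or one decompile) away ----
    private static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes();   // DON'T: anyone with the APK has it

    static byte[] encryptWithHardcodedKey(byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");      // DON'T: static key, and ECB leaks patterns
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // ---- Survival tip: derive the key from a secret the user supplies at runtime ----
    private static final int SALT_BYTES = 16, IV_BYTES = 12, TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 10000;   // tune so derivation takes ~100 ms on your slowest device
    private static final SecureRandom RNG = new SecureRandom();

    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();    // the spec keeps a copy of the password; wipe it
        }
    }

    /** Blob layout: salt || iv || ciphertext+tag. Salt and IV are public; only the password is secret. */
    static byte[] encrypt(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);          // fresh salt per blob: same password, different key each time
        RNG.nextBytes(iv);            // fresh IV per blob: never reuse an IV under the same key with GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(salt.length + iv.length + ct.length).put(salt).put(iv).put(ct).array();
    }

    /** A wrong password or a tampered blob fails the GCM tag check and throws (AEADBadTagException). */
    static byte[] decrypt(char[] password, byte[] blob) throws GeneralSecurityException {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] salt = new byte[SALT_BYTES], iv = new byte[IV_BYTES];
        byte[] ct = new byte[blob.length - SALT_BYTES - IV_BYTES];
        in.get(salt).get(iv).get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);
    }
}
```

Two caveats worth knowing: Android 4.4 changed "PBKDF2WithHmacSHA1" to use all bits of non-ASCII password characters, so data written on older releases needs "PBKDF2WithHmacSHA1And8bit" to decrypt; and the password should be held as a `char[]` you can zero, never as a `String` that sits in the heap until garbage collection.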

SLIDE 28

Verifying App integrity

  • Debuggable check
  • Apk Checksum
  • Signing certificate verification
SLIDE 29

Signing Certificate Verification

Build-time

  • 1. Get your certificate signature
    $ keytool -list -v -keystore your_app.keystore
  • 2. Embed in app
    String CERTIFICATE_SHA1 = "71920AC9486E087DCBCF5C7F6F…";

Runtime

  • 3. Get the Signature from the PackageManager
  • 4. Hash the Signature
  • 5. Compare the signature hash strings
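
The three checks from slide 28, with steps 3 to 5 of this slide implemented, as an added example that is not the deck's code. The SHA-1 and CRC constants are placeholders: the real values come from `keytool -list -v` (colons removed) and from the release build's classes.dex respectively.

```java
// Added example (not from the slides): runtime app-integrity checks for slide 28.
// EXPECTED_CERT_SHA1 and EXPECTED_DEX_CRC are placeholders for values recorded at build time.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public final class AppIntegrity {
    /** From `keytool -list -v`, colons stripped (placeholder; case does not matter). */
    private static final String EXPECTED_CERT_SHA1 = "0123456789abcdef0123456789abcdef01234567";
    /** CRC-32 of classes.dex in the release APK (placeholder). Embedding this constant in classes.dex
     *  changes the dex, so in practice keep it in a resource or fetch it from your server. */
    private static final long EXPECTED_DEX_CRC = 0x12345678L;

    /** 1. Debuggable check: a release build must never carry this flag (it allows attaching a debugger). */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** 2. APK checksum: the CRC stored in our own APK's zip entry for classes.dex, compared to the build-time value. */
    public static boolean isDexUnmodified(Context ctx) throws IOException {
        ZipFile apk = new ZipFile(ctx.getApplicationInfo().sourceDir);
        try {
            ZipEntry dex = apk.getEntry("classes.dex");
            return dex != null && dex.getCrc() == EXPECTED_DEX_CRC;
        } finally {
            apk.close();
        }
    }

    /** 3. Signing certificate: steps 3-5 of slide 29. A repackaged app cannot carry our certificate. */
    public static boolean isSignedByUs(Context ctx) throws NoSuchAlgorithmException {
        PackageInfo info;
        try {
            info = ctx.getPackageManager().getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        byte[] expected = hexToBytes(EXPECTED_CERT_SHA1);
        for (Signature sig : info.signatures) {
            byte[] actual = MessageDigest.getInstance("SHA-1").digest(sig.toByteArray());   // DER of the certificate
            if (MessageDigest.isEqual(expected, actual)) return true;                        // constant-time compare
        }
        return false;
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

All three checks live inside the binary they protect, so an attacker who repackages the app can also patch the checks out; they raise the bar only when combined with obfuscation (slides 33 and 34) and with server-side checks that do not trust the client's answer.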

SLIDE 30

Verifying device integrity

  • Emulator check
    • https://github.com/strazzere/anti-emulator
  • Google SafetyNet test
    • https://github.com/scottyab/safetynethelper

SLIDE 31

root@android:/ #

  • Root apps / Dangerous apps
  • Suspect system properties
  • su / BusyBox binaries
  • RW /system
  • https://github.com/scottyab/rootbeer
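
As an added example (not the deck's code and not RootBeer's), the heuristics behind the emulator and root bullets on slides 30 and 31. The binary paths, package names and build strings are this example's choices; the /proc/mounts parser is split out so it can be exercised on sample lines.

```java
// Added example (not from the slides, not RootBeer's code): cheap heuristics for the
// slide 30/31 checklist. Paths, package names and build strings are this example's choices.
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public final class DeviceIntegrity {
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su", "/su/bin/su" };
    private static final String[] BUSYBOX_PATHS = { "/system/bin/busybox", "/system/xbin/busybox" };
    private static final String[] ROOT_APPS = {
        "eu.chainfire.supersu", "com.noshufou.android.su", "com.koushikdutta.superuser" };

    /** Emulator check: stock emulator images carry tell-tale build values. */
    public static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
            || "goldfish".equals(Build.HARDWARE) || "ranchu".equals(Build.HARDWARE)
            || Build.MODEL.contains("google_sdk") || Build.MODEL.contains("Emulator")
            || Build.MANUFACTURER.contains("Genymotion")
            || (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic"));
    }

    /** Root apps: an installed superuser manager is a strong hint. */
    public static boolean hasRootManagementApp(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : ROOT_APPS) {
            try { pm.getPackageInfo(pkg, 0); return true; }
            catch (PackageManager.NameNotFoundException ignored) { /* not installed */ }
        }
        return false;
    }

    /** Suspect system property: ro.build.tags=test-keys means the system image is not a release-signed build. */
    public static boolean hasTestKeys() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    /** su / BusyBox binaries on the usual paths. */
    public static boolean hasSuBinary() { return anyExists(SU_PATHS); }
    public static boolean hasBusyBox() { return anyExists(BUSYBOX_PATHS); }

    /** RW /system: rooting tools remount /system read-write; /proc/mounts shows the live mount options. */
    public static boolean isSystemWritable() throws IOException {
        return isMountedRw(readLines("/proc/mounts"), "/system");
    }

    /** /proc/mounts lines look like "/dev/block/platform/.../system /system ext4 ro,seclabel,relatime 0 0". */
    static boolean isMountedRw(List<String> mountLines, String mountPoint) {
        for (String line : mountLines) {
            String[] f = line.trim().split("\\s+");
            if (f.length >= 4 && f[1].equals(mountPoint)) {
                for (String opt : f[3].split(",")) if (opt.equals("rw")) return true;
            }
        }
        return false;
    }

    /** Any hit is a signal, not proof: each check can be hidden by a determined attacker (hooking, renamed su). */
    public static List<String> findings(Context ctx) throws IOException {
        List<String> found = new ArrayList<String>();
        if (isEmulator())               found.add("emulator");
        if (hasRootManagementApp(ctx))  found.add("root management app");
        if (hasTestKeys())              found.add("test-keys build");
        if (hasSuBinary())              found.add("su binary");
        if (hasBusyBox())               found.add("busybox");
        if (isSystemWritable())         found.add("/system mounted rw");
        return found;
    }

    private static boolean anyExists(String[] paths) {
        for (String p : paths) if (new File(p).exists()) return true;
        return false;
    }

    private static List<String> readLines(String path) throws IOException {
        List<String> lines = new ArrayList<String>();
        BufferedReader r = new BufferedReader(new FileReader(path));
        try {
            for (String line = r.readLine(); line != null; line = r.readLine()) lines.add(line);
        } finally {
            r.close();
        }
        return lines;
    }
}
```

Treat the result as one input to a risk decision (log it, step up authentication, disable a feature) rather than as a hard block: false positives on custom ROMs are common, and a hard block just tells the attacker which check to patch first.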
SLIDE 32

Obfuscation

SLIDE 33

ProGuard

  • Java code obfuscator (and shrinker/optimiser)
  • Part of the Android SDK
  • Free as in Beer!
  • ReTrace de-obfuscates stack traces from the mapping file - supported by crash reporting services such as Crashlytics
SLIDE 34

DexGuard

  • Commercial version of ProGuard
  • Designed for Android app protection
  • Useful security utils - SSL pinning, root check, logging removal etc.
  • My favourite features
    • String encryption
    • API hiding
SLIDE 35

SLIDE 36

Quick Android Review Kit (QARK)

  • Python script
  • Works with .apk or source code
  • Automated tests for
    • weaknesses
    • exploits
  • Creates exploit .apks
  • https://github.com/linkedin/qark
SLIDE 37

SLIDE 38

Click here for more!

  • 42+ Secure mobile development tips
    http://bit.ly/viafor42
  • OWASP Mobile security risks
    http://bit.ly/owaspmobile
  • Android security cookbook [book]
    http://bit.ly/MscEFu
  • Android security internals [book]
    http://bit.ly/andsecint
  • Droidsec (whitepapers)
    droidsec.org/wiki

SLIDE 39

SLIDE 40

SLIDE 41

Thanks

  • @gotocph
  • @intohand
  • 20th Century Fox
  • Android security team

SLIDE 42

Questions?

dev@scottyab.com
@scottyab
github.com/scottyab

Please remember to rate this session. Thank you

SLIDE 43

SLIDE 44

SLIDE 45

WebView

  • Before
    • getSettings().setJavaScriptEnabled(false)
    • getSettings().setAllowFileAccess(false)
  • During
    • WebViewClient.shouldOverrideUrlLoading()
      • enforce local content or HTTPS
      • whitelisted hosts/urls
    • .shouldInterceptRequest() to intercept XmlHttpRequests
  • After
    • webview.clearCache(true)
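
The Before / During / After list wired into one WebView, as an added example that is not the deck's code. The host allow-list, the asset prefix and the `teardown()` extras (`clearHistory`, `about:blank`) are this example's choices; the `String`-based `shouldOverrideUrlLoading` and `shouldInterceptRequest` signatures are the pre-API-24 / pre-API-21 ones the slide refers to.

```java
// Added example (not from the slides): a WebView locked down the Before / During / After way.
// ALLOWED_HOSTS and LOCAL_PREFIX are placeholders for this example.
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class HardenedWebView {
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("example.com", "cdn.example.com"));
    private static final String LOCAL_PREFIX = "file:///android_asset/";

    /** Only HTTPS to allow-listed hosts, or our own bundled assets. Parses the URL instead of prefix-matching it. */
    static boolean isAllowed(String url) {
        if (url == null) return false;
        if (url.startsWith(LOCAL_PREFIX)) return true;
        Uri uri = Uri.parse(url);
        String host = uri.getHost();              // userinfo is stripped: https://example.com@evil.com -> evil.com
        return "https".equals(uri.getScheme()) && host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    /** Before: lock the settings down before the first loadUrl(). */
    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);            // enable only for pages that genuinely need it
        s.setAllowFileAccess(false);              // file:// off; android_asset and android_res still load
        s.setAllowContentAccess(false);           // no content:// provider access from page content
        s.setSavePassword(false);
        webView.setWebViewClient(new WebViewClient() {
            // During: top-level navigations (links, redirects, location changes)
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url);           // true = "handled" (dropped); the WebView does not load it
            }

            // During: sub-resources and XmlHttpRequests, which never reach shouldOverrideUrlLoading
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
                if (isAllowed(url)) return null;  // null = let the WebView fetch it normally
                return new WebResourceResponse("text/plain", "UTF-8", new ByteArrayInputStream(new byte[0]));
            }
        });
    }

    /** After: leave nothing from the session behind for the next user of the device. */
    public static void teardown(WebView webView) {
        webView.clearCache(true);
        webView.clearHistory();
        webView.loadUrl("about:blank");
    }
}
```

The allow-list check matters for "whitelisted hosts/urls": a `startsWith("https://example.com")` test passes `https://example.com.evil.net/` and `https://example.com@evil.net/`, while comparing the parsed host against a set does not.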