Roberto Gassirà - Roberto Piccirillo
MILAN 25-26 NOVEMBER 2016

Increasing Android app security for free
Who we are
● Senior Security Analysts for Mobile Security Lab
  ○ Vulnerability Assessment (IT, Mobile Application)
  ○ Android Secure Development
● Roberto Gassirà
  @robgas
  r.gassira@mseclab.com
● Roberto Piccirillo
  @robpicone
  r.piccirillo@mseclab.com
Increasing Android app security for free
Potentially Hostile Environment

Potentially Hostile Environment
Introduction
Mobile applications can run in a Potentially Hostile Environment.

Potentially Hostile Environment
Unreliable Communication Channels
Free Open Wifi ... -> … free user data
Threat: Traffic Snooping

Potentially Hostile Environment
Unreliable Communication Channels
Free WPA2 Wifi ... -> … free user data (MITM)
Threat: MITM

Potentially Hostile Environment
Unreliable Communication Channels
Under attack...
Threat: Information Gathering

Potentially Hostile Environment
Tampered Device
Rooting: BootLoader Unlock, Local/remote Exploit

Potentially Hostile Environment
Tampered Device
Rooting -> Android platform security compromised: no more application sandbox

Potentially Hostile Environment
Tampered Device
Hooking/Instrumentation
Threat: Code Hijacking
Normal flow: onCreate() -> isDeviceTampered() -> true: EXIT / false: ...() continue
Hooked flow: isDeviceTampered() always returns false, so the check is bypassed
Mobile Threats for Developers
Attacker
● Advanced Device Owner
  ○ Remove Bloatware/Customization
● Mobile Cybercriminal
  ○ Application analysis
● Potentially Harmful Applications
  ○ Steal info/money

Mobile Threats for Developers
Malware Infection
Apps from “Unknown sources”
Apps from “Unknown sites”

Mobile Threats for Developers
Google Security Services for Android
From Android Security 2015 Year in Review - April 2016

Mobile Threats for Developers
Tampered Device Detection
Free Weapons for Developers: SafetyNet API
● Allows an app to analyze the device where it is installed
● Checks whether the device has passed the Compatibility Test Suite (CTS)
● Checks the integrity of the device (Rooted? Hooked? Infected?)
● Provided by Google Play Services

Mobile Threats for Developers
Free Weapons for Developers
Key Material Protection: AndroidKeyStore
● Asymmetric and Symmetric Keys (API 23+)
● Secure Container with Hardware Backend
Secure Communication: Network Security Configuration
● Network security settings (certificate pinning, trusted CA, ...) customized with a safe and declarative configuration file
Increasing Android app security for free
Detecting Tampered Device

Detecting Tampered Device
Checking Device Compatibility
https://developer.android.com/training/safetynet/index.html

Detecting Tampered Device
Access Google API
https://developers.google.com/android/guides/api-client
● Add the SafetyNet service dependency in build.gradle
● Create an instance of Google API Client

Detecting Tampered Device
Send Compatibility Check Request
● Generate a random one-time nonce to defeat replay attacks
● Send the request
● Handle the AttestationResult

Detecting Tampered Device
Attestation Result
● Formatted in JSON Web Signature format: JWS Header . JWS Payload . JWS Signature
  ○ RS256 (RSA with SHA-256) signed JSON
● The payload reports:
  ○ Device passed Compatibility Test Suite
  ○ Device integrity status: true = OK, false = TAMPERED

Detecting Tampered Device
Validate Compatibility Check Response
● Google provides the Android Device Verification API for validating the response
Request:
POST "https://www.googleapis.com/androidcheck/v1/attestations/verify?key="
{ "signedAttestation": <JWS: header.payload.signature> }
Response:
{ "isValidSignature": true }
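The backend half of the flow on these slides (issue a nonce, receive the JWS, send it to the verify endpoint, then check the payload) as an added example; this is not code from the slides or from Google. It assumes the backend issued the nonce and knows its own package name; the field names nonce, timestampMs, apkPackageName, basicIntegrity and ctsProfileMatch are those of the SafetyNet attestation payload, MAX_AGE_MS is an assumed policy value, and make_test_jws builds a constructed, unsigned sample only so the checks can be exercised offline.

```python
"""Backend-side validation of a SafetyNet attestation result (added example)."""
import base64
import hmac
import json
import secrets
import time

# Endpoint shown on the slide (Android Device Verification API).
VERIFY_URL = "https://www.googleapis.com/androidcheck/v1/attestations/verify?key="
# Maximum accepted attestation age in milliseconds (assumed policy value).
MAX_AGE_MS = 2 * 60 * 1000


def issue_nonce() -> str:
    """Random one-time nonce the backend hands to the app and remembers per session."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWS segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jws(jws: str):
    """Compact JWS -> (header dict, payload dict, raw signature bytes)."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return (json.loads(b64url_decode(parts[0])),
            json.loads(b64url_decode(parts[1])),
            b64url_decode(parts[2]))


def build_verify_request(jws: str, api_key: str):
    """(URL, JSON body) for Google's verify endpoint, as on the slide.
    {"isValidSignature": true} only proves Google signed the JWS; the payload
    checks in check_attestation() remain the backend's job."""
    return VERIFY_URL + api_key, json.dumps({"signedAttestation": jws})


def check_attestation(jws: str, expected_nonce: str, expected_package: str,
                      now_ms=None):
    """Return (ok, reasons). Run only after the signature has been verified.
    Deciding here rather than in the app is what defeats the hooked
    isDeviceTampered() on the slides: the attacker controls the device, not
    the backend."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    header, payload, _sig = split_jws(jws)
    reasons = []
    if header.get("alg") != "RS256":
        reasons.append("unexpected alg")
    # Constant-time compare; the nonce binds this result to our own request.
    if not hmac.compare_digest(str(payload.get("nonce", "")), expected_nonce):
        reasons.append("nonce mismatch (replay or foreign attestation)")
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > MAX_AGE_MS:
        reasons.append("stale or future timestamp")
    if payload.get("apkPackageName") != expected_package:
        reasons.append("attestation is for another package")
    if payload.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity false: device tampered")
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch false: device not CTS compatible")
    return not reasons, reasons


def make_test_jws(payload: dict) -> str:
    """JWS-shaped string with a dummy signature (constructed for the demo only).
    A real one comes from Google and must pass signature verification first."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = enc(json.dumps({"alg": "RS256", "x5c": []}).encode())
    return ".".join([header, enc(json.dumps(payload).encode()), enc(b"\x00" * 8)])


if __name__ == "__main__":
    nonce = issue_nonce()
    sample = make_test_jws({"nonce": nonce, "timestampMs": int(time.time() * 1000),
                            "apkPackageName": "com.example.app",
                            "basicIntegrity": True, "ctsProfileMatch": True})
    print(check_attestation(sample, nonce, "com.example.app"))
```

The order matters: signature first (the verify endpoint, or a local check of the x5c chain against attest.android.com), then nonce, then freshness and package, and only then the two integrity booleans. A result that the app forwards with a valid signature but someone else's nonce is a replay, not proof about this device.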
Increasing Android app security for free
Enhancing Network Security

Enhancing Network Security
MITM attack
● MITM attack:
  ○ A well-known technique in which an attacker sets up a proxy to intercept traffic between your application and the backend servers
● How:
  ○ ARP poisoning
  ○ DNS poisoning
  ○ Rogue proxy
  ○ etc.

Enhancing Network Security
MITM with HTTP or HTTPS
● HTTP and HTTPS:
  ○ HTTP: all data is sent in the clear
  ○ HTTPS: all data is sent encrypted (Digital Certificates and Session Keys)
● MITM attack on HTTP: easier
● MITM attack on HTTPS: harder
  ○ Not impossible

Enhancing Network Security
How SSL works

Enhancing Network Security
Digital certificate (Network Security Configuration)
● Most important fields:
  ○ Common name
  ○ Issuer name
  ○ Not Valid Before
  ○ Not Valid After
  ○ Public Key
  ○ Signature
Remember the “Public Key Info” section

Enhancing Network Security
HTTPS key security points
● Using HTTPS is not enough to mitigate some of the risks of MITM attacks
  ○ But in almost all cases using it should be mandatory
● To be more secure it is important to:
  ○ Check the common name of the server digital certificate
  ○ Verify the issuer of the server digital certificate
  ○ Trust the issuer of the server digital certificate
● In recent years it has become usual to:
  ○ Check the server public key (certificate pinning, sometimes called SSL pinning)
  ○ This technique needs more code to implement
Android Nougat offers new features that make these HTTPS checks easy to perform
Enhancing Network Security
Network Security Configuration
● Uses a declarative configuration file to:
  ○ Enforce HTTPS for the specified domains used by your application
  ○ Use certificate pinning
  ○ Trust only a specific Certification Authority, or use a specific self-signed certificate
  ○ Debug secure connections without modifying code
● What you need: reference the configuration file from AndroidManifest.xml

Enhancing Network Security
Configuration file format
● Contains all the network configuration:
  ○ Default configuration for all connections
  ○ Configurations for one or more domains
  ○ Configurations valid only for debug purposes

Enhancing Network Security
Enforce HTTPS
● Once HTTPS is enforced you get an error when trying to connect using HTTP
● HTTP connection error: “Cleartext HTTP traffic to android-developers.blogspot.it not permitted”

Enhancing Network Security
Digital Certificate with custom CA
● Use your own CA to verify your certificate
● Enforce HTTPS for the domain codemotion.milan.2016
● Use the cacert certificate to verify the server certificate
● If cacert is not used the app gets an error

Enhancing Network Security
Certificate pinning
● Force your application to use a specific public key
● In previous Android versions you had to write boring code to implement certificate pinning
● Now you only need to calculate the SHA-256 of the Public Key Info of the X509 digital certificate
● PinDigest = base64(sha256(Public Key Info))

Enhancing Network Security
Certificate pinning
● If the server public key is different the application gets an error
● Add the PinDigest with an expiration date

Enhancing Network Security
Safe debug
● In our assessments it is horrible to find that all SSL checks have been turned off to work around problems in the development environment
● Now it is possible to add a debug configuration without modifying a single line of code
● When you build in “release mode” the debug configuration is not considered

Enhancing Network Security
Other options
● You can define a base configuration for all connections
● You can insert more than one PinDigest
● You can define which CA store will be used to verify certificates:
  ○ User
  ○ System
● You can use a self-signed certificate
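The "Certificate pinning", "Safe debug" and "Other options" slides together, as an added example that is not code from the slides: it computes the PinDigest exactly as Android does (base64 of the SHA-256 of the certificate's DER SubjectPublicKeyInfo, i.e. the "Public Key Info" section, not the whole certificate) with a minimal standard-library DER walker, then renders a Network Security Configuration with enforced HTTPS, a pin-set with expiration, the system CA store and an optional debug-overrides block. The domain codemotion.milan.2016 and the expiration date are taken from the slides; the sample certificate is constructed and is not a valid signed certificate, and the openssl one-liner in the docstring is the equivalent workstation command.

```python
"""Pin digest computation and Network Security Configuration generation (added example).

Equivalent openssl pipeline for a real certificate:
  openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary | base64
"""
import base64
import hashlib


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: count of length bytes follows
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Split a SEQUENCE body into its element TLVs (raw bytes incl. tag and length)."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        _tag, _val, pos = der_read(value, pos)
        out.append(value[start:pos])
    return out


def spki_from_der_cert(cert_der: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _tag, cert_body, _ = der_read(cert_der)
    _tag, tbs_body, _ = der_read(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:               # EXPLICIT [0] version, absent in v1 certs
        fields = fields[1:]
    return fields[5]                       # serial, sigalg, issuer, validity, subject, SPKI


def spki_pin(spki_der: bytes) -> str:
    """PinDigest = base64(sha256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_digest(cert_der: bytes) -> str:
    """The value that goes into <pin digest="SHA-256">."""
    return spki_pin(spki_from_der_cert(cert_der))


def network_security_config(domain, pins, expiration, debug_ca_resource=None):
    """Render the XML referenced from AndroidManifest.xml. Give at least two pins
    (current + backup) so a key rotation does not lock every user out."""
    pin_xml = "\n".join(f'            <pin digest="SHA-256">{p}</pin>' for p in pins)
    debug_xml = ""
    if debug_ca_resource:    # honoured only in debuggable builds, ignored in release
        debug_xml = ("\n    <debug-overrides>\n        <trust-anchors>\n"
                     f'            <certificates src="{debug_ca_resource}"/>\n'
                     "        </trust-anchors>\n    </debug-overrides>")
    return f"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">{domain}</domain>
        <pin-set expiration="{expiration}">
{pin_xml}
        </pin-set>
    </domain-config>{debug_xml}
</network-security-config>
"""


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one TLV (used only to build the constructed sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert(spki_der: bytes) -> bytes:
    """Certificate-shaped DER (constructed sample, not a real or valid certificate)
    with the given SPKI where a real v3 certificate puts it."""
    def seq(*kids):
        return der_tlv(0x30, b"".join(kids))
    sha256_rsa = seq(der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"), sha256_rsa,
              seq(), seq(der_tlv(0x17, b"161125000000Z"), der_tlv(0x17, b"171125000000Z")),
              seq(), spki_der)
    return seq(tbs, sha256_rsa, der_tlv(0x03, b"\x00" * 17))


# Constructed sample SPKI: rsaEncryption OID + NULL, then a dummy 256-byte key bit string
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))
                                    + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + b"\x01" * 256))
SAMPLE_CERT = constructed_cert(SAMPLE_SPKI)

if __name__ == "__main__":
    pin = pin_digest(SAMPLE_CERT)
    print(network_security_config("codemotion.milan.2016", [pin], "2018-01-01", "@raw/debug_cas"))
```

Because the pin covers only the SubjectPublicKeyInfo, a certificate renewed with the same key pair keeps the same PinDigest; a new key pair needs a new pin, which is why the backup pin and the expiration date belong in the pin-set from the start.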
Increasing Android app security for free
Key Management Evolution

Key Management Evolution
AndroidKeyStore Provider
● Android KeyStore Provider introduced with API level 18
  ○ Based on the Android Keystore System to store cryptographic keys
● Until API level 22: only asymmetric keys
  ○ For info: https://speakerdeck.com/mseclab/android-key-management
● With API level 23+: also symmetric keys
API 18-22: Asymmetric; API 23+: Asymmetric + Symmetric

Key Management Evolution
Generating Symmetric Key

Key Management Evolution
Fingerprint Authentication

Key Management Evolution
AndroidKeyStore Security Features
● Prevents extraction of the key material from the application process
● Prevents extraction of the key material from the Android device
● Key material never enters the application process:
  ○ App cryptographic operations are performed by a system process
● Key material may be bound to secure hardware:
  ○ Trusted Execution Environment (TEE)
  ○ Secure Element
● More and more processors are equipped with a TEE:
  ○ Snapdragon 808 (Nexus 5X), Snapdragon 810 (Nexus 6P), Snapdragon 820 (Galaxy S7), etc.
Increasing Android app security for free
The Bill

The Bill
How much does it cost?
● Detecting Tampered Device: Free
● Enhancing Network Security: Free
● Key Management Evolution: Free
Total = Free :)

Web: www.mseclab.com
www.consulkthink.it
Mail: research@mseclab.com
Phone: +39-06-4549 2416
Fax: +39-06-4549 2454
Thank you for your attention

Increasing Android app security for free - Roberto Gassirà, Roberto Piccirillo - Codemotion Milan 2016

  • 14. Mobile Threats for Developers, Free Weapons for Developers: Tampered Device Detection
    SafetyNet API
    ● Allows an app to analyze the device where it is installed
    ● Check if the device has passed the Compatibility Test Suite (CTS)
    ● Check the integrity of the device (Rooted? Hooked? Infected?)
    ● Provided by Google Play Services
  • 15. Mobile Threats for Developers, Free Weapons for Developers: Key Material Protection and Secure Communication
    AndroidKeyStore
    ● Asymmetric and Symmetric Keys (API 23+)
    ● Secure Container with Hardware Backend
    Network Security Configuration
    ● Network security settings (certificate pinning, trusted CA, ...) customized with a safe and declarative configuration file
  • 16. Increasing Android app security for free: Detecting Tampered Device
  • 18. Detecting Tampered Device: Access Google API SafetyNet service
    ○ build.gradle
    ○ Create an instance of Google API Client
    https://developers.google.com/android/guides/api-client
  • 19. Detecting Tampered Device: Send Compatibility Check Request
    ○ Generate a random one-time nonce to defeat replay attacks
    ○ Send the request
    ○ AttestationResult
  • 20. Detecting Tampered Device: Attestation Result
    ● Formatted in JSON Web Signature format
      ○ RS256-signed JSON (RSA with SHA-256)
    JWS Header . JWS Payload . JWS Signature
    Payload flags: "Device passed Compatibility Test Suite" and "Device integrity status" (true: OK, false: TAMPERED)
  • 21. Detecting Tampered Device: Validate Compatibility Check Response
    ● Google provides the Android Device Verification API for validating the response
    POST "https://www.googleapis.com/androidcheck/v1/attestations/verify?key="
    Request body: { "signedAttestation": <JWS Header . JWS Payload . JWS Signature> }
    Response: { "isValidSignature": true }
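Slides 19 to 21 describe the nonce, the JWS attestation and its validation. The Python backend code below is an added example, not code from the talk or from Google. It assumes the backend issues the nonce, that the app forwards the JWS it received, and that signature and certificate-chain verification is done through the verify endpoint on the slide (its isValidSignature answer is passed in as signature_valid). EXPECTED_PACKAGE and the sample payload are constructed placeholders; the field names nonce, timestampMs, apkPackageName, ctsProfileMatch and basicIntegrity are the real SafetyNet attestation fields.

```python
"""Backend checks on a SafetyNet attestation (added example, not from the slides).

Assumed flow: the backend issues the nonce, the app passes it to SafetyNet and
forwards the resulting JWS to the backend. Signature and certificate-chain
verification is delegated to the Android Device Verification API shown on the
slide; the checks below are the ones that endpoint does NOT perform for you.
Names such as EXPECTED_PACKAGE are constructed placeholders.
"""
import base64
import json
import os
import time

NONCE_TTL_SEC = 120                    # an issued nonce must be used within 2 minutes
ISSUED_NONCES = {}                     # nonce -> issue time (use a shared cache in production)
EXPECTED_PACKAGE = "com.example.app"   # constructed placeholder package name


def issue_nonce(now=None) -> str:
    """Hand out a random one-time nonce; the app feeds it to SafetyNet."""
    nonce = base64.b64encode(os.urandom(32)).decode()
    ISSUED_NONCES[nonce] = time.time() if now is None else now
    return nonce


def _b64url_decode(part: str) -> bytes:
    """JWS parts are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def parse_jws(jws: str):
    """Split a compact JWS into (header dict, payload dict, raw signature bytes)."""
    header_b64, payload_b64, sig_b64 = jws.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)),
            _b64url_decode(sig_b64))


def verify_request_body(jws: str) -> dict:
    """Body of the POST .../androidcheck/v1/attestations/verify call on the slide."""
    return {"signedAttestation": jws}


def evaluate_attestation(jws: str, signature_valid: bool, now=None) -> list:
    """Return the list of policy failures; an empty list means 'device trusted'.

    signature_valid is the isValidSignature answer from the verify endpoint
    (or from a local JWS/X.509 check); nothing below is meaningful without it.
    """
    now = time.time() if now is None else now
    if not signature_valid:
        return ["signature: JWS signature or certificate chain not verified"]
    failures = []
    header, payload, _ = parse_jws(jws)
    if header.get("alg") != "RS256":
        failures.append("alg: unexpected JWS algorithm %r" % header.get("alg"))
    # Nonce binding: pop() makes every nonce single-use, which defeats replay.
    issued = ISSUED_NONCES.pop(payload.get("nonce"), None)
    if issued is None:
        failures.append("nonce: unknown or already used")
    elif now - issued > NONCE_TTL_SEC:
        failures.append("nonce: expired")
    # Freshness: SafetyNet stamps the attestation in milliseconds.
    if abs(now - payload.get("timestampMs", 0) / 1000.0) > NONCE_TTL_SEC:
        failures.append("timestampMs: attestation too old or from the future")
    # Identity: the attestation must be about our APK, not another app's.
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        failures.append("apkPackageName: attestation is for another app")
    # The two integrity flags from slide 20 (CTS profile match, basic integrity).
    if payload.get("ctsProfileMatch") is not True:
        failures.append("ctsProfileMatch: device did not pass CTS")
    if payload.get("basicIntegrity") is not True:
        failures.append("basicIntegrity: device tampered")
    return failures


def build_fake_jws(payload: dict) -> str:
    """Constructed test input: a JWS with the SafetyNet payload layout and a
    dummy signature, so the policy logic can be exercised offline."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = json.dumps({"alg": "RS256", "x5c": []}).encode()
    return ".".join([enc(header), enc(json.dumps(payload).encode()), enc(b"dummy")])


if __name__ == "__main__":
    now = time.time()
    nonce = issue_nonce(now)
    att = build_fake_jws({"nonce": nonce, "timestampMs": int(now * 1000),
                          "apkPackageName": EXPECTED_PACKAGE,
                          "ctsProfileMatch": True, "basicIntegrity": True})
    print(evaluate_attestation(att, signature_valid=True, now=now))  # [] means trusted
    print(evaluate_attestation(att, signature_valid=True, now=now))  # second use: replayed nonce
```

The point the slide leaves implicit: isValidSignature only proves that Google signed the blob. Without the nonce check an attestation captured from a clean device can be replayed, without the timestamp check an old one can be reused, and without the package check an attestation obtained by another app would be accepted; the verify endpoint checks none of these.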
  • 22. Increasing Android app security for free: Enhancing Network Security
  • 23. Enhancing Network Security: MITM attack
    ● MITM attack:
      ○ A well-known technique used by an attacker to set up a proxy that intercepts traffic between your application and backend servers
    ● How:
      ○ ARP poisoning
      ○ DNS poisoning
      ○ Rogue proxy
      ○ etc.
  • 24. Enhancing Network Security: MITM with HTTP or HTTPS
    ● HTTP and HTTPS:
      ○ HTTP: all data sent is in clear
      ○ HTTPS: all data sent is encrypted (Digital Certificates and Session Keys)
    ● Implementing a MITM attack on HTTP (easier)
    ● Implementing a MITM attack on HTTPS (harder)
      ○ Not impossible
  • 26. Network Security Configuration: Digital certificate
    ● Most important fields:
      ○ Common name
      ○ Issuer name
      ○ Not Valid Before
      ○ Not Valid After
      ○ Public Key
      ○ Signature
    Remember the "Public Key Info" section
  • 27. Enhancing Network Security: HTTPS key security points
    ● Using HTTPS is not enough to mitigate some risks due to MITM attacks
      ○ But in almost all cases using it should be mandatory
    ● To be more secure it is important to:
      ○ Check the common name of the server digital certificate
      ○ Verify the issuer of the server digital certificate
      ○ Trust the issuer of the server digital certificate
    ● In the last years it has become usual to:
      ○ Check the server public key (certificate pinning, sometimes called SSL pinning)
      ○ More code is needed to implement this technique
    Android Nougat offers new features to perform these checks easily and make HTTPS more secure
  • 28. Enhancing Network Security: Network Security Configuration
    ● Uses a declarative configuration file to:
      ○ Enforce HTTPS for specified domains used by your application
      ○ Use certificate pinning
      ○ Trust only a specific Certification Authority or use a specific self-signed certificate
      ○ Debug secure connections without modifying code
    ● What you need: AndroidManifest.xml
  • 29. Enhancing Network Security: Configuration file format
    ○ Contains all Network Configuration
    ○ Default configuration for all connections
    ○ Configurations for one or more domains
    ○ Configurations valid only for debug purposes
  • 30. Enhancing Network Security: Enforce HTTPS
    ● You get an error when trying to connect using HTTP
    HTTP Connection Error: "Cleartext HTTP traffic to android-developers.blogspot.it not permitted"
  • 31. Enhancing Network Security: Digital Certificate with custom CA
    ● Use your CA to verify your certificate
      ○ Enforce HTTPS for the domain codemotion.milan.2016
      ○ Use the cacert certificate to verify the server certificate
    ● If cacert is not used the app gets an error
  • 32. Enhancing Network Security: Certificate pinning
    ● Force your application to use a specific public key
    ● In previous Android versions you had to write boring code to implement certificate pinning
    ● Now you need to calculate the sha256 of the Public Key Info of the X509 digital certificate
    Public Key Info -> sha256 -> base64 -> PinDigest
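The slide reduces pinning to "sha256 of the Public Key Info, then base64". The Python below is an added example, not code from the talk, that does exactly that from a DER-encoded certificate without any crypto library: a small DER walker locates the subjectPublicKeyInfo element, hashes its bytes and base64-encodes the digest. SAMPLE_CERT and SAMPLE_SPKI are constructed, structurally valid DER with dummy contents (not a real certificate); der_tlv exists only to build them.

```python
"""Compute the PinDigest for <pin digest="SHA-256"> from a DER certificate
(added example, not from the slides). The pin is base64(SHA-256(DER bytes of
subjectPublicKeyInfo)), i.e. the "Public Key Info" section the slides point
at, not a hash of the whole certificate. No crypto library is needed: a small
DER walker locates the SPKI. SAMPLE_CERT is a constructed, structurally valid
certificate with dummy contents (it is not a real or usable certificate).
"""
import base64
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate -> subjectPublicKeyInfo; return its full DER."""
    _, tbs_pos, _ = _read_tlv(cert_der, 0)             # outer Certificate SEQUENCE
    _, pos, tbs_end = _read_tlv(cert_der, tbs_pos)      # TBSCertificate SEQUENCE
    # TBSCertificate fields: [0] version (optional), serialNumber, signature,
    # issuer, validity, subject, subjectPublicKeyInfo, ...
    field = 0
    while pos < tbs_end:
        tag, _, value_end = _read_tlv(cert_der, pos)
        if field == 0 and tag == 0xA0:                  # explicit [0] version: skip, not counted
            pos = value_end
            continue
        if field == 5:                                  # sixth mandatory field is the SPKI
            return cert_der[pos:value_end]
        field, pos = field + 1, value_end
    raise ValueError("subjectPublicKeyInfo not found")


def pin_digest(cert_der: bytes) -> str:
    """The value to put in <pin digest="SHA-256">...</pin>."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def der_tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample (lengths < 65536)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


RSA_OID = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
SHA256_RSA_OID = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
# Constructed SPKI: AlgorithmIdentifier{rsaEncryption, NULL} + BIT STRING with dummy key bytes.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, RSA_OID + der_tlv(0x05, b""))
                      + der_tlv(0x03, b"\x00" + b"\xab" * 140))
SAMPLE_CERT = der_tlv(0x30,                                       # Certificate
    der_tlv(0x30,                                                 # TBSCertificate
        der_tlv(0xA0, der_tlv(0x02, b"\x02"))                     # [0] version = v3
        + der_tlv(0x02, b"\x01")                                  # serialNumber
        + der_tlv(0x30, SHA256_RSA_OID)                           # signature algorithm
        + der_tlv(0x30, b"") + der_tlv(0x30, b"") + der_tlv(0x30, b"")  # issuer, validity, subject (dummy)
        + SAMPLE_SPKI)
    + der_tlv(0x30, SHA256_RSA_OID) + der_tlv(0x03, b"\x00"))    # signatureAlgorithm, signatureValue (dummy)


if __name__ == "__main__":
    print(pin_digest(SAMPLE_CERT))
```

Because the hash covers only the public key, the pin stays valid when the certificate is re-issued for the same key (the test below checks that a v1 certificate without the version field yields the same pin) and changes only when the key changes. On the command line the usual equivalent is `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`.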
  • 33. Enhancing Network Security: Certificate pinning
    ● If the server public key is different the application gets an error
    ● Add PinDigest with an expiration date
  • 34. Enhancing Network Security: Safe debug
    ● In our analyses it is horrible to find out that all SSL checks are off to overcome problems in the development environment
    ● Now it is possible to add a debug configuration without modifying any line of code
    ● When you build in "release mode" the debug configuration is not considered
  • 35. Enhancing Network Security: Other options
    ● You could define a base configuration for all connections
    ● You could insert more than one PinDigest
    ● You could define which CA store will be used to verify certificates:
      ○ User
      ○ System
    ● You could use a self-signed certificate
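Slides 28 to 35 list what the configuration file can express: enforcing HTTPS, a custom CA, pins with an expiration date, user versus system CA store, and debug-only settings. The Python below is an added example, not the talk's or Google's code: a small review script that parses a network_security_config.xml and reports the weak settings those slides warn about, run over a constructed weak configuration and its hardened counterpart. Element and attribute names (network-security-config, base-config, domain-config, domain, trust-anchors, certificates, pin-set, pin, debug-overrides) are the real ones; api.example.com and the pin values are placeholders. The file is wired up in AndroidManifest.xml through android:networkSecurityConfig="@xml/network_security_config".

```python
"""Review a network_security_config.xml for weak settings (added example,
not the talk's code). WEAK_CONFIG and HARDENED_CONFIG are constructed samples;
the domain and pin values are placeholders, the element names are real."""
import xml.etree.ElementTree as ET

# Constructed "before": the shape we find in apps made to work through a debugging proxy.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set>
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

# Constructed "after": HTTPS enforced, own CA, two pins with expiration, user CAs only in debug builds.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors>
      <certificates src="@raw/cacert" />
    </trust-anchors>
    <pin-set expiration="2017-11-25">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""


def _cleartext_attr(elem):
    """True/False when cleartextTrafficPermitted is set on elem, None when inherited."""
    value = elem.get("cleartextTrafficPermitted")
    return None if value is None else value.lower() == "true"


def review_config(xml_text: str, today: str) -> list:
    """Return findings as strings (empty list: nothing weak found). today is an
    ISO date, YYYY-MM-DD, used to judge <pin-set expiration>."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    base_cleartext = _cleartext_attr(base) if base is not None else None
    if base_cleartext is None:
        findings.append("base-config: cleartextTrafficPermitted unset, platform default "
                        "applies (cleartext allowed on Android 7 and 8)")
    for cfg in ([base] if base is not None else []) + root.findall("domain-config"):
        if cfg.tag == "base-config":
            scope, cleartext = "base-config", base_cleartext
        else:
            scope = "domain-config " + ", ".join(d.text.strip() for d in cfg.findall("domain"))
            own = _cleartext_attr(cfg)
            cleartext = base_cleartext if own is None else own   # domain inherits from base
        if cleartext:
            findings.append(f"{scope}: cleartext HTTP permitted")
        # Slide 35: the CA store can be user or system. User CAs in a release
        # config mean any certificate installed on the device can intercept traffic.
        for cert in cfg.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{scope}: user-installed CAs trusted outside debug-overrides")
        for pin_set in cfg.findall("pin-set"):
            count = len(pin_set.findall("pin"))
            if count < 2:
                findings.append(f"{scope}: {count} pin only, no backup pin for key rotation")
            expiration = pin_set.get("expiration")
            if expiration is None:
                findings.append(f"{scope}: pin-set has no expiration date (slide 33)")
            elif expiration < today:
                findings.append(f"{scope}: pin-set expired on {expiration}, "
                                "pinning no longer enforced")
    return findings
```

The expiration check is the one worth remembering: once the date in <pin-set expiration> passes, Android stops enforcing the pins without any error, so the same script run in CI with today's date catches a pin set that has silently turned itself off. Settings under debug-overrides are deliberately not reported, because they only apply to debuggable builds, which is exactly what slide 34 recommends.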
  • 36. Increasing Android app security for free: Key Management Evolution
  • 37. Key Management Evolution: AndroidKeyStore Provider
    ● Android KeyStore Provider introduced with API level 18
      ○ Based on the Android Keystore System to store cryptographic keys
    ● Until API level 22 only asymmetric keys
      ○ For info: https://speakerdeck.com/mseclab/android-key-management
    ● With API level 23+ also symmetric keys
    Asymmetric -> Asymmetric + Symmetric
  • 40. Key Management Evolution: AndroidKeyStore Security Features
    ● Preventing extraction of the key material from the application process
    ● Preventing extraction of the key material from the Android device
    ● Key material never enters the application process:
      ○ App cryptographic operations are performed by a system process
    ● Key material may be bound to secure hardware:
      ○ Trusted Execution Environment (TEE)
      ○ Secure Element
    ● More and more processors are equipped with a TEE:
      ○ Snapdragon 808 (Nexus 5X), Snapdragon 810 (Nexus 6P), Snapdragon 820 (Galaxy S7), etc.
  • 41. Increasing Android app security for free: The Bill
  • 42. The Bill: How much does it cost?
    ● Detecting Tampered Device: Free
    ● Enhancing Network Security: Free
    ● Key Management Evolution: Free
    Total = Free :)