Secure development of Android apps sometimes requires the use of third-party libraries and external frameworks, which are often expensive or hard to update quickly when vulnerable. The Android SDK and Google Play Services provide security features and services that allow a developer to take advantage of security enhancements in order to increase the security level of an application. Starting from real, common threats, the talk shows how some of these features can be used in the different versions of Android, up to the newest one, Nougat, to mitigate security risks that could afflict a mobile application.
Slide 2
Increasing Android app security for free
Who we are
● Roberto Gassirà (@robgas, r.gassira@mseclab.com)
● Roberto Piccirillo (@robpicone, r.piccirillo@mseclab.com)
● Senior Security Analysts at Mobile Security Lab
○ Vulnerability Assessment (IT, Mobile Application)
○ Android Secure Development
Slide 11
Mobile Threats for Developers
Attacker
● Advanced Device Owner
○ Removes bloatware/customization
● Mobile Cybercriminal
○ Application analysis
● Potentially Harmful Applications
○ Steal info/money
Slide 12
Mobile Threats for Developers
Malware Infection
Apps from “Unknown sources”
Apps from “Unknown sites”
Slide 13
Mobile Threats for Developers
Google Security Services for Android
From "Android Security 2015 Year in Review", April 2016
Slide 14
Mobile Threats for Developers
Tampered Device Detection
Free Weapons for Developers
SafetyNet API
● Allows an app to analyze the device on which it is installed
● Checks whether the device has passed the Compatibility Test Suite (CTS)
○ Checks the integrity of the device (Rooted? Hooked? Infected?)
● Provided by Google Play Services
Slide 15
Mobile Threats for Developers
Key Material Protection
Free Weapons for Developers
AndroidKeyStore
● Asymmetric and symmetric keys (API 23+)
● Secure container with hardware backend
Secure Communication
Network Security Configuration
● Network security settings (certificate pinning, trusted CAs, ...) customized with a safe and declarative configuration file
Slide 19
Detecting Tampered Device
Send Compatibility Check Request
● Generate a random one-time nonce to defeat replay attacks
● Send the request
● Receive the AttestationResult
Slide 20
Detecting Tampered Device
Attestation Result
● Formatted in JSON Web Signature (JWS) format
○ RS256-signed JSON: JWS Header, JWS Payload, JWS Signature
● The payload states whether the device passed the Compatibility Test Suite (device integrity status):
○ true: OK
○ false: TAMPERED
Slide 21
Detecting Tampered Device
Validate Compatibility Check Response
● Google provides the Android Device Verification API for validating the response
● Send the whole JWS (header, payload and signature) in the signedAttestation field:
POST "https://www.googleapis.com/androidcheck/v1/attestations/verify?key="
{ "signedAttestation": }
● Response:
{ "isValidSignature": true }
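What a backend should do with the AttestationResult, as an added example that is not code from the talk: it parses the JWS, ties the verdict to the nonce it issued, checks freshness and package name, and accepts ctsProfileMatch only once the signature has been verified out of band (for instance through the Android Device Verification API response above). The JWS is constructed here with a placeholder signature; the field names (nonce, timestampMs, apkPackageName, ctsProfileMatch) are those of the SafetyNet attestation payload, while MAX_AGE_MS and the function names are assumptions of this example.

```python
import base64
import hmac
import json
import secrets
import time

# Added example: backend-side checks on a SafetyNet attestation result.
# The signature is NOT verified here; the caller passes signature_valid after
# checking it (e.g. Android Device Verification API -> "isValidSignature").
MAX_AGE_MS = 60_000  # assumed freshness window; older results are treated as replays


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_nonce() -> str:
    """Random one-time nonce the backend hands to the app for its attest call."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def parse_jws(jws: str):
    """Split a compact JWS into (header, payload, signature) without verifying it."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def check_attestation(jws, expected_nonce, expected_package, signature_valid, now_ms=None):
    """Return (accepted, reasons); every failed check is reported, not only the first."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    try:
        header, payload, _sig = parse_jws(jws)
    except ValueError:  # bad base64url or bad JSON
        return False, ["malformed JWS"]
    reasons = []
    if not signature_valid:
        reasons.append("signature not verified")
    if header.get("alg") != "RS256":
        reasons.append("unexpected alg %r" % header.get("alg"))
    got_nonce = str(payload.get("nonce", "")).encode("utf-8")
    if not hmac.compare_digest(got_nonce, expected_nonce.encode("utf-8")):
        reasons.append("nonce mismatch (replay or wrong session)")
    if payload.get("apkPackageName") != expected_package:
        reasons.append("attestation is for another package")
    ts = payload.get("timestampMs", 0)
    if not isinstance(ts, int) or not (0 <= now_ms - ts <= MAX_AGE_MS):
        reasons.append("stale or future timestamp")
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch false: device TAMPERED")
    return not reasons, reasons


def make_sample_jws(payload: dict) -> str:
    """Constructed attestation with a placeholder signature (demo input only)."""
    header = {"alg": "RS256"}
    sig = b"\x00" * 256  # a real result carries Google's RSA signature here
    enc = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    return ".".join(enc) + "." + b64url_encode(sig)


if __name__ == "__main__":
    nonce = issue_nonce()
    sample = make_sample_jws({"nonce": nonce, "timestampMs": int(time.time() * 1000),
                              "apkPackageName": "com.example.app", "ctsProfileMatch": True})
    print(check_attestation(sample, nonce, "com.example.app", signature_valid=True))
```

Every check is evaluated so that the log explains why a result was rejected; the nonce comparison is constant-time, and a result whose signature has not been verified is rejected even when its payload looks fine, because an unverified JWS is attacker-controlled input.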
Slide 23
Enhancing Network Security
MITM attack
● MITM attack: a well-known technique in which an attacker sets up a proxy to intercept traffic between your application and backend servers
● How:
○ ARP poisoning
○ DNS poisoning
○ Rogue proxy
○ etc.
Slide 24
Enhancing Network Security
MITM with HTTP or HTTPS
● HTTP and HTTPS:
○ HTTP: all data is sent in clear
○ HTTPS: all data is sent encrypted (digital certificates and session keys)
● Implementing a MITM attack on HTTP is easier
● Implementing a MITM attack on HTTPS is harder
○ Not impossible
Slide 26
Network Security Configuration
Digital certificate
● Most important fields:
○ Common Name
○ Issuer Name
○ Not Valid Before
○ Not Valid After
○ Public Key
○ Signature
Remember the "Public Key Info" section
Slide 27
Enhancing Network Security
HTTPS key security points
● Using HTTPS is not enough to mitigate some risks due to MITM attacks
○ But in almost all cases its use should be mandatory
● To be more secure it is important to:
○ Check the common name of the server's digital certificate
○ Verify the issuer of the server's digital certificate
○ Trust the issuer of the server's digital certificate
● In recent years it has become usual to:
○ Check the server public key (certificate pinning, sometimes called SSL pinning)
○ This technique requires more code to implement
Android Nougat offers new features to perform these checks easily and make HTTPS more secure
Slide 28
Enhancing Network Security
Network Security Configuration
● Uses a declarative configuration file to:
○ Enforce HTTPS for the specified domains used in your application
○ Use certificate pinning
○ Trust only specific Certification Authorities, or use a specific self-signed certificate
○ Debug secure connections without modifying code
● What you need: AndroidManifest.xml (the configuration file is referenced from the manifest)
Slide 29
Enhancing Network Security
Configuration file format
● Contains all the network configuration
● Default configuration for all connections
● Configurations for one or more domains
● Configurations valid only for debug purposes
Slide 30
Enhancing Network Security
Enforce HTTPS
● You get an error when trying to connect using HTTP
● HTTP connection error: "Cleartext HTTP traffic to android-developers.blogspot.it not permitted"
Slide 31
Enhancing Network Security
Digital certificate with custom CA
● Use your own CA to verify your certificate
● Enforce HTTPS for the domain codemotion.milan.2016
● Use the cacert certificate to verify the server certificate
● If cacert is not used, the app gets an error
Slide 32
Enhancing Network Security
Certificate pinning
● Force your application to accept only a specific public key
● In previous Android versions you had to write boring code to implement certificate pinning
● Now you only need to calculate the SHA-256 of the Public Key Info of the X.509 digital certificate
● PinDigest = base64(sha256(Public Key Info))
Slide 33
Enhancing Network Security
Certificate pinning
● If the server public key is different, the application gets an error
● Add the PinDigest with an expiration date
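How the PinDigest of slides 32 and 33 is derived, as an added example that is not code from the talk: the pin is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)), so the code walks the X.509 DER structure (RFC 5280 field order) down to the SubjectPublicKeyInfo and hashes exactly those bytes. The certificate it runs on is constructed in memory around a fake SPKI (not a real CA-issued certificate, and the key bits are not a real RSA key); der_encode, der_children, extract_spki and spki_pin are names assumed by this example, not Android or OpenSSL APIs.

```python
import base64
import hashlib

# Added example: compute the Network Security Configuration pin for a certificate.
# Minimal DER reader/writer; enough for the certificate layout, not a general ASN.1 library.


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when the content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_header(buf: bytes, pos: int):
    """Return (tag, content_length, content_start) of the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def der_children(tlv: bytes) -> list:
    """Return the complete TLV of each element directly inside a SEQUENCE/SET."""
    tag, length, pos = der_header(tlv, 0)
    if tag not in (0x30, 0x31):
        raise ValueError("not a constructed DER element")
    out, end = [], pos + length
    while pos < end:
        _t, l, body = der_header(tlv, pos)
        out.append(tlv[pos:body + l])
        pos = body + l
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    tbs = der_children(cert_der)[0]        # Certificate ::= SEQ { tbsCertificate, sigAlg, sig }
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:               # optional explicit [0] version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5]
    if spki[0] != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(spki_der: bytes) -> str:
    """PinDigest = base64(sha256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_digest(cert_der: bytes) -> str:
    return spki_pin(extract_spki(cert_der))


# Constructed SPKI: rsaEncryption AlgorithmIdentifier + BIT STRING of made-up key bytes.
SAMPLE_SPKI = der_encode(0x30,
    der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der_encode(0x05, b""))
    + der_encode(0x03, b"\x00" + bytes(range(64))))


def constructed_certificate(spki: bytes) -> bytes:
    """Build a structurally valid but unsigned, fake certificate around an SPKI."""
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))                     # [0] INTEGER 2 (v3)
    serial = der_encode(0x02, b"\x01")
    alg = seq(der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))      # sha256WithRSAEncryption
    name = seq(der_encode(0x31, seq(der_encode(0x06, b"\x55\x04\x03"),        # CN=example.test
                                    der_encode(0x0c, b"example.test"))))
    validity = seq(der_encode(0x17, b"160101000000Z"), der_encode(0x17, b"170101000000Z"))
    tbs = seq(version, serial, alg, name, validity, name, spki)
    signature = der_encode(0x03, b"\x00" + b"\x00" * 256)                      # placeholder bits
    return seq(tbs, alg, signature)


if __name__ == "__main__":
    cert = constructed_certificate(SAMPLE_SPKI)
    print('<pin digest="SHA-256">%s</pin>' % pin_digest(cert))
```

On a real server certificate the same value is what the usual OpenSSL pipeline prints: `openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Because the hash covers the public key rather than the whole certificate, a renewed certificate that keeps the same key pair keeps the same pin.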
Slide 34
Enhancing Network Security
Safe debug
● In our analyses it is horrible to find out that all SSL checks are off, to overcome problems in the development environment
● Now it is possible to add a debug configuration without modifying any line of code
● When you build in "release mode" the debug configuration is not considered
Slide 35
Enhancing Network Security
Other options
● You can define a base configuration for all connections
● You can insert more than one PinDigest
● You can define which CA store will be used to verify certificates:
○ User
○ System
● You can use a self-signed certificate
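The options of slides 28 to 35 side by side, as an added example that is not code from the talk or from Google: two constructed network_security_config.xml files, a weak one (cleartext allowed, user-installed CAs trusted in release builds, a single pin with no expiration) and its hardened form (HTTPS enforced, system CAs only, two pins with an expiration date, user CAs only under debug-overrides). The element and attribute names are those of the Android Network Security Configuration; lint_config() is hypothetical tooling written for this example, not an Android API, and the pin values are placeholders derived from constant strings. The file is referenced from AndroidManifest.xml with android:networkSecurityConfig="@xml/network_security_config" on the <application> element.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Placeholder pins constructed for this example (a real pin is base64(sha256(SPKI DER))).
PIN_1 = base64.b64encode(hashlib.sha256(b"constructed-pin-1").digest()).decode()
PIN_2 = base64.b64encode(hashlib.sha256(b"constructed-pin-2").digest()).decode()

# Weak: cleartext on by default, user CAs trusted in release, one pin, no expiration.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set>
            <pin digest="SHA-256">%s</pin>
        </pin-set>
    </domain-config>
</network-security-config>
""" % PIN_1

# Hardened: HTTPS enforced, system CAs only, backup pin, expiration, user CAs only for debug builds.
HARDENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2017-12-31">
            <pin digest="SHA-256">%s</pin>
            <pin digest="SHA-256">%s</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
""" % (PIN_1, PIN_2)


def valid_pin_value(text) -> bool:
    """A pin must be the base64 of a 32-byte SHA-256 digest."""
    try:
        return len(base64.b64decode((text or "").strip(), validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False


def lint_config(xml_text: str) -> list:
    """Return weak-setting findings for a network_security_config.xml; [] means none found."""
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        return ["root element is not <network-security-config>"]
    findings = []
    base = root.find("base-config")
    # On Android 7 cleartextTrafficPermitted defaults to true when the attribute is omitted.
    if base is None or base.get("cleartextTrafficPermitted", "true") != "false":
        findings.append("base-config: cleartext HTTP permitted for every domain")
    for dc in root.iter("domain-config"):
        names = ", ".join((d.text or "").strip() for d in dc.findall("domain"))
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(f"domain-config [{names}]: cleartext HTTP permitted")
        for ps in dc.findall("pin-set"):
            if ps.get("expiration") is None:
                findings.append(f"domain-config [{names}]: pin-set without expiration date")
            pins = ps.findall("pin")
            if len(pins) < 2:
                findings.append(f"domain-config [{names}]: only {len(pins)} pin, no backup pin for key rotation")
            for pin in pins:
                if pin.get("digest") != "SHA-256" or not valid_pin_value(pin.text):
                    findings.append(f"domain-config [{names}]: pin is not a base64 SHA-256 digest")
    # User-installed CAs belong only under <debug-overrides>, which is dropped in release builds.
    for section in root.iter():
        if section.tag in ("base-config", "domain-config"):
            for cert in section.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append(f"{section.tag}: user-installed CAs trusted in release builds")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_config(cfg) or "no findings")
```

The backup pin matters because a pin-set with one digest turns a routine key rotation into an outage for every installed app, and the expiration date bounds how long a stale pin can do that; the user CA store is left trusted only in debug-overrides, so an interception proxy can be used during development without the release build ever trusting it.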
Slide 37
Key Management Evolution
AndroidKeyStore Provider
● Android KeyStore Provider introduced with API level 18
○ Based on the Android Keystore System to store cryptographic keys
● Until API level 22, only asymmetric keys
○ For info: https://speakerdeck.com/mseclab/android-key-management
● With API level 23+, also symmetric keys
Timeline: Asymmetric (API 18-22), Asymmetric + Symmetric (API 23+)
Slide 40
Key Management Evolution
AndroidKeyStore Security Features
● Prevents extraction of the key material from the application process
● Prevents extraction of the key material from the Android device
● Key material never enters the application process:
○ App cryptographic operations are performed by a system process
● Key material may be bound to secure hardware:
○ Trusted Execution Environment (TEE)
○ Secure Element
● More and more processors are equipped with a TEE:
○ Snapdragon 808 (Nexus 5X), Snapdragon 810 (Nexus 6P), Snapdragon 820 (Galaxy S7), etc.