SE2016 Android Denis Zhuchinski "Ways of enhancing application security"

SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
Ways of Enhancing Application Security Denis Zhuchinski Android Developer EVO.company
Ways of Enhancing Application Security Denis Zhuchinski Android Developer EVO.company
What are we talking about today? - Android & Security - Interprocess Communication - Networking - Data safety - Analyzing tools
Why should care about?
What Android know about you? - Calls - Messages - Emails - Contacts - Calendar - Location - Photos, Videos - Camera - ...
Enemies - ADB - Malicious Apps - Unprotect Network - Sniffers
Android security model
Application sandboxing
Permissions
Inter Process Communication
Code Signing
SELinux
Google’s Android Security Rewards has given researchers over $550,000 in 1 year
Interprocess Communication “In the Android platform, the binder is used for nearly everything that happens across processes in the core platform." – Dianne Hackborn
Binder
Interprocess Communication - Intents - Content Providers - Messenger - System services (Telephone, Vibrator, Wifi, Battery, Notification, etc.) - Lifecycle callbacks in your Activity like onStart(),onResume(), onDestroy() are invoked by ActivityManagerServer via binders
Man in the Binder
Android IPC is not secure!
Networking
HTTPS is a must have!
But...
HTTPS in not enough!
Man in the Middle
Pinning - Certificate - Public key RFC 5280
Certificate pinning CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt")); Certificate ca; try { ca = cf.generateCertificate(caInput); System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN()); } finally { caInput.close(); } OkHttpClient client = new OkHttpClient(); String certPin = CertificatePinner.pin(ca); CertificatePinner certificatePinner = new CertificatePinner.Builder() .add(API_HOST, certPin) .build(); client.setCertificatePinner(certificatePinner);
android.security.net.config res/xml/network_security_config.xml: <domain-config hstsEnforced=[True|False] cleartextTrafficPermitted=[True|False]> <domain includeSubdomains=[True|False]>example.com</domain> <pin-set expiration="exp-date"> <pin digest=sha256>PaJOmDNhWkVBvuXfzqXMyfo7kgtGpcyZp6L8EqvM8Ck=</pin> </pin-set> </domain-config> Android N
Risks - Insecure Data Storage - Weak Server Side Controls - Insufficient Transport Layer Protection - Client Side Injection - Poor Authorization and Authentication - Security Decisions Via Untrusted Inputs - Broken Cryptography
Where is the rescue, Bro?
Cryptography
Encryption Tools - Cipher (javax.crypto) - Spongy Castle - Conceal - SQLCipher - AESCrypt-Android - Secure-preferences (https://github.com/scottyab/secure-preferences ) - etc.
Conceal
Resources / Importance - Secure key storage - Suitable algorithm - Right key length
ONLINE ANALYZERS 1. AndroTotal 2. Dexter 3. Tracedroid 4. Visual Threat 5. Mobile Malware Sandbox 6. MobiSec Eacus 7. IBM Security AppScan Mobile Analyzer - not free 8. NVISO ApkScan ...
STATIC ANALYSIS TOOLS 1. QUARK 2. ApkAnalyser 3. APKInspector 4. Droid Intent Data Flow Analysis for Information Leakage 5. Drozer 6. Several tools from PSU 7. Smali CFG generator 8. FlowDroid ...
Apktool $ apktool d app-test.apk I: Using Apktool 2.2.0 on app-prod-release.apk I: Loading resource table... I: Decoding AndroidManifest.xml with resources... I: Loading resource table from file: /home/oem/.local/share/apktool/framework/1.apk I: Regular manifest package... I: Decoding file-resources... I: Decoding values */* XMLs... I: Baksmaling classes.dex... I: Copying assets and libs... I: Copying unknown files... I: Copying original files...
Apktool
QARK
QARK
Drozer adb install agent.apk $ drozer console connect dz> run app.package.attacksurface com.app.test dz> run app.package.attacksurface com.app.test Attack Surface: 3 activities exported 0 broadcast receivers exported 2 content providers exported 2 services exported is debuggable
Thing to remember 1. Never trust any input (use whitelists not blacklists) 1. Store data securely 4. Use HTTPS with certificate pinning 5. Use Cryptography 6. Don't write your own crypto 2. Make code obfuscation 7. Audit third-party code and services that you use 3. Avoid excessive logging 8. Perform security code review
Plan for security from the start - it's not something you can bolt on at the end
Links 1. https://www.androidpit.com/android-m-release-date-news-features-name#s ecurity 2. https://www.nowsecure.com/blog/2015/07/16/android-m-a-security-research -perspective-part-1/ 3. https://koz.io/network-security-policy-configuration-for-android-apps/ 4. http://blog.riskfinder.co.jp/2016/03/network-security-configuration-android-n. html 5. http://markup.su/highlighter/ 6. https://www.securecoding.cert.org/confluence/display/android/Android+Sec ure+Coding+Standard 7. https://www.securecoding.cert.org/confluence/display/android/DRD06.+Do+ not+act+on+malicious+intents 8. https://github.com/ashishb/android-security-awesome
And That’s It…Thanks! Questions? Comments?
What are we talking about today? - Android & Security - Interprocess Communication - Networking - Data safety - Analyzing tools
Why should care about?
What Android know about you? - Calls - Messages - Emails - Contacts - Calendar - Location - Photos, Videos - Camera - ...
Enemies - ADB - Malicious Apps - Unprotect Network - Sniffers
Android security model
Application sandboxing
Permissions
Inter Process Communication
Code Signing
SELinux
Google’s Android Security Rewards has given researchers over $550,000 in 1 year
Interprocess Communication “In the Android platform, the binder is used for nearly everything that happens across processes in the core platform." – Dianne Hackborn
Binder
Interprocess Communication - Intents - Content Providers - Messenger - System services (Telephone, Vibrator, Wifi, Battery, Notification, etc.) - Lifecycle callbacks in your Activity like onStart(),onResume(), onDestroy() are invoked by ActivityManagerServer via binders
Man in the Binder
Android IPC is not secure!
Networking
HTTPS is a must have!
But...
HTTPS in not enough!
Man in the Middle
Pinning - Certificate - Public key RFC 5280
Certificate pinning CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt")); Certificate ca; try { ca = cf.generateCertificate(caInput); System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN()); } finally { caInput.close(); } OkHttpClient client = new OkHttpClient(); String certPin = CertificatePinner.pin(ca); CertificatePinner certificatePinner = new CertificatePinner.Builder() .add(API_HOST, certPin) .build(); client.setCertificatePinner(certificatePinner);
android.security.net.config res/xml/network_security_config.xml: <domain-config hstsEnforced=[True|False] cleartextTrafficPermitted=[True|False]> <domain includeSubdomains=[True|False]>example.com</domain> <pin-set expiration="exp-date"> <pin digest=sha256>PaJOmDNhWkVBvuXfzqXMyfo7kgtGpcyZp6L8EqvM8Ck=</pin> </pin-set> </domain-config> Android N
Where is the rescue, Bro?
Cryptography
Encryption Tools - Cipher (javax.crypto) - Spongy Castle - Conceal - SQLCipher - AESCrypt-Android - Secure-preferences (https://github.com/scottyab/secure-preferences ) - etc.
Conceal
Resources / Importance - Secure key storage - Suitable algorithm - Right key length
ONLINE ANALYZERS 1. AndroTotal 2. Dexter 3. Tracedroid 4. Visual Threat 5. Mobile Malware Sandbox 6. MobiSec Eacus 7. IBM Security AppScan Mobile Analyzer - not free 8. NVISO ApkScan ...
STATIC ANALYSIS TOOLS 1. QUARK 2. ApkAnalyser 3. APKInspector 4. Droid Intent Data Flow Analysis for Information Leakage 5. Drozer 6. Several tools from PSU 7. Smali CFG generator 8. FlowDroid ...
Apktool $ apktool d app-test.apk I: Using Apktool 2.2.0 on app-prod-release.apk I: Loading resource table... I: Decoding AndroidManifest.xml with resources... I: Loading resource table from file: /home/oem/.local/share/apktool/framework/1.apk I: Regular manifest package... I: Decoding file-resources... I: Decoding values */* XMLs... I: Baksmaling classes.dex... I: Copying assets and libs... I: Copying unknown files... I: Copying original files...
Apktool
QARK
QARK
Drozer adb install agent.apk $ drozer console connect dz> run app.package.attacksurface com.app.test dz> run app.package.attacksurface com.app.test Attack Surface: 3 activities exported 0 broadcast receivers exported 2 content providers exported 2 services exported is debuggable
Thing to remember 1. Never trust any input (use whitelists not blacklists) 1. Store data securely 4. Use HTTPS with certificate pinning 5. Use Cryptography 6. Don't write your own crypto 2. Make code obfuscation 7. Audit third-party code and services that you use 3. Avoid excessive logging 8. Perform security code review
Plan for security from the start - it's not something you can bolt on at the end
Links 1. https://www.androidpit.com/android-m-release-date-news-features-name#s ecurity 2. https://www.nowsecure.com/blog/2015/07/16/android-m-a-security-research -perspective-part-1/ 3. https://koz.io/network-security-policy-configuration-for-android-apps/ 4. http://blog.riskfinder.co.jp/2016/03/network-security-configuration-android-n. html 5. http://markup.su/highlighter/ 6. https://www.securecoding.cert.org/confluence/display/android/Android+Sec ure+Coding+Standard 7. https://www.securecoding.cert.org/confluence/display/android/DRD06.+Do+ not+act+on+malicious+intents 8. https://github.com/ashishb/android-security-awesome
And That’s It…Thanks! Questions? Comments?

Check these out next

SE2016 Android Denis Zhuchinski "Ways of enhancing application security"

Recomendados

Más contenido relacionado

Presentaciones para ti(19)

Similar a SE2016 Android Denis Zhuchinski "Ways of enhancing application security"(20)

Más de Inhacking(20)

Último(20)

SE2016 Android Denis Zhuchinski "Ways of enhancing application security"