Android Security Development
PART 1 – App Development
SEAN
Sean
• Developer
• erinus.startup@gmail.com
• https://www.facebook.com/erinus
Something you need to know
• USB
• Screen
• Clipboard
• Permission
• Database
• Network
• Cryptography
• API Management
• Validation
Security about USB
SAFE
android:allowBackup="false"
DANGEROUS
android:allowBackup="true"
It allows someone to back up the app's databases and preferences.
SAFE
android:debuggable="false"
DANGEROUS
android:debuggable="true"
It lets someone see logcat messages and do something more …
WHY ?
If you do not set android:debuggable="false",
debug mode will depend on system settings.
IF AN ERROR NOTIFICATION SHOWS IN ECLIPSE WHEN YOU SET android:debuggable, IT IS ALL ABOUT ADT LINT.
CLICK ON "PROBLEMS" TAB
RIGHT CLICK ON ITEM AND CHOOSE "QUICK FIX"
CHOOSE "DISABLE CHECK"
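A check for the two manifest settings above, added here as an example and not taken from the slides: it parses a source AndroidManifest.xml (not the binary form inside an APK) and reports android:allowBackup or android:debuggable whenever the attribute is missing or not literally "false". The class name ManifestAudit and the sample manifest are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class ManifestAudit {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Constructed sample: allowBackup is enabled and debuggable is not set at all.
    static final String SAMPLE =
        "<manifest xmlns:android=\"" + ANDROID_NS + "\" package=\"com.example.app\">"
      + "<application android:allowBackup=\"true\" android:label=\"Demo\"/>"
      + "</manifest>";

    /** Returns one finding per attribute that is not explicitly "false". */
    static List<String> audit(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A manifest never needs a DOCTYPE; refusing it blocks XXE in the audit tool itself.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        List<String> findings = new ArrayList<>();
        Element app = (Element) root.getElementsByTagName("application").item(0);
        if (app == null) { findings.add("no <application> element"); return findings; }
        for (String attr : new String[] {"allowBackup", "debuggable"}) {
            if (!app.hasAttributeNS(ANDROID_NS, attr)) {
                findings.add("android:" + attr + " is not set explicitly");
            } else if (!"false".equals(app.getAttributeNS(ANDROID_NS, attr))) {
                findings.add("android:" + attr + "=\"" + app.getAttributeNS(ANDROID_NS, attr) + "\"");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String xml = args.length > 0
            ? new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8)
            : SAMPLE;
        List<String> findings = audit(xml);
        findings.forEach(s -> System.out.println("FINDING: " + s));
        System.exit(findings.isEmpty() ? 0 : 1);   // non-zero exit fails a build step
    }
}
```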
Security about SCREEN
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
It disables all screen capture (except on rooted devices)
• [POWER] + [VOL-DWN]
• OEM feature like SAMSUNG / HTC
Security about CLIPBOARD
WHEN THE USER LEAVES THE APP
You want to clear the clipboard
YOU WANT TO ALLOW
The user can use something copied from other apps in your app
ALSO WANT TO REJECT
The user cannot use something copied from your app in other apps
FIRST
SAVE THE STATE OF APPLICATION
onResume => FOREGROUND
onPause => BACKGROUND
SECOND
USE RUNNABLE AND POSTDELAYED 500 MS
When onPause is triggered, you can detect the state of the application after ~500 ms.
LAST
DETECT STATE AND SETPRIMARYCLIP
If STATE equals BACKGROUND, execute
BaseActivity.this.mClipboardManager.setPrimaryClip(ClipData.newPlainText("", ""));
THE TOP ITEM WILL BE EMPTY IN CLIPBOARD STACK
Android only lets an app access the top item in the clipboard stack on a non-rooted device.
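The three steps above put together in one base class, as an added example that is not code from the slides. BaseActivity and mClipboardManager are the names the slide uses; the state constants, the shared handler and the FLAG_SECURE call from the SCREEN section are assumptions about how the pieces fit.

```java
import android.app.Activity;
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.view.WindowManager;

/** Every Activity of the app extends this class. */
public abstract class BaseActivity extends Activity {
    private static final int BACKGROUND = 0, FOREGROUND = 1;
    private static final long CHECK_DELAY_MS = 500;   // the ~500 ms from the slide

    // Shared by all activities: moving between two of our own screens calls onPause()
    // on the old one and onResume() on the new one well inside the delay, so the
    // state is FOREGROUND again when the check runs and the clipboard is kept.
    private static volatile int sState = BACKGROUND;
    private static final Handler sHandler = new Handler(Looper.getMainLooper());

    private ClipboardManager mClipboardManager;

    private final Runnable mClearIfBackground = new Runnable() {
        @Override public void run() {
            if (sState == BACKGROUND) {   // the user really left the app
                mClipboardManager.setPrimaryClip(ClipData.newPlainText("", ""));
            }
        }
    };

    @Override protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set before the subclass calls setContentView(), so no frame is ever capturable.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        mClipboardManager = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);
    }

    @Override protected void onResume() {
        super.onResume();
        sState = FOREGROUND;
        sHandler.removeCallbacks(mClearIfBackground);   // cancel this activity's pending check
    }

    @Override protected void onPause() {
        super.onPause();
        sState = BACKGROUND;
        sHandler.postDelayed(mClearIfBackground, CHECK_DELAY_MS);
    }
}
```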
Security on PERMISSION
ONLY USE NECESSARY PERMISSIONS
IT IS COMMON SENSE
BUT SOMETHING MORE
GOOGLE CLOUD MESSAGING
NEEDS
android.permission.GET_ACCOUNTS
BUT
ONE YEAR LATER
YOU SHOULD REMOVE "GET_ACCOUNTS"
When you do not support Android 4.0.3 and older versions
Security on Database
SQLITE
RECOMMENDED
SQLCipher
Support iOS / Android
https://www.zetetic.net/sqlcipher/open-source
SQLite Encryption Extension
http://www.sqlite.org/see/
Security on NETWORK
USE HTTPS WITH SELF-SIGNED CERTIFICATE
BUT
IS SOMETHING IGNORED ?
DO YOU CHECK THAT THE HOSTNAME IS VALID ?
VERIFY HOSTNAME
DO YOU AVOID IMPORTING A MALICIOUS CERT ?
CREATE BRAND NEW KEYSTORE
AND IMPORT SERVER CERT
DOUBLE CHECK
THE BINARY CONTENT OF CERT ?
VERIFY BINARY CONTENT OF SERVER CERT
Avoid Man-in-the-Middle attack
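The three checks above in one client-side routine, as an added example that is not code from the slides: a brand new key store holding only the server certificate, the platform host name verifier left in place, and a byte-for-byte comparison of the certificate the server presents. The class PinnedHttps, the method open and the serverCert stream (the certificate file shipped inside the app) are assumptions made for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedHttps {
    /** Connects to url trusting only the certificate read from serverCert. */
    public static HttpsURLConnection open(URL url, InputStream serverCert) throws Exception {
        Certificate pinned = CertificateFactory.getInstance("X.509")
                .generateCertificate(serverCert);

        // Brand new key store: it starts empty, so no system or user-installed CA
        // is trusted, only the one certificate imported here.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("server", pinned);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Host name check stays on: never install a verifier that simply returns true.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        conn.connect();   // handshake: chain check against ks, then host name check

        // Independent of the TLS stack's verdict: compare the binary content of the
        // certificate the server presented with the one shipped in the app.
        Certificate leaf = conn.getServerCertificates()[0];
        if (!Arrays.equals(leaf.getEncoded(), pinned.getEncoded())) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("server certificate differs from the pinned one");
        }
        return conn;
    }
}
```

When the server certificate is replaced, the app has to ship the new file before the old one is retired, otherwise every connection fails the comparison.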
WHY ?
SSL MECHANISM IN OS MAY BE WRONG
APPLE SSL / TLS Bug ( CVE-2014-1266 )
Chinese MITM Attack on iCloud
POODLE Bites
Lenovo Superfish
FREAK
DOES THE SSL TUNNEL KEEP DATA SAFE ?
NO
YOU STILL NEED TO ENCRYPT DATA
HTTPS WEB PROXY
DO NOT PUT KEY IN YOUR DATA
Security on CRYPTOGRAPHY
USE ANDROID SDK OR ANDROID NDK ?
ANDROID SDK: JAVA
DECOMPILE EASY
ANALYSIS EASY
ANDROID NDK: C AND C++
DISASSEMBLE EASY
ANALYSIS HARD
ANDROID NDK
OpenSSL Inside
ANDROID NDK
Can I customize ?
ANDROID NDK
PolarSSL
https://polarssl.org
PolarSSL
You can change SBOX of AES, ...
AES
AES-256 / CBC / PKCS7Padding
RSA
RSA-4096
ALL KEY GENERATION AND ENCRYPTION
MUST BE DONE IN ANDROID NDK
EVERYTHING IS DONE ?
NO
HOW TO GENERATE KEY ?
RANDOM KEY
HARDWARE ID
USER KEY
RANDOM KEY
One Key – One Encryption
HARDWARE ID
IMEI / MEID
WIFI MAC Address
Bluetooth Address
IMEI / MEID
android.permission.READ_PHONE_STATE
WIFI MAC Address
android.permission.ACCESS_WIFI_STATE
Bluetooth Address
android.permission.BLUETOOTH
USER KEY
Input from the user
Only exists in memory
Cleared on exit
ONLY CIPHERTEXT ?
SCRAMBLE YOUR CIPHERTEXT
WEP can be cracked by collecting a large number of packets and analyzing the ciphertext.
SCRAMBLED CIPHERTEXT
CIPHERTEXT
HOW TO SCRAMBLE ?
MORE COMPLEX THAN BASE64
WIKI: Common Scrambling Algorithm
http://goo.gl/eP6lXj
IF ALL KEYS ARE LOST ?
SORRY
GOD BLESS YOU
Security on API MANAGEMENT
ACCESS TOKEN
REFRESH PERIODICALLY
RANDOMLY GENERATED
HOW TO USE ACCESS TOKEN ?
ACCESS TOKEN
↓
USER ID
↓
HARDWARE ID
↓
ENCRYPT OR DECRYPT
ALL API ACCESS MUST USE ACCESS TOKEN
Security on VALIDATION
PASSWORD
HASH Algorithms
MD5
Not Secure
SHA-1
Almost Secure
SHA-256
Secure
Suggestion
MD5(SHA-1(Password + Salt))
+
SHA-256(SHA-1(Password + Salt))
Next Part
Malicious Android App
Dynamic Analyzing System
2015.04.24 Updated > Android Security Development - Part 1: App Development
Android Security Development

Part 1: App Development

How to create safe App ?

Published in: Software