Learn about Android security measures to protect data transmission, storage, APKs, and more. Understand the Android security model, permissions, SSL/PKI, and how to mitigate vulnerabilities.
Android Security Basics How to keep your users and apps safe
About Me • Android Developer at ADT
Main Areas We are Covering • Data Transmission Security • Data Storage Security • APK Security
Data Transmission Security • Inter Process/Component Communication • The Android Security Model • Broadcast permissions • Content Provider Permissions • Safe Network usage • SSL/ PKI Overview • SSL pain points • Pinning • Misc. • WebView pitfalls
Inter-process communication
• Mostly through Intents
• Also Binder (bound services), Messenger, etc.
Image source: http://css.csail.mit.edu/6.858/2012/readings/android.pdf
Permissions
• Protection levels
  • normal
  • dangerous
  • signature
  • signatureOrSystem: not available to 3rd-party apps
• For internal-only components set android:exported="false"
For a more in-depth discussion of permissions read http://www.cs.berkeley.edu/~emc/papers/android_permissions.pdf and http://css.csail.mit.edu/6.858/2012/readings/android.pdf
Example: Insecure Broadcast Receiver
    <receiver android:name="YourReceiver">
        <intent-filter>
            <action android:name="com.example.mybroadcast"/>
        </intent-filter>
    </receiver>
Q: Who can send broadcasts to this receiver? Anyone. An activity, service or receiver that declares an <intent-filter> is exported by default (android:exported is implied true) on every Android version; the 4.2 change only affects content providers, which stop being exported by default when the app targets API 17 or later.
    <receiver android:name=".MyListener">
        <intent-filter>
            <action android:name="android.provider.Telephony.SMS_RECEIVED" />
        </intent-filter>
    </receiver>
Could this be better? As written, any app can send a fake SMS_RECEIVED broadcast to this receiver. android:permission on a receiver requires the sender to hold that permission, so require the signature-level permission the system itself uses when it broadcasts a real SMS (READ_SMS would not help here: any app can request it):
    <receiver android:name=".MyListener"
              android:permission="android.permission.BROADCAST_SMS">
Senders can also require a permission of the receivers
    Intent intent = new Intent();
    intent.setAction(MY_BROADCAST_ACTION);
    // Only receivers whose app holds MY_BROADCAST_PERMISSION get this broadcast.
    // The second argument must be a permission (declared with <permission> in a
    // manifest), not an action string like SMS_RECEIVED.
    sendBroadcast(intent, MY_BROADCAST_PERMISSION);
(MY_BROADCAST_ACTION and MY_BROADCAST_PERMISSION are placeholder constants for your own action and permission names.)
Content Provider
    <provider android:name="com.example.testprovider"
              android:authorities="com.example.testprovider"
              android:readPermission="com.example.permission.READ_TESTPROVIDER"
              android:writePermission="com.example.permission.WRITE_TESTPROVIDER">
    </provider>
The attributes are readPermission and writePermission; their values must be permissions you declare with <permission> (placeholder names above), not broadcast actions.
Warning: before targetSdkVersion 17 (Android 4.2) all content providers were exported by default!
uri-permissions
    <provider android:name="com.example.testprovider"
              android:authorities="com.example.testprovider"
              android:grantUriPermissions="true">
        <grant-uri-permission android:pathPrefix="/notes/" />
    </provider>
(The attribute is grantUriPermissions. pathPattern="/notes/" would match only the literal path "/notes/", so use pathPrefix, or pathPattern="/notes/.*", to cover "/notes/1". With per-URI grants the provider can stay android:exported="false" and still hand single rows to other apps.)
    Uri uri = Uri.parse("content://com.example.testprovider/notes/1");
    Intent intent = new Intent();
    intent.setAction(NOTE_ACTION_VIEW);                      // your custom intent action
    intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);   // the started activity may read this one URI only
    intent.setData(uri);
    startActivity(intent);
See Jason Wei's http://thinkandroid.wordpress.com/2012/08/07/granting-content-provider-uri-permissions/ for more details
Implicit Intent Attacks
• Broadcast eavesdropping
• Broadcast denial of service (aborting ordered broadcasts)
• Activity/Service hijacking
Image source: http://www.eecs.berkeley.edu/~emc/papers/mobi168-chin.pdf
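The three attacks above, shown against an implicit broadcast and an implicit startActivity, next to the explicit and permission-guarded alternatives. This is an added example, not code from the slides; the package, action, permission and activity names are placeholders, and LocalBroadcastManager is assumed to come from the v4 support library.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.support.v4.content.LocalBroadcastManager; // support-v4, assumed available

/** Added example: implicit-intent attacks and their mitigations. All names are placeholders. */
public final class IntentHardening {
    static final String MY_PACKAGE = "com.example.myapp";                    // placeholder
    static final String ACTION_TOKEN_READY = MY_PACKAGE + ".TOKEN_READY";    // placeholder
    // Placeholder permission, declared in your manifest so only apps signed with your key can hold it:
    //   <permission android:name="com.example.myapp.permission.INTERNAL"
    //               android:protectionLevel="signature" />
    static final String PERMISSION_INTERNAL = MY_PACKAGE + ".permission.INTERNAL";

    // VULNERABLE: implicit broadcast. Any app with a matching <intent-filter> receives the
    // token (eavesdropping). Were this an ordered broadcast, a high-priority receiver in
    // another app could call abortBroadcast() so yours never sees it (denial of service).
    static void broadcastTokenInsecure(Context ctx, String sessionToken) {
        Intent i = new Intent(ACTION_TOKEN_READY);
        i.putExtra("token", sessionToken);
        ctx.sendBroadcast(i);
    }

    // HARDENED 1: the broadcast stays inside this process and never reaches the system.
    static void broadcastTokenLocal(Context ctx, String sessionToken) {
        Intent i = new Intent(ACTION_TOKEN_READY);
        i.putExtra("token", sessionToken);
        LocalBroadcastManager.getInstance(ctx).sendBroadcast(i);
    }

    // HARDENED 2: it must cross processes (say, a companion app signed with the same key):
    // restrict delivery to one package and require a signature-level permission of receivers.
    static void broadcastTokenToCompanion(Context ctx, String companionPackage, String sessionToken) {
        Intent i = new Intent(ACTION_TOKEN_READY);
        i.setPackage(companionPackage);              // receivers in other packages no longer match
        i.putExtra("token", sessionToken);
        ctx.sendBroadcast(i, PERMISSION_INTERNAL);   // the receiving app must hold the permission
    }

    // Activity/service hijacking: an implicit startActivity()/startService() resolves to
    // whichever app registered the best-matching filter. Name your component explicitly.
    static Intent openSettingsExplicit(Context ctx) {
        Intent i = new Intent();
        i.setClassName(ctx, MY_PACKAGE + ".AccountSettingsActivity"); // placeholder class
        return i;
    }

    // Receiver side. In the manifest use android:exported="false" (only our own app can
    // target it) or, if it must be exported, android:permission="...permission.INTERNAL".
    // Still check the action: one receiver is often registered for several.
    public static final class TokenReceiver extends BroadcastReceiver {
        @Override public void onReceive(Context ctx, Intent intent) {
            if (!ACTION_TOKEN_READY.equals(intent.getAction())) return;
            String token = intent.getStringExtra("token");
            if (token == null) return;
            // ... use the token here; never write it to the log (see "Public data areas")
        }
    }
}
```

The local-broadcast variant is the right default for data that never needs to leave your app; reserve the permission-guarded system broadcast for genuinely cross-app cases, and pair it with setPackage() so the permission is a second line of defence rather than the only one.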
Target Version Gotchas
• If a permission was introduced after your targetSdkVersion, Android grants it to your app automatically and shows it to users at install time (for example, apps targeting below API 4 always receive WRITE_EXTERNAL_STORAGE)
• Check the permission changes at each release: http://developer.android.com/reference/android/os/Build.VERSION_CODES.html
SSL Image source: http://www.awghost.com/ssl.html
SSL and the Public Key Infrastructure http://software-engineer-tips-and-tricks.blogspot.com/2012/09/what-is-pki.html
SSL pain points
• There are A LOT of trust anchors
• They vary by Android version and manufacturer
• CAs occasionally fail: TURKTRUST mis-issued two intermediate CA certificates (discovered January 2013), so any of the many trust anchors can become an attacker's anchor
• Internal servers (self-signed or private CA certificates are not trusted by the system store)
• DownloadManager doesn't support SSL before ICS
alvinsj has published a custom download manager which can handle SSL at https://github.com/alvinsj/android-https-downloadmanager-demo
How to view trusted CAs per phone
• ICS onwards: Settings -> Security -> Trusted credentials (the certificates are individual files under /system/etc/security/cacerts/)
• Before ICS:
    adb pull /system/etc/security/cacerts.bks
    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov.jar -storepass changeit -v -list
  (keytool needs the Bouncy Castle provider jar on its path; bcprov.jar above stands for wherever yours lives)
*OnionKit offers a consistent set of CAs based on Debian's, but requires adding its library to your app. http://commonsware.com/blog/2013/03/07/ssl-android-onionkit.html
Anti-pattern! Accept all certificates
• SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER (Apache HttpClient), or
• a TrustManager whose checkServerTrusted() never throws
Either one lets any certificate through, so anyone on the network path can terminate your "secure" connection and read or modify the traffic. An Oct. 2012 study (Fahl et al.) found that 8% of 13,500 popular Google Play apps were vulnerable to man-in-the-middle attacks: http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
Image: https://www.owasp.org/index.php/Man-in-the-middle_attack
Not registered with a CA (self-signed or internal CA)
• AFTER ICS:
  • Users can add your CA certificate to the device's trusted credentials (Settings -> Security); this is per device and device-wide, not per app
• BEFORE ICS (and, inside the app, on any version):
  • Create a dynamic TrustManager
  • Store your CA's public certificate in the app
  • Use the system default TrustManager for most checks
  • If that check fails, fall back to a custom TrustManager built from the bundled certificate
*For more info about the dynamic TrustManager see http://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html or http://commonsware.com/blog/2013/03/04/ssl-android-basics.html or http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https/6378872#6378872 (response by emmby)
PS: Certificates don't have to be expensive. Check out http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm
KitKat SSL improvements
• A warning when a CA certificate added to the user trust store could allow whoever holds it to monitor the device's network traffic
• Certificate pinning for Google's own services' certificates
http://www.xda-developers.com/android/android-4-4-security-enhancements/
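The dynamic TrustManager from the "Not registered with CA" slide, with an optional public-key pin on top (the "Pinning" item from the agenda), written out as an added example; it is not code from the slides or from the linked posts. It assumes you bundle your CA certificate in the app (for example res/raw/internal_ca.crt opened with getResources().openRawResource(...)) and, for pinning, that you have computed the SHA-256 of your server's SubjectPublicKeyInfo; both are placeholders.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example. Tries the system trust store first; if it rejects the chain, falls back
 * to a CA bundled in the app. Optionally pins the leaf certificate's public key so that a
 * compromised or rogue CA in the system store still cannot impersonate your server.
 */
public final class DynamicTrustManager implements X509TrustManager {
    private final X509TrustManager systemTm;
    private final X509TrustManager bundledTm;
    private final byte[] pinnedSpkiSha256;   // null = no pinning

    /** bundledCa: PEM or DER X.509 certificate of your CA; pinnedSpkiSha256: placeholder pin or null. */
    public DynamicTrustManager(InputStream bundledCa, byte[] pinnedSpkiSha256) throws Exception {
        this.systemTm = firstX509(null);                       // null KeyStore = platform defaults
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                                   // empty in-memory store
        X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(bundledCa);
        ks.setCertificateEntry("internal-ca", ca);
        this.bundledTm = firstX509(ks);
        this.pinnedSpkiSha256 = pinnedSpkiSha256;
    }

    private static X509TrustManager firstX509(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            systemTm.checkServerTrusted(chain, authType);      // normal path: public CA
        } catch (CertificateException systemRejected) {
            bundledTm.checkServerTrusted(chain, authType);     // internal CA; rethrows if untrusted
        }
        if (pinnedSpkiSha256 != null) {                        // chain is valid; now is it OUR key?
            byte[] actual = spkiSha256(chain[0]);
            if (!MessageDigest.isEqual(actual, pinnedSpkiSha256)) {
                throw new CertificateException("public key pin mismatch for "
                        + chain[0].getSubjectX500Principal());
            }
        }
    }

    /** SHA-256 over the DER SubjectPublicKeyInfo, which survives certificate renewals that keep the key. */
    static byte[] spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        systemTm.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] a = systemTm.getAcceptedIssuers();
        X509Certificate[] b = bundledTm.getAcceptedIssuers();
        X509Certificate[] all = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, all, a.length, b.length);
        return all;
    }

    /** SSLContext for HttpsURLConnection.setSSLSocketFactory(ctx.getSocketFactory()). */
    public static SSLContext sslContext(InputStream bundledCa, byte[] pinnedSpkiSha256) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new DynamicTrustManager(bundledCa, pinnedSpkiSha256) }, null);
        return ctx;
    }
}
```

Install it with connection.setSSLSocketFactory(DynamicTrustManager.sslContext(caStream, pin).getSocketFactory()) and leave the default HostnameVerifier in place: this class validates the chain, not that the certificate belongs to the host you asked for. If you pin, pin your own key (leaf or intermediate) and ship a backup pin for the next key, otherwise a routine key rotation locks every installed app out of your server.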
WebView pitfalls
• If you are using WebViews, leave JavaScript off unless you need it: getSettings().setJavaScriptEnabled(false) (the default)
• addJavascriptInterface(): before API 17 every public method of the injected object is reachable from page JavaScript through reflection (getClass() included), so any page the WebView loads, or a man-in-the-middle on a plain http load, can run code inside your app; on API 17+ (and targetSdkVersion 17+) only methods annotated @JavascriptInterface are exposed. Load only content you control, over HTTPS.
• If you are showing sensitive information, call clearCache(true) afterwards to delete the locally cached files
• You can also prevent caching server-side with no-cache headers
Storing DATA • Public data areas • Database security • Encryption
Public data areas
• Logs: before 4.1 any app holding READ_LOGS could read every other app's logcat output, so never log credentials, tokens or personal data
• Any files created with MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE (deprecated since API 17)
• Data on SD cards / external storage: readable by any app
If you must store large amounts of data in public storage, encrypt it. Facebook has a new fast encryption library that might be worth looking at: http://facebook.github.io/conceal/
SQL Injection Attacks http://xkcd.com/327/
If you must use a raw query
• Prefer ? placeholders with selectionArgs (rawQuery(sql, args) or query(...)): the input is bound as a value and never parsed as SQL
• If you really build SQL text yourself, sanitize your inputs! Quotes are not the only problem:
  • clever attacks using whitespace
  • comments (-- and /* */)
  • unusual characters and encodings
  • things we haven't thought of yet
• Whitelist allowed characters rather than blacklisting disallowed ones, wherever possible
• http://ha.ckers.org/sqlinjection/
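An added example (not from the slides) against Android's SQLiteDatabase API: the injectable raw query next to the bound-parameter versions, and the one case placeholders cannot cover. The users table and its columns are assumed.

```java
import android.database.Cursor;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example: SQL injection in Android SQLite and how to avoid it. Table "users" is assumed. */
public final class UserDao {

    // VULNERABLE: the username is pasted into the SQL text. For the input
    //     ' OR '1'='1
    // the WHERE clause becomes  name = '' OR '1'='1'  and every row comes back;
    // a trailing  --  comments out whatever you append after the value.
    static Cursor findUserInsecure(SQLiteDatabase db, String username) {
        String sql = "SELECT id, email FROM users WHERE name = '" + username + "'";
        return db.rawQuery(sql, null);
    }

    // SAFE: ? placeholders are bound by SQLite itself. The input is a value, never SQL,
    // whatever quotes, comments or odd bytes it contains. (Bound args are always strings;
    // SQLite coerces them, which is fine for comparisons like this.)
    static Cursor findUser(SQLiteDatabase db, String username) {
        return db.rawQuery("SELECT id, email FROM users WHERE name = ?", new String[] { username });
    }

    // query() binds selectionArgs the same way and keeps the SQL text out of your code.
    static Cursor findUserByEmail(SQLiteDatabase db, String email) {
        return db.query("users", new String[] { "id", "name" },
                "email = ?", new String[] { email }, null, null, "name ASC");
    }

    // Placeholders only work where a VALUE can appear. Identifiers (table and column names)
    // and ORDER BY direction cannot be bound, so whitelist those: this is the
    // "allowed characters vs disallowed characters" advice applied to whole tokens.
    private static final Set<String> SORTABLE = new HashSet<String>(Arrays.asList("name", "email", "created"));

    static Cursor listUsersSorted(SQLiteDatabase db, String column, boolean descending) {
        if (!SORTABLE.contains(column)) throw new IllegalArgumentException("unsupported sort column");
        return db.query("users", null, null, null, null, null, column + (descending ? " DESC" : " ASC"));
    }

    // Last resort when you truly must build a literal into SQL text: sqlEscapeString wraps the
    // value in quotes and doubles embedded single quotes ("O'Brien" becomes 'O''Brien').
    static String escapedLiteral(String value) {
        return DatabaseUtils.sqlEscapeString(value);
    }
}
```

Note that execSQL() offers no selectionArgs, so INSERT/UPDATE/DELETE with user data should go through insert(), update() and delete() with ContentValues and ? selections, or through a compiled SQLiteStatement with bindString().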
Store hashes, not passwords: a salted, deliberately slow hash (PBKDF2, bcrypt or scrypt), never a bare MD5 or SHA-1 of the password
http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
Encryption gotchas
• Before Jelly Bean 4.2:
  • secureRandom.setSeed(b) replaces, not supplements, the existing seed
  • so every SecureRandom seeded with the same bytes produced the same "random" output (deterministic numbers, and therefore deterministic keys)
• In Jelly Bean 4.1-4.3:
  • SecureRandom isn't guaranteed to give you properly seeded random numbers unless you apply the fix published in "Some SecureRandom thoughts"
To read more: http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html and http://blog.k3170makan.com/2013/08/more-details-on-android-jca-prng-flaw.html
Keystore • See Code
APK Security • Application signing • How does signing work? • Master Key exploit • Tamper detection • Decompiling • How an APK gets built / what's in an APK? • Demo of decompiling an APK • ProGuard • What is still visible even after obfuscation?
App signing
• The purpose of certificates in Android is to distinguish application authors, not to vouch for them (self-signed certificates are the norm)
• Android won't allow an application to be upgraded unless the update is signed with the same certificate as the installed version
• Applications signed with the same certificate can share a user ID and process (sharedUserId) and can hold each other's signature-level permissions
Never put your private key in the source tree or in version control!
Detect non-Play-Store installation (see code)
Other tamper detection
• Is the application in debug mode?
    (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0
• Is the app running on the emulator?
    boolean isEmulator = Build.FINGERPRINT.contains("generic") || "goldfish".equals(Build.HARDWARE);
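The installer check the "see code" slide refers to, together with the two checks above and a signing-certificate check, as one added example (not the code shown in the talk). The expected certificate fingerprint is a placeholder you fill in from your own release keystore.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;

/** Added example: runtime tamper-detection signals. EXPECTED_CERT_SHA256 is a placeholder. */
public final class TamperChecks {
    // Placeholder: lower-case hex SHA-256 fingerprint of YOUR release signing certificate.
    // Print it with:  keytool -list -v -keystore release.keystore -alias <alias>   (Java 7+ shows SHA256)
    static final String EXPECTED_CERT_SHA256 = "<fill in from your release keystore>";
    static final String PLAY_STORE = "com.android.vending";

    /** Was this APK installed by the Play Store? (null for adb/sideload installs) */
    static boolean installedFromPlay(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE.equals(installer);
    }

    /** Was the running APK signed with our release certificate? A repackaged APK cannot be. */
    static boolean signedWithExpectedKey(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : pi.signatures) {
                // Signature.toByteArray() is the DER certificate; its SHA-256 is the fingerprint
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
                if (EXPECTED_CERT_SHA256.equals(hex(digest))) return true;
            }
        } catch (Exception e) {
            // NameNotFound or NoSuchAlgorithm: treat as failed rather than crashing
        }
        return false;
    }

    static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    static boolean isEmulator() {
        return Build.FINGERPRINT.contains("generic") || "goldfish".equals(Build.HARDWARE);
    }

    /** Combine the signals; what you do on a positive (refuse, degrade, report) is policy. */
    static boolean looksTampered(Context ctx) {
        return !signedWithExpectedKey(ctx) || isDebuggable(ctx) || isEmulator() || !installedFromPlay(ctx);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

These are signals, not a root of trust: whoever repackages the APK can also patch the checks out, which is why the next slides cover obfuscation. The certificate check is the strongest of the four because the attacker cannot produce a build signed with your key; the installer check is the weakest (enterprise, beta and sideloaded installs all legitimately fail it).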
Other Resources
• Android Developers blog on LVL, old but interesting: http://android-developers.blogspot.com/2010/09/securing-android-lvl-applications.html
• Android licensing tutorial: http://stackoverflow.com/questions/18324963/are-there-any-good-android-licensing-tutorials
Image source: http://developer.android.com/tools/building/index.html
Inside the .dex binary / Inside the .apk
Image source: http://developer.android.com/tools/building/index.html
*Are you curious about why Android uses .dex files and the Dalvik virtual machine? Check out http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf
How about disassembling the .dex itself (and reassembling it after edits)? Check out smali/baksmali: https://code.google.com/p/smali/wiki/
For fun: the Master Key exploit
• Want to see if you are vulnerable? Check out the Bluebox Security Scanner on Google Play.
• The bug in one sentence: an APK is a ZIP, and a ZIP could carry two entries with the same name (say, two classes.dex); the signature verifier checked one copy while the installer extracted the other, so a modified APK kept its valid signature. Patched by Google in 2013 (Android 4.3 and OEM updates).
• Additional details on exactly how the Master Key vulnerability works: http://vrt-blog.snort.org/2013/08/bytecode-covering-android.html
What is ProGuard?
• Shrinking
• Obfuscation
• Preverification
*Fun random fact: you can run Scala on Android by using ProGuard to remove the unneeded library classes: http://www.gamlor.info/wordpress/2011/10/running-scala-on-android/
Enabling ProGuard in Eclipse
• In project.properties, uncomment
    #proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
*For SDK Tools r17 and later the documentation on developer.android.com is slightly misleading: you can ignore the warning about the ProGuard config file; the default project config file is proguard-project.txt, not proguard.cfg
Enabling ProGuard in Android Studio
In build.gradle:
    android {
        buildTypes {
            release {
                runProguard true
                proguardFile getDefaultProguardFile('proguard-android.txt')
            }
        }
    }
(Android Gradle plugin 0.14.0 and later renamed runProguard to minifyEnabled.)
For more detailed descriptions see http://tools.android.com/tech-docs/new-build-system/user-guide#TOC-Running-ProGuard and http://stackoverflow.com/questions/20885725/how-to-use-the-proguard-in-android-studio
Troubleshooting ProGuard
• What if I get a class-not-found (or similar "not found") error after running ProGuard?
  • add -keep public class <MyClass> to your ProGuard config file; classes reached only through reflection, JNI or XML layouts/manifest entries must be kept by name
• How do I read stack traces from my production app?
  • Use the retrace tool: retrace.sh mapping.txt [<stacktrace_file>]
  • Remember to keep the mapping.txt file for every build you ship; without it the obfuscated trace cannot be decoded
*It is possible to reuse mapping files with -applymapping <filename>, but this has pros and cons, see http://proguard.sourceforge.net/index.html#
Things ProGuard does not do
• String encryption
• Class encryption
• Hide Android API calls
• Tamper detection
• DexGuard is a paid product by the makers of ProGuard that can help with some of these, but it can be pricey: http://www.saikoa.com/dexguard
• DashO is also an option
Check out Current known Vulnerabilities http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html
Additional Resources • Android Security Cookbook • There is a 50% off coupon at http://www.packtpub.com/article/knowing-sql-injection-attacks-securing-android-applications • Learning Pentesting for Android Devices • Android Application Security Essentials • Android Explorations blog by Nikolay Elenkov • http://nelenkov.blogspot.ie/ • Open Web Application Security Project • https://www.owasp.org/ • SELinux • https://www.ibm.com/developerworks/library/l-selinux/
Thank you. Questions?