SlideShare a Scribd company logo

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il key management

โ€ข
โ€ข
Consulthinkspa
Consulthinkspa

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il Key Management

Devices & HardwareTechnologyEducation
1 of 76
Download to read offline
Android Security Key Management Roberto Piccirillo (r.piccirillo@mseclab.com) Roberto Gassirร  (r.gassira@mseclab.com)
Android Security Key Management Roberto Piccirillo โ— Senior Security Analyst - Mobile Security Lab โ—‹ Vulnerability Assessment (IT, Mobile Application) โ—‹ Hijacking Mobile Data Connection โ–  BlackHat Europe 2009 โ–  DeepSec Vienna 2009 โ–  HITB Amsterdam 2010 โ—‹ Android Secure Development @robpicone
Android Security Key Management Roberto Gassirร  โ— Senior Security Analyst - Mobile Security Lab โ—‹ Vulnerability Assessment (IT, Mobile Application) โ—‹ Hijacking Mobile Data Connection โ–  BlackHat Europe 2009 โ–  DeepSec Vienna 2009 โ–  HITB Amsterdam 2010 โ—‹ Android Secure Development โ— IpTrack Developer @robgas
Android Security Key Management Agenda โ— Cryptography in Mobile Application โ— CryptoSystem โ— Crypto in Android โ— Symmetric Encryption โ— Symmetric Key Management โ— Keychain e AndroidKeyStore โ— Tipologie di AndroidKeyStore
Android Security Key Management Requirements โ— A computer โ— Eclipse with ADT Plugin 22.3.0 โ— SDK Android 4.4 ( API 19 rev 2) โ— Android SDK Build-tools 19
Android Security Key Management Cryptography in Mobile Applications โ— Protect data โ—‹ Sensitive data โ—‹ Data on /sdcard โ—‹ Cryptographic material โ— Exchange data securely โ—‹ Documents โ—‹ Mail โ—‹ SMS โ—‹ Session Keys โ— Digital Signature โ—‹ Documents โ—‹ Mail
Android Security Key Management Key Management "Key management is the management of cryptographic keys in a cryptosystem."
Android Security Key Management CryptoSystem "refers to a suite of algorithms needed to implement a particular form of encryption and decryption" โ— โ— Two types of encryption: โ—‹ Symmetric Key Algorithms โ–  Identical encryption key for encryption/decryption โ–  AES, Blowfish, DES, Triple DES โ—‹ Asymmetric Key Algorithms โ–  Different key for encryption/decryption โ–  RSA, DSA, ECDSA
Android Security Key Management Ciphers โ— Two types of ciphers: โ—‹ Block: Process entire blocks of fixed-length groups of bits at a time ( padding may be required) โ—‹ Stream: Process single byte at a time ( no padding ) โ— Block Cipher modes of operation โ—‹ ECB: each block encrypted independently โ—‹ CBC, CFB, OFB: the previous block of output is used to alter the input blocks before applying the encryption algorithm starting from a IV ( initialization vector )
Android Security Key Management Crypto in Android โ— Based on JCA ( Java Cryptographic Architecture) provides API for: โ— Encryption/Decryption โ— Digital signatures โ— Message digests (hashes) โ— Key management โ— Secure random number generation โ— โ€œProviderโ€ Architecture with CSP โ— Bouncy Castle is Android default CSP
Android Security Key Management Bouncy Castle Android Version โ— Customized: โ—‹ Some services and API removed โ— Varies between Android versions โ— Fixed only in the latest versions โ— Solution: Spongy Castle โ— Repackage of Bouncy Castle โ— Supports more cryptographic options โ— Up-to-date โ— Not vulnerable to the Heartbleed Bug (CVE-2014-0160)
Android Security Key Management Set Spongy Castle โ— Include Libs: โ— Enable at Application Level:
Android Security Key Management GC overhead limit exceeded โ— Solution: modify eclipse.ini with: -Xms256m -Xmx1024m -XX:MaxPermSize=1024m
Android Security Key Management Step 1 Enabling SpongyCastle https://github.com/mseclab/gdgmeetsu2014-symmetric-demo-step1.git
Android Security Key Management Import Project from https://github.com/mseclab 1 2 3 4
Android Security Key Management Import Project from https://github.com/mseclab 5 6 7
Android Security Key Management Import Project from https://github.com/mseclab 8 9 10 https://github.com/mseclab/droidconit2014-symmetric-demo-step3.git
Android Security Key Management The project cannot be built... 1 2 3
Android Security Key Management Cipher Object Secret Key Specification Cipher getInstance Cipher Init Cipher Final
Android Security Key Management SecretKey Specification javax.crypto.spec.SecretKeySpec โ— SecretKeySpec specifies a key for a specific algorithm SecretKeySpec skeySpec = new SecretKeySpec(key, "AES"); Topic of this workshop Cryptographic Algorithm
Android Security Key Management Cipher GetInstance javax.crypto.Cipher โ— Provides access to implementations of cryptographic ciphers for encryption and decryption Cipher c = Cipher.getInstance("AES/CBC/PKCS5Paddingโ€,โ€œSCโ€); Trasformation (describes set of operation to perform): โ€ข algorithm/mode/padding โ€ข algorithm Provider ( SpongyCastle )
Android Security Key Management Cipher Init javax.crypto.Cipher โ— Initializes the cipher instance with the specified operational mode, key and algorithm parameters. cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv)); Operational Mode: โ€ข ENCRYPT_MODE โ€ข DECRYPT_MODE โ€ข WRAP_MODE โ€ข UNWRAP_MODE SecretKeySpec Specify Cipher Algorithm parameters ( IV for CBC )
Android Security Key Management Cipher Final javax.crypto.Cipher โ— Finishes a multi-part transformation (encryption or decryption) byte[] encryptedText = cipher.doFinal(clearText.getBytes()); Encrypted Text in byte ClearText in bytes
Android Security Key Management Step 2 Encryption Example https://github.com/mseclab/gdgmeetsu2014-symmetric-demo-step2.git
Android Security Key Management SecureRandom java.security.SecureRandom โ— Cryptographically secure pseudo-random number generator SecureRandom secureRandom = new SecureRandom(); Default constructor uses the most cryptographically strong provider available โ— Seeding SecureRandom is dangerous: โ—‹ Not Secure โ—‹ Output may change
Android Security Key Management Some SecureRandom Thoughts... โ— Android security team discovered a JCA improper PRNG initialization in August 2013 โ— Applications invoking system-provided OpenSSL PRNG without explicit initialization are also affected โ— Key Generation, Signing or Random Number Generation not receiving cryptographically strong values โ— Developer must explicitly initialize the PRNG PRNGFixes.apply()
Android Security Key Management KeyGenerator keyGenerator = KeyGenerator.getInstance("AESโ€,โ€œSCโ€); keyGenerator.init(outputKeyLength, secureRandom); SecretKey key = keyGenerator.generateKey(); Generate Secret Key javax.crypto.KeyGenerator โ— Symmetric cryptographic keys generator API Specify Key Size Algorithm and Provider Key to use in Cipher.init()
Android Security Key Management Key Management: Store on device โ— Protected by Android Filesystem Isolation โ— Plain File โ— SharedPreferences โ— Keystore File (BKS, JKS) โ— More secure with Phone Encryption โ— Store safely โ—‹ MODE_PRIVATE flag โ—‹ Use only internal storage /data/data/app_package
Android Security Key Management Key Management: Store on device โ— Device Rooted?
Android Security Key Management Step 3 Rooted device demo https://github.com/mseclab/gdgmeetsu2014-symmetric-demo-step3.git
Android Security Key Management Key Management: Store in App โ— Uses static keys or device specific information at run-time (IMEI, mac address, ANDROID_ID) โ— Android app can be easily reversed ( live demo ) โ— Hide with Code obfuscation โ— Security by Obscurity is never a good idea...
Android Security Key Management Key Management: Store in App โ— unzip: APK -> DEX โ— dex2jar: DEX -> JAR โ— JD-GUI: JAR -> Source
Android Security Key Management Reversing Demo
Android Security Key Management Key Management: PBKDF2 โ— Password Based Key Derivation Function (PKCS#5) โ— Variable length password in input โ— Fixed length key in output โ— User interaction required โ— Params: โ—‹ Password โ—‹ Pseudorandom Function โ—‹ Salt โ—‹ Number of iteration โ—‹ Key Size
Android Security Key Management KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, NUM_OF_ITERATIONS, KEY_SIZE); SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(PBE_ALGORITHM); encKey = secretKeyFactory.generateSecret(keySpec); Key Management: PBKDF2 javax.crypto.spec.PBEKeySpec โ— PBE Key specification and generation A good PBE algorithm is PBKDF2WithHmacSHA1 User Password N. >= 1000
Android Security Key Management SecretKeyFactory factory; if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) // Use compatibility key factory -- only uses lower 8-bits of passphrase chars factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit"); else if (Build.VERSION.SDK_INT >= 10) // Traditional key factory. Will use lower 8-bits of passphrase chars on // older Android versions (API level 18 and lower) and all available bits // on KitKat and newer (API level 19 and higher) factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); else // FIX for Android 8,9 factory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITAES-CBC-BC"); SecretKeyFactory API in Android 4.4
Android Security Key Management Step 4 PBE Example https://github.com/mseclab/gdgmeetsu2014-symmetric-demo-step4.git
Android Security Key Management Key Management: Other solutions โ— Store on server side โ— Internet connection required โ— Use trusted and protected connections (HTTPS, Certificate Pinning) โ— Store on external device โ—‹ NFC Java Card (NXP J3A081) โ—‹ Smartcard โ—‹ USB PenDrive โ—‹ MicroSD with secure storage โ— AndroidKeyStore???
Android Security Key Management Asymmetric Algorithms โ— Public/Private Key โ—‹ Public Key -> encrypt/verify signature โ—‹ Private Key -> decrypt/sign โ— Advantages: โ—‹ Public Key distribution is not dangerous โ— Disadvantages: โ—‹ Computationally expensive โ— Usually used with PKI (Public Key Infrastructure for digital certificates)
Android Security Key Management Public-key Applications โ— Can classify uses into 3 categories: โ—‹ Encryption/Decryption (provides confidentiality) โ—‹ Digital Signatures (provides authentication and Integrity) โ—‹ Key Exchange (of session keys) โ— Some algorithms are suitable for all uses (RSA), others are specific to one
Android Security Key Management PKCS for Asymmetric Algorithms โ— PKCS is a group of public-key cryptography standards published by RSA Security Inc โ— PKCS#1 (v.2.1) โ—‹ RSA Cryptography Standard โ— PKCS#3 (v.1.4) โ—‹ Diffie-Hellman Key Agreement Standard โ— PKCS#8 (v.1.2) โ—‹ Private-Key Information Syntax Standard โ— PKCS#10 (v.1.7) โ—‹ Certification Request Standard โ— PKCS#12 (v.1.0) โ—‹ Personal Information Exchange Syntax Standard
Android Security Key Management Android: RSA KeyPairGenerator kpg = KeyPairGenerator.getIstance(โ€RSA"); Java.security.KeyPairGenerator โ— KeyPairGenerator is an engine capable of generating public/private keys with specified algorithms Cryptographic Algorithm
Android Security Key Management Available Providers for RSA Algorithm KeyPairGenerator.getInstance(โ€RSAโ€,โ€SEC_PROVIDERSโ€); Java.security.KeyPairGenerator โ— Different security providers could be used (could change for different OS versions) โ€œAndroidOpenSSLโ€ โ€œBCโ€ โ€œAndroidKeyStroreโ€ Version 1.0 Version 1.49 Version 1.0
Android Security Key Management โ— KeySize โ€“ 1024,2048,4096 bits KeyPairGenerator: Initialization and Randomness KeyPairGenerator kpg = KeyPairGenerator.initialize(2048); Java.security.KeyPairGenerator โ— KeyPairGenerator initialization with the key size Key Size
Android Security Key Management KeyPairGenerator: Initialization and Randomness KeyPairGenerator kpg = KeyPairGenerator.initialize(2048,sr); Java.security.KeyPairGenerator, Java.security.SecureRandom โ— KeyPairGenerator initialization with a SecureRandom SecureRandom sr = new SecureRandom();
Android Security Key Management Generating RSA Key Java.security.KeyPair โ— KeyPair is a container for a public/private key generated by the KeyPairGenerator KeyPair keypair = kpg.genKeyPair() โ— We can retrieve public/private keys from KeyPair Key public_key = kaypair.getPublic(); Key private_key = kaypair.getPrivate();
Android Security Key Management Using RSA Keys: cipher example Javax.crypto.Cipher โ— Cipher provides access to implementation of cryptography ciphers for encryption and decryption Cipher cipher = Cipher.getInstance(โ€œRSAโ€,โ€SEC_PROVIDER); Transformation โ€œAndroidOpenSSLโ€ โ€œBCโ€ โ€œAndroidKeyStroreโ€
Android Security Key Management Using RSA Key: cipher example Javax.crypto.Cipher โ— Encryption cipher.init(Cipher.ENCRYPT_MODE,public_key); โ— Decryption byte[] encrypted_data= cipher.doFinal(โ€œGDG-Meets-U2014โ€.getBytes()); cipher.init(Cipher.DECRYPT_MODE,private_key); byte[] decrypted_data= cipher.doFinal(cipherd_data);
Android Security Key Management Parameters of RSA Keys java.security.KeyFactory, java.security.spec, โ— Retrieve RSA Key parameters using KeyFactory RSAPublicKeySpec rsa_public = keyfactory.getKeySpec(keypair.getPublic(), RSAPublicKeySpec.class); RSAPrivateKeySpec rsa_private = keyfactory.getKeySpec(keypair.getPrivate(), RSAPrivateKeySpec.class);
Android Security Key Management Extract Parameters of RSA Keys Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec โ— Retrieved parameters can be stored BigInteger m = rsa_public.getModulus(); BigInteger e = rsa_public.getPublicExponent(); BigInteger d = rsa_private.getPrivateExponent(); Is Private
Android Security Key Management Step 1 RSA Keys Generaration https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
Android Security Key Management AndroidKeyStore โ— Custom Java Security Provider available from Android 4.3 version and beyond โ— An App can generate and save private keys โ— Keys are private for each App โ— 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can be stored โ— ECDSA support added from Android 4.4
Android Security Key Management Key Management Evolution API LEVEL 14 API LEVEL 18 Global Level: KeyChain ( Public API ) App Level: KeyStore ( Closed API ) Global Level Only: Default TrustStore cacerts.bks (ROOTED device) Global Level: KeyChain ( Public API ) App Level and per User Level: AndroidKeyStore ( Public API )
Android Security Key Management AndroidKeyStore Storage โ— Two kinds of storage โ—‹ Hardware-backed (Nexus 7, Nexus 4, Nexus 5 :-) with OS >= 4.3) โ—‹ Secure Element โ—‹ TPM โ—‹ TrustZone โ—‹ Software only (Other devices with OS >= 4.3)
Android Security Key Management Type of Storage import android.security.KeyChain; if (KeyChain.isBoundKeyAlgorithm("RSA")) // Hardware-Backed else // Software Only
Android Security Key Management Certificate parameters Context cx = getActivity(); String pkg = cx.getPackageName(); Calendar notBefore = Calendar.getInstance(); Calendar notAfter = Calendar.getInstance(); notAfter.add(1, Calendar.YEAR); import android.security.KeyPairGeneratorSpec.Builder; Builder builder = new KeyPairGeneratorSpec.Builder(cx); builder.setAlias(โ€œDEVKEY1โ€); String infocert = String.format("CN=%s, OU=%s", โ€œDEVKEY1โ€, pkg); builder.setSubject(new X500Principal(infocert)); builder.setSerialNumber(BigInteger.ONE); builder.setStartDate(notBefore.getTime()); builder.setEndDate(notAfter.getTime()); KeyPairGeneratorSpec spec = builder.build(); Times parameters Self-Signed X.509 โ— Common Name (CN) โ— Subject (OU) โ— Serial Number Generate certificate ALIAS to index the certificate
Android Security Key Management Generating Public/Private keys KeyPairGenerator kpGenerator; kpGenerator = KeyPairGenerator .getInstance("RSA", "AndroidKeyStore"); kpGenerator.initialize(spec); KeyPair kp; kp = kpGenerator.generateKeyPair(); Engine to generate Public/Private key Init Engine with: โ— RSA Algorithm โ— Provider: AndroidKeyStore Init Engine with certificate parameters After generation, the keys will be stored into AndroidKeyStore and will be accessible by ALIAS โ— Generating Private/Public key
Android Security Key Management AndroidKeyStore Initialization keyStore = KeyStore.getInstance("AndroidKeyStore"); keyStore.load(null); Now we have the KeyStore reference that will be used to access to the Private/Public key by the ALIAS Should be used if there is an InputStream to load (for example the name of imported KeyStore). If not used the App will crash Get a reference to the AndroidKeyStore
Android Security Key Management Step 2 AndroidKeyStore Gen Keys https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
Android Security Key Management RSA Digital Signature โ— Digital Signature โ—‹ Authentication, Non-Repudiation and Integrity โ—‹ RSA Private key to Sign โ—‹ RSA Public Key to Verify KeyStore.Entry entry = ks.getEntry(โ€œDEVKEY1โ€, null); byte[] data = โ€œGDG-Meets-U 2014!โ€.getBytes(); Signature s = Signature.getInstance(โ€œSHA256withRSAโ€); s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey()); s.update(data); byte[] signature = s.sign(); String result = null; result = Base64.encodeToString(signature, Base64.DEFAULT); Access to Private/Public key identified by ALIAS Algorithm choice Private key to sign Signature and Base64 encoding
Android Security Key Management Verify RSA Digital Signature byte[] data = input.getBytes(); byte[] signature; signature = Base64.decode(signatureStr, Base64.DEFAULT); KeyStore.Entry entry = ks.getEntry(โ€œDEVKEY1โ€, null); Signature s = Signature.getInstance("SHA256withRSA"); s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate()); s.update(data); boolean valid = s.verify(signature); Base64 decoding Access to the Private/Public key identified by ALIAS==DEVKEY1 Algorithm choice Public Key in certificate to verify signature TRUE == Verified FALSE== Not Verified
Android Security Key Management Step 3 AndroidKeyStore Sign/Verify https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
Android Security Key Management RSA Encryption โ— Encryption โ—‹ Confidentiality โ—‹ RSA Public key to Encrypt โ—‹ RSA Private key to Decrypt PublicKey publicKeyEnc = ((KeyStore.PrivateKeyEntry) entry) .getCertificate().getPublicKey(); String textToEncrypt = new String(โ€GDG-Meet-U-2014"); byte[] textToEncryptToByte = textToEncrypt.getBytes(); Cipher encCipher = null; byte[] encryptedText = null; encCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); encCipher.init(Cipher.ENCRYPT_MODE, publicKeyEnc); encryptedText = encCipher.doFinal(textToEncryptToByte); Access to Public key to encrypt โ— Algorithm โ— Encryption with Public key Ciphered
Android Security Key Management RSA Decryption Cipher decCipher = null; byte[] plainTextByte = null; decCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); decCipher.init(Cipher.DECRYPT_MODE, ((KeyStore.PrivateKeyEntry) entry).getPrivateKey()); plainTextByte = decCipher.doFinal(ecryptedText); String plainText = new String(plainTextByte); Algorithm Decryption with Private key Plaintext
Android Security Key Management Step 4 AndroidKeyStore Enc/Dec https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
Android Security Key Management It is observed that... โ— Different screen lock โ— The choice of screen lock impactsthe keys โ— If you change the screen lock the keys are deleted
Android Security Key Management Expected behavior? โ— The official documentation shows: โ— The keys should ramain intact when the type of screen lock is changed by the user
Android Security Key Management Issue 61989 ...
Android Security Key Management Cryptographic material on devices โ— Device with Storage โ€œHardware-backedโ€ โ— Device with Storage โ€œSoftware-onlyโ€
Android Security Key Management KeyChain โ— KeyChain โ—‹ Accessible by any Application โ— Typically used for corporate certificates
Android Security Key Management Example: Import Certificates โ— Import .p12 certificates Intent intent = KeyChain.createInstallIntent(); byte[] p12 = readFile(โ€œCERTIFICATE_NAME.p12โ€); Intent.putExtra(KeyChain.EXTRA_PKCS12,p12); Specify PKCS#12 Key to install startActivity(intent); The user will be prompted for the password
Android Security Key Management KeyChain.choosePrivateKeyAlias( Activity activity, KeyChainAliasCallBack response, String[] keyTypes, Principal[] issuers, String host, Int port, String Alias); Example: Retrieve the key โ— The KeyChainAliasCallback invoked when a user chooses a certificate/private key
Android Security Key Management @Override public void alias(String alias){ . . PrivateKey private_key = KeyChain. getPrivateKey(this,alias); . . X509Certificate[] chain = KeyChain. getCertificateChain(this,โ€Droidconโ€); . PublicKey public_key = chain[0].getPublicKey(); } Example: Retrieve and use the keys โ— KeyChainAliasCallbak must implement the abstract method alias: Private Key Public Key
Android Security Key Management Step 5 KeyChain https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
Android Security Key Management References โ— http://developer.android.com/about/versions/android-4.3.html#Security โ— http://developer.android.com/reference/java/security/KeyStore.html โ— http://en.wikipedia.org/wiki/Encryption โ— http://en.wikipedia.org/wiki/Digital_signature โ— http://nelenkov.blogspot.it/2013/08/credential-storage-enhancements-android-43.html โ— http://nelenkov.blogspot.it/2012/05/storing-application-secrets-in-androids.html โ— http://nelenkov.blogspot.it/2012/04/using-password-based-encryption-on.html โ— http://nelenkov.blogspot.it/2011/11/ics-credential-storage-implementation.html โ— http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html โ— http://android-developers.blogspot.it/2013/02/using-cryptography-to-store- credentials.html โ— http://www.bouncycastle.org/ โ— http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html โ— http://nelenkov.blogspot.it/2013/10/signing-email-with-nfc-smart-card.html โ— http://en.wikipedia.org/wiki/PKCS โ— http://developer.android.com/reference/android/security/KeyChain.html โ— http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in.html
Android Security Key Management Thank you Q&Awww.mseclab.com www.consulthink.it research@mseclab.comgoo.gl/TA8EA1

Recommended

Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
Sperasoft
ย 
2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development 2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
ย 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
ย 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Development
hackstuff
ย 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
Kelwin Yang
ย 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
ย 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
ย 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
ย 

Recommended

Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
Sperasoft
ย 
2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development 2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
ย 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
ย 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Development
hackstuff
ย 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
Kelwin Yang
ย 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
ย 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
ย 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
ย 
Android Security
Android SecurityAndroid Security
Android Security
Mehrnaz Amoon
ย 
Android security
Android securityAndroid security
Android security
Midhun P Gopi
ย 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
OWASP
ย 
Android system security
Android system securityAndroid system security
Android system security
Chong-Kuan Chen
ย 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
ย 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
Pragati Rai
ย 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
Ravishankar Kumar
ย 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
h4oxer
ย 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
OWASP
ย 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
Sander Alberink
ย 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
BlrDroid
ย 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
ย 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
ย 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
Asanka Dilruk
ย 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
ย 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
ย 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
Anusha Chavan
ย 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
Tandhy Simanjuntak
ย 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)
Justin Hoang
ย 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
Georgia Weidman
ย 
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Cheng-Yi Yu
ย 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
National Cheng Kung University
ย 

More Related Content

What's hot

Android security
Android securityAndroid security
Android security
Midhun P Gopi
ย 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
Ravishankar Kumar
ย 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
Anusha Chavan
ย 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
Georgia Weidman
ย 

What's hot (20)

Android Security
Android SecurityAndroid Security
Android Security
ย 
Android security
Android securityAndroid security
Android security
ย 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
ย 
Android system security
Android system securityAndroid system security
Android system security
ย 
Android Security
Android SecurityAndroid Security
Android Security
ย 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
ย 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
ย 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
ย 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
ย 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
ย 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
ย 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
ย 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
ย 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
ย 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
ย 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
ย 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
ย 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
ย 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)
ย 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
ย 

Viewers also liked

End to end web security
End to end web securityEnd to end web security
End to end web security
George Boobyer
ย 
unix interprocess communication
unix interprocess communicationunix interprocess communication
unix interprocess communication
guest4c9430
ย 
Abdullah Mukhtar ppt
Abdullah Mukhtar pptAbdullah Mukhtar ppt
Abdullah Mukhtar ppt
Abdullah Mukhtar
ย 

Viewers also liked (20)

Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
ย 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
ย 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
ย 
Android security in depth - extended
Android security in depth - extendedAndroid security in depth - extended
Android security in depth - extended
ย 
Ipc
IpcIpc
Ipc
ย 
Web application Security
Web application SecurityWeb application Security
Web application Security
ย 
Web application security (RIT 2014, rus)
Web application security (RIT 2014, rus)Web application security (RIT 2014, rus)
Web application security (RIT 2014, rus)
ย 
OWASP Top 10 Overview
OWASP Top 10 OverviewOWASP Top 10 Overview
OWASP Top 10 Overview
ย 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
ย 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
ย 
End to end web security
End to end web securityEnd to end web security
End to end web security
ย 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutions
ย 
Secure Password Storage & Management
Secure Password Storage & ManagementSecure Password Storage & Management
Secure Password Storage & Management
ย 
unix interprocess communication
unix interprocess communicationunix interprocess communication
unix interprocess communication
ย 
Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)
ย 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
ย 
Abdullah Mukhtar ppt
Abdullah Mukhtar pptAbdullah Mukhtar ppt
Abdullah Mukhtar ppt
ย 
Android training day 4
Android training day 4Android training day 4
Android training day 4
ย 
Tips dan Third Party Library untuk Android - Part 1
Tips dan Third Party Library untuk Android - Part 1Tips dan Third Party Library untuk Android - Part 1
Tips dan Third Party Library untuk Android - Part 1
ย 
Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009
ย 

Similar to Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il key management

Dicoding Developer Coaching #37: Android | Kesalahan yang Sering Terjadi pada...
Dicoding Developer Coaching #37: Android | Kesalahan yang Sering Terjadi pada...Dicoding Developer Coaching #37: Android | Kesalahan yang Sering Terjadi pada...
Dicoding Developer Coaching #37: Android | Kesalahan yang Sering Terjadi pada...
DicodingEvent
ย 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
ย 
Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015
Marco Pozzato
ย 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
Sergey Gordeychik
ย 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
Michael Scovetta
ย 
HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key
Linaro
ย 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
Bosnia Agile
ย 
Kubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdfKubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdf
KawimbaLofgrens
ย 
How to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part TwoHow to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part Two
Arash Ramez
ย 

Similar to Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il key management (20)

Dicoding Developer Coaching #37: Android | Kesalahan yang Sering Terjadi pada...
Dicoding Developer Coaching #37: Android | Kesalahan yang Sering Terjadi pada...Dicoding Developer Coaching #37: Android | Kesalahan yang Sering Terjadi pada...
Dicoding Developer Coaching #37: Android | Kesalahan yang Sering Terjadi pada...
ย 
Increasing Android app security for free - Roberto Gassirร , Roberto Piccirill...
Increasing Android app security for free - Roberto Gassirร , Roberto Piccirill...Increasing Android app security for free - Roberto Gassirร , Roberto Piccirill...
Increasing Android app security for free - Roberto Gassirร , Roberto Piccirill...
ย 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
ย 
Increasing Android app security for free - Roberto Gassirร , Roberto Piccirill...
Increasing Android app security for free - Roberto Gassirร , Roberto Piccirill...Increasing Android app security for free - Roberto Gassirร , Roberto Piccirill...
Increasing Android app security for free - Roberto Gassirร , Roberto Piccirill...
ย 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
ย 
Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015Secure VoIP - DroidCon 2015
Secure VoIP - DroidCon 2015
ย 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
ย 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
ย 
Mobile security recipes for xamarin
Mobile security recipes for xamarinMobile security recipes for xamarin
Mobile security recipes for xamarin
ย 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
ย 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
ย 
HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key
ย 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
ย 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
ย 
Kubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdfKubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdf
ย 
How to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part TwoHow to do Cryptography right in Android Part Two
How to do Cryptography right in Android Part Two
ย 
Penetration Testing AWS
Penetration Testing AWSPenetration Testing AWS
Penetration Testing AWS
ย 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
ย 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security Linters
ย 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security Linters
ย 

More from Consulthinkspa

Pensiero Analogico e Microservizi
Pensiero Analogico e MicroserviziPensiero Analogico e Microservizi
Pensiero Analogico e Microservizi
Consulthinkspa
ย 
Droidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for EnterpriseDroidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for Enterprise
Consulthinkspa
ย 
Prevenzione degli attacchi informatici che coinvolgono dati sensibili aziendali
Prevenzione degli attacchi informatici che coinvolgono dati sensibili aziendaliPrevenzione degli attacchi informatici che coinvolgono dati sensibili aziendali
Prevenzione degli attacchi informatici che coinvolgono dati sensibili aziendali
Consulthinkspa
ย 

More from Consulthinkspa (16)

GDPR - Il Nuovo Regolamento Generale sulla Protezione dei Dati
GDPR - Il Nuovo Regolamento Generale sulla Protezione dei DatiGDPR - Il Nuovo Regolamento Generale sulla Protezione dei Dati
GDPR - Il Nuovo Regolamento Generale sulla Protezione dei Dati
ย 
Big Data Vs. Open Data
Big Data Vs. Open Data Big Data Vs. Open Data
Big Data Vs. Open Data
ย 
Data Science
Data ScienceData Science
Data Science
ย 
Hot trend 2017
Hot trend 2017Hot trend 2017
Hot trend 2017
ย 
Pensiero Analogico e Microservizi
Pensiero Analogico e MicroserviziPensiero Analogico e Microservizi
Pensiero Analogico e Microservizi
ย 
DevOps - Come diventare un buon DevOpper
DevOps - Come diventare un buon DevOpperDevOps - Come diventare un buon DevOpper
DevOps - Come diventare un buon DevOpper
ย 
Consulthink Overview
Consulthink OverviewConsulthink Overview
Consulthink Overview
ย 
Scenari introduzione Application Service Governance in Azienda
Scenari introduzione Application Service Governance in AziendaScenari introduzione Application Service Governance in Azienda
Scenari introduzione Application Service Governance in Azienda
ย 
Droidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for EnterpriseDroidcon it 2015: Android Lollipop for Enterprise
Droidcon it 2015: Android Lollipop for Enterprise
ย 
Test Driven Development
Test Driven DevelopmentTest Driven Development
Test Driven Development
ย 
IPv6 - Breve panoramica tra mito e realtร 
IPv6 - Breve panoramica tra mito e realtร IPv6 - Breve panoramica tra mito e realtร 
IPv6 - Breve panoramica tra mito e realtร 
ย 
BitCoin Protocol
BitCoin ProtocolBitCoin Protocol
BitCoin Protocol
ย 
Big data - stack tecnologico
Big data - stack tecnologicoBig data - stack tecnologico
Big data - stack tecnologico
ย 
Quality Software Development LifeCycle
Quality Software Development LifeCycleQuality Software Development LifeCycle
Quality Software Development LifeCycle
ย 
Android Security - Key Management at GDG DevFest Rome 2013
Android Security - Key Management at GDG DevFest Rome 2013 Android Security - Key Management at GDG DevFest Rome 2013
Android Security - Key Management at GDG DevFest Rome 2013
ย 
Prevenzione degli attacchi informatici che coinvolgono dati sensibili aziendali
Prevenzione degli attacchi informatici che coinvolgono dati sensibili aziendaliPrevenzione degli attacchi informatici che coinvolgono dati sensibili aziendali
Prevenzione degli attacchi informatici che coinvolgono dati sensibili aziendali
ย 

Recently uploaded

Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Delhi Call girls
ย 
SM-N975F esquematico completo - reparaciรณn.pdf
SM-N975F esquematico completo - reparaciรณn.pdfSM-N975F esquematico completo - reparaciรณn.pdf
SM-N975F esquematico completo - reparaciรณn.pdf
StefanoBiamonte1
ย 
Escorts Service Sanjay Nagar โ˜Ž 7737669865โ˜Ž Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar โ˜Ž 7737669865โ˜Ž Book Your One night Stand (Bangalore)Escorts Service Sanjay Nagar โ˜Ž 7737669865โ˜Ž Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar โ˜Ž 7737669865โ˜Ž Book Your One night Stand (Bangalore)
amitlee9823
ย 
CHEAP Call Girls in Hauz Quazi (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Hauz Quazi (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICECHEAP Call Girls in Hauz Quazi (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Hauz Quazi (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
ย 
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
tanu pandey
ย 
(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7
(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7
(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
ย 
Kothanur Call Girls Service: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bang...
Kothanur Call Girls Service: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bang...Kothanur Call Girls Service: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bang...
Kothanur Call Girls Service: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bang...
amitlee9823
ย 
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
Call Girls in Nagpur High Profile Call Girls
ย 
Bommasandra Call Girls: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bangalore...
Bommasandra Call Girls: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bangalore...Bommasandra Call Girls: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bangalore...
Bommasandra Call Girls: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bangalore...
amitlee9823
ย 
Top Rated Pune Call Girls Shirwal โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Ser...
Top Rated Pune Call Girls Shirwal โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Ser...Top Rated Pune Call Girls Shirwal โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Ser...
Top Rated Pune Call Girls Shirwal โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Ser...
Call Girls in Nagpur High Profile
ย 
CHEAP Call Girls in Mayapuri (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICECHEAP Call Girls in Mayapuri (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
ย 
Top Rated Pune Call Girls Ravet โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Ravet โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Ravet โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Ravet โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Call Girls in Nagpur High Profile
ย 
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort GirlsDeira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
Escorts Call Girls
ย 
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
Call Girls in Nagpur High Profile
ย 
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
roncy bisnoi
ย 
Call Girls In RT Nagar โ˜Ž 7737669865 ๐Ÿฅต Book Your One night Stand
Call Girls In RT Nagar โ˜Ž 7737669865 ๐Ÿฅต Book Your One night StandCall Girls In RT Nagar โ˜Ž 7737669865 ๐Ÿฅต Book Your One night Stand
Call Girls In RT Nagar โ˜Ž 7737669865 ๐Ÿฅต Book Your One night Stand
amitlee9823
ย 
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
amitlee9823
ย 
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
roncy bisnoi
ย 

Recently uploaded (20)

Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
ย 
SM-N975F esquematico completo - reparaciรณn.pdf
SM-N975F esquematico completo - reparaciรณn.pdfSM-N975F esquematico completo - reparaciรณn.pdf
SM-N975F esquematico completo - reparaciรณn.pdf
ย 
Escorts Service Sanjay Nagar โ˜Ž 7737669865โ˜Ž Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar โ˜Ž 7737669865โ˜Ž Book Your One night Stand (Bangalore)Escorts Service Sanjay Nagar โ˜Ž 7737669865โ˜Ž Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar โ˜Ž 7737669865โ˜Ž Book Your One night Stand (Bangalore)
ย 
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
ย 
CHEAP Call Girls in Hauz Quazi (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Hauz Quazi (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICECHEAP Call Girls in Hauz Quazi (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Hauz Quazi (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
ย 
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
ย 
(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7
(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7
(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7
ย 
Kothanur Call Girls Service: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bang...
Kothanur Call Girls Service: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bang...Kothanur Call Girls Service: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bang...
Kothanur Call Girls Service: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bang...
ย 
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
ย 
Bommasandra Call Girls: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bangalore...
Bommasandra Call Girls: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bangalore...Bommasandra Call Girls: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bangalore...
Bommasandra Call Girls: ๐Ÿ“ 7737669865 ๐Ÿ“ High Profile Model Escorts | Bangalore...
ย 
Top Rated Pune Call Girls Shirwal โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Ser...
Top Rated Pune Call Girls Shirwal โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Ser...Top Rated Pune Call Girls Shirwal โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Ser...
Top Rated Pune Call Girls Shirwal โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Ser...
ย 
CHEAP Call Girls in Mayapuri (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICECHEAP Call Girls in Mayapuri (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri (-DELHI )๐Ÿ” 9953056974๐Ÿ”(=)/CALL GIRLS SERVICE
ย 
Top Rated Pune Call Girls Ravet โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Ravet โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Ravet โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Ravet โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
ย 
Call Girls in Vashi Escorts Services - 7738631006
Call Girls in Vashi Escorts Services - 7738631006Call Girls in Vashi Escorts Services - 7738631006
Call Girls in Vashi Escorts Services - 7738631006
ย 
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort GirlsDeira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
ย 
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
Book Sex Workers Available Pune Call Girls Yerwada 6297143586 Call Hot India...
ย 
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
ย 
Call Girls In RT Nagar โ˜Ž 7737669865 ๐Ÿฅต Book Your One night Stand
Call Girls In RT Nagar โ˜Ž 7737669865 ๐Ÿฅต Book Your One night StandCall Girls In RT Nagar โ˜Ž 7737669865 ๐Ÿฅต Book Your One night Stand
Call Girls In RT Nagar โ˜Ž 7737669865 ๐Ÿฅต Book Your One night Stand
ย 
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
ย 
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
ย 

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il key management

  • 1. Android Security Key Management Roberto Piccirillo (r.piccirillo@mseclab.com) Roberto Gassirร  (r.gassira@mseclab.com)
  • 2. Android Security Key Management Roberto Piccirillo โ— Senior Security Analyst - Mobile Security Lab โ—‹ Vulnerability Assessment (IT, Mobile Application) โ—‹ Hijacking Mobile Data Connection โ–  BlackHat Europe 2009 โ–  DeepSec Vienna 2009 โ–  HITB Amsterdam 2010 โ—‹ Android Secure Development @robpicone
  • 3. Android Security Key Management Roberto Gassirร  โ— Senior Security Analyst - Mobile Security Lab โ—‹ Vulnerability Assessment (IT, Mobile Application) โ—‹ Hijacking Mobile Data Connection โ–  BlackHat Europe 2009 โ–  DeepSec Vienna 2009 โ–  HITB Amsterdam 2010 โ—‹ Android Secure Development โ— IpTrack Developer @robgas
  • 4. Android Security Key Management Agenda โ— Cryptography in Mobile Application โ— CryptoSystem โ— Crypto in Android โ— Symmetric Encryption โ— Symmetric Key Management โ— Keychain e AndroidKeyStore โ— Tipologie di AndroidKeyStore
  • 5. Android Security Key Management Requirements โ— A computer โ— Eclipse with ADT Plugin 22.3.0 โ— SDK Android 4.4 ( API 19 rev 2) โ— Android SDK Build-tools 19
  • 6. Android Security Key Management Cryptography in Mobile Applications โ— Protect data โ—‹ Sensitive data โ—‹ Data on /sdcard โ—‹ Cryptographic material โ— Exchange data securely โ—‹ Documents โ—‹ Mail โ—‹ SMS โ—‹ Session Keys โ— Digital Signature โ—‹ Documents โ—‹ Mail
  • 7. Android Security Key Management Key Management "Key management is the management of cryptographic keys in a cryptosystem."
  • 8. Android Security Key Management CryptoSystem "refers to a suite of algorithms needed to implement a particular form of encryption and decryption" โ— โ— Two types of encryption: โ—‹ Symmetric Key Algorithms โ–  Identical encryption key for encryption/decryption โ–  AES, Blowfish, DES, Triple DES โ—‹ Asymmetric Key Algorithms โ–  Different key for encryption/decryption โ–  RSA, DSA, ECDSA
  • 9. Android Security Key Management Ciphers โ— Two types of ciphers: โ—‹ Block: Process entire blocks of fixed-length groups of bits at a time ( padding may be required) โ—‹ Stream: Process single byte at a time ( no padding ) โ— Block Cipher modes of operation โ—‹ ECB: each block encrypted independently โ—‹ CBC, CFB, OFB: the previous block of output is used to alter the input blocks before applying the encryption algorithm starting from a IV ( initialization vector )
  • 10. Android Security Key Management Crypto in Android โ— Based on JCA ( Java Cryptographic Architecture) provides API for: โ— Encryption/Decryption โ— Digital signatures โ— Message digests (hashes) โ— Key management โ— Secure random number generation โ— โ€œProviderโ€ Architecture with CSP โ— Bouncy Castle is Android default CSP
  • 11. Android Security Key Management Bouncy Castle Android Version โ— Customized: โ—‹ Some services and API removed โ— Varies between Android versions โ— Fixed only in the latest versions โ— Solution: Spongy Castle โ— Repackage of Bouncy Castle โ— Supports more cryptographic options โ— Up-to-date โ— Not vulnerable to the Heartbleed Bug (CVE-2014-0160)
  • 12. Android Security Key Management Set Spongy Castle โ— Include Libs: โ— Enable at Application Level:
  • 13. Android Security Key Management GC overhead limit exceeded โ— Solution: modify eclipse.ini with: -Xms256m -Xmx1024m -XX:MaxPermSize=1024m
  • 14. Android Security Key Management Step 1 Enabling SpongyCastle https://github.com/mseclab/gdgmeetsu2014-symmetric-demo-step1.git
  • 15. Android Security Key Management Import Project from https://github.com/mseclab 1 2 3 4
  • 16. Android Security Key Management Import Project from https://github.com/mseclab 5 6 7
  • 17. Android Security Key Management Import Project from https://github.com/mseclab 8 9 10 https://github.com/mseclab/droidconit2014-symmetric-demo-step3.git
  • 18. Android Security Key Management The project cannot be built... 1 2 3
  • 19. Android Security Key Management Cipher Object Secret Key Specification Cipher getInstance Cipher Init Cipher Final
  • 20. Android Security Key Management SecretKey Specification javax.crypto.spec.SecretKeySpec โ— SecretKeySpec specifies a key for a specific algorithm SecretKeySpec skeySpec = new SecretKeySpec(key, "AES"); Topic of this workshop Cryptographic Algorithm
  • 21. Android Security Key Management Cipher GetInstance javax.crypto.Cipher โ— Provides access to implementations of cryptographic ciphers for encryption and decryption Cipher c = Cipher.getInstance("AES/CBC/PKCS5Paddingโ€,โ€œSCโ€); Trasformation (describes set of operation to perform): โ€ข algorithm/mode/padding โ€ข algorithm Provider ( SpongyCastle )
  • 22. Android Security Key Management Cipher Init javax.crypto.Cipher โ— Initializes the cipher instance with the specified operational mode, key and algorithm parameters. cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv)); Operational Mode: โ€ข ENCRYPT_MODE โ€ข DECRYPT_MODE โ€ข WRAP_MODE โ€ข UNWRAP_MODE SecretKeySpec Specify Cipher Algorithm parameters ( IV for CBC )
  • 23. Android Security Key Management Cipher Final javax.crypto.Cipher โ— Finishes a multi-part transformation (encryption or decryption) byte[] encryptedText = cipher.doFinal(clearText.getBytes()); Encrypted Text in byte ClearText in bytes
  • 24. Android Security Key Management Step 2 Encryption Example https://github.com/mseclab/gdgmeetsu2014-symmetric-demo-step2.git
  • 25. Android Security Key Management SecureRandom java.security.SecureRandom โ— Cryptographically secure pseudo-random number generator SecureRandom secureRandom = new SecureRandom(); Default constructor uses the most cryptographically strong provider available โ— Seeding SecureRandom is dangerous: โ—‹ Not Secure โ—‹ Output may change
  • 26. Android Security Key Management Some SecureRandom Thoughts... โ— Android security team discovered a JCA improper PRNG initialization in August 2013 โ— Applications invoking system-provided OpenSSL PRNG without explicit initialization are also affected โ— Key Generation, Signing or Random Number Generation not receiving cryptographically strong values โ— Developer must explicitly initialize the PRNG PRNGFixes.apply()
  • 27. Android Security Key Management KeyGenerator keyGenerator = KeyGenerator.getInstance("AESโ€,โ€œSCโ€); keyGenerator.init(outputKeyLength, secureRandom); SecretKey key = keyGenerator.generateKey(); Generate Secret Key javax.crypto.KeyGenerator โ— Symmetric cryptographic keys generator API Specify Key Size Algorithm and Provider Key to use in Cipher.init()
  • 28. Android Security Key Management Key Management: Store on device โ— Protected by Android Filesystem Isolation โ— Plain File โ— SharedPreferences โ— Keystore File (BKS, JKS) โ— More secure with Phone Encryption โ— Store safely โ—‹ MODE_PRIVATE flag โ—‹ Use only internal storage /data/data/app_package
  • 29. Android Security Key Management Key Management: Store on device โ— Device Rooted?
  • 30. Android Security Key Management Step 3 Rooted device demo https://github.com/mseclab/gdgmeetsu2014-symmetric-demo-step3.git
  • 31. Android Security Key Management Key Management: Store in App โ— Uses static keys or device specific information at run-time (IMEI, mac address, ANDROID_ID) โ— Android app can be easily reversed ( live demo ) โ— Hide with Code obfuscation โ— Security by Obscurity is never a good idea...
  • 32. Android Security Key Management Key Management: Store in App โ— unzip: APK -> DEX โ— dex2jar: DEX -> JAR โ— JD-GUI: JAR -> Source
  • 34. Android Security Key Management Key Management: PBKDF2 โ— Password Based Key Derivation Function (PKCS#5) โ— Variable length password in input โ— Fixed length key in output โ— User interaction required โ— Params: โ—‹ Password โ—‹ Pseudorandom Function โ—‹ Salt โ—‹ Number of iteration โ—‹ Key Size
  • 35. Android Security Key Management KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, NUM_OF_ITERATIONS, KEY_SIZE); SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(PBE_ALGORITHM); encKey = secretKeyFactory.generateSecret(keySpec); Key Management: PBKDF2 javax.crypto.spec.PBEKeySpec โ— PBE Key specification and generation A good PBE algorithm is PBKDF2WithHmacSHA1 User Password N. >= 1000
  • 36. Android Security Key Management SecretKeyFactory factory; if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) // Use compatibility key factory -- only uses lower 8-bits of passphrase chars factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1And8bit"); else if (Build.VERSION.SDK_INT >= 10) // Traditional key factory. Will use lower 8-bits of passphrase chars on // older Android versions (API level 18 and lower) and all available bits // on KitKat and newer (API level 19 and higher) factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); else // FIX for Android 8,9 factory = SecretKeyFactory.getInstance("PBEWITHSHAAND128BITAES-CBC-BC"); SecretKeyFactory API in Android 4.4
  • 37. Android Security Key Management Step 4 PBE Example https://github.com/mseclab/gdgmeetsu2014-symmetric-demo-step4.git
  • 38. Android Security Key Management Key Management: Other solutions โ— Store on server side โ— Internet connection required โ— Use trusted and protected connections (HTTPS, Certificate Pinning) โ— Store on external device โ—‹ NFC Java Card (NXP J3A081) โ—‹ Smartcard โ—‹ USB PenDrive โ—‹ MicroSD with secure storage โ— AndroidKeyStore???
  • 39. Android Security Key Management Asymmetric Algorithms โ— Public/Private Key โ—‹ Public Key -> encrypt/verify signature โ—‹ Private Key -> decrypt/sign โ— Advantages: โ—‹ Public Key distribution is not dangerous โ— Disadvantages: โ—‹ Computationally expensive โ— Usually used with PKI (Public Key Infrastructure for digital certificates)
  • 40. Android Security Key Management Public-key Applications โ— Can classify uses into 3 categories: โ—‹ Encryption/Decryption (provides confidentiality) โ—‹ Digital Signatures (provides authentication and Integrity) โ—‹ Key Exchange (of session keys) โ— Some algorithms are suitable for all uses (RSA), others are specific to one
  • 41. Android Security Key Management PKCS for Asymmetric Algorithms โ— PKCS is a group of public-key cryptography standards published by RSA Security Inc โ— PKCS#1 (v.2.1) โ—‹ RSA Cryptography Standard โ— PKCS#3 (v.1.4) โ—‹ Diffie-Hellman Key Agreement Standard โ— PKCS#8 (v.1.2) โ—‹ Private-Key Information Syntax Standard โ— PKCS#10 (v.1.7) โ—‹ Certification Request Standard โ— PKCS#12 (v.1.0) โ—‹ Personal Information Exchange Syntax Standard
  • 42. Android Security Key Management Android: RSA KeyPairGenerator kpg = KeyPairGenerator.getIstance(โ€RSA"); Java.security.KeyPairGenerator โ— KeyPairGenerator is an engine capable of generating public/private keys with specified algorithms Cryptographic Algorithm
  • 43. Android Security Key Management Available Providers for RSA Algorithm KeyPairGenerator.getInstance(โ€RSAโ€,โ€SEC_PROVIDERSโ€); Java.security.KeyPairGenerator โ— Different security providers could be used (could change for different OS versions) โ€œAndroidOpenSSLโ€ โ€œBCโ€ โ€œAndroidKeyStroreโ€ Version 1.0 Version 1.49 Version 1.0
  • 44. Android Security Key Management โ— KeySize โ€“ 1024,2048,4096 bits KeyPairGenerator: Initialization and Randomness KeyPairGenerator kpg = KeyPairGenerator.initialize(2048); Java.security.KeyPairGenerator โ— KeyPairGenerator initialization with the key size Key Size
  • 45. Android Security Key Management KeyPairGenerator: Initialization and Randomness KeyPairGenerator kpg = KeyPairGenerator.initialize(2048,sr); Java.security.KeyPairGenerator, Java.security.SecureRandom โ— KeyPairGenerator initialization with a SecureRandom SecureRandom sr = new SecureRandom();
  • 46. Android Security Key Management Generating RSA Key Java.security.KeyPair โ— KeyPair is a container for a public/private key generated by the KeyPairGenerator KeyPair keypair = kpg.genKeyPair() โ— We can retrieve public/private keys from KeyPair Key public_key = kaypair.getPublic(); Key private_key = kaypair.getPrivate();
  • 47. Android Security Key Management Using RSA Keys: cipher example Javax.crypto.Cipher โ— Cipher provides access to implementation of cryptography ciphers for encryption and decryption Cipher cipher = Cipher.getInstance(โ€œRSAโ€,โ€SEC_PROVIDER); Transformation โ€œAndroidOpenSSLโ€ โ€œBCโ€ โ€œAndroidKeyStroreโ€
  • 48. Android Security Key Management Using RSA Key: cipher example Javax.crypto.Cipher โ— Encryption cipher.init(Cipher.ENCRYPT_MODE,public_key); โ— Decryption byte[] encrypted_data= cipher.doFinal(โ€œGDG-Meets-U2014โ€.getBytes()); cipher.init(Cipher.DECRYPT_MODE,private_key); byte[] decrypted_data= cipher.doFinal(cipherd_data);
  • 49. Android Security Key Management Parameters of RSA Keys java.security.KeyFactory, java.security.spec, โ— Retrieve RSA Key parameters using KeyFactory RSAPublicKeySpec rsa_public = keyfactory.getKeySpec(keypair.getPublic(), RSAPublicKeySpec.class); RSAPrivateKeySpec rsa_private = keyfactory.getKeySpec(keypair.getPrivate(), RSAPrivateKeySpec.class);
  • 50. Android Security Key Management Extract Parameters of RSA Keys Java.security.spec.RSAPublicKeySpec, java.security.spec.RSAPrivateKeySpec โ— Retrieved parameters can be stored BigInteger m = rsa_public.getModulus(); BigInteger e = rsa_public.getPublicExponent(); BigInteger d = rsa_private.getPrivateExponent(); Is Private
  • 51. Android Security Key Management Step 1 RSA Keys Generaration https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
  • 52. Android Security Key Management AndroidKeyStore โ— Custom Java Security Provider available from Android 4.3 version and beyond โ— An App can generate and save private keys โ— Keys are private for each App โ— 2048-bit key size (4.3), 1024-2048-4096-bit key size (4.4) can be stored โ— ECDSA support added from Android 4.4
  • 53. Android Security Key Management Key Management Evolution API LEVEL 14 API LEVEL 18 Global Level: KeyChain ( Public API ) App Level: KeyStore ( Closed API ) Global Level Only: Default TrustStore cacerts.bks (ROOTED device) Global Level: KeyChain ( Public API ) App Level and per User Level: AndroidKeyStore ( Public API )
  • 54. Android Security Key Management AndroidKeyStore Storage โ— Two kinds of storage โ—‹ Hardware-backed (Nexus 7, Nexus 4, Nexus 5 :-) with OS >= 4.3) โ—‹ Secure Element โ—‹ TPM โ—‹ TrustZone โ—‹ Software only (Other devices with OS >= 4.3)
  • 55. Android Security Key Management Type of Storage import android.security.KeyChain; if (KeyChain.isBoundKeyAlgorithm("RSA")) // Hardware-Backed else // Software Only
  • 56. Android Security Key Management Certificate parameters Context cx = getActivity(); String pkg = cx.getPackageName(); Calendar notBefore = Calendar.getInstance(); Calendar notAfter = Calendar.getInstance(); notAfter.add(1, Calendar.YEAR); import android.security.KeyPairGeneratorSpec.Builder; Builder builder = new KeyPairGeneratorSpec.Builder(cx); builder.setAlias(โ€œDEVKEY1โ€); String infocert = String.format("CN=%s, OU=%s", โ€œDEVKEY1โ€, pkg); builder.setSubject(new X500Principal(infocert)); builder.setSerialNumber(BigInteger.ONE); builder.setStartDate(notBefore.getTime()); builder.setEndDate(notAfter.getTime()); KeyPairGeneratorSpec spec = builder.build(); Times parameters Self-Signed X.509 โ— Common Name (CN) โ— Subject (OU) โ— Serial Number Generate certificate ALIAS to index the certificate
  • 57. Android Security Key Management Generating Public/Private keys KeyPairGenerator kpGenerator; kpGenerator = KeyPairGenerator .getInstance("RSA", "AndroidKeyStore"); kpGenerator.initialize(spec); KeyPair kp; kp = kpGenerator.generateKeyPair(); Engine to generate Public/Private key Init Engine with: โ— RSA Algorithm โ— Provider: AndroidKeyStore Init Engine with certificate parameters After generation, the keys will be stored into AndroidKeyStore and will be accessible by ALIAS โ— Generating Private/Public key
  • 58. Android Security Key Management AndroidKeyStore Initialization keyStore = KeyStore.getInstance("AndroidKeyStore"); keyStore.load(null); Now we have the KeyStore reference that will be used to access to the Private/Public key by the ALIAS Should be used if there is an InputStream to load (for example the name of imported KeyStore). If not used the App will crash Get a reference to the AndroidKeyStore
  • 59. Android Security Key Management Step 2 AndroidKeyStore Gen Keys https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
  • 60. Android Security Key Management RSA Digital Signature โ— Digital Signature โ—‹ Authentication, Non-Repudiation and Integrity โ—‹ RSA Private key to Sign โ—‹ RSA Public Key to Verify KeyStore.Entry entry = ks.getEntry(โ€œDEVKEY1โ€, null); byte[] data = โ€œGDG-Meets-U 2014!โ€.getBytes(); Signature s = Signature.getInstance(โ€œSHA256withRSAโ€); s.initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey()); s.update(data); byte[] signature = s.sign(); String result = null; result = Base64.encodeToString(signature, Base64.DEFAULT); Access to Private/Public key identified by ALIAS Algorithm choice Private key to sign Signature and Base64 encoding
  • 61. Android Security Key Management Verify RSA Digital Signature byte[] data = input.getBytes(); byte[] signature; signature = Base64.decode(signatureStr, Base64.DEFAULT); KeyStore.Entry entry = ks.getEntry(โ€œDEVKEY1โ€, null); Signature s = Signature.getInstance("SHA256withRSA"); s.initVerify(((KeyStore.PrivateKeyEntry) entry).getCertificate()); s.update(data); boolean valid = s.verify(signature); Base64 decoding Access to the Private/Public key identified by ALIAS==DEVKEY1 Algorithm choice Public Key in certificate to verify signature TRUE == Verified FALSE== Not Verified
  • 62. Android Security Key Management Step 3 AndroidKeyStore Sign/Verify https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
  • 63. Android Security Key Management RSA Encryption โ— Encryption โ—‹ Confidentiality โ—‹ RSA Public key to Encrypt โ—‹ RSA Private key to Decrypt PublicKey publicKeyEnc = ((KeyStore.PrivateKeyEntry) entry) .getCertificate().getPublicKey(); String textToEncrypt = new String(โ€GDG-Meet-U-2014"); byte[] textToEncryptToByte = textToEncrypt.getBytes(); Cipher encCipher = null; byte[] encryptedText = null; encCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); encCipher.init(Cipher.ENCRYPT_MODE, publicKeyEnc); encryptedText = encCipher.doFinal(textToEncryptToByte); Access to Public key to encrypt โ— Algorithm โ— Encryption with Public key Ciphered
  • 64. Android Security Key Management RSA Decryption Cipher decCipher = null; byte[] plainTextByte = null; decCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); decCipher.init(Cipher.DECRYPT_MODE, ((KeyStore.PrivateKeyEntry) entry).getPrivateKey()); plainTextByte = decCipher.doFinal(ecryptedText); String plainText = new String(plainTextByte); Algorithm Decryption with Private key Plaintext
  • 65. Android Security Key Management Step 4 AndroidKeyStore Enc/Dec https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
  • 66. Android Security Key Management It is observed that... โ— Different screen lock โ— The choice of screen lock impactsthe keys โ— If you change the screen lock the keys are deleted
  • 67. Android Security Key Management Expected behavior? โ— The official documentation shows: โ— The keys should ramain intact when the type of screen lock is changed by the user
  • 69. Android Security Key Management Cryptographic material on devices โ— Device with Storage โ€œHardware-backedโ€ โ— Device with Storage โ€œSoftware-onlyโ€
  • 70. Android Security Key Management KeyChain โ— KeyChain โ—‹ Accessible by any Application โ— Typically used for corporate certificates
  • 71. Android Security Key Management Example: Import Certificates โ— Import .p12 certificates Intent intent = KeyChain.createInstallIntent(); byte[] p12 = readFile(โ€œCERTIFICATE_NAME.p12โ€); Intent.putExtra(KeyChain.EXTRA_PKCS12,p12); Specify PKCS#12 Key to install startActivity(intent); The user will be prompted for the password
  • 72. Android Security Key Management KeyChain.choosePrivateKeyAlias( Activity activity, KeyChainAliasCallBack response, String[] keyTypes, Principal[] issuers, String host, Int port, String Alias); Example: Retrieve the key โ— The KeyChainAliasCallback invoked when a user chooses a certificate/private key
  • 73. Android Security Key Management @Override public void alias(String alias){ . . PrivateKey private_key = KeyChain. getPrivateKey(this,alias); . . X509Certificate[] chain = KeyChain. getCertificateChain(this,โ€Droidconโ€); . PublicKey public_key = chain[0].getPublicKey(); } Example: Retrieve and use the keys โ— KeyChainAliasCallbak must implement the abstract method alias: Private Key Public Key
  • 74. Android Security Key Management Step 5 KeyChain https://github.com/mseclab/gdgmeetsu2014_asymmetric_demo.git
  • 75. Android Security Key Management References โ— http://developer.android.com/about/versions/android-4.3.html#Security โ— http://developer.android.com/reference/java/security/KeyStore.html โ— http://en.wikipedia.org/wiki/Encryption โ— http://en.wikipedia.org/wiki/Digital_signature โ— http://nelenkov.blogspot.it/2013/08/credential-storage-enhancements-android-43.html โ— http://nelenkov.blogspot.it/2012/05/storing-application-secrets-in-androids.html โ— http://nelenkov.blogspot.it/2012/04/using-password-based-encryption-on.html โ— http://nelenkov.blogspot.it/2011/11/ics-credential-storage-implementation.html โ— http://developer.android.com/reference/android/security/KeyPairGeneratorSpec.html โ— http://android-developers.blogspot.it/2013/02/using-cryptography-to-store- credentials.html โ— http://www.bouncycastle.org/ โ— http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html โ— http://nelenkov.blogspot.it/2013/10/signing-email-with-nfc-smart-card.html โ— http://en.wikipedia.org/wiki/PKCS โ— http://developer.android.com/reference/android/security/KeyChain.html โ— http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in.html
  • 76. Android Security Key Management Thank you Q&Awww.mseclab.com www.consulthink.it research@mseclab.comgoo.gl/TA8EA1