Apps, apis, third party services (Droidcon)

http://www.egeniq.com info@egeniq.com @egeniqApps, APIs and third party services A Love Triangle Ivo Jansch - @ijansch Droidcon, 23 November 2011

About Me@ijanschDeveloperAuthorEntreprenerdiOS/Java/PHP 2

About EgeniqStartupMobileTechKnowledgeGeeksDevelopment 3

Tiqr - Learning about Android Security 1 6 3 2 5 4 http://www.tiqr.org 4

The Use Case APIAndroid App Third Party Service 5

Timeline 6

OAuth Your Android Twitter Application 7

OAuth OAuth OAuth Consumer Provider 8

Why do you need to protect keys? OAuth Provider 8 9

The Android Security Model 10

Sandboxing‣ Apps only have access to their own data‣ Access is based on Linux user ID‣ Further protected by application signature 11

Storage + Secure Storage‣ USB Storage • External storage, sharable between apps‣ Device Storage • Apps have their own location, within sandbox‣ Secure Storage • Java KeyStores with strong encryption algorithms • Unfortunately no hardware encrypted storage like iPhone 12

The Main Problem‣ How can I securely store secrets? • Is sandboxing a solution? -> Not when device is rooted • Is device storage a solution? -> Not when device is rooted • Is encryption a solution? ‣ Yes, but where do you store your encryption keys? 13

It’s a common questionStackoverflow search for ‘store secrets android’: 14

With common answers- Huh?- Don’t store secrets- Don’t use OAuth- Obfuscate- Encrypt 15

Know what? I’ll just use a library 16

Scribehttps://github.com/fernandezpablo85/scribe-java 17

A Couple Of Solutions 18

Option 1 - Obfuscation 19

Option 2 - Encryption 20

Option 3 - Using the KeyStore 24

Option 3 - Using the KeyStore 25

Option 4 - Retrieve key from API Your API ? OAuth Android App Provider 26

Option 5 - Transparent Proxy Proxy Android OAuth App Provider 27

Conclusion It’s all about awareness 28

Recommended Reading‣ ISBN: 2147483647‣ Authors: • Himanshu Dwivedi • Chris Clark • David Thiel‣ Covers: • Android • Apple • WinMo 29

http://www.egeniq.com info@egeniq.com @egeniqThank you! Questions? http://www.egeniq.com ivo@egeniq.com @ijansch

Credits ‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/ ‣ ‘Locker (KHS up close) by Travis Hymas - http://www.flickr.com/photos/ travishasphotos/3481640534/ ‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/

Apps, apis, third party services (Droidcon)

by Ivo Jansch on Nov 25, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 7

Statistics

Apps, apis, third party services (Droidcon) — Presentation Transcript

http://paper.li	6
http://a0.twimg.com	1