Apps, apis, third party services (Droidcon)

In this talk I talked about my experiences with Android security when it comes to storing secrets in apps on the device. It uses OAuth as an example but contains practical hints on how to store any secret securely. Presented at DroidconNL in Amsterdam, 23 November 2011.

  1. Apps, APIs and third party services: A Love Triangle. Ivo Jansch (@ijansch). Droidcon, 23 November 2011. http://www.egeniq.com, info@egeniq.com, @egeniq
  2. About Me: @ijansch. Developer, Author, Entreprenerd. iOS/Java/PHP
  3. About Egeniq: Startup, Mobile, Tech, Knowledge, Geeks, Development
  4. Tiqr - Learning about Android Security (diagram). http://www.tiqr.org
  5. The Use Case (diagram: Android App, API, Third Party Service)
  6. Timeline (diagram)
  7. OAuth (diagram: Your Android Application, Twitter)
  8. OAuth (diagram: OAuth Consumer, OAuth Provider)
  9. Why do you need to protect keys? (diagram: OAuth Provider)
  10. The Android Security Model
  11. Sandboxing
    ‣ Apps only have access to their own data
    ‣ Access is based on Linux user ID
    ‣ Further protected by application signature
  12. Storage + Secure Storage
    ‣ USB Storage
      • External storage, sharable between apps
    ‣ Device Storage
      • Apps have their own location, within the sandbox
    ‣ Secure Storage
      • Java KeyStores with strong encryption algorithms
      • Unfortunately no hardware-encrypted storage like the iPhone
  13. The Main Problem
    ‣ How can I securely store secrets?
      • Is sandboxing a solution? -> Not when the device is rooted
      • Is device storage a solution? -> Not when the device is rooted
      • Is encryption a solution?
        ‣ Yes, but where do you store your encryption keys?
  14. It's a common question. Stack Overflow search for 'store secrets android': (screenshot)
  15. With common answers:
    - Huh?
    - Don't store secrets
    - Don't use OAuth
    - Obfuscate
    - Encrypt
  16. Know what? I'll just use a library
  17. Scribe: https://github.com/fernandezpablo85/scribe-java
  18. A Couple Of Solutions
  19. Option 1 - Obfuscation
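The slide text for Option 1 did not survive extraction, so the following is an added example (not the talk's own code) of what obfuscation of a consumer secret usually amounts to, and of the check a reviewer applies to it: the pad and the routine that reassembles the secret must both ship inside the APK, so whoever has the APK can run the same two lines the app runs. The secret string and pad bytes are constructed sample values.

```java
// Added example, not from the slides: XOR-obfuscated secret and why it is only a speed bump.
import java.nio.charset.StandardCharsets;

public final class ObfuscatedSecret {
    // Fixed pad embedded in the app (constructed sample). ProGuard renames classes and
    // methods, but a constant byte array like this is kept verbatim in classes.dex.
    private static final byte[] PAD = {0x5a, 0x13, 0x77, 0x2e, (byte) 0xc4, 0x01, 0x3f, (byte) 0x9b};

    // Build-time step: run once to produce the byte literal that gets embedded in the APK.
    static byte[] xor(byte[] in, byte[] pad) {
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = (byte) (in[i] ^ pad[i % pad.length]);
        }
        return out;
    }

    // Runtime step: the app needs this to use the key, so the APK must contain it together with PAD.
    static String deobfuscate(byte[] blob) {
        return new String(xor(blob, PAD), StandardCharsets.UTF_8);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) {
        // In a real build this would be a literal array; the plaintext is here only to show the round trip.
        byte[] embedded = xor("s3cr3t-consumer-key".getBytes(StandardCharsets.UTF_8), PAD);
        System.out.println("in the dex: " + hex(embedded));      // `strings` finds nothing readable
        // An attacker with the APK (or a debugger attached to the running app) does exactly this:
        System.out.println("recovered:  " + deobfuscate(embedded));
    }
}
```

Obfuscation raises the cost of a casual `strings`/`apktool` look, nothing more; treat it as a layer, not as storage.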
  20. Option 2 - Encryption
  21. Option 2 - Encryption (continued)
  22. Option 2 - Encryption (continued)
  23. Option 2 - Encryption (continued)
  24. Option 3 - Using the KeyStore
  25. Option 3 - Using the KeyStore (continued)
  26. Option 4 - Retrieve key from API (diagram: Android App, Your API [?], OAuth Provider)
  27. Option 5 - Transparent Proxy (diagram: Android App, Proxy, OAuth Provider)
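Options 4 and 5 both take the consumer secret out of the APK, but they differ in where it ends up: fetched from your API (Option 4) it still lands in the app's memory and on the wire, where a rooted device or a debugger can read it, which is presumably the "?" on the slide. A transparent proxy (Option 5) keeps it server-side for good, because the proxy performs the OAuth signing step that needs it. The following added example (not from the talk, and not Scribe's code) is that signing step, RFC 5849 HMAC-SHA1, written to run on the proxy; the app submits the request it wants made and never sees the secret. Consumer key/secret, token values and the endpoint in `main` are constructed placeholders.

```java
// Added example, not from the slides: OAuth 1.0a HMAC-SHA1 signing on the proxy side.
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class OAuth1Signer {
    private final String consumerKey;
    private final String consumerSecret; // loaded from the proxy's own config; never shipped in the APK

    public OAuth1Signer(String consumerKey, String consumerSecret) {
        this.consumerKey = consumerKey;
        this.consumerSecret = consumerSecret;
    }

    // RFC 5849 section 3.6 percent-encoding: URLEncoder is form encoding, so patch its differences.
    static String pct(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8")
                    .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    // Signature base string (section 3.4.1): METHOD & encoded base URL & encoded normalized parameters,
    // where parameters are encoded first and then sorted by name, then by value.
    static String baseString(String method, String baseUrl, Map<String, String> params) {
        List<String[]> pairs = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            pairs.add(new String[]{pct(e.getKey()), pct(e.getValue())});
        }
        Collections.sort(pairs, (a, b) -> a[0].equals(b[0]) ? a[1].compareTo(b[1]) : a[0].compareTo(b[0]));
        StringBuilder norm = new StringBuilder();
        for (String[] p : pairs) {
            if (norm.length() > 0) norm.append('&');
            norm.append(p[0]).append('=').append(p[1]);
        }
        return method.toUpperCase(Locale.ROOT) + "&" + pct(baseUrl) + "&" + pct(norm.toString());
    }

    static String hmacSha1(String key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Builds the Authorization header for one request. baseUrl carries no query string; requestParams
    // holds the query and form-body parameters of the request the app asked the proxy to make.
    public String authorizationHeader(String method, String baseUrl, Map<String, String> requestParams,
                                      String token, String tokenSecret) throws Exception {
        Map<String, String> oauth = new TreeMap<>();
        oauth.put("oauth_consumer_key", consumerKey);
        oauth.put("oauth_nonce", nonce());
        oauth.put("oauth_signature_method", "HMAC-SHA1");
        oauth.put("oauth_timestamp", Long.toString(System.currentTimeMillis() / 1000));
        oauth.put("oauth_version", "1.0");
        if (token != null) oauth.put("oauth_token", token);

        Map<String, String> all = new TreeMap<>(requestParams);
        all.putAll(oauth);
        // The consumer secret is half of the signing key: this line is why it must stay server-side.
        String signingKey = pct(consumerSecret) + "&" + (tokenSecret == null ? "" : pct(tokenSecret));
        oauth.put("oauth_signature", hmacSha1(signingKey, baseString(method, baseUrl, all)));

        StringBuilder h = new StringBuilder("OAuth ");
        boolean first = true;
        for (Map.Entry<String, String> e : oauth.entrySet()) {
            if (!first) h.append(", ");
            first = false;
            h.append(pct(e.getKey())).append("=\"").append(pct(e.getValue())).append('"');
        }
        return h.toString();
    }

    private static String nonce() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        OAuth1Signer proxy = new OAuth1Signer("example-consumer-key", "example-consumer-secret");
        Map<String, String> body = new TreeMap<>();
        body.put("status", "Hello from the proxy");
        System.out.println(proxy.authorizationHeader("POST",
                "https://api.twitter.com/1.1/statuses/update.json", body,
                "user-access-token", "user-access-token-secret"));
    }
}
```

The proxy must still authenticate the app (otherwise it is an open relay for your consumer key) and the per-user token secret now has to be protected on the proxy instead; the point is only that the one secret shared by every install no longer exists on any device.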
  28. Conclusion: It's all about awareness
  29. Recommended Reading
    ‣ Mobile Application Security
    ‣ Authors:
      • Himanshu Dwivedi
      • Chris Clark
      • David Thiel
    ‣ Covers:
      • Android
      • Apple
      • WinMo
  30. Thank you! Questions? http://www.egeniq.com, ivo@egeniq.com, @ijansch
  31. Credits
    ‣ 'Tege in Sandbox' by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/
    ‣ 'Locker (KHS up close)' by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/
    ‣ 'Mask' by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/
