Presentation about implementing security features in Android applications from Droidcon Zagreb 2016

1. Safety first – Best practices in app security
    Ana Baotić, Technical Manager, Mobile Banking @ Infinum

2. We're an independent design & development agency.

3. HOW TO INCREASE SECURITY
    Build integrity
    Data privacy
    Network security

4. THINGS TO ADD TO A NEW PROJECT
    Release keystore
    Obfuscation

5. KEYSTORE
    Use the same release keystore for ALL release builds (the app's identity is its signing certificate: an update signed with a different key will not install over the existing version)
    You should NEVER lose it
    No one else should EVER acquire it

6. DO NOT hardcode the passwords in build.gradle:
    signingConfigs {
        release {
            storeFile file("myapp.keystore")
            storePassword "password123"
            keyAlias "keyAlias"
            keyPassword "password789"
        }
    }

7. DO read them from a properties file that stays out of version control (the project's gradle.properties is normally committed; put the secrets in ~/.gradle/gradle.properties or a file your CI injects):
    KEYSTORE_PASSWORD=password123
    KEY_PASSWORD=password789

8. build.gradle then references the properties, and fails the build with a clear message when they are missing (an undefined property throws inside the try block):
    signingConfigs {
        release {
            try {
                storeFile file("myapp.keystore")
                storePassword KEYSTORE_PASSWORD
                keyAlias "keyAlias"
                keyPassword KEY_PASSWORD
            } catch (ex) {
                throw new InvalidUserDataException("…")
            }
        }
    }

9. OBFUSCATION
    ProGuard
    DexGuard
    DexProtector
10. build.gradle: enable shrinking and obfuscation for release builds
    release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
        signingConfig signingConfigs.release
    }
11. What a decompiled class looks like after ProGuard (names are replaced by single letters; the logic itself is still fully readable):
    public abstract class e {
        private int a = -1;
        private String b = null;
        protected boolean k = false;

        public abstract void a(Intent var1);

        public void run() {
            this.a((Intent) null);
        }

        protected final void a(String var1) {
            this.b = var1;
        }

        public final void c() {
            this.a = -1;
            this.b = null;
        }

        public final boolean d() {
            return this.k;
        }
    }
12. WILL THIS KEEP THE APK SAFE?
    No. Obfuscation only raises the cost of reading the code; it does not stop anyone from decompiling, modifying and re-signing the APK.

13. TAMPERING DETECTION
    Verify the signing certificate at runtime (hash the certificate the app is actually signed with and compare it to the one you expect)
    Verify the installer (getInstallerPackageName() returns null for side-loaded apps, so check for null before calling startsWith):
        String installer = context.getPackageManager()
            .getInstallerPackageName(context.getPackageName());
        boolean fromPlay = installer != null && installer.startsWith("com.android.vending");
    Check if the app is debuggable (or running on an emulator)
14. DATA PRIVACY

15. USERS ARE SENSITIVE ABOUT THEIR DATA

16. WAYS TO STORE (AND RETRIEVE) DATA
    Internal storage
    External storage
    Content providers

17. INTERNAL STORAGE
    Is (generally) sufficiently safe
    Private to your app (files created with MODE_PRIVATE are readable only by your app's own Linux user)

18. EXTERNAL STORAGE
    Globally readable and writable: any app holding the storage permission can read, and replace, what you put there

19. CONTENT PROVIDERS
    Structured storage mechanism
    Can be exported to allow access by other apps; keep android:exported="false" unless you need that, and if you do, guard the provider with a signature-level permission

20. AndroidManifest.xml
    <provider
        android:name="com.example.android.datasync.provider.StubProvider"
        android:authorities="com.example.android.datasync.provider"
        android:exported="false"/>

    If the provider must be exported, declare a <permission> with android:protectionLevel="signature" (granted only to apps signed with the same certificate as yours) and require it on the provider with android:permission.

21. SHARED PREFERENCES
    Useful for primitive key-value based data (stored as an XML file in internal storage)

22. Comparison
                          private    readable    safe
    Internal storage      yes        yes         yes
    External storage      no         yes         no
    Content providers     depends    yes         yes
    Shared prefs.         yes        yes         yes

23. SO EVERYTHING IS FINE?
    Yes, until you root the device.
24. USE LIBRARIES (do not write your own crypto)
    Bouncy Castle
    Spongy Castle (Bouncy Castle repackaged so it does not clash with the outdated copy bundled in Android)
    Keyczar
    AeroGear Crypto
    Conceal

25. ENCRYPT USING A PIN/PASSWORD
    4 digits = only 10 000 possible PINs
    With a fast hash there is no effort to crack, or even guess, the PIN: whoever has the encrypted file tries all 10 000 offline in well under a second

26. BCRYPT
    Password hashing / key derivation function
    Deliberately slow
    Cost of the hash function depends on the work factor: each increment of the cost parameter doubles the time per guess, so size it so that one derivation takes tens to hundreds of milliseconds on your slowest supported device
27. CAN DATA REMAIN PRIVATE?
    Rooting your device allows access to internal storage
    Not encrypting allows (mis)use of whatever is read from it
28. NETWORK SECURITY

29. HTTP
    Still (frequently) used
    Plaintext: anyone on the path (MiTM) can read and modify the traffic

30. HTTPS
    Encrypts data
    Validates the server's identity (the certificate chain is checked against the device's trusted CAs)

31. ANDROID M (API 23)
    Manifest, on <application>: android:usesCleartextTraffic="false"
    Log any remaining cleartext connection during development:
    StrictMode.setVmPolicy(
        new StrictMode.VmPolicy.Builder()
            .detectCleartextNetwork()
            .penaltyLog()
            .build());

32. ANDROID N (API 24)
    Network Security Configuration feature
    Finer grained control: per-domain cleartext policy, custom trust anchors, pins and debug-only overrides, declared in an XML resource instead of code

33. CERTIFICATE PINNING
    Restricts which certificates (or CAs) the app accepts for your host, instead of trusting every CA on the device
    Reduces effectiveness of MiTM: a certificate issued by a compromised or user-installed CA no longer passes
34. Pinning with the OkHttp client builder used in the talk (pinClientCertificate and pinServerCertificates are the speaker's wrapper methods, not part of OkHttp itself):
    OkHttpClient client = okhttpbuilder
        .pinClientCertificate(resources, R.raw.client_cert, "pass".toCharArray(), "PKCS12")
        .pinServerCertificates(resources, R.raw.server_cert, "pass".toCharArray(), "BKS")
        .build();
    return new OkClient(client);
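The Android N feature from slide 32, written out as an added example (a resource file of my own, not from the talk) that covers slides 31 to 35 at once: cleartext blocked everywhere, the API host pinned, and the rotation problem of the next slide handled by a backup pin and an expiry date. The host name, the two pin values and the expiry date are placeholders to replace with your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: res/xml/network_security_config.xml, honoured on Android 7.0 (API 24) and later. -->
<network-security-config>

    <!-- Applies to every host not listed below: no cleartext, system CAs only
         (this is the same effect as android:usesCleartextTraffic="false"). -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Placeholder host: pin the API to the SHA-256 of its public key (SPKI), not to the
         certificate, so a re-issued certificate for the same key keeps working. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <!-- Placeholder: the key in use today -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Placeholder: a backup key generated now and kept offline, so that a
                 rotation to it does not lock out every installed app -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds only (ignored in release): trust the user-installed CA of an
         intercepting proxy so the team can inspect its own traffic. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Reference it from the manifest with android:networkSecurityConfig="@xml/network_security_config" on the <application> element. A pin value is the base64 SHA-256 of the DER-encoded SubjectPublicKeyInfo, which for a certificate in cert.pem is produced by: openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64. After the expiry date the pins are no longer enforced (the connection falls back to normal CA validation), which is the safety valve for users who never update; on devices below API 24 the whole file is ignored, so pinning there has to live in the HTTP client, as on the previous slide.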

35. WHAT IF THE CERTIFICATES CHANGE?
    A pinned app stops working the moment the server moves to a key it does not know; a pin you cannot update is an outage, not a security feature.

36. INFORM THE USERS
    Implement a mechanism for notifying users (GCM) and forcing updates

37. PLAN AHEAD
    Check the impact of the server's TLS configuration on Android devices (old versions lack current protocol versions and cipher suites): https://www.ssllabs.com/

38. INCLUDE THE CLIENT IN THE PROCESS
    Keep them up-to-date
    Help them understand risks and advise them
    Insist on updates and security patches

39. RECAP

40. ANDROID IS NOT SECURE
    But you can make it less easy to abuse

41. THINGS TO REMEMBER
    Use internal storage if applicable
    Encrypt data
    Use HTTPS
    Pin certificates
    Be aware of the update cycle
42. REFERENCES
    • Gradle configuration
    • http://developer.android.com/guide/topics/data/data-storage.html#db
    • https://codahale.com/how-to-safely-store-a-password/
    • http://www.developereconomics.com/android-cryptography-tools-for-beginners/
    • https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app

43. REFERENCES (continued)
    • https://www.ssllabs.com/
    • http://developer.android.com/preview/features/security-config.html
    • https://www.ionic.com/mitm-attacks-ssl-pinning-what-is-it-and-why-you-should-care/
44. Thank you!
    Questions?
    Visit www.infinum.co or find us on social networks: infinum.co, infinumco, infinumco, infinum
    ANA@INFINUM.CO @ABAOTIC