Come scrivere un'applicazione Android sicura? Come proteggere il codice e i dati? Non ci sono soluzioni definitive ed inattaccabili, qualunque sia la soluzione occorre verificarne la robustezza e l'efficacia. Scriviamo il codice con la mentalità da Developer ma lo possiamo verificare solo con le modalità di un Hacker. Ne vediamo qualcuna insieme.

1. Secure Android Apps
by Яeversing
Fabrizio Zeno Cornelli
Milan | November 29 - 30, 2018

2. FABRIZIO CORNELLI
zeno@sicurieffetti.it

3. CV
CTO, Enterprise srl
DEV / QA Manager, HT
Consultant
CEO, Sicuri Effetti

5. Inductive Deductive
Constructive Deconstructive
Programming skills Reverse Engineering
Good Practice Lateral Thinking
Desing then code Laziness
RTFM Subvert the manual
Frameworks and libs Shortcut
Conservative Incautious
High level lang Low level lang
HunterFarmer

6. Inductive Deductive
Constructive Deconstructive
Programming skills Reverse Engineering
Good Practice Lateral Thinking
Desing then code Laziness
RTFM Subvert the manual
Frameworks and libs Shortcut
Conservative Incautious
High level lang Low level lang
HackerDeveloper

7. Abstract
How to write a secure Android Application
No, I'm kidding
Applications are not secure.
Write code as a Developer
Verify its strength as a Hacker

8. Android
OS, linux based
Mostly ARM
Security made by:
- DAC (Permissions)
- MAC (Selinux)

9. Write an App
Native:
- Android Studio (Java, Kotlin, C)
- NDK
Android Turist:
- Cordova
- Xamarine

10. Write an APK
Zip with:
- Manifest
- Code
- Resources
- Native libraries
- Signature

11. Manifest.xml
Application name
Package
Permissions
Libraries references
Entry Points
- Activities
- Services

12. Code
classes.dex
binary format
jar is a collection of .class

13. Resources
icons
images
media
strings
multi language support

14. Signature
developer signature
keep it safe:
- update market
- upgrade app
- communication between apps

15. Android Security
Permissions managed during installation
Permissions asked when needed
Installation authorised only by the PlayStore
Linux is OpenSource

16. Android Insecurity
Signature managed by developers
Installation can be done out of Playstore control
Linux is OpenSource

17. Android Insecurity
Dex can be disassembled in Smali code.
Smali code can be reassembled into Dex.
Sometimes Smali code can be decompiled to Java.

18. Let's write an App
API Connection
Authentication
Permissions
Compile and Sign
DEMO TIME

19. App analisys
Static
- disassemble
- string search
Dynamic
- reassemble
- traffic analisys
- code injection

20. Static Analisys
Android Studio
- Build/Analyze APK...
Disassemble / Decompile
- apktool d <app.apk>
- MobSF

21. classes.dex

22. Static Analysis Goals
Read the code
Check the resources
Extract keys
Find passwords
Understand the protocols

23. MobSF
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

24. classes.dex

25. Static Analysis Goals
Read the code
Check the resources
Extract keys
Find passwords
Understand the protocols

26. Dynamic Analysis
Recompile the code modifying code
Inject code dynamically
Behaviour Analysis
- network traffic
- files

27. Recompile
apktool d myfile.apk
apktool b myfile
digital signature
installation
allow from third party
DEMO TIME

28. Defence
Secure by design
Anti reversing
-code obfuscation
-native code
-string encryption
-class encryption
-apk integrity check
-signature check

29. Secure by Design
Execution depends on external check
Secrets are not persisted
Secrets are server side
Secure server access

30. Code obfuscation
proguard: free, low security
dexguard: very expensive, very good security (one licence per
package)
allatori: out of the shelf, good security
dexprotect: average price, very good security

31. Binary library
critical code in binary code
more difficult to reverse
requires different skills and tools

32. Binary library
#include <jni.h>
#include <string>
extern "C" JNIEXPORT jstring JNICALL
Java_it_sicurieffetti_codemotion2018_MainActivity_stringFromJNI(
JNIEnv *env,
jobject /* this */) {
// my api key, can be encoded or obfuscated
std::string hello = "98574632987345";
return env->NewStringUTF(hello.c_str());
}

33. Binary library
public class MainActivity extends AppCompatActivity {
// Used to load the 'native-lib' library on application startup.
static {
System.loadLibrary("native-lib");
}
/**
* A native method that is implemented by the 'native-lib' native library,
* which is packaged with this application.
*/
public native String stringFromJNI();
String key = stringFromJNI();

34. String encryption
strings in JNI, one call per string
strings in external resource
- StringCare: strings in XML

35. Class Encryption
Compile time:
- Serialize a class
- Encrypt it
- Store it as a resource
Execute time:
- Decrypt it
- Class load it

36. AntiReverse
Check the signature
The app can get the
keytool -printcert -file META-INF/CERT.RSA

37. Check Signature
private String APP_SIGNATURE = "4ACC228D6ABE6BB5E7FB1A4A52A74807FC14249C";
public static boolean validateAppSignature(Context context) {
packageInfo = context.getPackageManager().getPackageInfo( context.getPackageName(),
PackageManager.GET_SIGNATURES);
for (Signature signature : packageInfo.signatures) {
String sha1 = getDigest(signature.toByteArray());
if (APP_SIGNATURE.equals(sha1)) {
return packageInfo.signatures.length == 1;
}
}
…

38. DevSecOps’ Refutability
each part should be testable and tested
devsecops is the continuous invalidation process

39. Conclusions
Write code as a Developer
Invalidate the process as a Hacker
Start another sprint

41. THANK YOU
hacked potato for you