Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Increasing Android app security for free - Roberto Gassirà, Roberto Piccirillo - Codemotion Milan 2016

777 views

Published on

Secure Development of Android App sometimes requires the use of third party libraries and external frameworks, often expensive or hard to quickly update if vulnerable.The Android SDK and Google Play Services provide security features and services, that allows a developer to take advantage of security enhancements in order to increase the security level of an application.The talk, starting from real common threats, will show how some of these features can be used into the different versions of Android, until the newest Nougat, to mitigate security risks that could afflict a mobile application.

Published in: Technology

Increasing Android app security for free - Roberto Gassirà, Roberto Piccirillo - Codemotion Milan 2016

  1. 1. Roberto Gassirà - Roberto Piccirillo MILAN 25-26 NOVEMBER 2016
  2. 2. 2 ● Senior Security Analysts for Mobile Security Lab ○ Vulnerability Assessment (IT, Mobile Application) ○ Android Secure Development Increasing Android app security for free Who we are ● Roberto Gassirà @robgas r.gassira@mseclab.com ● Roberto Piccirillo @robpicone r.piccirillo@mseclab.com
  3. 3. Increasing Android app security for free Potentially Hostile Environment
  4. 4. 4 Mobile Application can run in a Potentially Hostile Environment Potentially Hostile Environment Introduction
  5. 5. 5 Free Open Wifi ... Potentially Hostile Environment Unreliable Communication Channels … Free user data Threat:Traffic Snooping
  6. 6. 6 Potentially Hostile Environment Unreliable Communication Channels Free WPA2 Wifi ... … Free user data (MITM) Threat: MITM
  7. 7. 7 Potentially Hostile Environment Unreliable Communication Channels Under attack... Threat: Information Gathering
  8. 8. 8 Rooting Potentially Hostile Environment Tampered Device BootLoader Unlock Local/remote Exploit
  9. 9. 9 Rooting -> Android platform security compromised Potentially Hostile Environment Tampered Device No more application sandbox
  10. 10. 10 Potentially Hostile Environment Tampered Device Hooking/Instrumentation Threat:Code Hijacking onCreate() isDeviceTampered() ...()EXIT falsetrue Hooking... isDeviceTampered() false
  11. 11. 11 Mobile Threats for Developers ● Advanced Device Owner ○ Remove Bloatware/Customization Attacker ● Mobile Cybercriminal ○ Application analysis ● Potentially Harmful Applications ○ Steal info/money
  12. 12. 12 Mobile Threats for Developers Malware Infection Apps from “Unknown sources” Apps from “Unknown sites”
  13. 13. 13 Mobile Threats for Developers Google Security Services for Android From Android Security 2015 Year in Review - April 2016
  14. 14. 14 Mobile Threats for Developers Tampered Device Detection Free Weapons for Developers SafetyNet API ● Allows an app to analyze the device where it is installed ● Check if the device has passed the Compatibility Test Suite (CTS) Check the integrity of the device (Rooted?Hooked?Infected?) ● Provided by Google Play Services
  15. 15. 15 Mobile Threats for Developers Key Material Protection Free Weapons for Developers AndroidKeyStore ● Asymmetric and Symmetric Keys (API 23+) Secure Container with Hardware Backend Secure Communication Network Security Configuration ● Network security settings (certificate pinning, trusted CA, ...) customized with a safe and declarative configuration file
  16. 16. Increasing Android app security for free Detecting Tampered Device
  17. 17. 17 Detecting Tampered Device https://developer.android.com/training/safetynet/index.html Checking Device Compatibility
  18. 18. 18 Detecting Tampered Device https://developers.google.com/android/guides/api-client Access Google API SafetyNet service build.gradle Create an instance of Google API Client
  19. 19. 19 Detecting Tampered Device Send Compatibility Check Request Generate a random one time nonce to defeat replay attacks Send the request AttestationResult
  20. 20. 20 ● Formatted in JSON Web Signature format ○ RSA256 Signed JSON Detecting Tampered Device Attestation Result JWS Signature JWS Payload JWS Header Device passed Compatibility Test Suite Device integrity status true: OK false: TAMPERED
  21. 21. 21 Detecting Tampered Device ● Google provides Android Device Verification API for validating the response Validate Compatibility Check Response POST "https://www.googleapis.com/androidcheck/v1/attestations/verify?key=" { "signedAttestation": } JWS Signature JWS Payload JWS Header { “isValidSignature”: true }
  22. 22. Increasing Android app security for free Enhancing Network Security
  23. 23. 23 ● MITM attack: ○ Is a well-known technique used by an attacker to setup a proxy to intercept traffic between your application and backend servers ● How ○ ARP poisoning ○ DNS poisoning ○ Rouge proxy ○ etc Enhancing Network Security MITM attack
  24. 24. 24 ● HTTP and HTTPS: ○ HTTP: all data sent are in clear ○ HTTPS: all data sent are ciphered (Digital Certificates and Session Keys) ● Implement MITM attack on HTTP (easier) ● Implement MITM attack on HTTPS (harder) ○ Not impossible Enhancing Network Security MITM with HTTP or HTTPS
  25. 25. 25 Enhancing Network Security How SSL works
  26. 26. 26 Digital certificate Network Security Configuration ● Most important: ○ Common name ○ Issuer name ○ Not Valid Before ○ Not Valid After ○ Public Key ○ Signature Remember “Public Key Info” section
  27. 27. 27 ● Use HTTPS is not enough to mitigate some risks due to MITM Attacks ○ But in almost all cases should be mandatory use it ● To be more secure it’s important: ○ Check the common name of server digital certificate ○ Verify the issuer of server digital certificate ○ Trust the issuer of server digital certificate ● In the last years is usual: ○ Check the server public key (Pinning certificate or sometime called SSL Pinning) ○ More code to implement this technique Enhancing Network Security HTTPS key security points Android Nougat offers new features to perform easily checks to make HTTPS more secure
  28. 28. 28 ● Uses declarative configuration file to: ○ Enforce HTTPS for specified domain used into your application ○ Use certificate pinning ○ Trust only specific Certification Authority or use specific Self-signed certificate ○ Debug secure connections without modify code ● What you need: Enhancing Network Security Network Security Configuration AndroidManifest.xml
  29. 29. 29 Enhancing Network Security Configuration file format Contains all Network Configuration Default configuration for all connections Configurations for one or more domains Configurations valid only for debug purpose
  30. 30. 30 ● Get error when try to connect using HTTP Enhancing Network Security Enforce HTTPS Enforce HTTPS HTTP Connection Error: “Cleartext HTTP traffic to android-developers.blogspot.it not permitted”
  31. 31. 31 ● Use yours CA to verify yours certificate Enhancing Network Security Digital Certificate with custom CA Enforce HTTPS for the domain codemotion.milan.2016 Use cacert certificate to verify server certificate ● If cacert is not used the app get an error
  32. 32. 32 ● Force your application to use a specific public key ● In previous Android version you had to write boring code to implement certificate pinning ● Now you need calculate the sha256 of Public Key Info of X509 digital certificate Enhancing Network Security Certificate pinning sha256 base64 PinDigest
  33. 33. 33 ● If server public key is different the application get an error Enhancing Network Security Certificate pinning ● Add PinDigest with Expiration date
  34. 34. 34 ● In our analysis is horrible to find out the all SSL checks are off to overcame problem into development environment ● Now it is possible to add debug configuration without modify any line of code ● When you build in “release-mode” debug configuration is not considered Enhancing Network Security Safe debug
  35. 35. 35 ● You could define a base configuration for all connections ● You could insert more PinDigest ● You could define which CA store will be used to verify certificates: ○ User ○ System ● You could use self signed-certificate Enhancing Network Security Other options
  36. 36. Increasing Android app security for free Key Management Evolution
  37. 37. 37 Key Management Evolution ● Android KeyStore Provider introduced with API level 18 ○ Based on Android Keystore System to store cryptographic keys ● Until API level 22 only asymmetric keys ○ For info: https://speakerdeck.com/mseclab/android-key-management ● With API level 23+ also symmetric Keys AndroidKeyStore Provider Asymmetric Asymmetric + Symmetric
  38. 38. 38 Key Management Evolution Generating Symmetric Key
  39. 39. 39 Key Management Evolution Fingerprint Authentication
  40. 40. 40 Key Management Evolution AndroidKeyStore Security Features ● Preventing extraction of the key material from application process ● Preventing extraction of the key material from Android device ● Key material never enters the application process: ○ App cryptographic operations are performed by system process ○ ● Key materials may be bound to the secure hardware: ○ Trust Execution Environment (TEE) ○ Secure Element ● More and more processors are equipped with TEE: ○ Snapdragon 808 (Nexus 5x), Snapdragon 810 (Nexus 6P), Snapdragon 820 (Galaxy S7) etc
  41. 41. Increasing Android app security for free The Bill
  42. 42. 42 The Bill ● Detecting Tampered Device: Free ● Enhancing Network Security: Free ● Key Management Evolution: Free Total = Free :) How much costs
  43. 43. Web: www.mseclab.com www.consulkthink.it Mail: research@mseclab.com Telefono:+39-06-4549 2416 Fax:+39-06-4549 2454 Grazie per l’attenzione

×