2015.04.24 Updated > Android Security Development - Part 1: App Development

7,067 views

Published on

Android Security Development

Part 1: App Development

How to create safe App ?

Published in: Software

2015.04.24 Updated > Android Security Development - Part 1: App Development

  1. 1. Android Security Development PART 1 – App Development SEAN
  2. 2. Sean • Developer • erinus.startup@gmail.com • https://www.facebook.com/erinus
  3. 3. Something you need to know • USB • Screen • Clipboard • Permission • Database • Network • Cryptography • API Management • Validation
  4. 4. Security about USB
  5. 5. SAFE ANDROID:ALLOWBACKUP = "FALSE"
  6. 6. DANGEROUS ANDROID:ALLOWBACKUP = "TRUE" It will allow someone can backup databases and preferences.
  7. 7. SAFE ANDROID:DEBUGGABLE = "FALSE"
  8. 8. DANGEROUS ANDROID:DEBUGGABLE = "TRUE" It will let someone can see logcat messages and do something more …
  9. 9. WHY ? If you do not set android:debuggable="false", debug mode will depend on system settings.
  10. 10. IF ERROR NOTIFICATION SHOWS IN ECLIPSE WHEN SET ANDROID:DEBUGGABLE, IT IS ALL ABOUT ADT LINT.
  11. 11. CLICK ON "PROBLEMS" TAB
  12. 12. RIGHT CLICK ON ITEM AND CHOOSE "QUICK FIX"
  13. 13. CHOOSE "DISABLE CHECK"
  14. 14. Security about SCREEN
  15. 15. GETWINDOW().SETFLAGS(LAYOUTPARAMS.FL AG_SECURE, LAYOUTPARAMS.FLAG_SECURE); It disable all screen capture (except rooted device) • [POWER] + [VOL-DWN] • OEM feature like SAMSUNG / HTC
  16. 16. Security about CLIPBOARD
  17. 17. WHEN USER LEAVE APP You want to clear clipboard
  18. 18. YOU WANT TO ALLOW User can use something copied from other apps in your app
  19. 19. ALSO WANT TO REJECT User can not use something copied from your app in other apps
  20. 20. FIRST
  21. 21. SAVE THE STATE OF APPLICATION onResume => FOREGROUND onPause => BACKGROUND
  22. 22. SECOND
  23. 23. USE RUNNABLE AND POSTDELAYED 500 MS When onPause is triggered, you can detect the state of application after ~500ms.
  24. 24. LAST
  25. 25. DETECT STATE AND SETPRIMARYCLIP If STATE equals BACKGROUND, executes BaseActivity.this.mClipboardManager .setPrimaryClip(ClipData.newPlainText("", ""));
  26. 26. THE TOP ITEM WILL BE EMPTY IN CLIPBOARD STACK Android only lets app access the top item in clipboard stack on non-rooted device.
  27. 27. Security on PERMISSION
  28. 28. ONLY USE NECESSARY PERMISSIONS
  29. 29. IT IS COMMON SENSE
  30. 30. BUT SOMETHING MORE
  31. 31. GOOGLE CLOUD MESSAGING NEEDS ANDROID.PERMISSION.GET_ACCOUNTS
  32. 32. BUT
  33. 33. GOOGLE CLOUD MESSAGING NEEDS ANDROID.PERMISSION.GET_ACCOUNTS
  34. 34. ONE YEAR LATER
  35. 35. YOU SHOULD REMOVE "GET_ACCOUNTS" When you do not support Android 4.0.3 and older version
  36. 36. Security on Database
  37. 37. SQLITE
  38. 38. RECOMMENDED SQLCipher Support iOS / Android https://www.zetetic.net/sqlcipher/open-source
  39. 39. SQLite Encryption Extension http://www.sqlite.org/see/
  40. 40. Security on NETWORK
  41. 41. USE HTTPS WITH SELF-SIGNED CERTIFICATE
  42. 42. BUT
  43. 43. SOMETHING IGNORED ?
  44. 44. DO YOU CHECK HOSTNAME IS VALID ?
  45. 45. VERIFY HOSTNAME
  46. 46. DO YOU AVOID IMPORTING MALICIOUS CERT ?
  47. 47. CREATE BRAND NEW KEYSTORE AND IMPORT SERVER CERT
  48. 48. DOUBLE CHECK THE BINARY CONTENT OF CERT ?
  49. 49. VERIFY BINARY CONTENT OF SERVER CERT Avoid Man-in-the-Middle attack
  50. 50. WHY ?
  51. 51. SSL MECHANISM IN OS MAY BE WRONG APPLE SSL / TLS Bug ( CVE-2014-1266 )
  52. 52. Chinese MITM Attack on iCloud
  53. 53. POODLE Bites
  54. 54. Lenovo Superfish
  55. 55. FREAK
  56. 56. SSL TUNNEL KEEP DATA SAFE ?
  57. 57. NO
  58. 58. YOU STILL NEED ENCRYPT DATA
  59. 59. HTTPS WEB PROXY
  60. 60. DO NOT PUT KEY IN YOUR DATA
  61. 61. Security on CRYPTOGRAPHY
  62. 62. USE ANDROID SDK OR ANDROID NDK ?
  63. 63. ANDROID SDK: JAVA DECOMPILE EASY ANALYSIS EASY
  64. 64. ANDROID NDK: C AND C++ DISASSEMBLE EASY ANALYSIS HARD
  65. 65. ANDROID NDK OpenSSL Inside
  66. 66. ANDROID NDK Can I customize ?
  67. 67. ANDROID NDK PolarSSL https://polarssl.org
  68. 68. PolarSSL You can change SBOX of AES, ...
  69. 69. AES AES-256 / CBC / PKCS7Padding
  70. 70. RSA RSA-4096
  71. 71. ALL KEY GENERATION AND ENCRYPTION MUST BE DONE IN ANDROID NDK
  72. 72. EVERYTHING IS DONE ?
  73. 73. NO
  74. 74. HOW TO GENERATE KEY ?
  75. 75. RANDOM KEY HARDWARE ID USER KEY
  76. 76. RANDOM KEY One Key – One Encryption
  77. 77. HARDWARE ID IMEI / MEID WIFI MAC Address Bluetooth Address
  78. 78. IMEI / MEID ANDROID.PERMISSION.READ_PHONE_STATE WIFI MAC Address ANDROID.PERMISSION.ACCESS_WIFI_STATE Bluetooth Address ANDROID.PERMISSION.BLUETOOTH
  79. 79. USER KEY Input from user Only exist in memory Just clear when exit
  80. 80. ONLY CIPHERTEXT ?
  81. 81. SCRAMBLE YOUR CIPHERTEXT WEP can be cracked by collecting large amount packet and analyzing ciphertext.
  82. 82. SCRAMBLED CIPHERTEXT CIPHERTEXT
  83. 83. HOW TO SCRAMBLE ?
  84. 84. MORE COMPLEX THAN BASE64 WIKI: Common Scrambling Algorithm http://goo.gl/eP6lXj
  85. 85. IF ALL KEY LOST ?
  86. 86. SORRY
  87. 87. GOD BLESS YOU
  88. 88. Security on API MANAGEMENT
  89. 89. ACCESS TOKEN REFRESH PERIODICALLY RANDOM GENERATE
  90. 90. HOW TO USE ACCESS TOKEN ?
  91. 91. ACCESS TOKEN ↓ USER ID
  92. 92. ACCESS TOKEN ↓ USER ID ↓ HARDWARE ID
  93. 93. ACCESS TOKEN ↓ USER ID ↓ HARDWARE ID ↓ ENCRYPT OR DECRYPT
  94. 94. ALL API ACCESS MUST USE ACCESS TOKEN
  95. 95. Security on VALIDATION
  96. 96. PASSWORD HASH Algorithms
  97. 97. MD5 Not Secure
  98. 98. SHA-1 Almost Secure
  99. 99. SHA-256 Secure
  100. 100. Suggestion MD5(SHA-1(Password + Salt)) + SHA-256(SHA-1(Password + Salt))
  101. 101. Next Part
  102. 102. Malicious Android App Dynamic Analyzing System

×