Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Android Security Development

8,620 views

Published on

Android Security Development

Part 1: App Development

How to create safe App ?

Published in: Software
  • Be the first to comment

Android Security Development

  1. 1. Android Security Development SEAN
  2. 2. Sean • Developer • Developer • Developer
  3. 3. Something you need to know • USB • Screen • Clipboard • Permission • Database • Network • Cryptography • API Management
  4. 4. USB
  5. 5. ANDROID:ALLOWBACKUP = "FALSE"
  6. 6. ANDROID:ALLOWBACKUP = "TRUE" It will allow someone can backup databases and preferences.
  7. 7. ANDROID:DEBUGGABLE = "FALSE"
  8. 8. ANDROID:DEBUGGABLE = "TRUE" It will let someone can see log message and do something more …
  9. 9. IF ANDROID:DEBUGGABLE MAKE ERROR NOTIFICATION IN ECLIPSE, IT IS ALL ABOUT ADT LINT.
  10. 10. CLICK ON "PROBLEMS" TAB
  11. 11. RIGHT CLICK ON ITEM AND CHOOSE "QUICK FIX"
  12. 12. CHOOSE "DISABLE CHECK"
  13. 13. SCREEN
  14. 14. GETWINDOW().SETFLAGS(LAYOUTPARAMS.F LAG_SECURE, LAYOUTPARAMS.FLAG_SECURE); It disable screen capture • [POWER] + [VOL-DWN] • OEM feature like SAMSUNG / HTC
  15. 15. CLIPBOARD
  16. 16. SAVE THE STATE OF APPLICATION onResume => FOREGROUND onPause => BACKGROUND
  17. 17. USE RUNNABLE AND POSTDELAYED 500 MS when onPause is triggered
  18. 18. DETECT STATE AND SETPRIMARYCLIP If STATE equals BACKGROUND, execute BaseActivity.this.mClipboardManager .setPrimaryClip(ClipData.newPlainText("", ""));
  19. 19. PERMISSION
  20. 20. ONLY USE NECESSARY PERMISSIONS
  21. 21. GOOGLE CLOUD MESSAGING NEEDS ANDROID.PERMISSION.GET_ACCOUNTS
  22. 22. BUT
  23. 23. GOOGLE CLOUD MESSAGING NEEDS ANDROID.PERMISSION.GET_ACCOUNTS
  24. 24. Database
  25. 25. SQLITE
  26. 26. SQLCipher https://www.zetetic.net/sqlcipher/open-source
  27. 27. SQLite Encryption Extension http://www.sqlite.org/see/
  28. 28. NETWORK
  29. 29. USE HTTPS WITH SELF-SIGNED CERTIFICATE
  30. 30. BUT
  31. 31. SOMETHING IGNORED ?
  32. 32. HOSTNAME IS VALID ?
  33. 33. VERIFY HOSTNAME
  34. 34. CHECK CERT ?
  35. 35. CLEAR KEYSTORE AND IMPORT SERVER CERT
  36. 36. DOUBLE CHECK CERT ?
  37. 37. VERIFY BINARY CONTENT OF SERVER CERT Avoid Man-in-the-Middle attack
  38. 38. WHY ?
  39. 39. SSL MECHANISM IN OS MAY BE WRONG APPLE SSL / TLS Bug ( CVE-2014-1266 )
  40. 40. SSL TUNNEL KEEP DATA SAFE ?
  41. 41. NO
  42. 42. YOU STILL NEED ENCRYPT DATA
  43. 43. DO NOT DO THIS
  44. 44. CRYPTOGRAPHY
  45. 45. BY ANDROID SDK OR ANDROID NDK ?
  46. 46. ANDROID SDK: JAVA DECOMPILE EASY ANALYSIS EASY
  47. 47. ANDROID NDK: C AND C++ DISASSEMBLE EASY ANALYSIS HARD
  48. 48. ANDROID NDK OpenSSL Inside
  49. 49. ANDROID NDK Customize ?
  50. 50. ANDROID NDK PolarSSL https://polarssl.org
  51. 51. PolarSSL Chang SBOX of AES, ...
  52. 52. SO, ALL KEY GENERATION AND ENCRYPTION MUST BE DONE IN ANDROID NDK
  53. 53. EVERYTHING DONE ?
  54. 54. GENERATE KEY ?
  55. 55. RANDOM KEY HARDWARE ID USER KEY
  56. 56. RANDOM KEY One Key – One Encryption
  57. 57. HARDWARE ID IMEI / MEID WIFI MAC Address Bluetooth Address
  58. 58. IMEI / MEID ANDROID.PERMISSION.READ_PHONE_STATE WIFI MAC Address ANDROID.PERMISSION.ACCESS_WIFI_STATE Bluetooth Address ANDROID.PERMISSION.BLUETOOTH
  59. 59. USER KEY Input from user Only exist in memory Just clear when exit
  60. 60. ONLY CIPHERTEXT ?
  61. 61. SCRAMBLED CIPHERTEXT CIPHERTEXT
  62. 62. SCRAMBLE ?
  63. 63. MORE COMPLEX THAN BASE64 WIKI: Common Scrambling Algorithm http://goo.gl/eP6lXj
  64. 64. THEN ?
  65. 65. GG
  66. 66. API MANAGEMENT
  67. 67. ACCESS TOKEN REFRESH PERIODICALLY RANDOM GENERATE
  68. 68. ACCESS TOKEN
  69. 69. ACCESS TOKEN ↓ USER ID
  70. 70. ACCESS TOKEN ↓ USER ID ↓ HARDWARE ID
  71. 71. ACCESS TOKEN ↓ USER ID ↓ HARDWARE ID ↓ ENCRYPT OR DECRYPT
  72. 72. ALL API ACCESS MUST WITH ACCESS TOKEN

×