
MCE^3 - Scott Alexander-Bown - Android App Security on a Budget

Even with all the time & budget in the world you can't make a completely bulletproof app, so how do you stand a chance with a real world app? Real world apps have limited budget, are short on time and the task priorities are often decided by the security oblivious client/project managers.

So what can we developers do to increase our app’s security and help protect our professional reputation? Where should we focus our app security effort? Isn’t security really difficult? and what gives us the biggest bang for our buck?

We will answer these questions and show that improving your security need not be technically challenging or time consuming. Also I’ll illustrate that it doesn’t necessarily need buy-in from stakeholders. We’ll be using commercially viable open source libraries to level up your app’s network verification, tamper protection, device integrity checks and more! while keeping in mind a shoestring budget!



  1. ANDROID APP SECURITY: ON A BUDGET. SCOTT ALEXANDER-BOWN, ANDROID FREELANCER. @SCOTTYAB
  2. SCOTT ALEXANDER-BOWN. Developer - Android. Author - Android Security Cookbook. Organiser - SWmobile group.
  3. TL;DR: story of improving app security. Min effort. Max impact.
  4. APP: ACME CORP. Disclaimer: all characters appearing in this work are fictitious. Any resemblance to real persons, living or dead, is purely coincidental.
  5. OUR REPUTATION!
  6. WHAT CAN YOU DO?
  7. (image slide, no text)
  8. 3 Sneaky Sprints: 1. Connection between app and API/server. 2. Device integrity and data. 3. APK integrity and protection.
  9. SNEAK SPRINT 1: NETWORK
  10. Let’s make SSL stronger!
  11. SSL connection spec: use only strong cipher suites (128-bit+) and TLS versions (TLS v1.2).
  12. Patch against SSL exploits. Android relies on a security ‘Provider’ to provide secure network communications. Google Play Services provides a way to update the device security provider: ProviderInstaller.installIfNeeded(getContext());
  13. SSL/TLS Pinning. What is SSL pinning? Pinning limits the trusted root CAs. Devices ship with 100+ Certificate Authorities (CAs) and users can install their own. Two types of pinning: certificate pinning and public key pinning.
  14. SSL pinning with OkHttp. SSL pin generator: http://bit.ly/sslpin. OkHttp version: OkHttp 3.1.2+ or OkHttp 2.7.4+.
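Slides 11 to 14 describe one client: TLS 1.2 only, strong cipher suites, a Play-services-patched provider, and a pinned server key. The class below is an added example written for this page, not code from the talk, from OkHttp or from Google; it targets OkHttp 3 and assumes a hypothetical host `api.example.com` and a placeholder pin string that must be replaced with the real SPKI hash (the bit.ly/sslpin generator on slide 14 produces one).

```java
import android.content.Context;
import android.util.Log;

import com.google.android.gms.common.GooglePlayServicesNotAvailableException;
import com.google.android.gms.common.GooglePlayServicesRepairableException;
import com.google.android.gms.security.ProviderInstaller;

import java.util.Collections;

import okhttp3.CertificatePinner;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

/** Builds the hardened OkHttp client of sprint 1. Example code, not the talk's own. */
public final class SecureClientFactory {

    // Assumed API host and a placeholder pin. A real pin is "sha256/" followed by the
    // base64 SHA-256 of the server certificate's Subject Public Key Info.
    private static final String API_HOST = "api.example.com";
    private static final String API_PIN_SHA256 = "sha256/REPLACE_WITH_REAL_SPKI_PIN=";

    private SecureClientFactory() {}

    /**
     * Slide 12: ask Google Play services to update the device's security Provider so
     * known SSL/TLS bugs in the platform's OpenSSL are patched before the first
     * connection. Failure is logged, not fatal: the pinned client below still refuses
     * any server whose key does not match the pin.
     */
    public static void patchSecurityProvider(Context context) {
        try {
            ProviderInstaller.installIfNeeded(context.getApplicationContext());
        } catch (GooglePlayServicesRepairableException e) {
            // Play services is present but needs a user-visible fix (e.g. an update).
            Log.w("SecureClient", "Security provider needs repair: " + e.getConnectionStatusCode());
        } catch (GooglePlayServicesNotAvailableException e) {
            Log.w("SecureClient", "Play services unavailable; using platform provider");
        }
    }

    /** Slides 11, 13, 14: TLS 1.2 only, AEAD suites, public key pinning. */
    public static OkHttpClient buildClient() {
        ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
                .build();

        // CertificatePinner pins the SPKI hash, i.e. the "public key pinning" of slide 13,
        // so the pin survives a certificate renewal that keeps the same key pair.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, API_PIN_SHA256)
                .build();

        return new OkHttpClient.Builder()
                // Only this spec is offered: no ConnectionSpec.CLEARTEXT fallback.
                .connectionSpecs(Collections.singletonList(spec))
                .certificatePinner(pinner)
                .build();
    }
}
```

Call `patchSecurityProvider` once at startup (before `buildClient`) and reuse the returned client. Pin at least one backup key as well: with a single pin, rotating the server key pair takes every installed version of the app offline until users update.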
  15. Let’s make WebView safer.
  16. WebView: disable risky settings (JavaScript, file access). Whitelist URLs / domains. https://gist.github.com/scottyab/6f51bbd82a0ffb08ac7a
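The two halves of slide 16, switching off the risky settings and whitelisting where the WebView may navigate, as an added example written for this page (it is not the code in the linked gist). The allowed host names and the class name are assumptions.

```java
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Locks a WebView down to a fixed set of HTTPS hosts. Example, not the talk's gist. */
public final class LockedDownWebView {

    // Assumed whitelist: the only hosts the WebView is allowed to navigate to.
    private static final Set<String> ALLOWED_HOSTS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("www.example.com", "help.example.com")));

    private LockedDownWebView() {}

    /** Disable the risky settings before anything is loaded, then install the URL filter. */
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);               // re-enable only if the page truly needs it
        s.setAllowFileAccess(false);                 // no file:// URLs
        s.setAllowContentAccess(false);              // no content:// URLs
        s.setAllowFileAccessFromFileURLs(false);     // no local-file reads from file:// pages
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setGeolocationEnabled(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true swallows the navigation, so only whitelisted HTTPS URLs load.
                return !isAllowed(url);
            }
        });
    }

    /** The whitelist check, kept separate so it can be unit-tested on its own. */
    public static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        // Compare scheme and host exactly: "www.example.com.evil.net" must not pass.
        return "https".equals(scheme.toLowerCase(Locale.ROOT))
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

`shouldOverrideUrlLoading` only sees top-level navigations; images, scripts and XHR requests issued by a whitelisted page are not filtered by it, so keep JavaScript off unless the page needs it, and use `shouldInterceptRequest` if subresources also have to be restricted.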
  17. SNEAK SPRINT 2: DEVICE INTEGRITY AND DATA
  18. Device integrity: check the execution environment. Root check: RootBeer - https://github.com/scottyab/rootbeer. SafetyNet API (Google Play services): SafetyNet wrapper - https://github.com/scottyab/safetynethelper
  19. Encrypt (obfuscate) data. Shared preferences - replaced with secure-preferences (or Hawk): https://github.com/scottyab/secure-preferences. SQLite - replaced with SQLCipher for Android: https://github.com/sqlcipher/android-database-sqlcipher. Realm - has an encryption option: https://github.com/realm/realm-java/tree/master/examples/encryptionExample
  20. Encryption without storing the key: app PIN code, Android Keystore, device PIN, fingerprint reader.
  21. SNEAK SPRINT 3: APK INTEGRITY & PROTECTION
  22. Tamper check. Android requires all apps to be digitally signed. Consistent for the life of the app. Needed to publish app updates.
  23. Build time. 1. Get your certificate signature: $ keytool -list -v -keystore your_app.keystore. 2. Embed it in the app: String CERTIFICATE_SHA1 = “71920AC9486E087DCBCF5C7F6F…”
  24. Run time. 3. Get the Signature from the PackageManager. 4. Hash the Signature. 5. Compare the signature hash strings.
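Steps 3 to 5 of the tamper check (slides 23 and 24) carried through as an added example written for this page; it is not the talk's or the linked airpair article's code. The `CERTIFICATE_SHA1` constant is a placeholder to be replaced with the SHA1 line that `keytool -list -v` prints for the release keystore, with the colons removed.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Run-time signing-certificate check from slides 23 and 24. Example code for this page. */
public final class TamperCheck {
    // Placeholder: hex SHA-1 of the release signing certificate, no colons, upper case.
    private static final String CERTIFICATE_SHA1 = "REPLACE_WITH_RELEASE_CERT_SHA1";

    private TamperCheck() {}

    /** Step 3: the signature(s) of the APK that is actually running, from the PackageManager. */
    private static Signature[] currentSignatures(Context context) {
        try {
            PackageInfo info = context.getPackageManager().getPackageInfo(
                    context.getPackageName(), PackageManager.GET_SIGNATURES);
            return info.signatures == null ? new Signature[0] : info.signatures;
        } catch (PackageManager.NameNotFoundException e) {
            return new Signature[0];
        }
    }

    /** Step 4: SHA-1 of the DER certificate bytes, formatted like keytool's output minus colons. */
    static String sha1Hex(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(der);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02X", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 unavailable", e);  // not expected on Android
        }
    }

    /** Step 5: true only if the APK carries exactly one signature and it is the release one. */
    public static boolean isSignedWithReleaseKey(Context context) {
        Signature[] sigs = currentSignatures(context);
        if (sigs.length != 1) return false;   // a re-signed APK carries the attacker's certificate
        return CERTIFICATE_SHA1.equalsIgnoreCase(sha1Hex(sigs[0].toByteArray()));
    }
}
```

Run the check early (for example in `Application.onCreate`) and decide the reaction per feature rather than with one obvious `if`, because a recompiled APK can have the check itself removed; slide 25's obfuscation is what makes that harder, and slide 28's "recompilation is hampered" is the honest claim, not "prevented".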
  25. Obfuscation: ProGuard. Java code obfuscator. Part of the Android SDK (free!). To turn on: minifyEnabled=true
  26. ProGuard tips. Add to the config when you add a new lib. Strip Log statements. Crash stack traces. Gradle ProGuard plugin: https://github.com/hotchemi/gradle-proguard-plugin. Consider: DexGuard (paid).
  27. Cons. More code == more complexity. APK file size was larger. Slower to start up. Encrypted data is really only obfuscated. ProGuard config was time consuming. No credit for our hard work.
  28. Pros. Less vulnerable to MITM. WebViews are less vulnerable to XSS attacks. Curious rooted users cannot simply edit our db and pref data. Rooted users will struggle. Recompilation is hampered by the tamper check. Understanding the decompiled code is hampered by the obfuscation.
  29. DID WE WIN?
  30. DID WE WIN?
  31. DID WE WIN?
  32. DID WE WIN? Much win. wow. so security.
  33. WHAT CAN YOU DO?
  34. STRENGTHEN SSL/TLS. SSL PINNING. WHITELIST WEBVIEW. CHECK FOR ROOT. ENCRYPT DATA AT REST. TAMPER CHECK. OBFUSCATE.
  35. Resources. Secure mobile development best practices - https://github.com/nowsecure/secure-mobile-development. OWASP Mobile security risks - http://bit.ly/owaspmobile. Android security cookbook - http://bit.ly/MscEFu. Best Practices for Security & Privacy - https://developer.android.com/training/best-security.html. Adding tamper detection to your apps - https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app
  36. THANKS… HELLO@SCOTTYAB.COM
  37. Good practices… Using SSL for the API. Using Context.MODE_PRIVATE. Not using the SD card to store anything. Not logging user details to Android.Log.
