Android Application Security from consumer and developer perspectives
1. Android Application Security from Consumer and Developer Perspectives
http://www.meetup.com/Colombo-White-Hat-Security
https://www.facebook.com/colombowhitehat
https://twitter.com/ColomboWhiteHat
Ayoma Wijethunga
WSO2, Platform Security Team
[ayomawdb]
2. Ayoma Wijethunga
o WSO2, Platform Security Team.
o Get in touch
o Email : ayoma@wso2.com
o LinkedIn : https://lk.linkedin.com/in/ayoma
o Blog : http://ayomaonline.com
o Twitter / Facebook / Github / Hangout : ayomawdb
3. Agenda
● Statistics
● Developer Perspective
○ OWASP Mobile Top 10
○ Additional Security Best Practices
● Consumer Perspective
○ Android Malware (Demo and code walkthrough)
■ AndroRAT - Android Remote Administration Tool
■ Android Chat - Custom made RAT demo
○ Prevention and Detection Options
9. OWASP Mobile Top 10
M1: Weak Server Side Controls (Relates to OWASP Top 10)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Considering a REST API based server side
10. OWASP Mobile Top 10 (Cntd.)
M2: Insecure Data Storage
Storage Options:
● Shared Preferences
● Internal Storage
● External Storage
● SQLite Databases
● Network Connection
Encrypt sensitive data before storing
Encryption keys should not be hardcoded (KeyStore, ‘FireAndForget’ key)
Shared preferences should not be MODE_WORLD_READABLE/WRITABLE
(deprecated in API level 17)
Transport Layer Protection
11. OWASP Mobile Top 10 (Cntd.)
M3: Insufficient Transport Layer Protection
General transport layer protection practices
● SSL/TLS (TLS 1.2 preferred) with strong cipher suites and appropriate key lengths
● Certificates issued by trusted CA provider
● SSL chain verification / Hostname verification
● Always alert user if any validation goes wrong
When possible, do application level encryption before sending data over the transport layer (avoid future transport layer vulnerabilities)
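As an added example for the M3 practices above (not code from the slides), this client trusts only a CA certificate bundled with the app, leaves hostname verification switched on, and turns any validation failure into an exception the UI can surface instead of quietly continuing. The raw resource name and the URL are assumptions.

```java
import android.content.Context;

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** HTTPS client that trusts only the CA certificate shipped inside the APK (certificate pinning). */
public final class PinnedHttps {

    // ANTI-PATTERN to watch for in review: an X509TrustManager with an empty checkServerTrusted(),
    // or conn.setHostnameVerifier((host, session) -> true). Either one disables the validation
    // that the rest of this class relies on.

    /** Builds a socket factory whose trust store holds only the bundled CA (assumed res/raw/pinned_ca.crt). */
    public static SSLSocketFactory pinnedFactory(Context appCtx, int rawCertResId) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = appCtx.getResources().openRawResource(rawCertResId)) {
            ca = cf.generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                    // empty store: system CAs deliberately absent
        trustStore.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ssl = SSLContext.getInstance("TLSv1.2");
        ssl.init(null, tmf.getTrustManagers(), null);
        return ssl.getSocketFactory();
    }

    /** GET over the pinned connection; chain or hostname failures throw rather than downgrade. */
    public static String get(Context appCtx, int rawCertResId, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(pinnedFactory(appCtx, rawCertResId));
        // The default HostnameVerifier is kept: it matches the certificate's SAN/CN against the URL host.
        try (BufferedReader r = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
            StringBuilder sb = new StringBuilder();
            for (String line; (line = r.readLine()) != null; ) sb.append(line).append('\n');
            return sb.toString();
        } catch (SSLHandshakeException e) {
            // Fail closed and let the caller alert the user; never retry over plain HTTP.
            throw new SecurityException("TLS validation failed for " + url, e);
        } finally {
            conn.disconnect();
        }
    }
}
```

Pinning to a private or intermediate CA rather than a leaf certificate survives routine certificate renewals; rotate the bundled CA with an app update well before it expires. On API levels below 20 the socket factory returned here also has to be wrapped so that TLS 1.2 is enabled on each socket, since older platform defaults do not turn it on.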
M4: Unintended Data Leakage
● Keyboard Caching / Suggestions
○ For non-password information : android:inputType="textNoSuggestions"
○ For passwords : android:inputType="textPassword"
● Analytics Data
● Logs (!)
12. OWASP Mobile Top 10 (Cntd.)
M5: Poor Authorization and Authentication
● Never persist credentials locally
● Avoid spoofable values during authentication (MAC/IMEI)
● Ensure authorization controls cannot be bypassed
● Token based authentication with backend APIs (OAuth 2)
○ Google “Dulanja API Security”
● Discourage use of 4 digit or all digit pass-codes
M6: Broken Cryptography
M7: Client Side Injection
SQL Injection (SQL Lite), XSS, File Inclusion
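The SQLite half of M7, as an added example that is not from the slides: the first method builds the query by string concatenation and is exactly the pattern that gives an attacker control of the statement; the second binds the value as a parameter, and the third handles the one case binding cannot cover (identifiers such as sort columns) with an allow-list. Table and column names are assumed.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Data-access object over an assumed table: notes(id INTEGER, title TEXT, body TEXT, created_at INTEGER). */
public final class NotesDao {
    private final SQLiteDatabase db;

    public NotesDao(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: the caller-supplied title becomes part of the SQL text, so a quote character
    // inside it ends the literal and the remainder is parsed as SQL. Kept here for comparison only.
    public Cursor findByTitleUnsafe(String title) {
        return db.rawQuery("SELECT id, body FROM notes WHERE title = '" + title + "'", null);
    }

    // SAFE: the value travels as a bound parameter ("?") and is never interpreted as SQL,
    // whatever characters it contains.
    public Cursor findByTitle(String title) {
        return db.query("notes", new String[]{"id", "body"},
                        "title = ?", new String[]{title},
                        null, null, null);
    }

    // Identifiers (table and column names) cannot be bound. Accept only names from a fixed list.
    private static final Set<String> SORTABLE = new HashSet<>(Arrays.asList("title", "created_at"));

    public Cursor listSorted(String orderBy) {
        if (!SORTABLE.contains(orderBy)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return db.query("notes", new String[]{"id", "title"},
                        null, null, null, null, orderBy);
    }
}
```

The same rule applies to rawQuery: pass user values through its selectionArgs array rather than into the SQL string. Data arriving through Intents, Content Providers or WebView bridges is caller-controlled in the same way as data typed into a form, so it gets the bound-parameter treatment too.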
13. OWASP Mobile Top 10 (Cntd.)
M8: Security Decisions Via Untrusted Inputs
Intents
PackageManager.getLaunchIntentForPackage(packageName)
Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setComponent(ComponentName.unflattenFromString("com.example.app/com.example.app.ExampleAction"));
intent.addCategory(Intent.CATEGORY_LAUNCHER);
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
intent.putExtra("SESSION_DATA", sessionData);
startActivity(intent);
Binder Framework
http://blog.checkpoint.com/wp-content/uploads/2015/02/Man-In-The-Binder-He-Who-Controls-IPC-Controls-The-Droid-wp.pdf
BroadcastReceiver
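The intent snippet above shows the sending side of SESSION_DATA. What M8 is about is the receiving side: an exported component has no way of knowing who built the Intent, so every extra is untrusted input and must not drive an authorization decision by itself. The following receiving activity is an added example, not the slides' code; the signature-level permission, action string and session-id format are assumptions.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;

import java.util.regex.Pattern;

/*
 * Assumed manifest declarations (not on the slide):
 *   <permission android:name="com.example.app.permission.SESSION"
 *               android:protectionLevel="signature" />
 *   <activity android:name=".ExampleAction" android:exported="true"
 *             android:permission="com.example.app.permission.SESSION" />
 * With protectionLevel="signature", only apps signed with the same key can start
 * ExampleAction or deliver broadcasts that require this permission.
 */
public class ExampleAction extends Activity {
    static final String EXTRA_SESSION = "SESSION_DATA";
    static final String PERMISSION_SESSION = "com.example.app.permission.SESSION";
    static final String ACTION_SESSION_REFRESH = "com.example.app.SESSION_REFRESH";
    // Opaque identifiers only; anything with quotes, slashes or scripts is rejected outright.
    private static final Pattern SESSION_FORMAT = Pattern.compile("^[A-Za-z0-9_-]{16,128}$");

    private boolean receiverRegistered;

    private final BroadcastReceiver refreshReceiver = new BroadcastReceiver() {
        @Override public void onReceive(Context ctx, Intent intent) {
            String session = validatedSession(intent);
            if (session != null) onSessionRefreshed(session);
        }
    };

    @Override protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        String session = validatedSession(getIntent());
        if (session == null) {
            finish();          // refuse rather than fall back to a guessed default
            return;
        }
        // broadcastPermission restricts who may send; the receiver itself still validates the payload
        registerReceiver(refreshReceiver, new IntentFilter(ACTION_SESSION_REFRESH), PERMISSION_SESSION, null);
        receiverRegistered = true;
        onSessionRefreshed(session);
    }

    @Override protected void onDestroy() {
        if (receiverRegistered) unregisterReceiver(refreshReceiver);
        super.onDestroy();
    }

    /** Every extra is caller-controlled: missing, wrongly typed or malformed values all yield null. */
    static String validatedSession(Intent intent) {
        if (intent == null || intent.getExtras() == null) return null;
        Object raw = intent.getExtras().get(EXTRA_SESSION);   // a caller may put any Parcelable here
        if (!(raw instanceof String)) return null;
        String value = (String) raw;
        return SESSION_FORMAT.matcher(value).matches() ? value : null;
    }

    /** The identifier is only a reference: the backend decides whether it is valid and what it may do. */
    private void onSessionRefreshed(String sessionId) {
        // ... send sessionId to the API and act on the server's answer, never on the extra alone
    }
}
```

Two further points follow from the same principle. If the component is only ever started from inside the same app, declare it android:exported="false" and the problem disappears. And an explicit ComponentName, as in the snippet above, stops another app from registering a matching filter and receiving the session data, which is the leak direction M8 does not cover but M4 does.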
14. OWASP Mobile Top 10 (Cntd.)
M9: Improper Session Handling : Timeouts, cookie or token rotation
M10: Lack of Binary Protections
● Bytecode Conversion (apktool; dex2jar)
● Runtime Analysis (ADB)
● Reverse Engineering (IDA Pro)
○ https://www.hex-rays.com/products/ida/support/tutorials/debugging_dalvik.pdf
● Disassembly (baksmali)
Let's keep these for another session...
(Maybe: Android Application Security - from Pentester Perspective)
Image credit:
http://www.gograph.com/vector-clip-art/complex.html
20. Application permissions
Pokémon GO:
● In-app purchases
● Identity
● Location
● Photos/Media/Files
● Camera
● Other
○ receive data from Internet
MX Player:
● Photos/Media/Files
● Wi-Fi connection information
● Other
○ receive data from Internet
VLC Player:
● Photos/Media/Files
21. New Permission Model
Android 6.0 (API level 23)+
● Users grant permissions at run-time
● User can control what permissions to allow (and what to revoke)
● Developers see warnings if code will break due to not handling permission revocations properly.
● Dangerous permissions must be approved manually.
https://developer.android.com/guide/topics/permissions/requesting.html
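The run-time flow described on this slide, as an added example (not from the slides): check before use, ask only when needed, handle the answer in the callback, and keep working when the user declines or later revokes the permission in Settings. The request code and the camera-specific methods are assumptions.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Build;

/** Activity that needs the CAMERA dangerous permission only when the user actually takes a photo. */
public class CameraActivity extends Activity {
    private static final int REQ_CAMERA = 42;   // assumed request code

    /** Called from the "take photo" button; checks, explains if needed, then asks. */
    void onTakePhotoClicked() {
        // Before API 23 permissions were granted at install time; the check itself is unavailable there.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M
                || checkSelfPermission(Manifest.permission.CAMERA) == PackageManager.PERMISSION_GRANTED) {
            openCamera();
            return;
        }
        if (shouldShowRequestPermissionRationale(Manifest.permission.CAMERA)) {
            // The user refused once already: show why the feature needs the camera before asking again.
            showCameraRationale();
        }
        requestPermissions(new String[]{Manifest.permission.CAMERA}, REQ_CAMERA);
    }

    /** Result of the system dialog; the user may also revoke later, so never cache "granted" across launches. */
    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_CAMERA) return;
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            openCamera();
        } else {
            showCameraUnavailable();   // degrade gracefully instead of crashing on the next camera call
        }
    }

    private void openCamera() {
        // ... assumed: start the capture flow
    }

    private void showCameraRationale() {
        // ... assumed: brief in-app explanation, then the request proceeds
    }

    private void showCameraUnavailable() {
        // ... assumed: disable the photo feature for this session
    }
}
```

The "warnings if code will break" point on the slide refers to exactly the call made in openCamera(): from API 23 a camera or location call made without a prior checkSelfPermission() throws SecurityException when the user has revoked the permission, so the check belongs immediately before each use rather than once at start-up.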
26. Additional Security Best Practices
Apart from what was discussed in OWASP Mobile Top 10
● Request least number of permissions possible (avoid dangerous permissions)
● Update dependent libraries and frameworks
● Properly define Content Provider’s exposed attribute and permissions
● Avoid storing and transmitting personal / sensitive data as much as possible
● Using WebView can introduce web application vulnerabilities (XSS, Cache Poisoning, ..) to mobile apps. Use with caution!
● Be cautious with dynamic class loading and usage of reflection (do not allow external parties to tamper with dynamic values)
● https://developer.android.com/training/articles/security-tips.html
27. Point to Ponder
Is there any option but to sacrifice privacy?
https://github.com/will3942/uber-hack
http://motherboard.vice.com/read/ubers-god-view-was-once-available-to-drivers
Uber God View
Image credit: https://www.pinterest.com/pin/453245149972280324/
28. BE WITHIN LEGAL LIMITS
Only test with your own devices,
or test with proper authorization.
Thank you!