Uploaded byCommonsWare
PDF, PPTX2,586 views

Android Security: Defending Your Users

This document discusses securing Android applications by encrypting data. It recommends encrypting data stored locally using SQLCipher, which provides encryption of SQLite databases with AES-256. The document outlines how to integrate SQLCipher by replacing import statements, supplying passphrases, and testing. It also discusses challenges with passphrases and suggests multi-factor authentication by combining user-supplied pieces from different sources like NFC tags or biometrics.

Embed presentation

Download as PDF, PPTX
droidcon UK 2013 Android Security: Defending Your Users Copyright © 2013 CommonsWare, LLC
Your Users' Bad Guys ● ● Different Users Have Different Security Concerns Do Not Assume All Users Are the Same as You – ● ...unless you are your only user Your Users' Collective Threats = Your Threats Copyright © 2013 CommonsWare, LLC
Rest and Motion Followed By More Rest, Because Motion is Tiring ● Securing Data at Rest = Local Storage – – SharedPreferences – ● Databases Other Types of Files Securing Data in Motion = Internet (mostly) – SSL – OTR Copyright © 2013 CommonsWare, LLC
The Droid Is Not Enough ● Lock Screen? – ● Internal Storage? – ● Mechanical brute forcing Rooting Full-Disk Crypto? – Digital brute forcing Copyright © 2013 CommonsWare, LLC
Your Objectives (One Hopes) ● Cheap and Easy Security – – ● Only have so much time to budget Aiming for “low hanging fruit” Effective Security – “Using CryptoLint, we performed a study on cryptographic implementations in 11,748 Android applications. Overall we find that 10,327 programs – 88% in total – use cryptography inappropriately. The raw scale of misuse indicates a widespread misunderstanding of how to properly use cryptography in Android development.” Copyright © 2013 CommonsWare, LLC
You're Doing It Wrong ● Hardcoded Passphrases ● Manually Seeding SecureRandom – ...with a hardcoded seed ● Hardcoded Salts ● Insufficient Key Generation Iterations ● Non-Random Initialization Vectors Copyright © 2013 CommonsWare, LLC
Introducing SQLCipher ● SQLCipher – Modified version of SQLite – AES-256 encryption by default, of all data – Relatively low overhead – Cross-platform – BSD license Copyright © 2013 CommonsWare, LLC
Introducing SQLCipher ● SQLCipher Security – Customizable encryption algorithm ● Based on OpenSSL libcrypto – Individual pages encrypted, with own initialization vector – Message authentication code (MAC) per page, to detect tampering – Hashed passphrase (PBKDF2) for key ● 4,000 iterations, moving to 64,000 for 3.0 Copyright © 2013 CommonsWare, LLC
Introducing SQLCipher ● SQLCipher for Android – NDK-compiled binaries – Drop-in replacement classes for Android's SQLite classes ● ● SQLiteOpenHelper ● – SQLiteDatabase Etc. Modify your code, third-party libraries also using SQLite Copyright © 2013 CommonsWare, LLC
Integrating SQLCipher ● Step #1: Add to Project – Download ZIP file from: http://sqlcipher.net/downloads/ – Copy ZIP's assets/ into project's assets/ – Copy ZIP's libs/ into project's libs/ Copyright © 2013 CommonsWare, LLC
Integrating SQLCipher ● Step #2: Replace Import Statements – Eclipse ● ● Delete all android.database.* and android.database.sqlite.* imports Use Ctrl-Shift-O and choose the net.sqlcipher equivalents Copyright © 2013 CommonsWare, LLC
Integrating SQLCipher ● Step #2: Replace Import Statements – Outside of Eclipse ● ● Replace all occurrences of android.database with net.sqlcipher, revert back as needed Replace all occurrences of android.database.sqlite with net.sqlcipher.database Copyright © 2013 CommonsWare, LLC
Integrating SQLCipher ● Step #3: Supply Passphrases – SQLiteDatabase openOrCreateDatabase(), etc. – SQLiteOpenHelper getReadableDatabase() and getWritableDatabase() – Collect passphrase from user via your own UI Copyright © 2013 CommonsWare, LLC
Integrating SQLCipher ● Step #4: Testing – Tests should work when starting with a clean install ● ● No existing unencrypted database Step #5: Beer! – Hooray, beer! Copyright © 2013 CommonsWare, LLC
Integrating SQLCipher ● Other Integration Issues – Upgrading to encryption – Loaders ● – CWAC-LoaderEx ContentProvider ● Can work, but need to get passphrase to it before using the database (e.g., call()) Copyright © 2013 CommonsWare, LLC
Integrating SQLCipher ● About the Bloat – 4MB base – Additional ~5MB for x86 – Additional ~3MB for ARM – Why? ● Complete independent copy of SQLite ● Static library implementation of OpenSSL ● Independent copy of ICU collation ruleset Copyright © 2013 CommonsWare, LLC
Integrating SQLCipher ● Using For Other Sorts of Data – SharedPreferences ● ● – CWAC-Prefs has SharedPreferencesEx, allow storage in SQLite/SQLCipher for Android Downside: no preference screen support IOCipher ● Virtual filesystem, backed by SQLCipher for Android Copyright © 2013 CommonsWare, LLC
Passphrases ● Passphrase Entry Pain – Users do not like typing long passwords – Result = weaker quality – Option: “diceware” ● ● ● Choose ~5 words from stock list Can offer scrolling lists, auto-complete to help speed data entry Downside: more annoying for accessibility Copyright © 2013 CommonsWare, LLC
Passphrases xkcd comics reproduced under CC license from Randall Munroe, even though Hat Guy owns a $5 wrench Copyright © 2013 CommonsWare, LLC
Passphrases xkcd comics reproduced under CC license from Randall Munroe, but BYO talking horse Copyright © 2013 CommonsWare, LLC
Passphrases ● Multi-Factor Authentication – Passphrase generated in code from user-supplied pieces – Organization options ● ● Simple concatenation Concatenation with factor prefix, un-typeable divider characters Copyright © 2013 CommonsWare, LLC
Passphrases ● Multi-Factor Authentication Objectives – Longer passphrase without as much user input – Help defeat casual attacks ● Need all factors to access via your UI ● Otherwise, need to brute-force Copyright © 2013 CommonsWare, LLC
Passphrases xkcd comics reproduced under CC license from Randall Munroe. Hat Guy is not amused. Copyright © 2013 CommonsWare, LLC
Passphrases ● Multi-Factor Authentication Sources – NFC tag – QR code – Paired Bluetooth device – Wearable device app – Biometrics (e.g., fingerprint scanner) Copyright © 2013 CommonsWare, LLC
Summary ● Consider Encryption – ● ...even if you don't think you need it SQLCipher: Easiest Option for Encrypted Database – ...if you can live with the APK footprint Copyright © 2013 CommonsWare, LLC

More Related Content

PDF
Rich Text Editing and Beyond
byCommonsWare
 
PDF
Gradle and Your Android Wearable Projects
byCommonsWare
 
PDF
Getting Android Developers for Your Wearables
byCommonsWare
 
PDF
When Microwatts Are Precious: Battery Tips for Wearable Apps
byCommonsWare
 
PDF
ExoPlayer for Application developers
byHassan Abid
 
PDF
Android's HIDL: Treble in the HAL
byOpersys inc.
 
PDF
Targeting Android with Qt
byEspen Riskedal
 
PDF
Embedded Android Workshop with Oreo
byOpersys inc.
 
Rich Text Editing and Beyond
byCommonsWare
 
Gradle and Your Android Wearable Projects
byCommonsWare
 
Getting Android Developers for Your Wearables
byCommonsWare
 
When Microwatts Are Precious: Battery Tips for Wearable Apps
byCommonsWare
 
ExoPlayer for Application developers
byHassan Abid
 
Android's HIDL: Treble in the HAL
byOpersys inc.
 
Targeting Android with Qt
byEspen Riskedal
 
Embedded Android Workshop with Oreo
byOpersys inc.
 

What's hot

PDF
Effective Spring on Kubernetes
byNeven Cvetković
 
PDF
Embedded Android Workshop with Pie
byOpersys inc.
 
PDF
App integration: Strategies and Tactics
byCommonsWare
 
PDF
Embedded Android Workshop with Marshmallow
byOpersys inc.
 
PDF
The unconventional devices for the video streaming in Android
byAlessandro Martellucci
 
PDF
Brillo / Weave Internals
byOpersys inc.
 
PDF
Brillo/Weave Internals
byOpersys inc.
 
PDF
Android Platform Debugging and Development
byOpersys inc.
 
PDF
Android Things Internals
byOpersys inc.
 
PDF
Project Ara
byOpersys inc.
 
PDF
Aosp+
byjpuderer
 
PDF
Embedded Android Workshop with Marshmallow
byOpersys inc.
 
PDF
Embedded Android Workshop
byOpersys inc.
 
PDF
Embedded Android Workshop with Nougat
byOpersys inc.
 
PDF
Developing Cross platform apps in flutter (Android, iOS, Web)
byPriyanka Tyagi
 
PDF
Developing Android Platform Tools
byOpersys inc.
 
PDF
Embedded Android Workshop with Lollipop
byOpersys inc.
 
PDF
Cross Platform Mobile Development using Flutter by Wei Meng Lee at Mobile foc...
byDevClub_lv
 
PDF
Android Treble: Blessing or Trouble?
byOpersys inc.
 
PDF
Embedded Android Workshop with Nougat
byOpersys inc.
 
Effective Spring on Kubernetes
byNeven Cvetković
 
Embedded Android Workshop with Pie
byOpersys inc.
 
App integration: Strategies and Tactics
byCommonsWare
 
Embedded Android Workshop with Marshmallow
byOpersys inc.
 
The unconventional devices for the video streaming in Android
byAlessandro Martellucci
 
Brillo / Weave Internals
byOpersys inc.
 
Brillo/Weave Internals
byOpersys inc.
 
Android Platform Debugging and Development
byOpersys inc.
 
Android Things Internals
byOpersys inc.
 
Project Ara
byOpersys inc.
 
Aosp+
byjpuderer
 
Embedded Android Workshop with Marshmallow
byOpersys inc.
 
Embedded Android Workshop
byOpersys inc.
 
Embedded Android Workshop with Nougat
byOpersys inc.
 
Developing Cross platform apps in flutter (Android, iOS, Web)
byPriyanka Tyagi
 
Developing Android Platform Tools
byOpersys inc.
 
Embedded Android Workshop with Lollipop
byOpersys inc.
 
Cross Platform Mobile Development using Flutter by Wei Meng Lee at Mobile foc...
byDevClub_lv
 
Android Treble: Blessing or Trouble?
byOpersys inc.
 
Embedded Android Workshop with Nougat
byOpersys inc.
 

Viewers also liked

PDF
Android Security
byLars Jacobs
 
PPTX
Android security by ravi-rai
byRavi Rai
 
PPTX
History of Android Security – from linux to jelly bean
byJung Pil (J.P.) Choi
 
PDF
Google Android Security 2014 Report
byRonen Mendezitsky
 
PPSX
Android OS and its Features
byHarshad Lokhande
 
PPTX
SydMobNet March 2016: Matthew Robbins - Android M Security Policies
byAlec Tucker
 
PDF
The 25 hour of day | Mawa3ed
byAhmed Faris
 
PDF
Android Internals (This is not the droid you’re loking for...)
byGiacomo Bergami
 
PPTX
Android application for gps
bySutej Chakka
 
PDF
Смирнов Александр, Security in Android Application
bySECON
 
PDF
SecureDroid: An Android Security Framework Extension for Context-Aware policy...
byGiuseppe La Torre
 
PPTX
Android security
byMobile Rtpl
 
PDF
Android Project report on City Tourist Location based services (Shuja ul hassan)
byShuja Hassan
 
PDF
600.250 UI Cross Platform Development and the Android Security Model
byMichael Rushanan
 
PPTX
Android audio system(audioplicy_service)
byfefe7270
 
PPTX
Security threats in Android OS + App Permissions
byHariharan Ganesan
 
PDF
Sperasoft talks: Android Security Threats
bySperasoft
 
PDF
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
byConsulthinkspa
 
PDF
2015.04.24 Updated > Android Security Development - Part 1: App Development
byCheng-Yi Yu
 
PPTX
Permission in Android Security: Threats and solution
byTandhy Simanjuntak
 
Android Security
byLars Jacobs
 
Android security by ravi-rai
byRavi Rai
 
History of Android Security – from linux to jelly bean
byJung Pil (J.P.) Choi
 
Google Android Security 2014 Report
byRonen Mendezitsky
 
Android OS and its Features
byHarshad Lokhande
 
SydMobNet March 2016: Matthew Robbins - Android M Security Policies
byAlec Tucker
 
The 25 hour of day | Mawa3ed
byAhmed Faris
 
Android Internals (This is not the droid you’re loking for...)
byGiacomo Bergami
 
Android application for gps
bySutej Chakka
 
Смирнов Александр, Security in Android Application
bySECON
 
SecureDroid: An Android Security Framework Extension for Context-Aware policy...
byGiuseppe La Torre
 
Android security
byMobile Rtpl
 
Android Project report on City Tourist Location based services (Shuja ul hassan)
byShuja Hassan
 
600.250 UI Cross Platform Development and the Android Security Model
byMichael Rushanan
 
Android audio system(audioplicy_service)
byfefe7270
 
Security threats in Android OS + App Permissions
byHariharan Ganesan
 
Sperasoft talks: Android Security Threats
bySperasoft
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
byConsulthinkspa
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
byCheng-Yi Yu
 
Permission in Android Security: Threats and solution
byTandhy Simanjuntak
 

Similar to Android Security: Defending Your Users

PDF
Securing User Data with SQLCipher
byCommonsWare
 
PPTX
Android secure offline storage - CC Mobile
byJWORKS powered by Ordina
 
PPTX
Android secure offline storage - CC Mobile
bySteve De Zitter
 
PPTX
[OWASP Poland Day] Saving private token
byOWASP
 
PPTX
How to do Cryptography right in Android Part One
byArash Ramez
 
PDF
Cryptography For The Average Developer
byAnthony Ferrara
 
PDF
User Authentication: Passwords and Beyond
byJim Fenton
 
PPTX
Protecting data on device with SQLCipher, Stephen Lombardo
byXamarin
 
PDF
Cryptography For The Average Developer - Sunshine PHP
byAnthony Ferrara
 
PDF
Cryptography
byYnon Perek
 
PDF
"Crypto wallets security. For developers", Julia Potapenko
byFwdays
 
PDF
2012 03 The Death of Passwords
byRaleigh ISSA
 
PDF
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
bynooralmousa
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
Security in Android Applications / Александр Смирнов (RedMadRobot)
byOntico
 
PPTX
Crypt-Oh No!
byZach Grace
 
PDF
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...
byPositive Hack Days
 
KEY
Security and Encryption on iOS
byGraham Lee
 
PPTX
Using Cryptography Properly in Applications
byGreat Wide Open
 
PPTX
PBKDF2: Storing Sensitive Data Securely in Android Applications
byShiv Sahni
 
Securing User Data with SQLCipher
byCommonsWare
 
Android secure offline storage - CC Mobile
byJWORKS powered by Ordina
 
Android secure offline storage - CC Mobile
bySteve De Zitter
 
[OWASP Poland Day] Saving private token
byOWASP
 
How to do Cryptography right in Android Part One
byArash Ramez
 
Cryptography For The Average Developer
byAnthony Ferrara
 
User Authentication: Passwords and Beyond
byJim Fenton
 
Protecting data on device with SQLCipher, Stephen Lombardo
byXamarin
 
Cryptography For The Average Developer - Sunshine PHP
byAnthony Ferrara
 
Cryptography
byYnon Perek
 
"Crypto wallets security. For developers", Julia Potapenko
byFwdays
 
2012 03 The Death of Passwords
byRaleigh ISSA
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
bynooralmousa
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
Security in Android Applications / Александр Смирнов (RedMadRobot)
byOntico
 
Crypt-Oh No!
byZach Grace
 
“Secure Password Managers” and “Military-Grade Encryption” on Smartphones:...
byPositive Hack Days
 
Security and Encryption on iOS
byGraham Lee
 
Using Cryptography Properly in Applications
byGreat Wide Open
 
PBKDF2: Storing Sensitive Data Securely in Android Applications
byShiv Sahni
 

More from CommonsWare

PDF
The Action Bar: Front to Back
byCommonsWare
 
PDF
Secondary Screen Support Using DisplayManager
byCommonsWare
 
PDF
Mastering the Master Detail Pattern
byCommonsWare
 
PDF
Not Quite As Painful Threading
byCommonsWare
 
PDF
Android Development: The 20,000-Foot View
byCommonsWare
 
PDF
Maps V2... And You!
byCommonsWare
 
PDF
A Deep Dive Into ViewPager
byCommonsWare
 
PDF
Second-Screen Support in Android 4.2
byCommonsWare
 
PDF
Integrate Android Apps and Web Apps
byCommonsWare
 
PDF
From Android to the Mobile Web
byCommonsWare
 
PDF
X Means Y
byCommonsWare
 
PDF
The Wonderful World of Wearables
byCommonsWare
 
PDF
Beaming Data to Devices with NFC
byCommonsWare
 
PDF
What's New in Jelly Bean
byCommonsWare
 
PDF
Making Money at Mobile: 60 Business Models
byCommonsWare
 
PDF
AppsWorld Keynote
byCommonsWare
 
PDF
App Integration (Revised and Updated)
byCommonsWare
 
PDF
Backwards Compatibility: Strategies and Tactics
byCommonsWare
 
PDF
Android Hardware That's A Little Bit... Odd
byCommonsWare
 
PDF
Google TV For Fun
byCommonsWare
 
The Action Bar: Front to Back
byCommonsWare
 
Secondary Screen Support Using DisplayManager
byCommonsWare
 
Mastering the Master Detail Pattern
byCommonsWare
 
Not Quite As Painful Threading
byCommonsWare
 
Android Development: The 20,000-Foot View
byCommonsWare
 
Maps V2... And You!
byCommonsWare
 
A Deep Dive Into ViewPager
byCommonsWare
 
Second-Screen Support in Android 4.2
byCommonsWare
 
Integrate Android Apps and Web Apps
byCommonsWare
 
From Android to the Mobile Web
byCommonsWare
 
X Means Y
byCommonsWare
 
The Wonderful World of Wearables
byCommonsWare
 
Beaming Data to Devices with NFC
byCommonsWare
 
What's New in Jelly Bean
byCommonsWare
 
Making Money at Mobile: 60 Business Models
byCommonsWare
 
AppsWorld Keynote
byCommonsWare
 
App Integration (Revised and Updated)
byCommonsWare
 
Backwards Compatibility: Strategies and Tactics
byCommonsWare
 
Android Hardware That's A Little Bit... Odd
byCommonsWare
 
Google TV For Fun
byCommonsWare
 

Recently uploaded

PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
PDF
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 

Android Security: Defending Your Users

  • 1.
    droidcon UK 2013 AndroidSecurity: Defending Your Users Copyright © 2013 CommonsWare, LLC
  • 2.
    Your Users' BadGuys ● ● Different Users Have Different Security Concerns Do Not Assume All Users Are the Same as You – ● ...unless you are your only user Your Users' Collective Threats = Your Threats Copyright © 2013 CommonsWare, LLC
  • 3.
    Rest and Motion FollowedBy More Rest, Because Motion is Tiring ● Securing Data at Rest = Local Storage – – SharedPreferences – ● Databases Other Types of Files Securing Data in Motion = Internet (mostly) – SSL – OTR Copyright © 2013 CommonsWare, LLC
  • 4.
    The Droid IsNot Enough ● Lock Screen? – ● Internal Storage? – ● Mechanical brute forcing Rooting Full-Disk Crypto? – Digital brute forcing Copyright © 2013 CommonsWare, LLC
  • 5.
    Your Objectives (OneHopes) ● Cheap and Easy Security – – ● Only have so much time to budget Aiming for “low hanging fruit” Effective Security – “Using CryptoLint, we performed a study on cryptographic implementations in 11,748 Android applications. Overall we find that 10,327 programs – 88% in total – use cryptography inappropriately. The raw scale of misuse indicates a widespread misunderstanding of how to properly use cryptography in Android development.” Copyright © 2013 CommonsWare, LLC
  • 6.
    You're Doing ItWrong ● Hardcoded Passphrases ● Manually Seeding SecureRandom – ...with a hardcoded seed ● Hardcoded Salts ● Insufficient Key Generation Iterations ● Non-Random Initialization Vectors Copyright © 2013 CommonsWare, LLC
  • 7.
    Introducing SQLCipher ● SQLCipher – Modified versionof SQLite – AES-256 encryption by default, of all data – Relatively low overhead – Cross-platform – BSD license Copyright © 2013 CommonsWare, LLC
  • 8.
    Introducing SQLCipher ● SQLCipher Security – Customizableencryption algorithm ● Based on OpenSSL libcrypto – Individual pages encrypted, with own initialization vector – Message authentication code (MAC) per page, to detect tampering – Hashed passphrase (PBKDF2) for key ● 4,000 iterations, moving to 64,000 for 3.0 Copyright © 2013 CommonsWare, LLC
  • 9.
    Introducing SQLCipher ● SQLCipher forAndroid – NDK-compiled binaries – Drop-in replacement classes for Android's SQLite classes ● ● SQLiteOpenHelper ● – SQLiteDatabase Etc. Modify your code, third-party libraries also using SQLite Copyright © 2013 CommonsWare, LLC
  • 10.
    Integrating SQLCipher ● Step #1:Add to Project – Download ZIP file from: http://sqlcipher.net/downloads/ – Copy ZIP's assets/ into project's assets/ – Copy ZIP's libs/ into project's libs/ Copyright © 2013 CommonsWare, LLC
  • 11.
    Integrating SQLCipher ● Step #2:Replace Import Statements – Eclipse ● ● Delete all android.database.* and android.database.sqlite.* imports Use Ctrl-Shift-O and choose the net.sqlcipher equivalents Copyright © 2013 CommonsWare, LLC
  • 12.
    Integrating SQLCipher ● Step #2:Replace Import Statements – Outside of Eclipse ● ● Replace all occurrences of android.database with net.sqlcipher, revert back as needed Replace all occurrences of android.database.sqlite with net.sqlcipher.database Copyright © 2013 CommonsWare, LLC
  • 13.
    Integrating SQLCipher ● Step #3:Supply Passphrases – SQLiteDatabase openOrCreateDatabase(), etc. – SQLiteOpenHelper getReadableDatabase() and getWritableDatabase() – Collect passphrase from user via your own UI Copyright © 2013 CommonsWare, LLC
  • 14.
    Integrating SQLCipher ● Step #4:Testing – Tests should work when starting with a clean install ● ● No existing unencrypted database Step #5: Beer! – Hooray, beer! Copyright © 2013 CommonsWare, LLC
  • 15.
    Integrating SQLCipher ● Other IntegrationIssues – Upgrading to encryption – Loaders ● – CWAC-LoaderEx ContentProvider ● Can work, but need to get passphrase to it before using the database (e.g., call()) Copyright © 2013 CommonsWare, LLC
  • 16.
    Integrating SQLCipher ● About theBloat – 4MB base – Additional ~5MB for x86 – Additional ~3MB for ARM – Why? ● Complete independent copy of SQLite ● Static library implementation of OpenSSL ● Independent copy of ICU collation ruleset Copyright © 2013 CommonsWare, LLC
  • 17.
    Integrating SQLCipher ● Using ForOther Sorts of Data – SharedPreferences ● ● – CWAC-Prefs has SharedPreferencesEx, allow storage in SQLite/SQLCipher for Android Downside: no preference screen support IOCipher ● Virtual filesystem, backed by SQLCipher for Android Copyright © 2013 CommonsWare, LLC
  • 18.
    Passphrases ● Passphrase Entry Pain – Usersdo not like typing long passwords – Result = weaker quality – Option: “diceware” ● ● ● Choose ~5 words from stock list Can offer scrolling lists, auto-complete to help speed data entry Downside: more annoying for accessibility Copyright © 2013 CommonsWare, LLC
  • 19.
    Passphrases xkcd comics reproducedunder CC license from Randall Munroe, even though Hat Guy owns a $5 wrench Copyright © 2013 CommonsWare, LLC
  • 20.
    Passphrases xkcd comics reproducedunder CC license from Randall Munroe, but BYO talking horse Copyright © 2013 CommonsWare, LLC
  • 21.
    Passphrases ● Multi-Factor Authentication – Passphrase generatedin code from user-supplied pieces – Organization options ● ● Simple concatenation Concatenation with factor prefix, un-typeable divider characters Copyright © 2013 CommonsWare, LLC
  • 22.
    Passphrases ● Multi-Factor Authentication Objectives – Longerpassphrase without as much user input – Help defeat casual attacks ● Need all factors to access via your UI ● Otherwise, need to brute-force Copyright © 2013 CommonsWare, LLC
  • 23.
    Passphrases xkcd comics reproducedunder CC license from Randall Munroe. Hat Guy is not amused. Copyright © 2013 CommonsWare, LLC
  • 24.
    Passphrases ● Multi-Factor Authentication Sources – NFCtag – QR code – Paired Bluetooth device – Wearable device app – Biometrics (e.g., fingerprint scanner) Copyright © 2013 CommonsWare, LLC
  • 25.
    Summary ● Consider Encryption – ● ...even ifyou don't think you need it SQLCipher: Easiest Option for Encrypted Database – ...if you can live with the APK footprint Copyright © 2013 CommonsWare, LLC