This document discusses various aspects of securing Android development including permissions, encryption, API management, and more. It addresses securing the USB, screen, clipboard, and databases. It recommends using Android NDK for cryptography to make analysis harder. API access should use randomly generated access tokens that are tied to the user ID and hardware ID and refreshed periodically. Encryption should be done with keys derived from random, hardware ID, and user-provided values.

1. Android Security
Development
SEAN

4. Sean
• Developer
• Developer
• Developer

5. Something you need to know
• USB
• Screen
• Clipboard
• Permission
• Database
• Network
• Cryptography
• API Management

6. USB

7. ANDROID:ALLOWBACKUP = "FALSE"

8. ANDROID:ALLOWBACKUP = "TRUE"
It will allow someone can backup databases and
preferences.

9. ANDROID:DEBUGGABLE = "FALSE"

10. ANDROID:DEBUGGABLE = "TRUE"
It will let someone can see log message and do
something more …

11. IF ANDROID:DEBUGGABLE MAKE ERROR
NOTIFICATION IN ECLIPSE, IT IS ALL ABOUT
ADT LINT.

12. CLICK ON "PROBLEMS" TAB

13. RIGHT CLICK ON ITEM
AND CHOOSE "QUICK FIX"

14. CHOOSE "DISABLE CHECK"

15. SCREEN

16. GETWINDOW().SETFLAGS(LAYOUTPARAMS.F
LAG_SECURE,
LAYOUTPARAMS.FLAG_SECURE);
It disable screen capture
• [POWER] + [VOL-DWN]
• OEM feature like SAMSUNG / HTC

17. CLIPBOARD

18. SAVE THE STATE OF APPLICATION
onResume => FOREGROUND
onPause => BACKGROUND

19. USE RUNNABLE AND POSTDELAYED 500 MS
when onPause is triggered

20. DETECT STATE AND SETPRIMARYCLIP
If STATE equals BACKGROUND, execute
BaseActivity.this.mClipboardManager
.setPrimaryClip(ClipData.newPlainText("", ""));

21. PERMISSION

22. ONLY USE NECESSARY PERMISSIONS

23. GOOGLE CLOUD MESSAGING
NEEDS
ANDROID.PERMISSION.GET_ACCOUNTS

24. BUT

25. GOOGLE CLOUD MESSAGING
NEEDS
ANDROID.PERMISSION.GET_ACCOUNTS

26. Database

27. SQLITE

28. SQLCipher
https://www.zetetic.net/sqlcipher/open-source

29. SQLite Encryption Extension
http://www.sqlite.org/see/

30. NETWORK

31. USE HTTPS WITH SELF-SIGNED CERTIFICATE

32. BUT

33. SOMETHING IGNORED ?

34. HOSTNAME IS VALID ?

35. VERIFY HOSTNAME

36. CHECK CERT ?

37. CLEAR KEYSTORE AND IMPORT SERVER CERT

38. DOUBLE CHECK CERT ?

39. VERIFY BINARY CONTENT OF SERVER CERT
Avoid Man-in-the-Middle attack

40. WHY ?

41. SSL MECHANISM IN OS MAY BE WRONG
APPLE SSL / TLS Bug ( CVE-2014-1266 )

42. SSL TUNNEL KEEP DATA SAFE ?

43. NO

44. YOU STILL NEED ENCRYPT DATA

46. DO NOT DO THIS

48. CRYPTOGRAPHY

49. BY ANDROID SDK OR ANDROID NDK ?

50. ANDROID SDK: JAVA
DECOMPILE EASY
ANALYSIS EASY

51. ANDROID NDK: C AND C++
DISASSEMBLE EASY
ANALYSIS HARD

52. ANDROID NDK
OpenSSL Inside

53. ANDROID NDK
Customize ?

54. ANDROID NDK
PolarSSL
https://polarssl.org

55. PolarSSL
Chang SBOX of AES, ...

56. SO, ALL KEY GENERATION AND ENCRYPTION MUST
BE DONE IN ANDROID NDK

57. EVERYTHING DONE ?

58. GENERATE KEY ?

59. RANDOM
KEY
HARDWARE
ID
USER
KEY

60. RANDOM KEY
One Key – One Encryption

61. HARDWARE ID
IMEI / MEID
WIFI MAC Address
Bluetooth Address

62. IMEI / MEID
ANDROID.PERMISSION.READ_PHONE_STATE
WIFI MAC Address
ANDROID.PERMISSION.ACCESS_WIFI_STATE
Bluetooth Address
ANDROID.PERMISSION.BLUETOOTH

63. USER KEY
Input from user
Only exist in memory
Just clear when exit

64. ONLY CIPHERTEXT ?

65. SCRAMBLED CIPHERTEXT
CIPHERTEXT

66. SCRAMBLE ?

67. MORE COMPLEX THAN BASE64
WIKI: Common Scrambling Algorithm
http://goo.gl/eP6lXj

68. THEN ?

71. GG

72. API MANAGEMENT

73. ACCESS TOKEN
REFRESH PERIODICALLY
RANDOM GENERATE

74. ACCESS TOKEN

75. ACCESS TOKEN
↓
USER ID

76. ACCESS TOKEN
↓
USER ID
↓
HARDWARE ID

77. ACCESS TOKEN
↓
USER ID
↓
HARDWARE ID
↓
ENCRYPT OR DECRYPT

78. ALL API ACCESS MUST WITH ACCESS TOKEN