Android security is nowhere near where it should be. I have been able to hack and get sensitive information from a few different apps and I’m just an amateur hacker at best. It’s easy to forget mobile devices aren’t as safe as we think they are. In this session we will explore a number of ways an Android app can be exploited and methods we can use to avoid these attacks. We will finish by looking at common techniques that will help you protect sensitive information within your application by adding tampering detection and making sure every external communication request is made securely.

1. I just hacked
your app

2. Watch this

4. PWNED

5. Marcos Placona
@marcos_placona
marcos@twilio.com
github.com/mplacona
androidsecurity.info

6. NOT

8. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vestibulum euismod ipsum
et semper vestibulum. In congue, risus ac lobortis commodo, arcu elit congue nisi, e
ullamcorper diam quam in est. Quisque nec lectus eget metus pharetra placerat.
Quisque nisi lorem, convallis eget lobortis quis, suscipit eu sem. Sed ligula purus,
lacinia quis ultrices at, sollicitudin at lacus. Duis porta hendrerit semper. Sed vitae
mauris fringilla, porta turpis facilisis, facilisis risus. Integer quis lobortis velit. Vivamu
ut placerat ex. Nunc est purus, pretium vitae hendrerit fringilla, molestie at tortor.
Vestibulum vel purus et urna hendrerit pretium et quis nunc. Fusce sit amet neque in
justo elementum rutrum ut nec metus. Fusce sollicitudin, dui vel molestie aliquam,
ligula leo fringilla augue, a luctus quam sem sed tortor. Vivamus mattis nisi purus, si
amet efficitur lectus mollis nec. Etiam consectetur, nisl eu euismod posuere, justo
neque vehicula ex, nec lobortis augue neque id mi. Ut aliquam odio ac turpis
condimentum porttitor.
Mauris ut est eu sapien tempor congue. Proin ipsum sem, cursus quis magna eu,
finibus fringilla nulla. Vestibulum viverra felis ac arcu iaculis condimentum. Aenean
mattis magna non ipsum viverra accumsan. Suspendisse potenti. Nam quis dapibus
ipsum. Integer at tortor ac neque semper consectetur. Donec vitae mattis felis, quis

9. elementum dolor fringilla eu. Nulla luctus arcu et egestas ultrices. Quisque dignissim
lacinia vehicula. Suspendisse vitae nisl dapibus, dapibus elit quis, efficitur ex. Done
interdum est purus, nec tempor risus sollicitudin tincidunt. Vestibulum accumsan sed
libero ut tincidunt.
Interdum et malesuada fames ac ante ipsum primis in faucibus. Vestibulum vitae
consectetur ex, vitae viverra felis. Sed vitae imperdiet turpis. Donec eget velit
sagittis, hendrerit ante id, aliquet libero. Proin pulvinar ornare consectetur. Vestibulum
ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Proin
consequat tincidunt risus et aliquam. Donec vel vulputate sem, sed ornare lorem.
Curabitur a maximus urna, ut blandit tellus.
Suspendisse I haven’t nisl a ultricies semper. Cras really purus mollis vestibulum
rhoncus. Sed hacked your orci, imperdiet vitae pharetra app, tincidunt laoreet lacus
Vivamus posuere nisl diam, ut efficitur mauris facilisis vehicula. Vestibulum risus veli
tincidunt a libero a, vestibulum tincidunt orci. Pellentesque in finibus est. Praesent
tempus tortor ac magna iaculis, sed cursus quam venenatis. Quisque pharetra
euismod auctor.

10. Sue-y
/s(j)uːi/
1. To become annoyed with someone who broke your
toy without permission and want to sue them for that.
“Company X got all ‘sue-y’ on me when I hacked their
app and showed the world"

14. Kuba Gretzki
http://bit.ly/hack4beer

15. loyalty
ˈlȯi(-ə)l-tē

16. loyalty
+ =

17. loyalty
HTTP Proxy

18. POST /users/461845f5d03e6c052a43afbc/points
Accept: application/json
Accept-Language: en-gb
X-App-Version: 1.28.0
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1;)
...
Content-Type: application/json; charset=UTF-8
Content-Length: 375
Host: api.eatapp.com
Connection: Keep-Alive
Accept-Encoding: gzip
{
"authentication_token":"boKUp9vBHNAJp7XbWZCK",
"latitude":...,
"longitude":...,
"point":{
"isDoneByGesture":false,
"main_beacon":{
"major":38995,
"minor":12702,
"uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8"
},
"place_id":"450",
"promoted_products_ids":[
{"id":"647035946536601578040000"},
{"id":"647035946536601578040000"},
{"id":"647035946536601578050000"}
]
}
}

19. POST /users/461845f5d03e6c052a43afbc/points
Accept: application/json
Accept-Language: en-gb
X-App-Version: 1.28.0
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1;)
...
Content-Type: application/json; charset=UTF-8
Content-Length: 375
Host: api.eatapp.com
Connection: Keep-Alive
Accept-Encoding: gzip
{
"authentication_token":"boKUp9vBHNAJp7XbWZCK",
"latitude":...,
"longitude":...,
"point":{
"isDoneByGesture":false,
"main_beacon":{
"major":38995,
"minor":12702,
"uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8"
},
"place_id":"450",
"promoted_products_ids":[
{"id":"647035946536601578040000"},
{"id":"647035946536601578040000"},
{"id":"647035946536601578050000"}
]
}
}

20. POST /users/461845f5d03e6c052a43afbc/points
Accept: application/json
Accept-Language: en-gb
X-App-Version: 1.28.0
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1;)
...
Content-Type: application/json; charset=UTF-8
Content-Length: 375
Host: api.eatapp.com
Connection: Keep-Alive
Accept-Encoding: gzip
{
"authentication_token":"boKUp9vBHNAJp7XbWZCK",
"latitude":...,
"longitude":...,
"point":{
"isDoneByGesture":false,
"main_beacon":{
"major":38995,
"minor":12702,
"uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8"
},
"place_id":"450",
"promoted_products_ids":[
{"id":"647035946536601578040000"},
{"id":"647035946536601578040000"},
{"id":"647035946536601578050000"}
]
}
}

24. stop!

25. • Encrypt all the values
• Utilise security features when they exist
• Certificate pinning
• DO NOT TRUST THE DEVICE

26. Encrypt all the values
dependencies {
compile 'com.scottyab:aescrypt:0.0.1'
}
String password = "password";
String message = "hello world";
try {
String encryptedMsg = AESCrypt.encrypt(password, message);
}catch (GeneralSecurityException e){
//handle error
}
String password = "password";
String encryptedMsg = "2B22cS3UC5s35WBihLBo8w==";
try {
String messageAfterDecrypt = AESCrypt.decrypt(password, encryptedMsg);
}catch (GeneralSecurityException e){
//handle error - could be due to incorrect password or tampered encryptedMsg
}

27. Caveat: Your keys will end up in GitHub

28. • Encrypt all the values
• Utilise security features when they exist
• Certificate pinning
• DO NOT TRUST THE DEVICE

29. Utilise security features when they exist

30. • Encrypt all the values
• Utilise security features when they exist
• Certificate pinning
• DO NOT TRUST THE DEVICE

31. Certificate pinning
String hostname = "publicobject.com";
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.build();
OkHttpClient client = OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build();
Request request = new Request.Builder()
.url("https://" + hostname)
.build();
client.newCall(request).execute();
http://bit.ly/android-certificate-pinning

32. Certificate pinning
String hostname = "publicobject.com";
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.build();
OkHttpClient client = OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build();
Request request = new Request.Builder()
.url("https://" + hostname)
.build();
client.newCall(request).execute();
http://bit.ly/android-certificate-pinning

33. Certificate pinning
String hostname = "publicobject.com";
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.build();
OkHttpClient client = OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build();
Request request = new Request.Builder()
.url("https://" + hostname)
.build();
client.newCall(request).execute();
http://bit.ly/android-certificate-pinning

34. • Encrypt all the values
• Utilise security features when they exist
• Certificate pinning
• DO NOT TRUST THE DEVICE

35. Someone will decompile your app

36. And when they do…

37. –Every Developer
“But I need magic strings”

38. Options
http://bit.ly/SafeKey
Encrypt
Make sure you encrypt or at least
encode them
Server
Get your keys of a server you own

39. Store in the NDK
http://bit.ly/NDKStorage

40. start!

41. • Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable

42. Tampering detection
// myPackageName should decode at runtime to "com.yourpackagename"
// google should decode at runtime to "com.android.vending";
// amazon should decode at runtime to "com.amazon.venezia";
public boolean isHacked(Context context, String myPackageName, String google, String amazon)
{
//Crooks renamed your app?
if (context.getPackageName().compareTo(myPackageName != 0)
return true; // BOOM!
//Rogues relocated your app?
String installer = context.getPackageManager().getInstallerPackageName(myPackageName);
if (installer == null)
return true; // BOOM!
if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
return true; // BOOM!
return false;
}
http://bit.ly/android-tampering-detection

43. Tampering detection
// myPackageName should decode at runtime to "com.yourpackagename"
// google should decode at runtime to "com.android.vending";
// amazon should decode at runtime to "com.amazon.venezia";
public boolean isHacked(Context context, String myPackageName, String google, String amazon)
{
//Crooks renamed your app?
if (context.getPackageName().compareTo(myPackageName != 0)
return true; // BOOM!
//Rogues relocated your app?
String installer = context.getPackageManager().getInstallerPackageName(myPackageName);
if (installer == null)
return true; // BOOM!
if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
return true; // BOOM!
return false;
}
http://bit.ly/android-tampering-detection

44. • Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable

45. private static final int VALID = 0;
private static final int INVALID = 1;
private static final String APP_SIGNATURE = "1038C0E34658923C4192E61B16846";
public static int checkAppSignature(Context context) {
try {
PackageInfo packageInfo = context.getPackageManager()
.getPackageInfo(context.getPackageName(),
PackageManager.GET_SIGNATURES);
for (Signature signature : packageInfo.signatures) {
byte[] signatureBytes = signature.toByteArray();
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(signature.toByteArray());
//compare signatures
if (SIGNATURE.equals(APP_SIGNATURE)){
return VALID;
};
}
} catch (Exception e) {
//assumes an issue in checking signature., but we let the caller decide on what to do.
}
return INVALID;
}
Check your app’s signature
http://bit.ly/AndroidTampering

46. • Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable

47. private static boolean canExecuteCommand(String command) {
try {
int exitValue =
Runtime.getRuntime().exec(command).waitFor();
if (exitValue != 0) return false;
else return true;
} catch (Exception e) {
return false;
}
}
Check for rooted device

48. • Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable

49. Build.FINGERPRINT.startsWith("generic")
Check for emulator

50. • Add tampering detection
• Check your app’s signature
• Check for rooted device
• Check for emulator
• Check if the app is debuggable

51. public static boolean isDebuggable(Context context){
return (context.getApplicationInfo().flags &
ApplicationInfo.FLAG_DEBUGGABLE) != 0;
}
Check if the app is debuggable

52. Debuggable app

54. Things to look at
• Protect your apps with tools like ProGuard and
DexGuard.
• Look at the SafetyNet API by Google
• Implement Network Security Configuration
http://bit.ly/SafeKey

55. ProGuard DexGuard
• Installed by default
• Name Obfuscation
• Code Optimisation
• Removal of Redundant Code
• FREE
• Class Encryption
• Call Hiding through Reflection
• String Encryption
• Certificate Checks
• Debug Detection
• Emulator Detection
• Root Detection
• Tamper Detection
• Costs $$$

56. Things to look at
• Protect your apps with tools like ProGuard and
DexGuard.
• Look at the SafetyNet API by Google
• Implement Network Security Configuration
http://bit.ly/SafeKey

57. SafetyNet API by Google

58. Things to look at
• Protect your apps with tools like ProGuard and
DexGuard.
• Look at the SafetyNet API by Google
• Implement Network Security Configuration
http://bit.ly/SafeKey

59. Network Security Configuration

62. Marcos Placona
@marcos_placona
marcos@twilio.com
Thanks
github.com/mplacona
androidsecurity.info