Increasing Android app security for free - Roberto Gassirà, Roberto Piccirillo - Codemotion Milan 2016
•
2 likes•1,511 views
Secure Development of Android App sometimes requires the use of third party libraries and external frameworks, often expensive or hard to quickly update if vulnerable.The Android SDK and Google Play Services provide security features and services, that allows a developer to take advantage of security enhancements in order to increase the security level of an application.The talk, starting from real common threats, will show how some of these features can be used into the different versions of Android, until the newest Nougat, to mitigate security risks that could afflict a mobile application.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Increasing Android app security for free - Roberto Gassirà, Roberto Piccirillo - Codemotion Milan 2016
Similar to Increasing Android app security for free - Roberto Gassirà, Roberto Piccirillo - Codemotion Milan 2016 (20)
More from Codemotion
More from Codemotion (20)
Recently uploaded
Recently uploaded (20)
Increasing Android app security for free - Roberto Gassirà, Roberto Piccirillo - Codemotion Milan 2016
- 1. Roberto Gassirà - Roberto Piccirillo MILAN 25-26 NOVEMBER 2016
- 2. 2 ● Senior Security Analysts for Mobile Security Lab ○ Vulnerability Assessment (IT, Mobile Application) ○ Android Secure Development Increasing Android app security for free Who we are ● Roberto Gassirà @robgas r.gassira@mseclab.com ● Roberto Piccirillo @robpicone r.piccirillo@mseclab.com
- 3. Increasing Android app security for free Potentially Hostile Environment
- 4. 4 Mobile Application can run in a Potentially Hostile Environment Potentially Hostile Environment Introduction
- 5. 5 Free Open Wifi ... Potentially Hostile Environment Unreliable Communication Channels … Free user data Threat:Traffic Snooping
- 6. 6 Potentially Hostile Environment Unreliable Communication Channels Free WPA2 Wifi ... … Free user data (MITM) Threat: MITM
- 7. 7 Potentially Hostile Environment Unreliable Communication Channels Under attack... Threat: Information Gathering
- 8. 8 Rooting Potentially Hostile Environment Tampered Device BootLoader Unlock Local/remote Exploit
- 9. 9 Rooting -> Android platform security compromised Potentially Hostile Environment Tampered Device No more application sandbox
- 10. 10 Potentially Hostile Environment Tampered Device Hooking/Instrumentation Threat:Code Hijacking onCreate() isDeviceTampered() ...()EXIT falsetrue Hooking... isDeviceTampered() false
- 11. 11 Mobile Threats for Developers ● Advanced Device Owner ○ Remove Bloatware/Customization Attacker ● Mobile Cybercriminal ○ Application analysis ● Potentially Harmful Applications ○ Steal info/money
- 12. 12 Mobile Threats for Developers Malware Infection Apps from “Unknown sources” Apps from “Unknown sites”
- 13. 13 Mobile Threats for Developers Google Security Services for Android From Android Security 2015 Year in Review - April 2016
- 14. 14 Mobile Threats for Developers Tampered Device Detection Free Weapons for Developers SafetyNet API ● Allows an app to analyze the device where it is installed ● Check if the device has passed the Compatibility Test Suite (CTS) Check the integrity of the device (Rooted?Hooked?Infected?) ● Provided by Google Play Services
- 15. 15 Mobile Threats for Developers Key Material Protection Free Weapons for Developers AndroidKeyStore ● Asymmetric and Symmetric Keys (API 23+) Secure Container with Hardware Backend Secure Communication Network Security Configuration ● Network security settings (certificate pinning, trusted CA, ...) customized with a safe and declarative configuration file
- 16. Increasing Android app security for free Detecting Tampered Device
- 17. 17 Detecting Tampered Device https://developer.android.com/training/safetynet/index.html Checking Device Compatibility
- 18. 18 Detecting Tampered Device https://developers.google.com/android/guides/api-client Access Google API SafetyNet service build.gradle Create an instance of Google API Client
- 19. 19 Detecting Tampered Device Send Compatibility Check Request Generate a random one time nonce to defeat replay attacks Send the request AttestationResult
- 20. 20 ● Formatted in JSON Web Signature format ○ RSA256 Signed JSON Detecting Tampered Device Attestation Result JWS Signature JWS Payload JWS Header Device passed Compatibility Test Suite Device integrity status true: OK false: TAMPERED
- 21. 21 Detecting Tampered Device ● Google provides Android Device Verification API for validating the response Validate Compatibility Check Response POST "https://www.googleapis.com/androidcheck/v1/attestations/verify?key=" { "signedAttestation": } JWS Signature JWS Payload JWS Header { “isValidSignature”: true }
- 22. Increasing Android app security for free Enhancing Network Security
- 23. 23 ● MITM attack: ○ Is a well-known technique used by an attacker to setup a proxy to intercept traffic between your application and backend servers ● How ○ ARP poisoning ○ DNS poisoning ○ Rouge proxy ○ etc Enhancing Network Security MITM attack
- 24. 24 ● HTTP and HTTPS: ○ HTTP: all data sent are in clear ○ HTTPS: all data sent are ciphered (Digital Certificates and Session Keys) ● Implement MITM attack on HTTP (easier) ● Implement MITM attack on HTTPS (harder) ○ Not impossible Enhancing Network Security MITM with HTTP or HTTPS
- 25. 25 Enhancing Network Security How SSL works
- 26. 26 Digital certificate Network Security Configuration ● Most important: ○ Common name ○ Issuer name ○ Not Valid Before ○ Not Valid After ○ Public Key ○ Signature Remember “Public Key Info” section
- 27. 27 ● Use HTTPS is not enough to mitigate some risks due to MITM Attacks ○ But in almost all cases should be mandatory use it ● To be more secure it’s important: ○ Check the common name of server digital certificate ○ Verify the issuer of server digital certificate ○ Trust the issuer of server digital certificate ● In the last years is usual: ○ Check the server public key (Pinning certificate or sometime called SSL Pinning) ○ More code to implement this technique Enhancing Network Security HTTPS key security points Android Nougat offers new features to perform easily checks to make HTTPS more secure
- 28. 28 ● Uses declarative configuration file to: ○ Enforce HTTPS for specified domain used into your application ○ Use certificate pinning ○ Trust only specific Certification Authority or use specific Self-signed certificate ○ Debug secure connections without modify code ● What you need: Enhancing Network Security Network Security Configuration AndroidManifest.xml
- 29. 29 Enhancing Network Security Configuration file format Contains all Network Configuration Default configuration for all connections Configurations for one or more domains Configurations valid only for debug purpose
- 30. 30 ● Get error when try to connect using HTTP Enhancing Network Security Enforce HTTPS Enforce HTTPS HTTP Connection Error: “Cleartext HTTP traffic to android-developers.blogspot.it not permitted”
- 31. 31 ● Use yours CA to verify yours certificate Enhancing Network Security Digital Certificate with custom CA Enforce HTTPS for the domain codemotion.milan.2016 Use cacert certificate to verify server certificate ● If cacert is not used the app get an error
- 32. 32 ● Force your application to use a specific public key ● In previous Android version you had to write boring code to implement certificate pinning ● Now you need calculate the sha256 of Public Key Info of X509 digital certificate Enhancing Network Security Certificate pinning sha256 base64 PinDigest
- 33. 33 ● If server public key is different the application get an error Enhancing Network Security Certificate pinning ● Add PinDigest with Expiration date
- 34. 34 ● In our analysis is horrible to find out the all SSL checks are off to overcame problem into development environment ● Now it is possible to add debug configuration without modify any line of code ● When you build in “release-mode” debug configuration is not considered Enhancing Network Security Safe debug
- 35. 35 ● You could define a base configuration for all connections ● You could insert more PinDigest ● You could define which CA store will be used to verify certificates: ○ User ○ System ● You could use self signed-certificate Enhancing Network Security Other options
- 36. Increasing Android app security for free Key Management Evolution
- 37. 37 Key Management Evolution ● Android KeyStore Provider introduced with API level 18 ○ Based on Android Keystore System to store cryptographic keys ● Until API level 22 only asymmetric keys ○ For info: https://speakerdeck.com/mseclab/android-key-management ● With API level 23+ also symmetric Keys AndroidKeyStore Provider Asymmetric Asymmetric + Symmetric
- 38. 38 Key Management Evolution Generating Symmetric Key
- 39. 39 Key Management Evolution Fingerprint Authentication
- 40. 40 Key Management Evolution AndroidKeyStore Security Features ● Preventing extraction of the key material from application process ● Preventing extraction of the key material from Android device ● Key material never enters the application process: ○ App cryptographic operations are performed by system process ○ ● Key materials may be bound to the secure hardware: ○ Trust Execution Environment (TEE) ○ Secure Element ● More and more processors are equipped with TEE: ○ Snapdragon 808 (Nexus 5x), Snapdragon 810 (Nexus 6P), Snapdragon 820 (Galaxy S7) etc
- 41. Increasing Android app security for free The Bill
- 42. 42 The Bill ● Detecting Tampered Device: Free ● Enhancing Network Security: Free ● Key Management Evolution: Free Total = Free :) How much costs
- 43. Web: www.mseclab.com www.consulkthink.it Mail: research@mseclab.com Telefono:+39-06-4549 2416 Fax:+39-06-4549 2454 Grazie per l’attenzione