Transcript of Increasing Android app security for free - Roberto Gassirà, Roberto Piccirillo - Codemotion Milan 2016
![Page 1: Increasing Android app security for free - Roberto Gassirà, Roberto Piccirillo - Codemotion Milan 2016](https://reader034.fdocuments.in/reader034/viewer/2022042908/58ed456d1a28ab4b258b4597/html5/thumbnails/1.jpg)
Roberto Gassirà - Roberto Piccirillo
MILAN 25-26 NOVEMBER 2016
Who we are

● Roberto Gassirà (@robgas)
● Roberto Piccirillo (@robpicone)
● Senior Security Analysts at Mobile Security Lab
  ○ Vulnerability Assessment (IT, Mobile Applications)
  ○ Android Secure Development
Potentially Hostile Environment
Potentially Hostile Environment: Introduction

A mobile application can run in a potentially hostile environment.
Potentially Hostile Environment: Unreliable Communication Channels

Free open Wi-Fi ... free user data: an open network carries the traffic in clear, so anyone in radio range can read it.
Threat: Traffic Snooping
Potentially Hostile Environment: Unreliable Communication Channels

Free WPA2 Wi-Fi ... free user data (MITM): a shared passphrase keeps outsiders off the link, but another client on the same network can still redirect your traffic through itself.
Threat: MITM
Potentially Hostile Environment: Unreliable Communication Channels

Under attack...
Threat: Information Gathering
Potentially Hostile Environment: Tampered Device

Rooting
● Bootloader unlock
● Local/remote exploit
Potentially Hostile Environment: Tampered Device

Rooting -> Android platform security compromised: no more application sandbox
Potentially Hostile Environment: Tampered Device

Hooking/Instrumentation
Threat: Code Hijacking

Diagram: onCreate() calls isDeviceTampered(); true -> EXIT, false -> ...() (normal execution continues). With hooking, isDeviceTampered() is instrumented to always return false, so EXIT is never reached and the check is bypassed.
Mobile Threats for Developers

Attacker
● Advanced Device Owner
  ○ Remove bloatware/customization
● Mobile Cybercriminal
  ○ Application analysis
● Potentially Harmful Applications
  ○ Steal info/money
Mobile Threats for Developers: Malware Infection

Apps from “Unknown sources”
Apps from “Unknown sites”
Mobile Threats for Developers: Google Security Services for Android

From Android Security 2015 Year in Review - April 2016
Mobile Threats for Developers: Free Weapons for Developers

Tampered Device Detection: SafetyNet API
● Allows an app to analyze the device where it is installed
● Checks whether the device has passed the Compatibility Test Suite (CTS)
● Checks the integrity of the device (rooted? hooked? infected?)
● Provided by Google Play Services
Mobile Threats for Developers: Free Weapons for Developers

Key Material Protection: AndroidKeyStore
● Asymmetric and symmetric keys (symmetric from API 23+)
● Secure container with a hardware backend

Secure Communication: Network Security Configuration
● Network security settings (certificate pinning, trusted CAs, ...) customized with a safe, declarative configuration file
Detecting Tampered Device
Detecting Tampered Device: Checking Device Compatibility

https://developer.android.com/training/safetynet/index.html
Detecting Tampered Device: Access Google API

https://developers.google.com/android/guides/api-client

● Add the SafetyNet service dependency in build.gradle
● Create an instance of Google API Client
Detecting Tampered Device: Send Compatibility Check Request

● Generate a random one-time nonce to defeat replay attacks
● Send the request
● Read the AttestationResult
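The three steps of slides 17-19 assembled into one Activity. This is an added example, not the deck's own code: it assumes the `com.google.android.gms:play-services-safetynet` dependency is declared in build.gradle (slide 18), and `MainActivity` and `sendToBackend()` are hypothetical names.

```java
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;

import com.google.android.gms.common.ConnectionResult;
import com.google.android.gms.common.api.GoogleApiClient;
import com.google.android.gms.common.api.ResultCallback;
import com.google.android.gms.safetynet.SafetyNet;
import com.google.android.gms.safetynet.SafetyNetApi;

import java.security.SecureRandom;

// Added example: request a SafetyNet compatibility attestation from an Activity.
// MainActivity and sendToBackend() are hypothetical names.
public class MainActivity extends Activity
        implements GoogleApiClient.ConnectionCallbacks, GoogleApiClient.OnConnectionFailedListener {

    private static final String TAG = "SafetyNetDemo";
    private GoogleApiClient googleApiClient;
    private byte[] nonce;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Slide 18: a Google API client with the SafetyNet API enabled.
        googleApiClient = new GoogleApiClient.Builder(this)
                .addApi(SafetyNet.API)
                .addConnectionCallbacks(this)
                .addOnConnectionFailedListener(this)
                .build();
        googleApiClient.connect();
    }

    @Override
    public void onConnected(Bundle connectionHint) {
        // Slide 19: a fresh random nonce per request (SafetyNet wants at least 16 bytes).
        // The backend keeps it so a replayed attestation can be rejected; ideally the
        // backend generates it and hands it to the app.
        nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);

        // Slide 19: send the compatibility check request.
        SafetyNet.SafetyNetApi.attest(googleApiClient, nonce)
                .setResultCallback(new ResultCallback<SafetyNetApi.AttestationResult>() {
                    @Override
                    public void onResult(SafetyNetApi.AttestationResult result) {
                        if (!result.getStatus().isSuccess()) {
                            // No attestation at all (no network, no Play Services, ...):
                            // treat as "unknown", never as "trusted".
                            Log.w(TAG, "attest failed: " + result.getStatus());
                            return;
                        }
                        // Opaque JWS string (header.payload.signature). Do not decide trust
                        // here: on a hooked device this callback can be altered exactly like
                        // isDeviceTampered() on slide 10. Hand it to the server instead.
                        sendToBackend(result.getJwsResult(), nonce);
                    }
                });
    }

    @Override
    public void onConnectionSuspended(int cause) { }

    @Override
    public void onConnectionFailed(ConnectionResult result) {
        Log.w(TAG, "Play Services unavailable: " + result);
    }

    private void sendToBackend(String jws, byte[] nonce) {
        // Hypothetical transport: POST the JWS (and the nonce you expect) to your own
        // server over HTTPS; the server performs the validation of slide 21.
        Log.d(TAG, "attestation ready, " + jws.length() + " chars");
    }
}
```

The nonce should be generated (or at least recorded) server side, otherwise an attacker who controls the device can replay an old, good attestation with a nonce of their choosing.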
Detecting Tampered Device: Attestation Result

● Formatted as a JSON Web Signature (JWS)
  ○ JSON signed with RS256 (RSA with SHA-256)
● Three parts: JWS Header . JWS Payload . JWS Signature
● Payload fields of interest:
  ○ ctsProfileMatch: device passed the Compatibility Test Suite
  ○ basicIntegrity: device integrity status (true: OK, false: TAMPERED)
Detecting Tampered Device: Validate Compatibility Check Response

● Google provides the Android Device Verification API for validating the response signature

POST "https://www.googleapis.com/androidcheck/v1/attestations/verify?key=" (followed by your API key)
Body: { "signedAttestation": "<JWS header.payload.signature>" }

Response: { “isValidSignature”: true }
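Backend-side validation of the JWS from slides 20-21, as an added example (not the deck's code). It assumes the org.json library on the server classpath; `SafetyNetVerifier`, its constructor arguments and the freshness window are hypothetical. The point it adds to the slide: `isValidSignature: true` only proves that Google signed the statement, so the payload's nonce, timestamp, package name, signing-certificate digest and the two integrity flags must be checked as well, and all of it on the server, where a hooked device cannot interfere and where the API key does not have to ship inside the APK.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Scanner;

import org.json.JSONArray;
import org.json.JSONObject; // assumed: org.json on the server classpath

// Added example: server-side checks on a SafetyNet attestation (slides 20-21).
public final class SafetyNetVerifier {

    private static final String VERIFY_URL =
            "https://www.googleapis.com/androidcheck/v1/attestations/verify?key=";

    private final String apiKey;             // Android Device Verification API key
    private final String expectedPackage;    // your applicationId
    private final String expectedCertDigest; // base64 SHA-256 of your release signing cert

    public SafetyNetVerifier(String apiKey, String expectedPackage, String expectedCertDigest) {
        this.apiKey = apiKey;
        this.expectedPackage = expectedPackage;
        this.expectedCertDigest = expectedCertDigest;
    }

    /** Step 1 (slide 21): ask the Android Device Verification API whether Google signed the JWS. */
    public boolean isSignatureValid(String jws) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(VERIFY_URL + apiKey).openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/json");
        conn.setDoOutput(true);
        byte[] body = new JSONObject().put("signedAttestation", jws)
                .toString().getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        if (conn.getResponseCode() != 200) {
            return false;
        }
        String response = new Scanner(conn.getInputStream(), "UTF-8").useDelimiter("\\A").next();
        return new JSONObject(response).optBoolean("isValidSignature", false);
    }

    /** Step 2: a valid signature is not enough; the payload must be about this request and this app. */
    public boolean payloadMatches(String jws, byte[] expectedNonce, long nowMs, long maxAgeMs) {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        try {
            // JWS payload is base64url; Java's decoder accepts the missing padding.
            JSONObject p = new JSONObject(
                    new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8));

            // The nonce we handed out for this very request (defeats replay).
            byte[] nonce = Base64.getDecoder().decode(p.optString("nonce", ""));
            boolean nonceOk = Arrays.equals(nonce, expectedNonce);
            // Reject statements that are too old to describe the device's current state.
            boolean fresh = Math.abs(nowMs - p.optLong("timestampMs", 0L)) <= maxAgeMs;
            // Bind the statement to our APK, not to any app that can call SafetyNet.
            boolean pkgOk = expectedPackage.equals(p.optString("apkPackageName", ""));
            JSONArray digests = p.optJSONArray("apkCertificateDigestSha256");
            boolean certOk = digests != null && digests.length() > 0
                    && expectedCertDigest.equals(digests.optString(0));
            // The two verdicts of slide 20.
            boolean cts = p.optBoolean("ctsProfileMatch", false);
            boolean basic = p.optBoolean("basicIntegrity", false);
            return nonceOk && fresh && pkgOk && certOk && cts && basic;
        } catch (RuntimeException malformed) { // bad base64 or JSON
            return false;
        }
    }

    /** Both steps; the order matters only for cost, both must hold. */
    public boolean accept(String jws, byte[] expectedNonce, long nowMs, long maxAgeMs) throws IOException {
        return payloadMatches(jws, expectedNonce, nowMs, maxAgeMs) && isSignatureValid(jws);
    }
}
```

Treat a failed or missing attestation as "unknown" and decide per feature what that means (deny a high-value operation, require step-up authentication), rather than as proof of tampering.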
Enhancing Network Security
Enhancing Network Security: MITM attack

● MITM attack
  ○ A well-known technique: the attacker sets up a proxy to intercept the traffic between your application and the backend servers
● How
  ○ ARP poisoning
  ○ DNS poisoning
  ○ Rogue proxy
  ○ etc.
Enhancing Network Security: MITM with HTTP or HTTPS

● HTTP and HTTPS
  ○ HTTP: all data is sent in clear
  ○ HTTPS: all data is encrypted (digital certificates and session keys)
● MITM attack on HTTP: easy
● MITM attack on HTTPS: harder
  ○ But not impossible (for instance when the app accepts any certificate, or the victim has installed the attacker's CA)
Enhancing Network Security: How SSL works
Network Security Configuration: Digital certificate

● Most important fields:
  ○ Common Name
  ○ Issuer Name
  ○ Not Valid Before
  ○ Not Valid After
  ○ Public Key
  ○ Signature
● Remember the “Public Key Info” section
Enhancing Network Security: HTTPS key security points

● Using HTTPS alone is not enough to mitigate every risk from MITM attacks
  ○ But in almost all cases it should be mandatory
● To be more secure it is important to:
  ○ Check the common name of the server certificate
  ○ Verify the issuer of the server certificate
  ○ Trust only that issuer
● In recent years it has become usual to:
  ○ Check the server public key (certificate pinning, sometimes called SSL pinning)
  ○ Which means more code to implement

Android Nougat offers new features to perform these checks easily and make HTTPS more secure.
Enhancing Network Security: Network Security Configuration

● Uses a declarative configuration file to:
  ○ Enforce HTTPS for the specified domains used by your application
  ○ Use certificate pinning
  ○ Trust only specific Certification Authorities, or a specific self-signed certificate
  ○ Debug secure connections without modifying code
● What you need: an android:networkSecurityConfig attribute on <application> in AndroidManifest.xml pointing to the XML file
Enhancing Network Security: Configuration file format

● <network-security-config>: contains the whole network configuration
● <base-config>: default configuration for all connections
● <domain-config>: configuration for one or more domains
● <debug-overrides>: configuration valid only for debug builds
Enhancing Network Security: Enforce HTTPS

● With HTTPS enforced, an HTTP connection fails with an error:
  “Cleartext HTTP traffic to android-developers.blogspot.it not permitted”
Enhancing Network Security: Digital Certificate with custom CA

● Use your own CA to verify your server certificate
  ○ Enforce HTTPS for the domain codemotion.milan.2016
  ○ Use the cacert certificate to verify the server certificate
● If the server certificate was not issued by cacert, the app gets an error
Enhancing Network Security: Certificate pinning

● Forces your application to accept only a specific public key
● In previous Android versions you had to write boring code to implement certificate pinning
● Now you only need to compute the SHA-256 of the Subject Public Key Info of the X.509 certificate
  ○ PinDigest = base64(SHA-256(SubjectPublicKeyInfo))
Enhancing Network Security: Certificate pinning

● If the server public key is different, the application gets an error
● Add the PinDigest with an expiration date (after that date the pins are no longer enforced, so ship an update before it)
Enhancing Network Security: Safe debug

● In our assessments it is horrible to find that all SSL checks have been turned off to work around problems in the development environment
● Now it is possible to add a debug configuration without modifying any line of code
● Debug overrides are honoured only when the app is debuggable (android:debuggable="true"); when you build in release mode they are ignored
Enhancing Network Security: Other options

● You can define a base configuration for all connections
● You can insert more than one PinDigest
● You can define which CA store is used to verify certificates:
  ○ User
  ○ System
● You can use a self-signed certificate
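A complete res/xml/network_security_config.xml that combines the elements of slides 29-35, as an added example rather than the file shown in the deck. Host names, the `cacert` raw resource, the expiration date and both pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the deck).
     Referenced from AndroidManifest.xml with
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Host names, the CA resource and the pin values below are placeholders. -->
<network-security-config>

    <!-- Slides 29/35: defaults for every connection the app makes.
         Cleartext is refused everywhere and only the system CA store is trusted,
         so a user-installed CA (an intercepting proxy, for example) is ignored. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Slides 32-33: pin the production API to its public key.
         pin = base64( SHA-256( SubjectPublicKeyInfo ) ), computed from the server
         certificate with:
           openssl x509 -in server.crt -pubkey -noout \
             | openssl pkey -pubin -outform der \
             | openssl dgst -sha256 -binary | openssl enc -base64
         Ship a backup pin for the next key so a rotation cannot lock users out.
         After "expiration" the pins stop being enforced and the connection falls back
         to ordinary CA validation, so treat the date as a deadline for an update. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2018-01-01">
            <!-- placeholder pin of the current key -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- placeholder backup pin of the next key -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Slide 31: an internal service whose certificate is issued by your own CA.
         res/raw/cacert (PEM or DER) replaces the system store for this domain only. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="false">codemotion.milan.2016</domain>
        <trust-anchors>
            <certificates src="@raw/cacert" />
        </trust-anchors>
    </domain-config>

    <!-- Slide 34: honoured only when android:debuggable="true", i.e. in debug builds.
         Lets a developer trust the CA of an intercepting proxy without touching code
         and without that trust ever reaching the release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

The file is enforced by the platform's TLS stack (HttpsURLConnection, OkHttp on Android 7.0+), so an app that builds its own TrustManager or uses a bundled TLS library bypasses it; review such code separately.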
Key Management Evolution
Key Management Evolution: AndroidKeyStore Provider

● Android KeyStore Provider introduced with API level 18
  ○ Based on the Android Keystore System to store cryptographic keys
● Until API level 22 only asymmetric keys
  ○ For info: https://speakerdeck.com/mseclab/android-key-management
● With API level 23+ also symmetric keys

Timeline: API 18-22 asymmetric only; API 23+ asymmetric + symmetric
Key Management Evolution: Generating Symmetric Key
Key Management Evolution: Fingerprint Authentication
Key Management Evolution: AndroidKeyStore Security Features

● Prevents extraction of the key material from the application process
● Prevents extraction of the key material from the Android device
● Key material never enters the application process:
  ○ The app's cryptographic operations are performed by a system process
● Key material may be bound to secure hardware:
  ○ Trusted Execution Environment (TEE)
  ○ Secure Element
● More and more processors are equipped with a TEE:
  ○ Snapdragon 808 (Nexus 5X), Snapdragon 810 (Nexus 6P), Snapdragon 820 (Galaxy S7), etc.
The Bill
The Bill: How much does it cost?

● Detecting Tampered Device: Free
● Enhancing Network Security: Free
● Key Management Evolution: Free

Total = Free :)
Web: www.mseclab.com, www.consulkthink.it
Mail: [email protected]
Tel: +39-06-4549 2416
Fax: +39-06-4549 2454

Thank you for your attention