Transcript of SE2016 Android Denis Zhuchinski "Ways of enhancing application security"
Ways of Enhancing Application Security
Denis Zhuchinski Android DeveloperEVO.company
What are we talking about today?
- Android & Security
- Interprocess Communication
- Networking
- Data safety
- Analyzing tools
Why should you care?
What does Android know about you?
- Calls
- Messages
- Emails
- Contacts
- Calendar
- Location
- Photos, Videos
- Camera
- ...
Enemies
- ADB
- Malicious Apps
- Unprotected Network
- Sniffers
Android security model
Application sandboxing
Permissions
Inter Process Communication
Code Signing
SELinux
Google’s Android Security Rewards has given researchers over $550,000 in 1 year
Interprocess Communication
“In the Android platform, the binder is used for nearly everything that happens across processes in the core platform."
– Dianne Hackborn
Binder
Interprocess Communication
- Intents
- Content Providers
- Messenger
- System services (Telephone, Vibrator, Wifi, Battery, Notification, etc.)
- Lifecycle callbacks in your Activity like onStart(), onResume(), onDestroy() are invoked by ActivityManagerService via binders
Man in the Binder
Android IPC is not secure!
Networking
HTTPS is a must have!
But...
HTTPS is not enough!
Man in the Middle
Pinning
- Certificate
- Public key
RFC 5280
Certificate pinning
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import com.squareup.okhttp.CertificatePinner;
import com.squareup.okhttp.OkHttpClient;

// Load the (DER) certificate whose public key we want to pin
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
    ca = cf.generateCertificate(caInput);
    System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
    caInput.close();
}

// OkHttp 2.x API: pin() hashes the certificate's SubjectPublicKeyInfo; connections
// to API_HOST then succeed only if that key appears in the server's chain
String API_HOST = "api.example.com";   // placeholder: your API hostname
OkHttpClient client = new OkHttpClient();
String certPin = CertificatePinner.pin(ca);
CertificatePinner certificatePinner = new CertificatePinner.Builder()
        .add(API_HOST, certPin)
        .build();
client.setCertificatePinner(certificatePinner);
android.security.net.config
res/xml/network_security_config.xml:
<network-security-config>
    <domain-config hstsEnforced="[true|false]" cleartextTrafficPermitted="[true|false]">
        <domain includeSubdomains="[true|false]">example.com</domain>
        <!-- expiration is a date (YYYY-MM-DD); after it the pins are no longer enforced -->
        <pin-set expiration="exp-date">
            <pin digest="SHA-256">PaJOmDNhWkVBvuXfzqXMyfo7kgtGpcyZp6L8EqvM8Ck=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
Introduced in Android N.
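Added example (not from the talk): plain Java that derives the value placed in <pin digest="SHA-256"> (and, with a "sha256/" prefix, in OkHttp's CertificatePinner) from a public key, and enforces a pin set with an expiration date the way the Android N config does. The RSA keys and dates are constructed for illustration, not taken from any real server.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.time.LocalDate;
import java.util.Base64;
import java.util.List;

// How the value in <pin digest="SHA-256"> is derived and enforced.
public final class SpkiPin {
    // pin = base64(SHA-256(DER SubjectPublicKeyInfo)). For X.509 keys PublicKey.getEncoded()
    // is exactly that DER blob, so the pin can be computed without parsing the certificate.
    // OkHttp 3+ expects the same value prefixed with "sha256/".
    static String pin(PublicKey key) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    // <pin-set expiration="..."> semantics: once the date has passed the pins are no
    // longer enforced and the connection falls back to ordinary chain validation.
    static boolean acceptedByPinSet(PublicKey presented, List<String> pins,
                                    LocalDate expiration, LocalDate today) throws Exception {
        if (!today.isBefore(expiration)) return true;
        return pins.contains(pin(presented));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: throwaway RSA keys stand in for the server's key, a backup
        // key held offline for rotation, and a key presented by a man in the middle.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey serverKey = gen.generateKeyPair().getPublic();
        PublicKey backupKey = gen.generateKeyPair().getPublic();
        PublicKey mitmKey = gen.generateKeyPair().getPublic();

        List<String> pinSet = List.of(pin(serverKey), pin(backupKey));
        LocalDate expiration = LocalDate.of(2030, 1, 1);   // constructed date
        LocalDate today = LocalDate.of(2025, 1, 1);

        System.out.println("<pin digest=\"SHA-256\">" + pin(serverKey) + "</pin>");
        System.out.println("server key accepted:   " + acceptedByPinSet(serverKey, pinSet, expiration, today));
        System.out.println("mitm key accepted:     " + acceptedByPinSet(mitmKey, pinSet, expiration, today));
        System.out.println("mitm after expiration: " + acceptedByPinSet(mitmKey, pinSet, expiration, expiration));
    }
}
```

Always ship a backup pin for a key you hold offline; with a single pin, rotating the server key locks out every installed client until the app is updated.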
Risks
- Insecure Data Storage
- Weak Server Side Controls
- Insufficient Transport Layer Protection
- Client Side Injection
- Poor Authorization and Authentication
- Security Decisions Via Untrusted Inputs
- Broken Cryptography
Where is the rescue, Bro?
Cryptography
Encryption Tools
- Cipher (javax.crypto)
- Spongy Castle
- Conceal
- SQLCipher
- AESCrypt-Android
- Secure-preferences (https://github.com/scottyab/secure-preferences)
- etc.
Conceal
Resources / Importance
- Secure key storage
- Suitable algorithm
- Right key length
ONLINE ANALYZERS
1. AndroTotal
2. Dexter
3. Tracedroid
4. Visual Threat
5. Mobile Malware Sandbox
6. MobiSec Eacus
7. IBM Security AppScan Mobile Analyzer - not free
8. NVISO ApkScan
...
STATIC ANALYSIS TOOLS
1. QARK
2. ApkAnalyser
3. APKInspector
4. Droid Intent Data Flow Analysis for Information Leakage
5. Drozer
6. Several tools from PSU
7. Smali CFG generator
8. FlowDroid
...
Apktool
$ apktool d app-test.apk
I: Using Apktool 2.2.0 on app-prod-release.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/oem/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
QARK
Drozer
$ adb install agent.apk
$ drozer console connect
dz> run app.package.attacksurface com.app.test
Attack Surface:
  3 activities exported
  0 broadcast receivers exported
  2 content providers exported
  2 services exported
    is debuggable
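Every exported component in that attack surface is reachable over Binder by any app on the device, which is what "Android IPC is not secure" means in practice. Added example (not from the talk) of how one of those exported content providers should treat its callers; the authority, table, columns and permission name are assumptions for illustration.

```java
import android.content.ContentProvider;
import android.content.ContentUris;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

// Exported provider that treats every Binder caller as untrusted (assumed names throughout).
public class NotesProvider extends ContentProvider {
    static final String AUTHORITY = "com.app.test.notes";
    // signature-level permission, also set as android:readPermission on the <provider> in the manifest
    static final String READ_PERM = "com.app.test.permission.READ_NOTES";
    static final int NOTES = 1, NOTE_ID = 2;
    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    static final Map<String, String> COLUMNS = new HashMap<>();   // whitelist of queryable columns
    static {
        MATCHER.addURI(AUTHORITY, "notes", NOTES); MATCHER.addURI(AUTHORITY, "notes/#", NOTE_ID);
        for (String c : new String[] {"_id", "title", "body"}) COLUMNS.put(c, c);
    }
    SQLiteDatabase db;   // opened in onCreate() by the real app; omitted here
    @Override public boolean onCreate() { return true; }

    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // inside a Binder transaction the "calling" identity is the remote app, not us
        if (getContext().checkCallingOrSelfPermission(READ_PERM) != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("uid " + android.os.Binder.getCallingUid() + " lacks " + READ_PERM);
        }
        int kind = MATCHER.match(uri);
        if (kind == UriMatcher.NO_MATCH) throw new IllegalArgumentException("unknown uri " + uri);
        // caller strings never reach SQL unchecked: strict mode + projection map reject unknown
        // columns and subquery tricks, values travel as bound args, the row id is parsed as a long
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setProjectionMap(COLUMNS);
        qb.setStrict(true);
        if (kind == NOTE_ID) qb.appendWhere("_id = " + ContentUris.parseId(uri));
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // read-only provider: refusing writes is simpler than validating them
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.com.app.test.note"; }
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String where, String[] args) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String where, String[] args) { throw new UnsupportedOperationException(); }
}
```

If the provider is only used inside your own app, android:exported="false" in the manifest removes it from the attack surface entirely and none of the checks above are needed.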
Things to remember
- Never trust any input (use whitelists, not blacklists)
- Store data securely
- Use HTTPS with certificate pinning
- Use cryptography
- Don't write your own crypto
- Obfuscate your code
- Audit third-party code and services that you use
- Avoid excessive logging
- Perform security code review
Plan for security from the start - it's not something you can bolt on at the end
Links
1. https://www.androidpit.com/android-m-release-date-news-features-name#security
2. https://www.nowsecure.com/blog/2015/07/16/android-m-a-security-research-perspective-part-1/
3. https://koz.io/network-security-policy-configuration-for-android-apps/
4. http://blog.riskfinder.co.jp/2016/03/network-security-configuration-android-n.html
5. http://markup.su/highlighter/
6. https://www.securecoding.cert.org/confluence/display/android/Android+Secure+Coding+Standard
7. https://www.securecoding.cert.org/confluence/display/android/DRD06.+Do+not+act+on+malicious+intents
8. https://github.com/ashishb/android-security-awesome
And That’s It…Thanks!
Questions? Comments?