Security and User Privacy In Android Apps
Posted 19-Oct-2014
Transcript of Security and User Privacy In Android Apps
Slide 1: Security and User Privacy In Android Apps
www.wipconnector.com | @caaarlo | #wipjam
Slide 2: Agenda
• About the Speakers/Companies
• Why should I care about user privacy?
• Privacy By Design
• Appstore privacy rules
• Regulations you should know about
• How to create a privacy policy
• Common privacy technical issues
• How to test for user data
• Accommodating for user mistakes
• Q&A
Slide 4: About the Speakers
• Carlo Longino, Director of Developer Marketing Services, WIP
  – [email protected]
  – @caaarlo
• Brent Melson, Director of Technology and Development, Intertek Testing Services
  – [email protected]
Slide 5: About their companies
• WIP – http://www.wipconnector.com
  – WIP connects mobile developers with information, resources and people. Find an event, partner, API or connection through us.
• Intertek – http://www.intertek.com/it
  – Intertek is a leading provider of quality and safety solutions serving a wide range of industries around the world.
Slide 6: Remember these?
Slide 7: The Long Arm of the Law
• Lots of rules and regulations to be aware of
• Constantly shifting and evolving, so pay attention
• COPPA
  – Restricts collection of personal info from kids under 13
• Financial Services Modernization Act
  – Requires privacy policies from financial institutions
• HIPAA
  – Standards for healthcare information
Slide 8: Multiple Jurisdictions, Too
• In the EU
  – Data Protection Directive
  – E-Privacy Directive
• In California
  – CalOPPA
  – AG has started enforcement
  – Requires privacy policy for apps that collect personal info from Californians and make it “reasonably accessible”
  – $2,500 fine per download
Slide 9: Working With User Data
• Plan Ahead
  – What data does my app need to function?
  – Am I collecting more than necessary?
• Collecting unneeded data is not a good idea
  – Invites user suspicion
  – Creates unnecessary risk for you
• Limiting data = limiting potential impact of breach
• What do you gain from unnecessary data?
Slide 10: Handling Data You Do Collect
• Don’t send data off the device unless it’s necessary
  – More potential user suspicion
  – Another potential breach point
• If you store data locally, make sure it’s encrypted
• Can you use hash values instead?
  – Vs MEID/IMEI or other personal info
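The “hash values instead of MEID/IMEI” point needs a caveat a tester will hit immediately: an unkeyed hash of an IMEI is reversible by brute force, because once the phone model’s 8-digit TAC is known only seven digits vary. The following is an added example, not code from the slides, showing that reversal and the keyed (HMAC) alternative; the IMEI, TAC and key values are constructed and `pseudonymize` is a name chosen here, not an Android API.

```python
"""Hashing a device identifier is not the same as protecting it.

Added example, not code from the slides. IMEI, TAC and keys are constructed.
"""
import hashlib
import hmac
from typing import Optional

# An IMEI is 15 digits: an 8-digit Type Allocation Code (TAC) identifying the
# phone model, a 6-digit serial, and a Luhn check digit. Anyone who knows which
# hardware the app runs on knows the TAC, so only the last 7 digits are secret.
TAC = "35332808"               # constructed TAC
SERIAL_AND_CHECK = "0042425"   # constructed serial + check digit
IMEI = TAC + SERIAL_AND_CHECK


def naive_hash(imei: str) -> str:
    """What 'use a hash instead of the raw IMEI' is frequently coded as."""
    return hashlib.sha256(imei.encode()).hexdigest()


def recover_imei(target_hash: str, tac: str = TAC) -> Optional[str]:
    """Offline brute force against the naive hash.

    With the TAC known there are at most 10**7 candidates (10**6 for an
    attacker who only generates Luhn-valid ones); hashing them all takes
    seconds. The 'hash' is just the IMEI in a different spelling, and still
    links the user across every party that computed it the same way.
    """
    for n in range(10 ** 7):
        candidate = f"{tac}{n:07d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
            return candidate
    return None


def pseudonymize(imei: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256).

    Without `key` the loop in recover_imei cannot be run. The key must not
    ship in the APK (anyone can unzip it): keep it server-side and derive the
    pseudonym on receipt, or avoid the IMEI entirely in favour of a random
    per-installation identifier kept in app-private storage. A different key
    per app or vendor also prevents cross-app linking of the same device.
    """
    return hmac.new(key, imei.encode(), hashlib.sha256).hexdigest()


def linkable_across_parties(imei: str, key_a: bytes, key_b: bytes) -> bool:
    """True when two parties derive the same pseudonym and can join their records."""
    return pseudonymize(imei, key_a) == pseudonymize(imei, key_b)


if __name__ == "__main__":
    h = naive_hash(IMEI)
    print("naive hash recovered:", recover_imei(h) == IMEI)
    print("HMAC pseudonym:", pseudonymize(IMEI, b"constructed-server-secret")[:16], "...")
```

On Android the cleaner answer is usually not to read the IMEI at all and to generate a random installation identifier stored in app-private storage; where a server genuinely needs to pseudonymise a hardware identifier, it should apply the HMAC with a key that never leaves the server.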
Slide 11: Watch Out For Data Logging
• It’s 10pm. Do you know what your app is logging?
  – Android logs are a shared resource, so info your app logs can be read by other apps
Slide 12: Give Users Choices
• Let your users decide how much data is collected and how it’s shared
• The more sensitive information you collect, the more careful you need to be about giving users information and choices
• Let users opt out of data collection and sharing
  – It’s okay to make them aware of functionality tradeoffs
Slide 13: Expectations about the Unexpected
• Are you using any data in an unexpected way?
  – Grabbing contacts without transparency
  – Logging data
  – Publishing data
• Inform users first
• Don’t expect users to have the same expectations as you do
Slide 14: Privacy Policies: Required
• Android Market:
  4.3 You agree that if you use the Market to distribute Products, you will protect the privacy and legal rights of users. If the users provide you with, or your Product accesses or uses, user names, passwords, or other login information or personal information, you must make the users aware that the information will be available to your Product, and you must provide legally adequate privacy notice and protection for those users. Further, your Product may only use that information for the limited purposes for which the user has given you permission to do so. If your Product stores personal or sensitive information provided by users, it must do so securely and only for as long as it is needed. But if the user has opted into a separate agreement with you that allows you or your Product to store or use personal or sensitive information directly related to your Product (not including other products or applications) then the terms of that separate agreement will govern your use of such information. If the user provides your Product with Google Account information, your Product may only use that information to access the user's Google Account when, and for the limited purposes for which, the user has given you permission to do so.
Slide 15: What does all that mean?
• Have a policy, for starters
• Be transparent about data you collect and how you use it
• Stick to your policy, and update it
• Collect only data you need, and get rid of it when you no longer need it
• “Legally adequate”
  – Be aware of where your users and apps are
Slide 16: How Do I Make a Privacy Policy?
• Think about your data collection and usage, and what you need to disclose
• Err on the side of caution
• Consult resources:
  – FTC guidance
  – CDT Best Practices
  – Privacy Choice Policy Maker
  – BuildMobile Sample Policies
• Copying is not a good idea, but comparing is
Slide 17: Going A Step Beyond
• Minimum requirements are just that
• Make your policy clear and concise
• Don’t hide behind legalese or grammatical sleight of hand
Slide 18: Two Key Policy Points
• This isn’t a place to dump all the nasty things you do, just to CYA
  – Total opposite: a place for you to inform and build trust
• Your policy is just a starting point for responsible behavior
  – Remember user choice and notifications
Slide 19: Don’t Forget Third-Party Code
• Once it goes in your app, you’re responsible for it
• Advertising, Analytics, anything
• Vet it, understand it, make sure your policy reflects it
• If you don’t understand it, don’t use it
• Your ad libraries have the same permissions as your app
Slide 20: Where is data going?
• http://www.privacychoice.org/mobilescaninfo
Slide 21: Think of the children
• If your app is for kids, take extreme care
• Tailor your app appropriately
• Ensure parents understand what you’re doing
• Avoid personal information if possible
• Use stricter privacy defaults
• Do you need age verification?
Slide 22: Observed issues
• Usernames and Passwords in the clear
  – Generally a debug vs. production problem
  – Third party API usage
• Tracking user information
  – Location, IMEI, MEID
  – Phone Numbers
• Expired or Self-signed certificates
  – Identify risk
Slide 23: Capturing traffic and analysis
• Black box capture tools/scenarios
• Creating a set of filters
  – Usernames, passwords, IMEI/MEID, others?
  – Using services for service blacklists (e.g. Websense)
• Integration into regression testing
  – Automation
  – False positives
• Final build validations
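The two slides above describe a capture-and-filter workflow without showing a filter. Below is an added example, not the speakers’ tooling, that applies such a filter set to decoded HTTP requests (the kind exported from tcpdump or Wireshark): it flags plaintext HTTP, credentials in the clear, device identifiers, phone numbers and location fields, and endpoints the privacy policy does not declare. The requests, hostnames and declared-host list are constructed. The Luhn check is what keeps 15-digit order numbers and similar out of the IMEI findings, which is the false-positive problem the slide mentions.

```python
"""Filter a decoded traffic capture for data the privacy policy does not allow out.

Added example, not the speakers' tooling. Requests, hostnames and the declared
host list are constructed.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Hosts the (constructed) privacy policy names as recipients of user data.
DECLARED_HOSTS = {"api.example-app.test", "analytics.example-vendor.test"}

CREDENTIAL_KEYS = {"username", "user", "login", "password", "passwd", "pwd"}
DEVICE_ID_KEYS = {"imei", "meid", "esn", "device_id", "deviceid"}
PHONE_KEYS = {"phone", "msisdn", "tel", "mobile"}
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
IMEI_LIKE = re.compile(r"(?<!\d)\d{15}(?!\d)")  # 15 digits not embedded in a longer run

Finding = Tuple[str, str]


def luhn_ok(digits: str) -> bool:
    """IMEI check-digit rule (Luhn): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_request(url: str, body: str = "") -> List[Finding]:
    """Return (category, detail) findings for one decoded request."""
    findings: List[Finding] = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    in_clear = parts.scheme == "http"
    if in_clear:
        findings.append(("plaintext-http", host))
    if host not in DECLARED_HOSTS:
        findings.append(("undeclared-host", host))
    fields = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    for key, _value in fields:
        k = key.lower()
        if k in CREDENTIAL_KEYS and in_clear:
            findings.append(("credential-in-clear", key))
        elif k in DEVICE_ID_KEYS:
            findings.append(("device-identifier", key))
        elif k in PHONE_KEYS:
            findings.append(("phone-number", key))
        elif k in LOCATION_KEYS:
            findings.append(("location", key))
    # Unlabelled IMEIs: 15 digits that also satisfy the check digit.
    for m in IMEI_LIKE.finditer(parts.query + "&" + body):
        if luhn_ok(m.group()):
            findings.append(("imei", m.group()))
    return findings


def scan_capture(capture: List[Tuple[str, str]]) -> Dict[str, List[Finding]]:
    """Run the filter over a whole capture; an empty list means the request is clean."""
    return {url: scan_request(url, body) for url, body in capture}


# Constructed capture: four requests a tester might see from one app session.
CAPTURED = [
    # Login over plaintext HTTP: the "debug endpoint left in the release build" case.
    ("http://api.example-app.test/login", "username=alice&password=hunter2"),
    # Beacon to a declared analytics vendor that nevertheless carries IMEI and location.
    ("https://analytics.example-vendor.test/beacon?imei=353328080042425&lat=30.27&lon=-97.74", ""),
    # Undeclared third-party host receiving the phone number.
    ("https://tracker.undeclared.test/collect", "msisdn=15125550123&app=1.2"),
    # 15-digit order number that fails Luhn: must not be reported as an IMEI.
    ("https://api.example-app.test/order", "order_id=123456789012345"),
]

if __name__ == "__main__":
    for url, found in scan_capture(CAPTURED).items():
        print(url, "->", found or "clean")
```

Wire `scan_capture` into the regression suite with the release build’s capture as input and fail the build on any non-empty result; the declared-host set is the machine-readable half of the privacy policy, so it should change only when the policy does.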
Slide 24: Testing for user data
• Create test cases against your privacy policy, use them.
• Regression testing for bugs
  – Validation that encryption hasn’t been disabled for debug
  – Test Setup
• Validation of your third party libraries
  – IMEI / MEID (Ok? Not Ok?) refer to privacy policy
  – Location, how important is it?
  – Validation of encryption, certificates
• Scanning the filesystem
  – Test cases to verify your encryption
  – Creating a “malware” application to exercise your security
• Sharing information well
  – MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE
  – External Storage concerns
  – ContentProvider API and Interprocess Communication (IPC)
  – HTTPS vs. HTTP
  – SMS (Avoid it)
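The “scanning the filesystem” and “sharing information well” items amount to auditing the app’s storage from the viewpoint of a co-installed app. The following added example (not the speakers’ code) builds a constructed stand-in for /data/data/<package>/ and for external storage, then flags what MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE leave behind, anything written to external storage (readable by every app whatever its mode bits), and plaintext secrets in files that should hold ciphertext. The package name, paths and file contents are hypothetical.

```python
"""Audit an app's on-device storage the way a hostile co-installed app would.

Added example, not the speakers' tooling. The fixture, package name and paths
are constructed.
"""
import os
import re
import stat
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str]
# Plaintext markers; ciphertext and binary files never match because they do not decode as text.
SENSITIVE = re.compile(r'(?i)\b(password|passwd|token|secret)\b\s*[=:"]')


def audit_tree(root: str, external: bool = False) -> List[Finding]:
    """Return (category, path-relative-to-root) findings for every file under root."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            if external:
                findings.append(("external-storage", rel))  # mode bits are irrelevant there
            if mode & stat.S_IROTH:
                findings.append(("world-readable", rel))    # MODE_WORLD_READABLE
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))    # MODE_WORLD_WRITEABLE
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)
            try:
                text = head.decode("utf-8")
            except UnicodeDecodeError:
                continue  # not text: ciphertext or a binary format, nothing to grep
            if SENSITIVE.search(text):
                findings.append(("plaintext-secret", rel))
    return findings


def _write(path: str, data: bytes, mode: int) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)  # explicit, so the fixture does not depend on umask


def build_fixture(app_dir: str, sdcard_dir: str) -> None:
    """Constructed app-private and external trees: three mistakes and two correct files."""
    # World-readable preference file holding a plaintext password.
    _write(os.path.join(app_dir, "shared_prefs", "session.xml"),
           b'<string name="password">hunter2</string>', 0o664)
    # Database created world-writable: any app can corrupt or poison it.
    _write(os.path.join(app_dir, "databases", "cache.db"), b"\x80\x81\xfe\xff" * 64, 0o666)
    # Export left on external storage: readable by every app regardless of mode.
    _write(os.path.join(sdcard_dir, "Android", "data", "com.example.app", "export.csv"),
           b"email,phone\nalice@example.test,15125550123\n", 0o600)
    # Correct: private mode, no secret material.
    _write(os.path.join(app_dir, "shared_prefs", "settings.xml"),
           b'<boolean name="opt_in" value="true" />', 0o600)
    # Correct: private mode, ciphertext (stand-in bytes that are not valid UTF-8).
    _write(os.path.join(app_dir, "files", "token.bin"), b"\x80\x81\xfe\xff" * 64, 0o600)


def run_demo() -> List[Finding]:
    """Build the fixture in a temp dir, audit both trees, return all findings."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = os.path.join(tmp, "data", "data", "com.example.app")
        sdcard_dir = os.path.join(tmp, "sdcard")
        build_fixture(app_dir, sdcard_dir)
        return audit_tree(app_dir) + audit_tree(sdcard_dir, external=True)


if __name__ == "__main__":
    for category, rel in run_demo():
        print(f"{category:18} {rel}")
```

Against a real device, point `audit_tree` at a copy of the app’s data directory taken with `adb pull -a` (which preserves mode bits; a plain `adb pull` does not) from a debuggable build or rooted test device, and run it as one of the privacy-policy test cases so a debug build that has turned encryption off fails on the plaintext-secret finding.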
Slide 25: Third Party Libraries
• Checking the hosts for known malware hosts
• Validation of the source code
  – Reading others’ code = fun
  – How to manage changes in those libraries
• Justification for all permissions necessary.
Slide 26: Best Practices / Common Mistakes
• Remove your debug code
• Allow for opt-in/opt-out at any time
• Don’t save private data to public places
• Moving privacy management out of the application (e.g. website) and ramifications
• Keep privacy policy up to date with your application as it changes
• Data retention policies
  – Validating your data retention policy
  – Aligning third-party solutions with your policies
Slide 27: Top 10 Privacy Best Practices
1. Build privacy and security planning from the start
2. Limit the data you collect to what’s absolutely necessary
3. Don’t transfer data off the device unless you have to, and use encryption.
4. Delete data that’s no longer needed, and encrypt any that is stored.
Slide 28: Top 10 Privacy Best Practices
5. Use hash values instead of raw data.
6. Give your users choices about how much data is collected, stored and shared.
7. Have a solid privacy policy and follow it!
8. Be careful with 3rd party code.
9. Take extra care with kids.
Slide 29: Tip Number 10
• Don’t forget the obvious!
  – Don’t send passwords in the clear
  – Encrypt data in transit
  – Follow laws, rules and regulations
Slide 30: Resources
• https://developer.android.com/training/articles/security-tips.html (the value and understanding of this document cannot be overstated)
• http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm263280.htm (your application is a device)
• http://www.wireshark.org
• http://www.tcpdump.org (tcpdump and libpcap) (invaluable for black box testing/manual packet inspection)
• http://sourceforge.net/projects/jpcap/ or Net::Pcap for Perl (for packet inspection automation)
• FTC guidance on app privacy policies - http://business.ftc.gov/documents/bus81-marketing-your-mobile-app
• CDT Best Practices - https://www.cdt.org/files/pdfs/Best-Practices-Mobile-App-Developers.pdf
• Privacy Choice Policy Maker - http://www.privacychoice.org/policymaker
• BuildMobile Sample Policies - http://buildmobile.com/5-critical-contracts-for-mobile-app-developers/