![Page 1: The Android security jungle: pitfalls, threats and ......OWASP top 10 risks • M1: Weak Server Side Controls • M2: Insecure Data Storage • M3: Insufficient Transport Layer Protection](https://reader030.vdocuments.site/reader030/viewer/2022040307/5ed07658cb98f31e1f3341a2/html5/thumbnails/1.jpg)
The Android security jungle: pitfalls, threats and survival tips
Scott Alexander-Bown
@scottyab
The Jungle
• Ecosystem
• Google’s protection
• Threats
• Risks
Survival
• Network
• Data protection (encryption)
• App/device integrity
• App binary security
• Testing
Scott Alexander-Bown
• Lead Android Dev (remote) at Intohand
• Co-Author - Android Security Cookbook
• Co-Founder of SWmobile
1.4 Billion users
OpenSignals.com
Security Services
• Google Play
• Approval process (human approval since 2015)
• Developer security notifications
• Android Bouncer
• Android Device Manager (device security)
• SafetyNet (intrusion detection)
• Android at Work
Slide from Adrian Ludwig's Android Security State of the Union
Newer versions of Android are more secure
1.5: stack buffer and integer overflow protection
2.3+: null pointer dereference mitigation, NX
4.0+: ASLR
4.1+: ASLR strengthened
4.3: Security-Enhanced Linux
5.0: Security-Enhanced Linux, enforcing
Updatable WebView (via Play Store)
Threats
Threats: App Hijacking
• Taking an app and adding malware
• Concerns
  • Reversing Android apps is easy
  • No need for a certificate authority
  • Sideloading
“I ain’t got time to (heart)bleed”
OWASP
• Mobile Security Project
• iOS and Android
• Top 10 risks
  • attack vectors
  • threat agents
  • impacts
OWASP top 10 risks
• M1: Weak Server Side Controls
• M2: Insecure Data Storage
• M3: Insufficient Transport Layer Protection
• M4: Unintended Data Leakage
• M5: Poor Authorization and Authentication
• M6: Broken Cryptography
• M7: Client Side Injection
• M8: Security Decisions Via Untrusted Inputs
• M9: Improper Session Handling
• M10: Lack of Binary Protections
Survival kit
Survival tips
1. Harden the network communications
2. Protect stored data (encryption)
3. Validate the device and app integrity
4. Increase binary security
Network communications
• Use SSL / TLS!
• Use the platform SSL/TLS validation (i.e. don't disable it!)
• Use only strong cipher suites (128-bit+) and TLS versions (TLS v1.2)
• OkHttp 2.1 - https://publicobject.com/2014/11/12/okhttp-2-1/
Looks like you're not using SSL pinning?
• Devices ship with 100+ Certificate Authorities (CAs) and users can install their own
• Pinning limits the trusted root CAs
• Two types
  • Certificate pinning
  • Public key pinning
Public key pinning
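Added example (not code from the talk or from OkHttp) that puts the two network slides together: OkHttp 2.1's ConnectionSpec restricts the connection to TLS 1.2 with strong suites, and its CertificatePinner adds public key pinning on top of the platform validation. The host api.example.com and the sha1/ pin values are placeholders.

```java
import com.squareup.okhttp.CertificatePinner;
import com.squareup.okhttp.ConnectionSpec;
import com.squareup.okhttp.OkHttpClient;
import com.squareup.okhttp.Request;
import com.squareup.okhttp.Response;
import com.squareup.okhttp.TlsVersion;
import java.io.IOException;
import java.util.Collections;

public class PinnedClientFactory {
    // Hypothetical host and placeholder pins. A real pin is
    // base64(SHA-1(SubjectPublicKeyInfo)) of the server's leaf or
    // intermediate certificate; on a mismatch OkHttp lists the observed
    // pins in the SSLPeerUnverifiedException message.
    private static final String API_HOST = "api.example.com";
    private static final String PIN_LEAF = "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP = "sha1/BBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    public static OkHttpClient create() {
        OkHttpClient client = new OkHttpClient();
        // TLS 1.2 only, with OkHttp's MODERN_TLS cipher suites (forward-secret, 128-bit+).
        ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .build();
        client.setConnectionSpecs(Collections.singletonList(spec));
        // Public key pinning on top of (not instead of) the platform chain validation:
        // the validated chain must contain at least one of these SPKI hashes.
        // Pinning a backup key keeps a key rotation from locking users out.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_LEAF, PIN_BACKUP)
                .build();
        client.setCertificatePinner(pinner);
        return client;
    }

    public static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        // A pin mismatch or a server that cannot meet the spec fails here with an SSL exception.
        Response response = client.newCall(request).execute();
        return response.body().string();
    }
}
```

Pin the intermediate CA's key as well as the leaf if the server operator rotates leaf certificates often; a pin set that only contains the current leaf turns every renewal into an outage.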
Patch against SSL exploits
• Google Play Services provides a dynamic security provider
• ProviderInstaller.installIfNeeded(getContext());
• https://developer.android.com/training/articles/security-gms-provider.html#patching
Tips
Password based encryption
Code in a slide :’(
Encryption libraries
• Conceal
  • https://facebook.github.io/conceal
• SQLCipher
  • https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
• Secure-Preferences (or Hawk)
  • https://github.com/scottyab/secure-preferences
Hardcoded encryption key
Verifying app integrity
• Debuggable check
• APK checksum
• Signing certificate verification
Signing Certificate Verification
Build-time:
1. Get your certificate signature
   $ keytool -list -v -keystore your_app.keystore
2. Embed in app
   String CERTIFICATE_SHA1 = "71920AC9486E087DCBCF5C7F6F…";
Runtime:
3. Get the Signature from the PackageManager
4. Hash the Signature
5. Compare the signature hash strings
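Runtime steps 3 to 5 in code, as an added example (not the talk's own), with the debuggable check from the previous slide alongside it. The fingerprint constant is a placeholder; the real value is the SHA-1 line from keytool with the colons removed.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

public class AppIntegrity {
    // Step 2: SHA-1 fingerprint from `keytool -list -v`, colons removed.
    // Placeholder value, not a real fingerprint.
    private static final String CERTIFICATE_SHA1 =
            "0000000000000000000000000000000000000000";

    // Steps 3-5: read the signing certificate via the PackageManager,
    // hash it and compare with the embedded fingerprint.
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            for (Signature sig : info.signatures) {
                // Signature.toByteArray() is the DER-encoded X.509 certificate,
                // which is exactly what keytool fingerprints.
                String hex = toHex(md.digest(sig.toByteArray()));
                if (CERTIFICATE_SHA1.equalsIgnoreCase(hex)) {
                    return true;
                }
            }
        } catch (Exception e) {
            // NameNotFoundException / NoSuchAlgorithmException: treat as a failed check
        }
        return false;
    }

    // Debuggable check: a debuggable build can be attached to with a
    // debugger and its private data read, so a release build must not be.
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

Whoever repackages the app can also patch this check out, which is why the deck pairs it with obfuscation; treat it as one layer that raises the cost of app hijacking, not as a guarantee.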
Verifying device integrity
• Emulator check
  • https://github.com/strazzere/anti-emulator
• Google SafetyNet test
  • https://github.com/scottyab/safetynethelper
root@android:/ #
• Root apps / Dangerous apps
• Suspect system properties
• SU/BusyBox binaries
• RW /system
• https://github.com/scottyab/rootbeer
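An added example (not rootbeer's code) of three of the listed checks: su binaries on the usual paths, the test-keys build tag as the suspect system property, and /system mounted read-write. The path list is constructed, and each check is a heuristic that can false-positive on its own.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

public class RootCheck {
    // Constructed list of common su binary locations.
    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su",
            "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    // SU binaries: any of the usual paths existing is a strong signal.
    public static boolean suBinaryPresent() {
        for (String p : SU_PATHS) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    // Suspect system property: shipping firmware is built with release-keys;
    // test-keys points at a custom or developer build.
    public static boolean hasTestKeys() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    // RW /system: scan /proc/mounts for the system partition mounted read-write.
    public static boolean systemMountedRw() throws IOException {
        BufferedReader r = new BufferedReader(new FileReader("/proc/mounts"));
        try {
            String line;
            while ((line = r.readLine()) != null) {
                if (isRwSystemMount(line)) return true;
            }
        } finally {
            r.close();
        }
        return false;
    }

    // One /proc/mounts line: "device mountpoint fstype options dump pass".
    static boolean isRwSystemMount(String mountLine) {
        String[] f = mountLine.split(" ");
        if (f.length < 4 || !"/system".equals(f[1])) return false;
        for (String opt : f[3].split(",")) {
            if ("rw".equals(opt)) return true;
        }
        return false;
    }

    // Combine the signals; together they make a reasonable heuristic, not proof.
    public static boolean looksRooted() throws IOException {
        return suBinaryPresent() || hasTestKeys() || systemMountedRw();
    }
}
```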
Obfuscation
ProGuard
• Java code obfuscator
• Part of the Android SDK
• Free as in beer!
• ReTrace - supported by error handling services such as Crashlytics
DexGuard
• Commercial version of ProGuard
• Designed for Android and for protection
• Useful security utils - SSL pinning, root check, logging removal etc.
• My favourite features
  • String encryption
  • API hiding
Quick Android Review Kit (QARK)
• Python script
• Works with .apk or source code
• Automated tests
  • weaknesses
  • exploits
• Creates exploit .apks
• https://github.com/linkedin/qark
Click here for more!
• 42+ Secure mobile development tips - http://bit.ly/viafor42
• OWASP Mobile security risks - http://bit.ly/owaspmobile
• Android security cookbook [book] - http://bit.ly/MscEFu
• Android security internals [book] - http://bit.ly/andsecint
• Droidsec (whitepapers) - droidsec.org/wiki
Thanks
• @gotocph
• @intohand
• 20th Century Fox
• Android security team
Questions?
@scottyab
github.com/scottyab
Please remember to rate this session
Thank you
WebView
• Before
  • getSettings().setJavaScriptEnabled(false)
  • getSettings().setAllowFileAccess(false)
• During
  • WebViewClient.shouldOverrideUrlLoading()
    • enforce local content or HTTPS
    • whitelisted hosts/URLs
  • .shouldInterceptRequest() to intercept XMLHttpRequests
• After
  • webview.clearCache(true)
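The before/during/after slide as one WebViewClient, an added example rather than the talk's own code. The allow-listed hosts are constructed; bundled assets still load with file access off because setAllowFileAccess only governs the file system, not file:///android_asset.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class HardenedWebViewClient extends WebViewClient {
    // Constructed allow-list of hosts this WebView may talk to.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<String>(
            Arrays.asList("www.example.com", "help.example.com"));
    // Before: give the WebView the least capability it needs.
    public static void configure(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(false);
        webView.getSettings().setAllowFileAccess(false);
        webView.setWebViewClient(new HardenedWebViewClient());
    }

    // During: only bundled assets and HTTPS to allow-listed hosts are permitted;
    // every other scheme (http, javascript, content, ...) is refused.
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if ("file".equals(scheme)) {
            return url.startsWith("file:///android_asset/");
        }
        String host = uri.getHost();
        return "https".equals(scheme) && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // true = "we handled it", which drops the navigation.
        return !isAllowed(url);
    }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        // Sub-resources and XMLHttpRequests bypass shouldOverrideUrlLoading,
        // so answer anything off the allow-list with an empty response.
        if (isAllowed(url)) {
            return null; // null lets the WebView load it normally
        }
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }

    // After: drop cached pages and files once the WebView is finished.
    public static void cleanup(WebView webView) {
        webView.clearCache(true);
    }
}
```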