SE2016 Android Denis Zhuchinski "Ways of enhancing application security"

Post on 14-Apr-2017


Transcript of SE2016 Android Denis Zhuchinski "Ways of enhancing application security"

Ways of Enhancing Application Security

Denis Zhuchinski, Android Developer, EVO.company


What are we talking about today?

- Android & Security
- Interprocess Communication
- Networking
- Data safety
- Analyzing tools

Why should you care?

What does Android know about you?

- Calls
- Messages
- Emails
- Contacts
- Calendar
- Location
- Photos, Videos
- Camera
- ...

Enemies

- ADB
- Malicious Apps
- Unprotected Network
- Sniffers

Android security model

Application sandboxing

Permissions

Inter Process Communication

Code Signing

SELinux

Google’s Android Security Rewards has given researchers over $550,000 in 1 year

Interprocess Communication

“In the Android platform, the binder is used for nearly everything that happens across processes in the core platform."

– Dianne Hackborn

Binder

Interprocess Communication

- Intents
- Content Providers
- Messenger
- System services (Telephone, Vibrator, Wifi, Battery, Notification, etc.)
- Lifecycle callbacks in your Activity like onStart(), onResume(), onDestroy() are invoked by ActivityManagerService via binders

Man in the Binder

Android IPC is not secure!

Networking

HTTPS is a must have!

But...

HTTPS is not enough!

Man in the Middle

Pinning

- Certificate
- Public key

RFC 5280

Certificate pinning

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import com.squareup.okhttp.CertificatePinner;   // OkHttp 2.x API (client.setCertificatePinner)
import com.squareup.okhttp.OkHttpClient;

// Load the DER-encoded certificate that the app will pin to.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
    ca = cf.generateCertificate(caInput);
    System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
    caInput.close();
}

// Derive the pin (a hash of the certificate's SubjectPublicKeyInfo) and bind it to the API host.
OkHttpClient client = new OkHttpClient();
String certPin = CertificatePinner.pin(ca);
CertificatePinner certificatePinner = new CertificatePinner.Builder()
        .add(API_HOST, certPin)   // API_HOST: the hostname whose connections must match the pin
        .build();
client.setCertificatePinner(certificatePinner);

android.security.net.config

res/xml/network_security_config.xml (referenced from the manifest via android:networkSecurityConfig="@xml/network_security_config" on <application>; [a | b] marks the allowed attribute values, and the optional expiration date uses the yyyy-MM-dd format):

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config hstsEnforced=["true" | "false"] cleartextTrafficPermitted=["true" | "false"]>
        <domain includeSubdomains=["true" | "false"]>example.com</domain>
        <pin-set expiration="exp-date">
            <pin digest="SHA-256">PaJOmDNhWkVBvuXfzqXMyfo7kgtGpcyZp6L8EqvM8Ck=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

Android N
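Both pinning mechanisms above hash the certificate's DER-encoded SubjectPublicKeyInfo, not the whole certificate: OkHttp's CertificatePinner (OkHttp 3 and later) takes the value as "sha256/<base64>", while the network security config <pin digest="SHA-256"> element takes the bare base64 digest. The script below is an added example, not code from the talk: it walks the RFC 5280 structure with a minimal DER parser and the standard library and produces both forms, and the certificate it parses is a constructed skeleton (placeholder key, empty signature), so feed it real DER bytes such as the contents of load-der.crt to get a deployable pin.

```python
import base64
import hashlib

def der(tag, content):
    """Encode one DER TLV (used here only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos):
    """Parse the DER header at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 4.1)."""
    _, pos, _ = read_tlv(cert_der, 0)                   # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)                 # tbsCertificate ::= SEQUENCE
    if cert_der[pos] == 0xA0:                           # optional explicit [0] version
        _, _, pos = read_tlv(cert_der, pos)
    # serialNumber, signature, issuer, validity, subject precede subjectPublicKeyInfo
    for expected in (0x02, 0x30, 0x30, 0x30, 0x30):
        tag, _, pos = read_tlv(cert_der, pos)
        if tag != expected:
            raise ValueError("unexpected tbsCertificate layout")
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]                            # header included: pins hash the whole TLV

def nsc_pin(cert_der):
    """Base64 SHA-256 of the SPKI: the text inside <pin digest="SHA-256">."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def okhttp_pin(cert_der):
    return "sha256/" + nsc_pin(cert_der)                # OkHttp 3 CertificatePinner form

# Constructed sample: a certificate skeleton with the RFC 5280 field order, a
# placeholder RSA key and an empty signature; not a real or valid certificate.
RSA_OID, SHA256_RSA_OID = bytes.fromhex("2a864886f70d010101"), bytes.fromhex("2a864886f70d01010b")
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
                  + der(0x03, b"\x00" + bytes(range(256))))
_tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")                         # [0] version v3, serialNumber
        + der(0x30, der(0x06, SHA256_RSA_OID) + der(0x05, b"")) + der(0x30, b"")   # signature, issuer
        + der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"170101000000Z"))     # validity
        + der(0x30, b"") + SAMPLE_SPKI)                                            # subject, subjectPublicKeyInfo
SAMPLE_CERT = der(0x30, der(0x30, _tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

Because only the SPKI is hashed, a renewed certificate that keeps the same key pair keeps the same pin, which is why pinning the key (and shipping a backup pin) survives routine renewals better than pinning the certificate.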

Risks

- Insecure Data Storage
- Weak Server Side Controls
- Insufficient Transport Layer Protection
- Client Side Injection
- Poor Authorization and Authentication
- Security Decisions Via Untrusted Inputs
- Broken Cryptography

Where is the rescue, Bro?

Cryptography

Encryption Tools

- Cipher (javax.crypto)
- Spongy Castle
- Conceal
- SQLCipher
- AESCrypt-Android
- Secure-preferences (https://github.com/scottyab/secure-preferences)
- etc.

Conceal

Resources / Importance

- Secure key storage
- Suitable algorithm
- Right key length

ONLINE ANALYZERS

1. AndroTotal
2. Dexter
3. Tracedroid
4. Visual Threat
5. Mobile Malware Sandbox
6. MobiSec Eacus
7. IBM Security AppScan Mobile Analyzer - not free
8. NVISO ApkScan
...

STATIC ANALYSIS TOOLS

1. QARK
2. ApkAnalyser
3. APKInspector
4. Droid Intent Data Flow Analysis for Information Leakage
5. Drozer
6. Several tools from PSU
7. Smali CFG generator
8. FlowDroid
...

Apktool

$ apktool d app-test.apk
I: Using Apktool 2.2.0 on app-prod-release.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/oem/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

QARK


Drozer

$ adb install agent.apk
$ drozer console connect
dz> run app.package.attacksurface com.app.test
Attack Surface:
  3 activities exported
  0 broadcast receivers exported
  2 content providers exported
  2 services exported
    is debuggable

Things to remember

1. Never trust any input (use whitelists, not blacklists)
2. Store data securely
3. Obfuscate your code
4. Avoid excessive logging
5. Use HTTPS with certificate pinning
6. Use cryptography
7. Don't write your own crypto
8. Audit third-party code and services that you use
9. Perform security code review

Plan for security from the start - it's not something you can bolt on at the end

Links

1. https://www.androidpit.com/android-m-release-date-news-features-name#security
2. https://www.nowsecure.com/blog/2015/07/16/android-m-a-security-research-perspective-part-1/
3. https://koz.io/network-security-policy-configuration-for-android-apps/
4. http://blog.riskfinder.co.jp/2016/03/network-security-configuration-android-n.html
5. http://markup.su/highlighter/
6. https://www.securecoding.cert.org/confluence/display/android/Android+Secure+Coding+Standard
7. https://www.securecoding.cert.org/confluence/display/android/DRD06.+Do+not+act+on+malicious+intents
8. https://github.com/ashishb/android-security-awesome

And That’s It…Thanks!

Questions? Comments?
