The document discusses securely storing authentication tokens on Android devices. It recommends always encrypting sensitive data such as tokens or credentials. Below Android 6 the keystore has serious limitations, but on Android 6 and above it is improved and can be backed by the lock screen for secure storage. It gives examples of using libraries such as AesCbcWithIntegrity to encrypt and decrypt data with a password derived from a user PIN, storing the encrypted data and the salt in SharedPreferences. This is a way to store a token so that the user does not have to log in each time, while keeping it protected even if the phone is stolen or rooted.
3. Problem
1. User logs in to some web service using login and password.
2. Web service returns a token to authenticate further requests.
3. How to securely store the token on the device, so the user does not have to log in next time?
4. Official statement
“By default, files that you create on internal storage are accessible only to your app. Android implements this protection, and it's sufficient for most applications.”
https://developer.android.com/training/articles/security-tips.html
5. Always encrypt data on local storage
• OWASP recommendation
– Always store sensitive data encrypted
– Use strong approved Authenticated Encryption
• Mobile Top 10 2016: M2 Insecure Data Storage
• OWASP MSTG - data storage
6. MASVS
OWASP Mobile Application Security Verification Standard
“Definition of Sensitive Data
Sensitive data in the context of the MASVS pertains to both user credentials and any other data considered sensitive in the particular context, such as:
• Personally identifiable information (PII) that can be abused for identity theft: Social security numbers, credit card numbers, bank account numbers, health information;
• Highly sensitive data that would lead to reputational harm and/or financial costs if compromised: Contractual information, information covered by non-disclosure agreements, management information;
• Any data that must be protected by law or for compliance reasons.”
7. Threats
• Other apps on rooted phones can read internal storage
• Malware can do a local privilege escalation attack
• Allow backup = true
• Security holes in certain phones
• If someone steals your phone, they can also steal your car
– Tesla app hacked
10. Android 4.4
• API levels < 19
• Keystore below Android 4.4 is not secure
11. Below Android 6.0
• API levels 19 <= level < 23
• Mostly unusable:
– Only saves asymmetric keys
– Only has unsafe crypto primitives
12. Look out for internet examples
• why crypto is hard
• if you type the letters AES into your code you are doing it wrong
13. Android 6.0 and above
• API level >= 23
• Use key store
– Improved in Android 6.0
– It can be backed by lock screen
– Does encryption out of process on a separate processor with a separate OS
– Keys never leave secure enclave
– Unfortunately there is no library
– Lock screen changes remove all keys!
14. Workaround
• Ask user for PIN
• derive strong password from it
• use library to encrypt / decrypt
• Google keyczar
• java-aes-crypto
• Realm, sqlCipher
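The workaround on this slide (PIN -> derived key -> authenticated encryption -> SharedPreferences), as an added example written for this page; it is not code from the talk or its repository. It assumes the tozny java-aes-crypto library (class `com.tozny.crypto.android.AesCbcWithIntegrity`); the `PinTokenStore` class and preference names are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;
import com.tozny.crypto.android.AesCbcWithIntegrity;
import com.tozny.crypto.android.AesCbcWithIntegrity.CipherTextIvMac;
import com.tozny.crypto.android.AesCbcWithIntegrity.SecretKeys;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;

/** Hypothetical helper: keeps the token encrypted under keys derived from the user's PIN. */
public final class PinTokenStore {
    private static final String PREFS = "token_store";   // constructed preference names
    private static final String KEY_SALT = "salt";
    private static final String KEY_TOKEN = "token_civ";
    private final SharedPreferences prefs;

    public PinTokenStore(Context ctx) {
        prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    /** Derive AES + HMAC keys (PBKDF2 inside the library) from the PIN and a per-install salt. */
    private SecretKeys keysFor(String pin) throws GeneralSecurityException {
        String salt = prefs.getString(KEY_SALT, null);
        if (salt == null) {                       // first use: create and persist a random salt
            salt = AesCbcWithIntegrity.saltString(AesCbcWithIntegrity.generateSalt());
            prefs.edit().putString(KEY_SALT, salt).apply();
        }
        // The derived key is only as strong as the PIN: whoever reads salt + ciphertext
        // (rooted phone, backup) can try PINs offline, hence the usability/security trade-off.
        return AesCbcWithIntegrity.generateKeyFromPassword(pin, salt);
    }

    /** Encrypt-then-MAC the token and store it as base64 "iv:mac:ciphertext". */
    public void save(String pin, String token)
            throws GeneralSecurityException, UnsupportedEncodingException {
        CipherTextIvMac civ = AesCbcWithIntegrity.encrypt(token, keysFor(pin));
        prefs.edit().putString(KEY_TOKEN, civ.toString()).apply();
    }

    /** Returns null when nothing is stored, or the PIN is wrong / data tampered (MAC mismatch). */
    public String load(String pin) {
        String stored = prefs.getString(KEY_TOKEN, null);
        if (stored == null) return null;
        try {
            return AesCbcWithIntegrity.decryptString(new CipherTextIvMac(stored), keysFor(pin));
        } catch (GeneralSecurityException | UnsupportedEncodingException e) {
            return null;   // integrity check failed: do not fall back to plaintext or retry silently
        }
    }

    /** Call on logout or after repeated wrong PINs so the ciphertext does not linger on disk. */
    public void clear() { prefs.edit().clear().apply(); }
}
```

A wrong PIN is detected by the MAC check rather than by garbage plaintext, so the caller can count failed attempts and clear the store after a limit.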
15.
• This solution is suggested by Google
• Banks do this
• They also implement their own keyboards to prevent keylogging
• Also block screen capture
Talk about the taxi-hailing app FOR ANDROID that stored credit card information and could call a taxi
“Save token” is a couple-of-story-points story -> how hard can it be?
What does it mean ”sufficient for most applications”?
Pronounce: MAS VS
More about OWASP documents in Pawel Rzepa presentation
Why to always encrypt credentials?
Clickjacking malware?
BlueBorne bluetooth vulnerability
Require user to log in every time. Keep token only in ram.
But this is not what we wanted.
Ok so we encrypt the token and move on. But how to store secret key?
You could wrap the symmetric key with an asymmetric key stored in the keystore, but the cryptography is still weak
Current distribution of Android versions: https://developer.android.com/about/dashboards/index.html
unsafe crypto: CBC mode
Example 1 – how to use keystore
Example 2 – read key returns null
Before the presentation, check that a pattern lock is enabled on the emulator
Choose time for the pattern question
Example : https://github.com/pbochenski/savingprivatetoken/blob/master/app/src/main/java/com/siili/token/Example1.java
Don’t reinvent crypto
trade off between usability and security
How to use java-aes-crypto
How to use key store.
Security experts say enterprises spend anywhere from $400 to several thousand dollars to fix a single vulnerability in their internally developed Web applications
You don’t want to be next hackernews/reddit headline
New EU law: Data protection regulation (https://news.sophos.com/en-us/2015/01/08/5-things-you-should-know-about-the-eu-data-protection-regulation-even-if-youre-not-from-the-eu/); fines of up to 5% of annual income