Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Android security

95 vues

Publié le

Data leaks are increasing, therefore it is very important to deal with the topic of security. Android is one of the most widely used systems on mobile phones. Among other things, best practices for android security are presented here.

Publié dans : Logiciels
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici
  • Soyez le premier à aimer ceci

Android security

  1. 1. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 1Robin Wiegand, Jonas Wisplinghoff| || Android Security
  2. 2. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 2Robin Wiegand, Jonas Wisplinghoff| || Why?
  3. 3. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 3Robin Wiegand, Jonas Wisplinghoff| ||
  4. 4. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 4Robin Wiegand, Jonas Wisplinghoff| || Why? Smartphones contain the most sensitive user data Users have an evolving awareness for privacy Loss of trust and reputation in case of a security incident
  5. 5. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 5Robin Wiegand, Jonas Wisplinghoff| || Best Practices
  6. 6. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 6Robin Wiegand, Jonas Wisplinghoff| || Security on the device
  7. 7. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 7Robin Wiegand, Jonas Wisplinghoff| || Data Storage
  8. 8. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 8Robin Wiegand, Jonas Wisplinghoff| || Risk Data Storage • Critical data is stored unsecurely on the device • e.g. passwords, tokens or personal information • in plain text or not proper encrypted
  9. 9. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 9Robin Wiegand, Jonas Wisplinghoff| || Where to look? Data Storage • SQLite databases • XML/JSON Data Stores • Plain text config files • External storages (SD-Card)
  10. 10. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 10Robin Wiegand, Jonas Wisplinghoff| || Mitigation Data Storage • Only store the data that is actually required • Properly encrypt locally stored files • Encrypt the database
  11. 11. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 11Robin Wiegand, Jonas Wisplinghoff| || Always challenge answers from the internet! Data Storage
  12. 12. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 12Robin Wiegand, Jonas Wisplinghoff| || Unaware Leaks
  13. 13. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 13Robin Wiegand, Jonas Wisplinghoff| || Risk Unaware leaks • Logs contain sensitive data • Public content providers offer access to sensitive data • Used libraries send sensitive data to 3rd parties (e.g. GPS location)
  14. 14. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 14Robin Wiegand, Jonas Wisplinghoff| || How to find them? Unaware leaks • Logs • Observe logcat • adb logcat [output filter] • Public content providers offer access to sensitive data • Scan for public content providers on the device (e.g. with drozer) • Used libraries send sensitive data to 3rd parties • Observe network traffic with http proxy tools
  15. 15. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 15Robin Wiegand, Jonas Wisplinghoff| || Mitigation Unaware leaks • Do not log sensitive information • Do not export content providers and use a proper protection level • Only use selected and trustworthy libraries
  16. 16. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 16Robin Wiegand, Jonas Wisplinghoff| || Encryption
  17. 17. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 17Robin Wiegand, Jonas Wisplinghoff| || Risk Encryption • Cryptography is a complex topic • Most errors happen when existing protocols have been implemented incorrect • Or even worse: People made up their own solution
  18. 18. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 18Robin Wiegand, Jonas Wisplinghoff| || What to look for? Encryption • Decompile an app... • ... and look for hardcoded passwords/keys • ... and look if there are passwords stored in the resource files • ... and check if insecure protocols have been used
  19. 19. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 19Robin Wiegand, Jonas Wisplinghoff| || Mitigation Encryption • Use established libraries • Use the system API (KeyChain) for storing key material or passwords
  20. 20. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 20Robin Wiegand, Jonas Wisplinghoff| || Security for the transmission
  21. 21. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 21Robin Wiegand, Jonas Wisplinghoff| || TLS
  22. 22. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 22Robin Wiegand, Jonas Wisplinghoff| || Risk TLS (Transport Layer Security) • No secure connection used at all • „Wrong“ usage of TLS • Prone to man in the middle attacks (MITM)
  23. 23. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 23Robin Wiegand, Jonas Wisplinghoff| || What do you mean with a „wrong“ usage? TLS (Transport Layer Security) • Known insecure protocols are used (e.g. SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, ...) • Only parts of the communication are encrypted (e.g. only the authentication, but not the other transfers) • The authenticity of certificates is not checked properly
  24. 24. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 24Robin Wiegand, Jonas Wisplinghoff| || Mitigation TLS (Transport Layer Security) • Use the latest encryption protocols for all data transfers • Certificate Pinning
  25. 25. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 25Robin Wiegand, Jonas Wisplinghoff| || Man-in-the-middle
  26. 26. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 26Robin Wiegand, Jonas Wisplinghoff| || Man-in-the-middle Trusted root certificates https
  27. 27. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 27Robin Wiegand, Jonas Wisplinghoff| || Man-in-the-middle Trusted root certificates https
  28. 28. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 28Robin Wiegand, Jonas Wisplinghoff| || Man-in-the-middle Trusted root certificates https
  29. 29. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 29Robin Wiegand, Jonas Wisplinghoff| || Man-in-the-middle Trusted root certificates https
  30. 30. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 30Robin Wiegand, Jonas Wisplinghoff| || Man-in-the-middle Trusted root certificates https
  31. 31. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 31Robin Wiegand, Jonas Wisplinghoff| || Man-in-the-middle Trusted root certificates
  32. 32. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 32Robin Wiegand, Jonas Wisplinghoff| || Man-in-the-middle Trusted root certificates
  33. 33. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 33Robin Wiegand, Jonas Wisplinghoff| || Man-in-the-middle Trusted root certificates
  34. 34. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 34Robin Wiegand, Jonas Wisplinghoff| || Certificate pinning Trusted root certificates
  35. 35. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 35Robin Wiegand, Jonas Wisplinghoff| || Certificate pinning Trusted root certificates
  36. 36. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 36Robin Wiegand, Jonas Wisplinghoff| || Certificate pinning Pinned certificate
  37. 37. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 37Robin Wiegand, Jonas Wisplinghoff| || Certificate pinning Pinned certificate
  38. 38. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 38Robin Wiegand, Jonas Wisplinghoff| || Certificate pinning Pinned certificate
  39. 39. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 39Robin Wiegand, Jonas Wisplinghoff| || Certificate pinning Pinned certificate
  40. 40. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 40Robin Wiegand, Jonas Wisplinghoff| || Certificate pinning Pinned certificate
  41. 41. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 41Robin Wiegand, Jonas Wisplinghoff| || Session Handling
  42. 42. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 42Robin Wiegand, Jonas Wisplinghoff| || Risk Session Handling • A session token is insecure when... • ... it can be guessed • ... it can easily be accessed by a 3rd party • ... it is valid indefinitely
  43. 43. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 43Robin Wiegand, Jonas Wisplinghoff| || What to look for? Session Handling • Try to find a session token with a MITM attack • Test, if... • ... the token expires after x minutes • ... the token offers access to other API endpoints • ... other tokens can be guessed
  44. 44. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 44Robin Wiegand, Jonas Wisplinghoff| || Mitigation Session-Handling • Allow session tokens to be disabled on the server • Think about the time-to-live of a session token • Destroy all outdated session tokens
  45. 45. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 45Robin Wiegand, Jonas Wisplinghoff| || Reverse Engineering
  46. 46. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 46Robin Wiegand, Jonas Wisplinghoff| || Decompilation
  47. 47. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 47Robin Wiegand, Jonas Wisplinghoff| || The APK assets/ Raw files, anything, even dynamically loaded code lib/ Native code libraries META-INF/ Certificate, signature and file hashes, to verify origin and integrity res/ Non-compiled resources AndroidManifest.xml Binary XML version of manifest classes.dex Dalvik Executable – All the classes for the Dalvik VM resources.arsc Compiled resources * (other)
  48. 48. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 48Robin Wiegand, Jonas Wisplinghoff| || Android Asset Packaging Tool Tools: aapt • Static APK analysis • APK info • aapt dump badging Test.apk • Interesting strings? • aapt dump strings Test.apk
  49. 49. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 49Robin Wiegand, Jonas Wisplinghoff| || Tools: apktool • Decompiler for Android APKs • apktool d Consortium.apk • https://ibotpeaches.github.io/Apktool/
  50. 50. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 50Robin Wiegand, Jonas Wisplinghoff| || Tools: drozer • Dynamic reverse engineering tool for analysing the running app • https://github.com/mwrlabs/drozer
  51. 51. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 51Robin Wiegand, Jonas Wisplinghoff| || Tools: mitmproxy • HTTPS Proxy Tool • Creates a certificate that can be installed on a device in order to attack it with a Man-in-the-middle attack • https://mitmproxy.org • Alternative: Charles Proxy • https://www.charlesproxy.com
  52. 52. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 52Robin Wiegand, Jonas Wisplinghoff| || Mitigation Reverse Engineering • Cannot be prevented completely • Use code obfuscation to make reverse engineering harder • ProGuard as part of Android SDK • Try to avoid shipping “secrets” in the app bundle
  53. 53. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 53Robin Wiegand, Jonas Wisplinghoff| || tl;dl too long; didn‘t listen.
  54. 54. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 54Robin Wiegand, Jonas Wisplinghoff| || Summary • Principle of data economy („Datensparsamkeit“) • Only store the data that is really required for the functionality of the app • Minimize the attack surface • Only export activities and content providers that should be public • Only use dependencies that are really required and keep those up to date • Encrypt sensitive data on the device and during transmission • Use code obfuscation to make reverse engineering harder
  55. 55. © Zühlke 2019Android Security 06.06.2019 | Technische Hochschule Mittelhessen Slide 55Robin Wiegand, Jonas Wisplinghoff| || Fragen? Vielen Dank @jonas_w jonas.wisplinghoff@zuehlke.com @rbn1991 robin.wiegand@zuehlke.com zuehlke.com/jobs

×