MCE^3 - Scott Alexander-Bown - Android App Security on a Budget
•
0 j'aime•277 vues
The document discusses improving the security of an Android app called Acme Corp on a limited budget. It outlines three "sneak sprints" to enhance security: 1) strengthening the SSL/TLS connection and implementing SSL pinning, 2) checking device integrity and encrypting data, and 3) adding tamper detection and obfuscating the APK. While more code complexity was introduced, the app is now less vulnerable to man-in-the-middle attacks, XSS vulnerabilities, and tampering by rooted users. Resources for mobile security best practices are also provided.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (19)
Similaire à MCE^3 - Scott Alexander-Bown - Android App Security on a Budget
Similaire à MCE^3 - Scott Alexander-Bown - Android App Security on a Budget (20)
Dernier
Dernier (20)
MCE^3 - Scott Alexander-Bown - Android App Security on a Budget
- 1. ANDROID APP SECURITY: ON A BUDGET SCOTT ALEXANDER-BOWN ANDROID FREELANCER @SCOTTYAB
- 2. DEVELOPER - ANDROID AUTHOR - ANDROID SECURITY COOKBOOK ORGANISER - SWMOBILE GROUP @SCOTTYAB SCOTT ALEXANDER-BOWN
- 3. TL;DR STORY OF IMPROVING APP SECURITY. MIN EFFORT. MAX IMPACT @SCOTTYAB
- 4. APP: ACME CORP DISCLAIMER: ALL CHARACTERS APPEARING IN THIS WORK ARE FICTITIOUS. ANY RESEMBLANCE TO REAL PERSONS, LIVING OR DEAD, IS PURELY COINCIDENTAL. @SCOTTYAB
- 10. WHAT CAN YOU DO? @SCOTTYAB
- 11. @SCOTTYAB
- 12. 3 Sneaky Sprints 1. Connection between app and api/server 2. Device integrity and Data 3. Apk integrity and protection. @SCOTTYAB
- 15. SSL Connection spec Use only strong cipher suites (128bit+) TLS versions (TLS v1.2) @SCOTTYAB
- 16. Patch against SSL exploits • Android relies on a security ‘Provider’ to provide secure network communications. • Google Play Services provides a way to update the device security provider • ProviderInstaller.installIfNeeded(getContext()); @SCOTTYAB
- 17. SSL/TLS Pinning Pinning limits the trusted root CA’s Devices ship with 100+ Certificate Authorities (CA) and users can install their own Two types of pinning * Certificate pinning * Public Key pinning What is SSL pinning? @SCOTTYAB
- 18. SSL Pinning with OKhttp SSL pin generator http://bit.ly/sslpin OKHttp Version OkHttp 3.1.2+ OkHttp 2.7.4+ @SCOTTYAB
- 19. Let’s make Webview less shit safer
- 20. Webview Disable risky settings Javascript File access White list urls / domains https://gist.github.com/scottyab/6f51bbd82a0ffb08ac7a @SCOTTYAB
- 21. SNEAK SPRINT 2: DEVICE INTEGRITY AND DATA @SCOTTYAB
- 23. Device Integrity Check the execution environment Root Check Root Beer - https://github.com/scottyab/rootbeer SafteyNet API (Google Play services) SafetyNet Wrapper - https://github.com/scottyab/safetynethelper @SCOTTYAB
- 24. Encrypt (obfuscate) Data Shared preferences - replaces with secure-preferences (or Hawk) https://github.com/scottyab/secure-preferences SQLlite - replaced with SQL Cipher for Android https://github.com/sqlcipher/android-database-sqlcipher Realm - has an encryption option https://github.com/realm/realm-java/tree/master/examples/ encryptionExample @SCOTTYAB
- 25. Encryption without storing key App pin code Android Keystore Device pin Finger printreader
- 26. SNEAK SPRINT 3: APK INTEGRITY & PROTECTION @SCOTTYAB
- 27. Tamper check Android requires all apps to be digitally signed Consistent for life of app Needed to publish app updates @SCOTTYAB
- 28. Build time 1. Get you certificate signature $keytool -list -v -keystore your_app.keystore 2. Embed in app String CERTIFICATE_SHA1 = “71920AC9486E087DCBCF5C7F6F…” @SCOTTYAB
- 29. Run time 3. Get the Signature from the PackageManager 4. Hash the Signature 5. Compare the signature hashes strings @SCOTTYAB
- 30. Obfuscation: ProGuard Java code obfuscator Part of the Android SDK (free!) To turn on: minifyEnabled=true @SCOTTYAB
- 32. ProGuard tips Add to config when you add a new lib Strip Log statements Crash stack traces Gradle Proguard plugin https://github.com/hotchemi/gradle-proguard-plugin Consider: DexGuard (paid) @SCOTTYAB
- 36. Cons More code==more complexity APK file size was larger Slower to start up Encrypted data is really only obfuscated ProGuard config was time consuming No credit for our hard work @SCOTTYAB
- 37. Pros Less vulnerable to MITM Webviews are less vulnerable to XSS attacks Curious rooted users cannot simply edit our db and pref data Rooted users will struggle Re-complication is hampered tamper check Understanding the decompiled code is hampered by the obfuscation @SCOTTYAB
- 38. DID WE WIN?
- 39. DID WE WIN?
- 40. DID WE WIN?
- 41. DID WE WIN?Much Win wow so security
- 42. WHAT CAN YOU DO? @SCOTTYAB
- 43. @SCOTTYAB STRENGTH SSL/TLS SSL PINNING WHITE LIST WEBVIEW CHECK FOR ROOT ENCRYPT DATA AT REST TAMPER CHECK OBFUSCATE
- 46. Resources Secure mobile development best practices - https://github.com/ nowsecure/secure-mobile-development OWASP Mobile security risks - http://bit.ly/owaspmobile Android security cookbook - http://bit.ly/MscEFu Best Practices for Security & Privacy - https://developer.android.com/ training/best-security.html Adding Tamper detection to your apps - https://www.airpair.com/android/ posts/adding-tampering-detection-to-your-android-app @SCOTTYAB
- 48. Good practices… Using SSL for API Using Context.MODE_PRIVATE Not using the SDcard to store anything Not logging user details to Android.Log