The document discusses improving the security of an Android app called Acme Corp on a limited budget. It outlines three "sneak sprints" to enhance security: 1) strengthening the SSL/TLS connection and implementing SSL pinning, 2) checking device integrity and encrypting data, and 3) adding tamper detection and obfuscating the APK. While more code complexity was introduced, the app is now less vulnerable to man-in-the-middle attacks, WebView XSS, and tampering by rooted users. Resources for mobile security best practices are also provided.
4. APP: ACME CORP
DISCLAIMER: ALL CHARACTERS APPEARING IN THIS WORK ARE FICTITIOUS. ANY RESEMBLANCE TO REAL PERSONS, LIVING OR DEAD, IS PURELY COINCIDENTAL.
@SCOTTYAB
15. SSL Connection spec
Use only strong cipher suites (128-bit or longer)
Allow only current TLS versions (TLS 1.2)
16. Patch against SSL exploits
• Android relies on a security ‘Provider’ (the platform's Java security provider) for secure network communications; an out-of-date provider carries known SSL/TLS bugs.
• Google Play Services provides a way to update the device's security provider at runtime.
• ProviderInstaller.installIfNeeded(getContext());
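Putting slides 15 and 16 together, here is an added example (not code from the original talk) of an OkHttp 3 client that first asks Play Services to patch the security provider and then restricts every connection to TLS 1.2 with a short allow-list of 128-bit-or-stronger AEAD cipher suites. The class and method names are my own; the OkHttp and Play Services calls are the real public APIs.

```java
import android.content.Context;
import com.google.android.gms.common.GoogleApiAvailability;
import com.google.android.gms.common.GooglePlayServicesNotAvailableException;
import com.google.android.gms.common.GooglePlayServicesRepairableException;
import com.google.android.gms.security.ProviderInstaller;
import java.util.Collections;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

/** Added example: hardened transport setup for an Android app (hypothetical class name). */
public final class HardenedTransport {

    private HardenedTransport() {}

    /**
     * Patch the platform security Provider before the first TLS handshake.
     * Returns false when Play Services is absent or needs an update; the caller
     * decides whether continuing on the unpatched provider is acceptable.
     * installIfNeeded() does blocking work, so call this off the main thread.
     */
    public static boolean patchSecurityProvider(Context context) {
        try {
            ProviderInstaller.installIfNeeded(context);
            return true;
        } catch (GooglePlayServicesRepairableException e) {
            // The user can fix this (e.g. update Play Services): surface the fix-it notification.
            GoogleApiAvailability.getInstance()
                    .showErrorNotification(context, e.getConnectionStatusCode());
            return false;
        } catch (GooglePlayServicesNotAvailableException e) {
            // No Play Services on this device at all; nothing to patch with.
            return false;
        }
    }

    /** TLS 1.2 only, and only forward-secret AES-GCM suites (128-bit+ keys). */
    public static ConnectionSpec strictTlsSpec() {
        return new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
                .build();
    }

    public static OkHttpClient newClient(Context context) {
        patchSecurityProvider(context.getApplicationContext());
        return new OkHttpClient.Builder()
                // A single spec: no fallback to COMPATIBLE_TLS, and CLEARTEXT is not listed,
                // so a plain http:// URL fails instead of silently downgrading.
                .connectionSpecs(Collections.singletonList(strictTlsSpec()))
                .build();
    }
}
```

Two practical checks: make sure a request to an http:// URL really fails with this client (that proves CLEARTEXT is gone), and test on the oldest API level you support, because a device whose provider cannot be patched may not offer every suite in the allow-list.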
17. SSL/TLS Pinning
What is SSL pinning?
Devices ship with 100+ Certificate Authorities (CAs), and users can install their own.
Pinning limits which CAs (or keys) the app will trust for its own servers.
Two types of pinning
* Certificate pinning
* Public key pinning
18. SSL Pinning with OkHttp
SSL pin generator: http://bit.ly/sslpin
OkHttp version: use OkHttp 3.1.2+ or 2.7.4+ (earlier releases contained a certificate-pinning bypass, CVE-2016-2402)
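An added example of public-key pinning with OkHttp 3 (my code, not the talk's, and not the bit.ly generator). The pin format OkHttp expects is base64(SHA-256(SubjectPublicKeyInfo DER)), which in Java is exactly a hash of cert.getPublicKey().getEncoded(), so the pinFor() helper below produces the same value the generator would. The host name and the two pin strings in pinnedClient() are placeholders to be replaced with real output of pinFor().

```java
import android.util.Base64;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** Added example: computing and applying OkHttp public-key pins (hypothetical class name). */
public final class Pinning {

    private Pinning() {}

    /**
     * Public-key pin in OkHttp's "sha256/<base64>" form.
     * PublicKey.getEncoded() returns the X.509 SubjectPublicKeyInfo DER, which is
     * what OkHttp's CertificatePinner hashes, so this matches what the client compares.
     */
    public static String pinFor(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    /** Same, from a PEM or DER certificate stream (e.g. res/raw or assets during a build step). */
    public static String pinFor(InputStream pemOrDer) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(pemOrDer);
        return pinFor(cert);
    }

    public static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Placeholder host and pins. Use the value of pinFor() for the key you
                // pin (leaf or, more robustly, the issuing intermediate) plus at least one
                // backup pin for a spare key kept offline, so a routine certificate
                // rotation cannot lock every installed copy of the app out of the API.
                .add("api.example.com",
                        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
                        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

When a pin does not match, OkHttp fails the connection with javax.net.ssl.SSLPeerUnverifiedException whose message lists the pins of the chain the server actually presented; that is a convenient way to confirm the values you generated, and the first thing to look at when pinning breaks after a certificate renewal.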
32. ProGuard tips
Extend the config whenever you add a new library (most libraries need their own keep rules)
Strip Log statements
Keep crash stack traces usable (retain line numbers and retrace with the mapping file)
Gradle ProGuard plugin: https://github.com/hotchemi/gradle-proguard-plugin
Consider: DexGuard (paid)
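The two middle tips as an added ProGuard config fragment (mine, not the talk's). The Log rule only takes effect when optimization is on, i.e. when the build uses proguard-android-optimize.txt rather than proguard-android.txt, whose -dontoptimize disables -assumenosideeffects.

```proguard
# Remove calls to android.util.Log so log text never ships in the release APK.
# Requires optimization: base the build on proguard-android-optimize.txt.
-assumenosideeffects class android.util.Log {
    public static int v(...);
    public static int d(...);
    public static int i(...);
    public static int w(...);
    public static int e(...);
    public static int wtf(...);
}

# Keep line numbers so obfuscated crash traces can be mapped back with
# retrace and the build's mapping.txt; rename the source file attribute
# so the original file names are not leaked.
-keepattributes SourceFile,LineNumberTable
-renamesourcefileattribute SourceFile
```

Note that string concatenation feeding a stripped Log call is not removed by this rule, so avoid building sensitive strings only to log them; and archive mapping.txt for every release, since without it the kept line numbers are useless.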
36. Cons
More code == more complexity
APK file size was larger
Slower to start up
Encrypted data is really only obfuscated (the key has to live on the device)
ProGuard config was time consuming
No credit for our hard work
37. Pros
Less vulnerable to MITM
WebViews are less vulnerable to XSS attacks
Curious rooted users cannot simply edit our DB and pref data
Rooted users will struggle
Recompilation is hampered by the tamper check
Understanding the decompiled code is hampered by the obfuscation
46. Resources
Secure mobile development best practices - https://github.com/nowsecure/secure-mobile-development
OWASP Mobile security risks - http://bit.ly/owaspmobile
Android security cookbook - http://bit.ly/MscEFu
Best Practices for Security & Privacy - https://developer.android.com/training/best-security.html
Adding Tamper detection to your apps - https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app