securing android applications

100
SECURING ANDROID APPLICATIONS October 2014

Upload: jose-manuel-candel

Post on 22-Nov-2014

210 views

Category:

Mobile


5 download

DESCRIPTION

Securing android applications

TRANSCRIPT

Page 1: Securing android applications

SECURING

ANDROID

APPLICATIONS

October 2014

Page 2: Securing android applications

http://www.linkedin.com/jmortega1

https://speakerdeck.com/jmortega/

@jmortegac

Page 3: Securing android applications

ARCHITECTURE / DALVIK VM / SANDBOX

ANDROID APPLICATIONS / PERMISSIONS

UTILS EXECUTION ENVIRONMENT

TOOLS ECLIPSE / ANDROID STUDIO

COMPONENTS SECURITY / STATIC ANALYSIS

ENCRYPTION / OBSFUSCATION

REVERSING APK TOOLS

APK ANALYZERS / PENTESTING / FORENSICS

Page 4: Securing android applications

Android Architecture

Page 5: Securing android applications

Dalvik VM

REGISTER-BASED VIRTUAL MACHINE

RUN ON A SLOW CPU WITH LITTLE RAM

OPTIMIZED FOR MOBILE DEVICES

DEX(Dalvik executable)

Page 6: Securing android applications

Dalvik vs ART(4.4)

DALVIK ART

Just-In-Time (JIT)

Compilation

Ahead-Of-Time (AOT)

Compilation

Cache builds up over time

Boot times are faster

Cache is built at first boot

Rebooting device takes

significantly longer

Apps compiled when

executed

Stores Compiled Apps

Consumes much more

internal storage space

Settings>Developer options>Select runtime

Page 7: Securing android applications

Sandbox

Each app gets a unique linux ID(uid) and Groud ID(gid)

Gets own dedicated process and dedicated dalvik VM

Applications are "self-signed" with certificate signed by Developer

Apps can share the data with other apps using content providers

Permissions determine the capacity for communication components

The App Data gets stored in /data/data/<app process> accessible only by UID and GID

(root exceptional)

Page 8: Securing android applications

/data/data

Apps installed by user

Apps installed by google default : play store, play

music , maps

Apps that are manufacturer specific : HTC

sense, touchwiz

Apps that are shipped with stock

rom : browsers

ROOT

Page 9: Securing android applications

Android Applications

Page 10: Securing android applications

APK Generating

ZIP + jarsigner+ zipalign for optimizing apk

Page 11: Securing android applications

Obtain APK

Google Play

Alternative markets (BlackMart, Fdroid, Aptoide)

Apk extractor

http://apps.evozi.com/apk-downloader

Page 12: Securing android applications
Page 13: Securing android applications

Permissions model Android permissions protect

Access to sensitive APIs

Access to content providers

Inter- and intra-application communication

Protection mechanism to interact with other applications

Location (GPS), Camera, Bluetooth, Telephony, SMS/MMS,

Network/data

AndroidManifest.xml

Page 14: Securing android applications

Permissions

Page 15: Securing android applications

Permissions

Be carefull with install

applications

Recommend install some

application to check permissions

Disable automatic updates and

check application permissions

manually each time an application

wants to be installed or updated

Page 16: Securing android applications

Permissions in apps

Check permissions in runtime

PackageManager pm = context.getPackageManager();

int hasPerm = pm.checkPermission(

android.Manifest.permission.WRITE_EXTERNAL_STORAGE,

context.getPackageName());

if (hasPerm != PackageManager.PERMISSION_GRANTED) { // do stuff}

private boolean checkWriteExternalPermission(){

String permission =

"android.permission.WRITE_EXTERNAL_STORAGE";

int res = getContext().checkCallingOrSelfPermission(permission);

return (res == PackageManager.PERMISSION_GRANTED);

}

Page 17: Securing android applications

Protection levels

normal: Default level for not application system, always

granted

dangerous: Higher-Risk permission for access to private data. Requires user approval.

SEND_SMS,ACCESS_FINE_LOCATION

signature Matching signature key. Two apps signed with the

same certificate

system, signatureOrSystem:Same as signature, but also system apps pre-installed like Google Play Services

Page 18: Securing android applications

Permissions in apps

Minimize requested permissions

Users like apps that request few permissions

33% apps request more permissions that they need

Get Camera Pic need android.permission.CAMERA? ContentValues contentValues = new ContentValues();

contentValues.put(MediaStore.Images.Media.DESCRIPTION, "Image capture");

contentValues.put(MediaStore.Images.Media.TITLE, "new image");

Uri uri =

getContentResolver().insert(MediaStore.Images.Media.EXTERNAL_CONTENT_URI,

contentValues);

Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);

intent.putExtra(MediaStore.EXTRA_OUTPUT, uri);

intent.putExtra(MediaStore.EXTRA_VIDEO_QUALITY, 1);

startActivityForResult(intent, 1);

Page 19: Securing android applications

Permissions in apps

Application don`t need permission to get a camera pic

<uses-permission android:name="android.permission.CAMERA" />

Where is the permission?

In the Google Camera Application

GoogleCamera.apk

Page 20: Securing android applications

Permissions in apps

Create custom permissions

<permission android:name="android.permission.CUSTOM_PERMISSION" android:protectionLevel="normal" android:label="@string/custom_permission_label">

<permission android:name="android.permission.SEND_SMS" android:permissionGroup=“android.permission-group.COST_MONEY" android:protectionLevel="dangerous" android:label="@string/permlab_sendSms" android:description="@string/permdesc_sendSms" />

Page 21: Securing android applications

Permissions in apps

Group permissions

<permission-group android:name="android.permission-group.LOCATION"

android:description="@string/permgroupdesc_location" />

<!-- Allows an application to access fine (e.g., GPS) location -->

<permission android:name="android.permission.ACCESS_FINE_LOCATION"

android:permissionGroup="android.permission-group.LOCATION"

android:protectionLevel="dangerous"

android:description="@string/permdesc_accessFineLocation" />

<!-- Allows an application to access coarse (e.g., Cell-ID, WiFi) location -->

<permission android:name="android.permission.ACCESS_COARSE_LOCATION"

android:permissionGroup="android.permission-group.LOCATION"

android:protectionLevel="dangerous"

android:description="@string/permdesc_accessCoarseLocation" />

Page 22: Securing android applications
Page 23: Securing android applications

Install in SD CARD

<manifest xmlns:android="http://schemas.android.com/apk/res/android"

package="com.example1" android:versionCode=“1"

android:versionName="1.0"

android:installLocation="auto|preferExternal"> <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19" />

</manifest>

$ adb shell

$ pm set-install-location 2

0 [auto]: Let system decide the best location1

[internal]: Install on internal device storage2

[external]: Install on external media

Page 24: Securing android applications

Check if Play Store is the installer

Check if Debuggable

Page 25: Securing android applications

Check Running emulator

Check Debugger certificate

Page 26: Securing android applications

Check signing key

Page 27: Securing android applications

Root detection

private boolean isDeviceRooted(){

try{

Runtime.getRuntime().exec("su");

return true;

}catch(IOExeception ex){

return false;

}

}

public static boolean() isDeviceRooted(){

File f= new File("/system/sbin/su");

return f.exits();

}

Page 28: Securing android applications
Page 29: Securing android applications

Malware

• Installing applications from known sites

• Check permissions during installation / upgrade

• Review comments from users

• Update the operating system and applications.

• Disable automatic connection to WiFi networks and avoid connecting to free WiFi

• Disable BlueTooth when not in use

Recommendations to avoid malware

Page 30: Securing android applications

Malware detection in Google play

Bluebox Security Scanner

SRT AppScanner

Lookout Mobile Security

Advanced Mobile Care

Malwarebytes Anti-Malware

CM Security

Page 31: Securing android applications

foresafe.com/scan

mobilesandbox.org

andrototal.org

copperdroid

Page 32: Securing android applications
Page 33: Securing android applications

Signing applications Purpose of certificates in Android is to distinguish

application authors

Android won't allow application to be upgraded unless signed with same certificate the applications are signed with the same key.

Android allows applications that are signed with the same certificate to run in the same processes

All applications must be signed with a digital certificate

Page 34: Securing android applications

Signing applications

Java keytool

$ keytool -genkey -v -keystore <keystore filename>

-alias <alias for key> -keyalg RSA -keysize 2048

-validity 10000

Page 35: Securing android applications

Sign apk with private key

Check the apk signature

sm 236 Sun Feb 02 15:08:10 CET 2014 javamail.pop3.provider

X.509, CN=Android Debug, O=Android, C=US [certificate is valid from 3/04/13 18:13 to 27/03/43 17:13]

54226 Sun Feb 02 15:08:10 CET 2014 META-INF/MANIFEST.MF

54279 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.SF

1203 Sun Feb 02 15:08:10 CET 2014 META-INF/CERT.RSA

s = signature was verified

m = entry is listed in manifest

k = at least one certificate was found in keystore

i = at least one certificate was found in identity scope

jar verified.

Signing applications

$ jarsigner -verify -certs -verbose testing.apk

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1

-keystore mykeystore testing.apk <alias_name>

Page 36: Securing android applications

Android Studio

Tool included in Android SDK for apk compress and optimizing

$ zipalign -f 4 app-signed.apk final-app.apk

Build > Generate Signed APK

Page 37: Securing android applications

Eclipse/Android Studio

Page 38: Securing android applications
Page 39: Securing android applications
Page 40: Securing android applications

Content Providers

A specialized type of complex data store in Android to

standardize access and manipulation of stored data

Browser: bookmarks, browse history

CallLog: missed calls, call details

Contacts: Contact details

MediaStore: Media files

Page 41: Securing android applications

Content Providers

Offers a structured storage mechanism that can be limited to

your own application or exported to allow access by other

applications.

android:exported =“false"

android:exported ="true"

Versions >= 4.2 exported=“false” by default

<provider android:name=".data.DataProvider"

android:multiprocess="true"

android:authorities="myapp.data.DataProvider"

android:readPermission="myapp.permission.READ"

android:writePermission="myapp.permission.WRITE" />

Page 42: Securing android applications

Data Storage Shared preferences

External storage

Requires permission

android.permission.WRITE_EXTERNAL_STORAGE

Internal storage

Better than external since permissions not required

Sqlite3

File DataBase with extension *.db stored in

/data/data/[package_name]/databases

Cloud Google Cloud Messaging(GCM)

ROOT

Page 43: Securing android applications

Shared preferences

An xml key-value pairs file stored in

/data/data/com.your.package/shared_prefs/preferences.xml

Used by an application in order to save small sets of data for

the application

Storing sensitive information in shared preferences is not

recommended

Library for securing shared preferences

Encrypt the key-value pairs

AES symmetric key

https://github.com/scottyab/secure-preferences

ROOT

Page 44: Securing android applications

Secure Shared preferences ROOT

Page 45: Securing android applications

Networking

Use HttpsURLConnection for secure web traffic

HTTPS + CA Certificate

import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManagerFactory;

// build key store with ca certificate KeyStore keyStore = buildKeyStore(context, certRawResId); // Create a TrustManager that trusts the CAs in our KeyStore String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); // Create an SSLContext that uses our TrustManager SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, tmf.getTrustManagers(), null); // Create a connection from url RL url = new URL(urlString); HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());

Page 46: Securing android applications

Webview

class WebAppInterface {

private String sensitiveInformation;

public String toString() { return sensitiveInformation; }

}

WebView webview = new WebView(this);

setContentView(webview);

webView.loadUrl("http://website.com");

webView.addJavascriptInterface(new WebAppInterface(this), "injectedObject");

Vulnerability in version 4.1.2(API 16) Jelly Bean in Cross-site

scripting (XSS), Cross-site Request Forgery (CSRF) attacks

With JavaScript and Java Reflection can access any of the public

methods of the WebAppInterface

setJavascriptEnabled(true);

Page 47: Securing android applications

Webview

<script>

function execute(){

var

sendSMS=Android.getClass.forName("android.telephony.

SmsManager").

getMethod("getDefault",null).invoke(null,null);

sendSMS.sendTextMessage("+323232323",null,"message",

null,null);

}

</script>

Page 48: Securing android applications

Webview best practices

Disable JavaScript and Plugin support if they are not

needed.

Disable local file access. Restricts access to the app’s

resource and asset directory.

Prevent loading content from 3rd party hosts.

Activate SSL in activity using HTTPS

In 4.2 @JavascriptInterface method annotation for limit

access methods from javascript.

Avoid exposing protected data in javascript interface

@JavascriptInterface

public void method() { dostuff(); }

Page 49: Securing android applications

Webview best practices

Not save passwords

Not saving form data

Clear Cache

webSettings.setSavePassword(false);

webSettings.setSaveFormData(false);

@Override public void onPageFinished(WebView view, String url) {

super.onPageFinished(view, url);

view.clearCache(true); //delete local files in the browser

}

Page 50: Securing android applications

SQLite

SQLiteDatabase db = dbHelper.getWriteableDatabase();

String userQuery = "SELECT lastName FROM useraccounts WHERE

userID = ?";

SQLiteStatement prepStatement =db.compileStatement(userQuery);

prepStatement.bindString(1, "userID");

prepStatement.simpleQueryForString();

Prepared statements to avoid sql injection

rawQuery

compileStatement

Page 51: Securing android applications

SQLite Cipher

https://github.com/sqlcipher/android-database-sqlcipher

public void initDB(Context context, String password) { SQLiteDatabase database = SQLiteDatabase.openOrCreateDatabase(DB_NAME,password, null); database.execSQL("create table MyTable(a, b)"); }

import net.sqlcipher.database.*;

import android.database.sqlite.*;

Page 52: Securing android applications

Static analysis

Page 53: Securing android applications

Static analysis

Page 54: Securing android applications

LINT ECLIPSE /ANDROID STUDIO Scans Android project sources for potential bugs

Comes with the SDK and detects common programming errors

Page 55: Securing android applications

Lint

$ lint --check Security --html security_report.html <project_home>

http://developer.android.com/tools/help/lint.html

Page 56: Securing android applications

ANDROID STUDIO

Page 57: Securing android applications

SONARQuBE http://www.sonarqube.org/

Page 58: Securing android applications
Page 59: Securing android applications
Page 60: Securing android applications

Encryption in phone

Supported since Android 3.0

Encrypts the entire device with AES 128.

Based on dm-crypt implementation

PBKDF2 algorithm for password

Takes at Least 1 h for Encryption of Data.

Denoted to reduce in performance.

Page 61: Securing android applications

Encryption in applications

Android Crypto API

Based in javax.crypto from javaSE

Obtain secretKey

public static SecretKey generateKey(char[] password, byte[] salt)

throws Exception {

int iterations = 1000;

int outputKeyLength = 256;

SecretKeyFactory secretKeyFactory

= SecretKeyFactory.getInstance(“PBKDF2WithHmacSHA1”);

KeySpec keySpec = new PBEKeySpec(password, salt,iterations,

outputKeyLength);

byte[] keyBytes = secretKeyFactory.generateSecret(keySpec).getEncoded();

return new SecretKeySpec(keyBytes, “AES”);

}

import java.security.*;

import javax.crypto.*;

Page 62: Securing android applications

Encryption in applications public static String encryptText(char[] password, String plainText)

throws Exception {

//Obtain secretkey

SecureRandom secureRandom = new SecureRandom();

int saltLength = 8;

byte[] salt = new byte[saltLength];

secureRandom.nextBytes(salt);

SecretKey secretKey = generateKey(password, salt);

Cipher cipher = Cipher.getInstance(“AES/CBC/PKCS5Padding”);

byte[] initVector = new byte[cipher.getBlockSize()];

secureRandom.nextBytes(initVector);

IvParameterSpec ivParameterSpec = new IvParameterSpec(initVector);

cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);

byte[] cipherData = cipher.doFinal(plainText.getBytes(“UTF-8”));

return Base64.encodeToString(cipherData,Base64.NO_WRAP | Base64.NO_PADDING)

+ “]” + Base64.encodeToString(initVector,Base64.NO_WRAP | Base64.NO_PADDING)

+ “]” + Base64.encodeToString(salt,Base64.NO_WRAP | Base64.NO_PADDING);

}

Page 63: Securing android applications
Page 64: Securing android applications

Obsfuscation

Renames classes, fields and methods using short

names (a,b,c,..)

Page 65: Securing android applications

Obsfuscation in android projects Proguard

Integrated in SDK

http://developer.android.com/tools/help/proguard.html

Enable Proguard in eclipse

proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-

project.txt

Page 66: Securing android applications

Obsfuscation in android projects Enable Proguard in android STUDIO

In build.gradle

android {

buildTypes {

release {

runProguard true

proguardFile getDefaultProguardFile('proguard-android.txt') ,

'proguard-rules.pro'

}

}

Page 67: Securing android applications

Proguard.config -optimizationpasses 5

-dontusemixedcaseclassnames

-dontskipnonpubliclibraryclasses

-dontpreverify

-verbose

-optimizations !code/simplification/arithmetic,!field/*,!class/merging/*

-keep public class * extends android.app.Activity

-keep public class * extends android.app.Application

-keep public class * extends android.app.Service

-keep public class * extends android.content.BroadcastReceiver

-keep public class * extends android.content.ContentProvider

-keep public class * extends android.app.backup.BackupAgentHelper

-keep public class * extends android.preference.Preference

-keep public class com.android.vending.licensing.ILicensingService

-keepclasseswithmembernames class * {

native <methods>;

}

-keepclasseswithmembernames class * {

public <init>(android.content.Context, android.util.AttributeSet);

}

-keepclasseswithmembernames class * {

public <init>(android.content.Context, android.util.AttributeSet, int);

}

-keepclassmembers enum * {

public static **[] values();

public static ** valueOf(java.lang.String);

}

-keep class * implements android.os.Parcelable {

public static final android.os.Parcelable$Creator *;

}

Page 68: Securing android applications

Proguard tool http://proguard.sourceforge.net

Page 69: Securing android applications
Page 70: Securing android applications
Page 71: Securing android applications

Reverse Engineering Android Application

Page 72: Securing android applications

Rename Android app (.apk) to .zip

Extract zip

Run dex2jar on the extracted file

Open the .jar in a java decompiler

Reverse Engineering Android Application

Page 73: Securing android applications

Apk Tool

Reverses .apk file to an android project

$ apktool d target.apk output_directory

Page 74: Securing android applications

Apk Tool

Page 75: Securing android applications

Java vs Smali

Reverses .apk file to an android project

Learning smali through dalvik codes

http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

Page 76: Securing android applications

Dex2jar http://code.google.com/p/dex2jar

Converts Android’s Dalvik executables into Java jar files.

$ unzip target.apk

$ d2jdex2jar.sh classes.dex -o target.jar

Page 77: Securing android applications

Dex2jar

activity_main.xml

Page 78: Securing android applications

Java Decompiler

http://java.decompiler.free.fr

Page 79: Securing android applications

Dex to Java Decompiler https://github.com/skylot/jadx

Decompile directly form apk or dex

Page 80: Securing android applications
Page 81: Securing android applications

Android Application Vulnerability Scanner

java –jar ScanAndroidApps.jar

Page 82: Securing android applications

Virtuous Ten Studio

http://virtuous-ten-studio.com/

Only for windows

Page 83: Securing android applications

Virtuous Ten Studio

Page 84: Securing android applications

Virtuous Ten Studio

Page 85: Securing android applications

Apk Analyser

https://github.com/maaaaz/androwarn

https://github.com/sonyxperiadev/ApkAnalyser

https://github.com/honeynet/apkinspector

https://code.google.com/p/droidbox

Page 86: Securing android applications

Apk Analyser http://developer.sonymobile.com/knowledge-base/tools/analyse-your-apks-with-apkanalyser/

java -jar ApkAnalyser.jar

Page 87: Securing android applications

Androwarn

python androwarn.py -i my_apk.apk -r html -v 3

Page 88: Securing android applications

DroidBox python apimonitor.py my_apk.apk

Page 89: Securing android applications
Page 90: Securing android applications
Page 91: Securing android applications

Dexter online

https://dexter.bluebox.com

Page 92: Securing android applications

Dexter online

Page 93: Securing android applications

TraceDroid

http://tracedroid.few.vu.nl

Records the behavior of the executed app, such as its network communication, the

UI, but also its internal function calls and Java code that is executed.

Emulates a few actions, such as user interaction, incoming calls and SMS

messages, etc. - this will reveal most malicious intents of an app.

Page 94: Securing android applications

Pentesting

Virtual Machine with tools for Reverse Engineering

https://redmine.honeynet.org/projects/are/wiki

https://appsec-labs.com/AppUse

Hacking distro dedicated to Mobile forensics and Security

Page 95: Securing android applications

https://github.com/viaforensics/android-forensics

http://andriller.com/

Forensics analisys

Page 96: Securing android applications

Intent Snifer —Sees Activity’s startup Intents

—android.permission.GET_TASKS: Recent tasks Intents

ActivityManager am = (ActivityManager)

getSystemService(ACTIVITY_SERVICE);

List<RecentTaskInfo> rti =

am.getRecentTasks(1000,ActivityManager.RECENT_WITH_EXCLUDED);

for (RecentTaskInfo c : rti) {

log.append("received: " + rti.toString() + "\n");

}

Page 97: Securing android applications
Page 98: Securing android applications

Books

Page 99: Securing android applications

References http://code.google.com/p/dex2jar/

https://code.google.com/p/android-apktool

https://code.google.com/p/androguard/wiki/Installation

http://ashishb.net/security/android-security-related-tools

http://androidcracking.blogspot.com.es

http://developer.android.com/guide/topics/security/permissions.html

http://source.android.com/devices/tech/security/#android-

application-security

http://siis.cse.psu.edu/android_sec_tutorial.html

Page 100: Securing android applications