security in android applications / Александр Смирнов (redmadrobot)
TRANSCRIPT
SECURITY IN ANDROID APPLICATIONS
31/05/2016 ALEXANDER SMIRNOV
WhoAmI
- 3+ years Android dev
- 6+ years commercial dev
- 1 year bank app dev
- Addicted to info security since 2007
- DC7499 member
Why?
Agenda
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence
- Appendix
Security
• I •
Android Security Model
Application Isolation
- isolates CPU, RAM, devices, and files in the app's private directory
- every app runs in its own process
- every app has its own UserID and GroupID
- every app runs in its own instance of the runtime (Dalvik VM; ART from Android 5.0)
Zygote
- is the parent of all app processes
- COW (Copy On Write) strategy: forked apps share the preloaded framework pages until they write to them
- /dev/socket/zygote: the socket over which the system asks Zygote to fork() a new app process
[Diagram: Zygote fork()s App 1, App 2, App 3; "start new App" is one more fork()]
Permissions
- Before M: every permission in the manifest is granted at install time
- After M: dangerous permissions are requested from the user at run time and can be revoked
- Custom permissions
- Protection level
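The before/after M split and the custom-permission item, as an added example (this is not code from the talk). The Activity requests a dangerous permission at run time on API 23+ while still behaving on older devices; the Service shows a component exported to other apps but gated by a custom permission with protectionLevel="signature", enforced both in the manifest and inside the Binder call. Class names, the permission name and the request code are assumptions.

```java
// ---- SmsLoginActivity.java ----
import android.Manifest;
import android.app.Activity;
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Build;
import android.os.Bundle;
import android.os.IBinder;
import android.os.Parcel;
import android.os.Process;
import android.os.RemoteException;

/** Runtime permission flow that works on both sides of the M boundary (compileSdkVersion >= 23). */
public class SmsLoginActivity extends Activity {
    private static final int REQ_READ_SMS = 42; // arbitrary request code (assumption)

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (hasReadSms()) {
            readOtpFromSms();
        } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // After M: a "dangerous" permission is granted per group at run time and can be
            // revoked later in Settings, so a manifest entry alone proves nothing.
            requestPermissions(new String[]{Manifest.permission.READ_SMS}, REQ_READ_SMS);
        } else {
            // Before M: everything in the manifest was granted at install; reaching this branch
            // means the permission is not declared at all, so fall back to manual entry.
            showManualOtpEntry();
        }
    }

    private boolean hasReadSms() {
        // Context.checkPermission(perm, pid, uid) exists on every API level; with our own
        // pid/uid it answers "does this app hold the permission right now".
        return checkPermission(Manifest.permission.READ_SMS, Process.myPid(), Process.myUid())
                == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
        if (requestCode != REQ_READ_SMS) return;
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            readOtpFromSms();
        } else {
            // Denied (possibly "never ask again"): degrade gracefully, do not loop on the prompt.
            showManualOtpEntry();
        }
    }

    private void readOtpFromSms()     { /* read the one-time code from the inbox */ }
    private void showManualOtpEntry() { /* let the user type the code instead */ }
}

// ---- InternalSyncService.java ----
/** Exported service that only apps signed with our release key may use (custom permission). */
public class InternalSyncService extends Service {
    // Manifest (assumed names):
    //   <permission android:name="com.example.bank.permission.INTERNAL_SYNC"
    //               android:protectionLevel="signature" />
    //   <service android:name=".InternalSyncService" android:exported="true"
    //            android:permission="com.example.bank.permission.INTERNAL_SYNC" />
    // protectionLevel="signature": the system grants the permission, without any user prompt,
    // only to packages signed with the same certificate as the package that declared it.
    static final String PERM = "com.example.bank.permission.INTERNAL_SYNC";

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Runs inside the client's IPC, so the calling identity is the client's UID.
            // (In onBind() there is no incoming IPC and checkCallingPermission would always fail.)
            // The manifest attribute already gates binding; this catches a dropped attribute.
            enforceCallingPermission(PERM, "caller lacks " + PERM);
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

A signature-level permission is the right protection level for IPC between your own apps; "dangerous" and "normal" levels are for permissions you want third parties to be able to request.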
Android Security Overview
- Protect user data
- Protect system resources
- Provide application isolation
Security
• II •
Reality
Root
Triada
Security
• III •
Vulnerabilities
Data Storage
- Memory cache
- Internal storage
- SharedPreferences + MODE_PRIVATE + Cipher
- DB + SQLCipher
- 21+: full-disk encryption (DevicePolicyManager.setStorageEncryption lets a device-admin app require it)
- KeyStore
Transport
- MITM has you
- Check the network – why?
- Diffie–Hellman key exchange
- Certificate pinning == SSL pinning (okhttp 2.7.4 || 3.1.2)
Intent
- Use explicit intents
- Validate input
- Manifest: a component that declares an <intent-filter> is exported (exported="true") by default; set android:exported="false" unless other apps must reach it
2FA: SMS and its alternatives
- Secure PUSH
- Mobile application
- SIM applets
- DCV (Dynamic Code Verification)
Insecure Device
- Secure persistent datastore
- Nothing immutable: keep secrets in char[], not String
- Notify the user if the device is rooted
- Custom keyboard
- No EditText (PIN entry through an in-app keypad rather than a text field served by the system IME)
Reverse Protection
- Check for debug mode
- Emulator check
- Verify signature
- Obfuscation
- JNI
Security
• IV •
One more sentence
One more sentence
- Convenience vs Security
- Socialization & Tools
- Layered Security
- Better than others
- OWASP Top 10 Mobile Risks
Security
• V •
Appendix
Additional Information
- Cyber Risk Report: bit.ly/1MuoIDS
- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv
- DefCon Groups List: bit.ly/1JQlNgC
- Triada Malware: bit.ly/1qvyFqY
- Obfuscation tools list: bit.ly/1XiHf6Z
- Security Official Docs: bit.ly/1qvw1BK
- Diffie–Hellman Video: bit.ly/23jV7Se
- Tools for SA and Hacking: bit.ly/1qvxpUM
Result
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence