The Android security jungle:

pitfalls, threats and survival tips Scott Alexander-Bown

@scottyab

The Jungle

• Ecosystem

• Google’s protection

• Threats

• Risks

• Network

• Data protection (encryption)

• App/device integrity

• App binary security

• Testing

Survival

• Lead Android Dev (remote) at Intohand

• Co-Author - Android Security Cookbook

• Co-Founder of SWmobile

Scott Alexander-Bown

1.4 Billion users

OpenSignals.com

Security Services • Google Play

• Approval process (human approval since 2015)

• Developer security notifications

• Android Bouncer

• Android device manager (Device security)

• Safety net (intrusion detection)

• Android at Work

Slide Adrian Ludwig’s - Android Security State of the Union

Newer version of Android are more secure

1.5 stack buffer, integer overflow protection

2.3+ null pointer dereference mitigation, NX

4.0+ ASLR

4.1+ ASLR strengthened

4.3 Security-Enhanced Linux

5.0 Security-Enhanced Linux - enforcing

Updatabled Webview (via playstore)

Threats

Threats: App Hijacking

• Taking an app and adding malware

• Concerns

• Reversing Android apps is easy

• No need for certificate authority

• Sideload

“I ain’t got time to (heart)bleed”

OWASP • Mobile Security Project

• iOS and Android

• Top 10 risks

• attack vectors

• threat agents

• impacts

OWASP top 10 risks • M1: Weak Server Side

Controls

• M2: Insecure Data Storage

• M3: Insufficient Transport

Layer Protection

• M4: Unintended Data Leakage

• M5: Poor Authorization and

Authentication

• M6: Broken Cryptography

• M7: Client Side Injection

• M8: Security Decisions Via

Untrusted Inputs

• M9: Improper Session Handling

• M10: Lack of Binary Protections

Survival

kit

Survival tips

1. Harden the network communications

2. Protect stored data (encryption)

3. Validate the device and app integrity

4. Increase binary security

Network communications

• Use SSL / TLS!

• Use the platform SSL/TLS validation (i.e don’t disable it!)

• Use only strong cipher suites (128bit+) and TLS versions (TLS v1.2)

• OkHttp 2.1 - https://publicobject.com/2014/11/12/okhttp-2-1/

Looks like you’re not using SSL pinning?

• Devices ship with 100+ Certificate Authorities (CA) and

users can install their own

• Pinning limits the trusted root CA’s

• Two types

• Certificate pinning

• Public Key pinning

Public key

pinning

Patch against SSL exploits

• Google Play Services provides a dynamic security provider

• ProviderInstaller.installIfNeeded(getContext());

• https://developer.android.com/training/articles/security-gms-

provider.html#patching

Tips

Password based encryption

Code in a slide :’(

Encryption libraries

• Conceal

• https://facebook.github.io/conceal

• SQL cipher

https://www.zetetic.net/sqlcipher/sqlcipher-for-android/

• Secure-Preferences (or Hawk)

• https://github.com/scottyab/secure-preferences

Hardcoded encryption key

Verifying App integrity

• Debuggable check

• Apk Checksum

• Signing certificate verification

Signing Certificate Verification

Build-time Runtime

1. Get you certificate signature

$keytool -list -v -keystore

your_app.keystore

2. Embed in app

String CERTIFICATE_SHA1 =

“71920AC9486E087DCBCF5C7F6F…”;

3. Get the Signature from the

PackageManager

4. Hash the Signature

5. Compare the signature hashes

strings

Verifying device integrity

• Emulator check

• https://github.com/strazzere/a

nti-emulator

• Google SafteyNet test

• https://github.com/scottyab/sa

fetynethelper

root@android:/ #

• Root apps / Dangerous apps

• Suspect system properties

• SU/BusyBox binaries

• RW /system

• https://github.com/scottyab/rootbeer

Obfuscation

ProGuard

• Java code obfuscator

• Part of the Android SDK

• Free as in Beer!

• ReTrace - Supported by Error handling services such as Crashlytics

DexGuard • Commercial version of ProGuard

• Designed for Android and protection

• Useful security utils - SSL Pinning, Root check, logging removal etc

• My favourite features

• String Encryption

• API hiding

Quick Android Review Kit (Quak) • Python script

• Works with .apk or source code

• Automated tests

• weaknesses

• exploits

• Creates exploit .apks

• https://github.com/linkedin/qark

Click here for more! • 42+ Secure mobile development tips

http://bit.ly/viafor42

• OWASP Mobile security risks

http://bit.ly/owaspmobile

• Android security cookbook [book]

http://bit.ly/MscEFu

• Android security internals [book]

http://bit.ly/andsecint

• Droidsec (whitepapers)

droidsec.org/wiki

• @gotocph

• @intohand

• 20th Century Fox

• Android security team

Thanks

Questions?

dev@scottyab.com

@scottyab

github.com/scottyab Please

Remember to

rate this session

Thank you

WebView • Before

• getSettings().setJavaScriptEnabled(false)

• getSettings().setAllowFileAccess(false)

• During

• WebViewClient.shouldOverrideUrlLoading()

• enforce local content or Https

• Whitelisted hosts/urls

• .shouldInterceptRequest() to intercept XmlHttpRequests

• After

• webview.clearCache(true)