
Android Security Basics


ericw




Presentation Transcript


  1. Android Security Basics How to keep your users and apps safe

  2. About Me • Android Developer at ADT

  3. Main Areas We are Covering • Data Transmission Security • Data Storage Security • APK Security

  4. Data Transmission Security • Inter Process/Component Communication • The Android Security Model • Broadcast permissions • Content Provider Permissions • Safe Network usage • SSL/ PKI Overview • SSL pain points • Pinning • Misc. • WebView pitfalls

  5. Android Security Model: Each App is a Linux User

  6. Interprocess communication • Mostly through intents • Also binding, messaging, etc. Image source: http://css.csail.mit.edu/6.858/2012/readings/android.pdf

  7. Permissions • Protection levels • normal • dangerous • signature • signature or system – Not allowed in 3rd party apps • For internal-only components, set exported=false For a more in-depth discussion of permissions read http://www.cs.berkeley.edu/~emc/papers/android_permissions.pdf and http://css.csail.mit.edu/6.858/2012/readings/android.pdf

  8. Example Insecure Broadcast Receiver
  <receiver android:name="YourReceiver">
      <intent-filter>
          <action android:name="com.example.mybroadcast" />
      </intent-filter>
  </receiver>
  Q: Who can send this receiver broadcasts? Any component which declares an <intent-filter> is exported by default (before Android 4.2).

  9. <receiver android:name=".MyListener">
      <intent-filter>
          <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
  </receiver>
  Could this permission be better? Add a permission the sender must hold:
  <receiver android:name=".MyListener" android:permission="android.permission.READ_SMS">

  10. Broadcasters can also put permissions on intents (only receivers holding the permission get the broadcast)
  Intent intent = new Intent();
  intent.setAction(MY_BROADCAST_ACTION);
  sendBroadcast(intent, "android.provider.Telephony.SMS_RECEIVED");

  11. Content Provider
  <provider android:name="com.example.testprovider"
      android:readPermission="android.provider.Telephony.SMS_RECEIVED"
      android:writePermission="android.provider.Telephony.SMS_RECEIVED">
  </provider>
  Warning: before 4.2 all content providers were exported by default!

  12. uri-permissions
  <provider android:name="com.example.testprovider"
      android:authorities="com.example.testprovider"
      android:grantUriPermissions="false">
      <!-- false above: grants are limited to the paths listed here; the pattern needs .* to match /notes/1 -->
      <grant-uri-permission android:pathPattern="/notes/.*" />
  </provider>

  Uri uri = Uri.parse("content://com.example.testprovider/notes/1");
  Intent intent = new Intent();
  intent.setAction(NOTE_ACTION_VIEW); // SET CUSTOM INTENT ACTION
  intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
  intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
  intent.setData(uri);
  startActivity(intent);
  See Jason Wei's http://thinkandroid.wordpress.com/2012/08/07/granting-content-provider-uri-permissions/ for more details

  13. Implicit Intent Attacks Broadcast Eavesdropping Broadcast Denial of Service for ordered broadcasts Activity/Service Hijacking Image source: http://www.eecs.berkeley.edu/~emc/papers/mobi168-chin.pdf

  14. Target Version Gotchas • If a permission has been added since the targetSdkVersion in your Android manifest, Android will automatically apply the new permission request to the app's manifest • You can see permission changes at each release • http://developer.android.com/reference/android/os/Build.VERSION_CODES.html

  15. SSL Image source: http://www.awghost.com/ssl.html

  16. SSL and the Public Key Infrastructure http://software-engineer-tips-and-tricks.blogspot.com/2012/09/what-is-pki.html

  17. SSL Pain points • There are A LOT of trust anchors • They vary by Android version and manufacturer • They occasionally get hacked (TurkTrust) • Internal servers • The download manager doesn't support SSL before ICS; alvinsj has suggested a custom download manager which can handle SSL at https://github.com/alvinsj/android-https-downloadmanager-demo

  18. How to View Trusted CAs per Phone
  • ICS onwards: go to Settings -> Security -> Trusted credentials
  • Before ICS:
    adb pull /system/etc/security/cacerts.bks
    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list
  *OnionKit offers a consistent set of CAs based on Debian but requires adding its library to your app. http://commonsware.com/blog/2013/03/07/ssl-android-onionkit.html

  19. Anti-Pattern! Accept all certificates: SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, or a TrustManager whose checkServerTrusted() always returns without throwing. An Oct. 2012 study found that 8% of the most popular apps on the app store were vulnerable to man-in-the-middle attacks http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf Image: https://www.owasp.org/index.php/Man-in-the-middle_attack

  20. Not Registered with a CA • AFTER ICS: just add your own certificate to the list of trusted CAs • BEFORE ICS: create a dynamic TrustManager • Store the new public certificate in the app • Use the system default TrustManager for most checks • If that check fails, fall back to the custom TrustManager *For more info about the dynamic TrustManager see http://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html or http://commonsware.com/blog/2013/03/04/ssl-android-basics.html or http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https/6378872#6378872 (response by emmby) P.S. Certificates don't have to be expensive. Check out http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm
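  The "dynamic TrustManager" of slide 20 as an added example (not code from the deck): the platform's default CAs are consulted first and a bundled store is tried only when they reject the chain. The BKS resource and its password are assumptions; anything neither store trusts is still rejected, which is what separates this from the accept-all anti-pattern of slide 19.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Tries the platform's default CA set first; only if that rejects the chain does it
// consult a small bundled trust store holding your own certificate. A chain that
// neither store trusts is still rejected, unlike the "accept all" anti-pattern.
public final class FallbackTrustManager implements X509TrustManager {
    private final X509TrustManager systemTm;
    private final X509TrustManager localTm;

    // localStore: an assumed BKS keystore (e.g. in res/raw) containing only your
    // server or private-CA certificate; password is whatever you created it with.
    public FallbackTrustManager(InputStream localStore, char[] password) throws Exception {
        systemTm = firstX509(null);                // null KeyStore = platform default CAs
        KeyStore ks = KeyStore.getInstance("BKS"); // the keystore type Android ships
        ks.load(localStore, password);
        localTm = firstX509(ks);
    }

    private static X509TrustManager firstX509(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            systemTm.checkServerTrusted(chain, authType);
        } catch (CertificateException notSystemTrusted) {
            // Fall back; this still throws if the bundled store rejects the chain too.
            localTm.checkServerTrusted(chain, authType);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        systemTm.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return systemTm.getAcceptedIssuers(); }
}
```

  Install it with SSLContext.getInstance("TLS"), ctx.init(null, new TrustManager[] { tm }, null) and HttpsURLConnection.setSSLSocketFactory(ctx.getSocketFactory()). Hostname verification is unaffected, so do not pair this with ALLOW_ALL_HOSTNAME_VERIFIER.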

  21. KitKat SSL improvements • SSL CA certificate warnings • Android certificate pinning for Google certs http://www.xda-developers.com/android/android-4-4-security-enhancements/

  22. WebView Pitfalls • If you are using WebViews, try to setJavaScriptEnabled(false) • Be careful with addJavascriptInterface() • If you are sending sensitive information, clearCache() afterwards to delete local files • You can also do this server-side with no-cache headers

  23. Storing DATA • Public data areas • Database security • Encryption

  24. Do you Have To Store it?

  25. Public Data areas • All Logs • Any files MODE_WORLD_* • Data on SD cards If you must store large amounts of data in public storage consider encrypting it. Facebook has a new fast encryption library that might be worth looking at http://facebook.github.io/conceal/

  26. SQL Injection Attacks http://xkcd.com/327/

  27. SQL Injection Example

  28. If you must use a RAW Query • Be sure to sanitize your inputs! • Quotes are not the only problem. • Clever attacks using spaces • comments • Strange ASCII characters • Things we haven't thought of yet • Use a list of allowed characters rather than disallowed characters if possible. • http://ha.ckers.org/sqlinjection/
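  Slides 26 to 28 in code, as an added example that is not from the deck: the same lookup against a hypothetical users(id, name) table, first with the string spliced into the SQL (the bug), then with bind parameters, and finally an allow-list for the one place bind parameters cannot help, identifiers such as the ORDER BY column.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// The same lookup against a hypothetical "users(id, name)" table written three ways.
public final class UserLookup {
    private final SQLiteDatabase db;

    public UserLookup(SQLiteDatabase db) { this.db = db; }

    // VULNERABLE: the caller's string is spliced into the SQL text, so a quote in it
    // ends the literal and whatever follows (comments, extra conditions) is parsed as SQL.
    public Cursor findByNameUnsafe(String name) {
        return db.rawQuery("SELECT id, name FROM users WHERE name = '" + name + "'", null);
    }

    // SAFE: '?' is a bind parameter. The value never passes through the SQL parser,
    // so quotes, "--", "/*", odd bytes and "things we haven't thought of yet" are inert.
    public Cursor findByNameSafe(String name) {
        return db.rawQuery("SELECT id, name FROM users WHERE name = ?", new String[] { name });
    }

    // Same thing through query(); selectionArgs are bound exactly like rawQuery's.
    public Cursor findByNameQuery(String name) {
        return db.query("users", new String[] { "id", "name" }, "name = ?",
                new String[] { name }, null, null, null);
    }

    // Identifiers (column names, ORDER BY, table names) cannot be bound, so this is where
    // the slide's advice applies: allow-list what is permitted instead of deny-listing characters.
    private static final Set<String> SORTABLE = new HashSet<>(Arrays.asList("id", "name"));

    public Cursor listSortedBy(String column) {
        if (!SORTABLE.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return db.query("users", new String[] { "id", "name" }, null, null, null, null, column + " ASC");
    }
}
```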

  29. Store hashes not passwords http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
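  What "store hashes, not passwords" looks like in practice, as an added example (not the deck's code): salted, iterated PBKDF2 through the JCA that ships on Android, with a compare that takes the same time whether the first or the last byte differs. The iteration count and salt length are chosen here as examples, not taken from the slide.

```java
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Salted, iterated PBKDF2 (available on Android through the JCA) instead of a plain
// hash: a per-user random salt defeats precomputed tables and the iteration count slows
// brute force. Store salt + iterations + hash; never the password.
public final class PasswordHash {
    private static final int ITERATIONS = 10000;   // example value; raise as devices get faster
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    private PasswordHash() {}

    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);         // see slide 30 for the 4.1-4.3 PRNG caveat
        return salt;
    }

    public static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                   // don't leave the password lying around in memory
        }
    }

    // Compares every byte regardless of where the first mismatch is, so response time
    // does not reveal how much of the stored hash a guess has right.
    public static boolean verify(char[] password, byte[] salt, byte[] stored) throws Exception {
        byte[] candidate = hash(password, salt);
        int diff = candidate.length ^ stored.length;
        for (int i = 0; i < candidate.length && i < stored.length; i++) {
            diff |= candidate[i] ^ stored[i];
        }
        return diff == 0;
    }
}
```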

  30. Encryption Gotchas • Before Jelly Bean 4.2 • secureRandom.setSeed(b) replaces, not supplements, the existing seed • So it produced a deterministic number • In Jelly Bean 4.1-4.3 • SecureRandom isn't guaranteed to give you a random number unless you implement the fix in "Some SecureRandom Thoughts" To read more see http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html and http://blog.k3170makan.com/2013/08/more-details-on-android-jca-prng-flaw.html

  31. Keystore • See Code

  32. APK Security • Application Signing • How does signing work? • Master Key Exploit • Tamper detection • Decompiling • How an APK gets built / What's in an APK? • Demo of decompiling an APK • ProGuard • What is still visible even after obfuscation?

  33. App signing • The purpose of certificates in Android is to distinguish application authors • Android won't allow an application to be upgraded unless the new version is signed with the same certificate (i.e. the same key) • Android allows applications that are signed with the same certificate to run in the same process Never put your private key in the source code!

  34. See Code Detect Non-Playstore Installation

  35. Other Tamper Detection • Is the application in debug mode?
  (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0
  • Is the app running on the emulator?
  boolean isEmulator = Build.FINGERPRINT.contains("generic");
  or
  boolean isEmulator = "goldfish".equals(Build.HARDWARE);
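  Slides 34 and 35 gathered into one helper, as an added example and not the "see code" the deck refers to: the Play Store installer check, the debuggable flag and the two emulator heuristics, each returned as a boolean so the caller decides how to react. The Play Store package name is the well-known com.android.vending.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;

// Collects the checks from slides 34 and 35 in one place. Each returns a boolean so the
// caller can decide what to do (log to the server, degrade features) rather than crashing.
public final class TamperChecks {
    private static final String PLAY_STORE = "com.android.vending";

    private TamperChecks() {}

    // Slide 34: was this package installed by the Play Store? Returns false (installer is
    // null) for a sideloaded APK, e.g. one pushed during development with "adb install".
    public static boolean installedFromPlayStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE.equals(installer);
    }

    // Slide 35: a release build should never carry FLAG_DEBUGGABLE.
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // Slide 35: the stock emulator reports a "generic" fingerprint and "goldfish" hardware.
    public static boolean isEmulator() {
        return Build.FINGERPRINT.contains("generic") || "goldfish".equals(Build.HARDWARE);
    }

    // Any one hit is a signal worth recording; treat the combination as advisory only.
    public static boolean looksTampered(Context ctx) {
        return !installedFromPlayStore(ctx) || isDebuggable(ctx) || isEmulator();
    }
}
```

  All of these read values the device owner ultimately controls, so they catch accidents and casual tampering rather than a determined attacker; use them as signals (for example, logged server-side), not as a security boundary. getInstallerPackageName is deprecated from API 30, where getInstallSourceInfo replaces it.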

  36. Other Resources • Android Developers blog on LVL: old but interesting http://android-developers.blogspot.com/2010/09/securing-android-lvl-applications.html • Android Licensing tutorial: • http://stackoverflow.com/questions/18324963/are-there-any-good-android-licensing-tutorials

  37. Decompiling

  38. Image source: http://developer.android.com/tools/building/index.html

  39. Inside the .dex binary / Inside the .apk Image source: http://developer.android.com/tools/building/index.html *Are you curious about why Android uses .dex files and the Dalvik virtual machine? Check out http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf How about further decompiling dex files? Check out https://code.google.com/p/smali/wiki/

  40. For Fun: Master Key Exploit • Want to see if you are vulnerable? Check out the Bluebox Security Scanner on the app store. • Additional details on exactly how the Master Key vulnerability works • http://vrt-blog.snort.org/2013/08/bytecode-covering-android.html

  41. Decompiling Demo

  42. What is ProGuard? • Shrinking • Obfuscation • Preverification *Fun random fact: you can run Scala on Android by using ProGuard to remove the unneeded library classes http://www.gamlor.info/wordpress/2011/10/running-scala-on-android/

  43. Enabling ProGuard in Eclipse • In project.properties • Uncomment • #proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt *For versions past 17 the documentation on Android Developers is slightly misleading: you can ignore the warning when it comes to ProGuard; the default ProGuard config file will be proguard-project.txt instead of proguard.cfg

  44. Enabling ProGuard in Android Studio • In build.gradle:
  android {
      buildTypes {
          release {
              runProguard true
              proguardFile getDefaultProguardFile('proguard-android.txt')
          }
      }
  }
  For more detailed descriptions see http://tools.android.com/tech-docs/new-build-system/user-guide#TOC-Running-ProGuard and http://stackoverflow.com/questions/20885725/how-to-use-the-proguard-in-android-studio

  45. Troubleshooting ProGuard • What if I get a file not found error after running ProGuard? • Add -keep public class <MyClass> to your ProGuard config file. • How do I read stack traces from my production app? • Use the retrace tool: retrace.sh mapping.txt [<stacktrace_file>] • Remember to keep the mapping.txt file for each build *It is possible to reuse mapping files with -applymapping filename, but this has pros and cons; see http://proguard.sourceforge.net/index.html

  46. Things ProGuard Does Not Do • String encryption • Class encryption • Hide Android API calls • Tamper detection • DexGuard is a paid product by the makers of ProGuard that can help with some of these, but it can be pricey. • http://www.saikoa.com/dexguard • DashO is also an option

  47. Extra Stuff

  48. Check out Current known Vulnerabilities http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html

  49. Additional Resources • Android Security Cookbook • There is a 50% off coupon at http://www.packtpub.com/article/knowing-sql-injection-attacks-securing-android-applications • Learning Pentesting for Android Devices • Android Application Security Essentials • Android Explorations blog by Nikolay Elenkov • http://nelenkov.blogspot.ie/ • Open Web Application Security Project • https://www.owasp.org/ • SELinux • https://www.ibm.com/developerworks/library/l-selinux/

  50. Thank you. Questions?
