the android security jungle
play

The Android security jungle: pitfalls, threats and survival tips - PowerPoint PPT Presentation

Apr 21, 2023 •434 likes •888 views

The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab The Jungle Ecosystem Googles protection Threats Risks Survival Network Data protection (encryption) App/device

  1. The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab

  2. The Jungle • Ecosystem • Google’s protection • Threats • Risks

  3. Survival • Network • Data protection (encryption) • App/device integrity • App binary security • Testing

  4. Scott Alexander-Bown • Lead Android Dev (remote) at Intohand • Co-Author - Android Security Cookbook • Co-Founder of SWmobile

  5. 1.4 Billion users

  6. OpenSignals.com

  8. Security Services • Google Play Approval process (human approval since 2015) • Developer security notifications • Android Bouncer • • Android device manager (Device security) • Safety net (intrusion detection) • Android at Work

  9. Slide Adrian Ludwig’s - Android Security State of the Union

  10. Newer version of Android are more secure 1.5 stack buffer, integer overflow protection 2.3+ null pointer dereference mitigation, NX 4.0+ ASLR 4.1+ ASLR strengthened 4.3 Security-Enhanced Linux 5.0 Security-Enhanced Linux - enforcing Updatabled Webview (via playstore)

  11. Threats

  12. Threats: App Hijacking • Taking an app and adding malware • Concerns • Reversing Android apps is easy • No need for certificate authority • Sideload

  13. “I ain’t got time to (heart)bleed”

  16. OWASP • Mobile Security Project • iOS and Android • Top 10 risks • attack vectors • threat agents • impacts

  17. OWASP top 10 risks • M1: Weak Server Side • M6: Broken Cryptography Controls • M7: Client Side Injection • M2: Insecure Data Storage • M8: Security Decisions Via • M3: Insufficient Transport Untrusted Inputs Layer Protection • M9: Improper Session Handling • M4: Unintended Data Leakage • M10: Lack of Binary Protections • M5: Poor Authorization and Authentication

  18. Survival kit

  19. Survival tips 1. Harden the network communications 2. Protect stored data (encryption) 3. Validate the device and app integrity 4. Increase binary security

  20. Network communications • Use SSL / TLS! • Use the platform SSL/TLS validation (i.e don’t disable it!) • Use only strong cipher suites (128bit+) and TLS versions (TLS v1.2) • OkHttp 2.1 - https://publicobject.com/2014/11/12/okhttp-2-1/

  21. Looks like you’re not using SSL pinning? • Devices ship with 100+ Certificate Authorities (CA) and users can install their own • Pinning limits the trusted root CA’s • Two types • Certificate pinning • Public Key pinning

  22. Public key pinning

  23. Patch against SSL exploits • Google Play Services provides a dynamic security provider • ProviderInstaller.installIfNeeded(getContext()); • https://developer.android.com/training/articles/security-gms- provider.html#patching

  24. Tips

  25. Code in a slide :’( Password based encryption

  26. Encryption libraries • Conceal • https://facebook.github.io/conceal • SQL cipher https://www.zetetic.net/sqlcipher/sqlcipher-for-android/ • Secure-Preferences (or Hawk) • https://github.com/scottyab/secure-preferences

  27. Hardcoded encryption key

  28. Verifying App integrity • Debuggable check • Apk Checksum • Signing certificate verification

  29. Signing Certificate Verification Build-time Runtime 3. Get the Signature from the 1. Get you certificate signature PackageManager $keytool -list -v -keystore your_app.keystore 4. Hash the Signature 2. Embed in app 5. Compare the signature hashes strings String CERTIFICATE_SHA1 = “71920AC9486E087DCBCF5C7F6F…”;

  30. Verifying device integrity • Emulator check • https://github.com/strazzere/a nti-emulator • Google SafteyNet test • https://github.com/scottyab/sa fetynethelper

  31. root@android:/ # • Root apps / Dangerous apps • Suspect system properties • SU/BusyBox binaries • RW /system • https://github.com/scottyab/rootbeer

  32. Obfuscation

  33. ProGuard • Java code obfuscator • Part of the Android SDK • Free as in Beer! • ReTrace - Supported by Error handling services such as Crashlytics

  34. DexGuard • Commercial version of ProGuard • Designed for Android and protection • Useful security utils - SSL Pinning, Root check, logging removal etc • My favourite features • String Encryption • API hiding

  36. Quick Android Review Kit (Quak) • Python script • Works with .apk or source code • Automated tests • weaknesses • exploits • Creates exploit .apks • https://github.com/linkedin/qark

  38. Click here for more! • 42+ Secure mobile development tips http://bit.ly/viafor42 • OWASP Mobile security risks http://bit.ly/owaspmobile • Android security cookbook [book] http://bit.ly/MscEFu • Android security internals [book] http://bit.ly/andsecint • Droidsec (whitepapers) droidsec.org/wiki

  41. Thanks • @gotocph • @intohand • 20th Century Fox • Android security team

  42. Questions? dev@scottyab.com @scottyab github.com/scottyab Please Remember to rate this session Thank you

  45. WebView • Before • getSettings().setJavaScriptEnabled(false) • getSettings().setAllowFileAccess(false) • During • WebViewClient.shouldOverrideUrlLoading() • enforce local content or Https • Whitelisted hosts/urls • .shouldInterceptRequest() to intercept XmlHttpRequests • After • webview.clearCache(true)

Recommend

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and Jan-Christoph K uster Background, what Android is Developed by Android Inc. (acquired by Google in 2005) Open Handset Alliance (founded in 2007)

161 views • 15 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides
management scenario jungle Nicola Suter Workplace Engineer itnetX (Switzerland) AG Blog

management scenario jungle Nicola Suter Workplace Engineer itnetX (Switzerland) AG Blog

A safari through the Intune device management scenario jungle Nicola Suter Workplace Engineer itnetX (Switzerland) AG Blog tech.nicolonsky.ch Twitter @nicolonsky Content Intune basics MAM Android Enterprise iOS / macOS

554 views • 34 slides
CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Android Security Table of Contents Android

562 views • 15 slides
Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity It used to be that phones had so little connectivity to devices other than the phone network that security wasn't a huge deal Phone number

660 views • 15 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
What is Jungle Beat? Remember when kids were kids and

What is Jungle Beat? Remember when kids were kids and

What is Jungle Beat? Remember when kids were kids and playing meant grass burns, bare feet and muddy faces? Jungle Beat is a fun,

722 views • 39 slides
Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy cornerstones Need to

582 views • 37 slides
Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth

Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth

Finding your way through the QEMU parameter jungle 2018-02-04 Thomas Huth <thuth@redhat.com> Legal Disclaimer: Opinions are my own and not necessarily the views of my employer Jungle Leaves background license: CC BY 3.0 US

492 views • 28 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June 14, 2018 Mobile OSes rapidly expanding their device range and user base. Android: 2 billion monthly active users but

403 views • 15 slides
Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Multi-Persona Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile devices have multiple uses - - the device needs to reflect that. 2 Android Builders 2014 Security Use Case Personal Phone

874 views • 55 slides
Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com Agenda Android Security Model

725 views • 47 slides
Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices Presented by Michael Harris [MS, CISSP, WAPT] Systems Security Analyst University of Missouri Overview What data needs to be protected, what

407 views • 18 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="net.cserna.bence.colorguess

201 views • 3 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda Intel OTC Security SQE Agenda File format fuzzing in Android Fuzzing the Stagefright media framework Fuzzing the Android application

614 views • 40 slides
the Android Ecosystem Yury Zhauniarovich Advisor: Bruno Crispo University of Trento Agenda

the Android Ecosystem Yury Zhauniarovich Advisor: Bruno Crispo University of Trento Agenda

Improving the Security of the Android Ecosystem Yury Zhauniarovich Advisor: Bruno Crispo University of Trento Agenda Introduction Providing Software and Data Isolation on Android Enabling Attestation Service for the Android

575 views • 41 slides
Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android which gives us the liberty to perform heavy tasks in the background and keep the UI thread light thus making the application more responsive. Basic

240 views • 5 slides
Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the permission model working? Are users making good decisions? Most Popular Android App Demo App abusing permissions Demo explained Permissions:

819 views • 43 slides
Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE resund Security Day, 2019 The early morning opening slide... There are two types of crypto talks... 1. We present a third preimage attack on

435 views • 21 slides

More recommend