SydMobNet March 2016: Matthew Robbins - Android M Security Policies

Network Security In Android M

@matthewrdev | matthew.ch.robbins@gmail.com | 0431 197 349 | mfractor.com

Hi, I’m Matt➔Making stuff with Xamarin since ‘13

➔ Like hanging out on big cliffs

➔ The mobile guy at

➔ Passionate about improving our trades tooling!◆ Ask me about MFractor later :)

Background➔Why is this important?

◆ Post Assange, Post Snowden

◆ Users expect security

◆ Users expect privacy

◆ It’s trendy!

Security in Android M➔ Implements 3 mechanisms

◆ ‘usesClearTextTraffic’ within manifest

◆ NetworkSecurityPolicy

◆ StrictMode

➔ These are only available in API 23 and higher

UsesClearTextTraffic➔Manifest option to flag support of clear text traffic

➔ Exposed via NetworkSecurityPolicy

➔What it looks like:

Network Security Policy➔ Singleton class containing apps traffic policy

➔Does not enforce policy!

◆ Merely exposes it.

➔ Expects application components to adhere to it.

◆ But is opt-in!

➔ That honour usesClearTextTraffic

◆ DownloadManager

◆ MediaPlayer

◆ SocketHandler

◆ Java.* or Android.* HTTP, FTP, WebSockets, XMPP, IMAP, SMTP network components

◆ Some third party libraries

● OkHttp

● ModernHttpClient

➔ That dishonour usesClearTextTraffic:

◆ Android.WebKit.WebView

◆ Java.* or Android.* UDP and TCP connections.

◆ Any related low-level network stacks.

◆ All managed networking components

Components

Honours usesClearTextTraffic

Dishonours usesClearTextTraffic

Honours usesClearTextTraffic

Enforcing Secure Traffic➔ Check for apps clear text configuration:

➔Use StrictMode!

StrictMode➔ Exposes ability to monitor for clear-text traffic

➔Detect and log:

➔Detect and crash:

Detecting Insecure Traffic➔ So, how do they do it?

◆ StrictMode.DetectClearText() registers firewall rule

● Within the apps user-space.

◆ Firewall watches for outgoing TLS packets

◆ Flags non-conforming packets

◆ Notifies app process of violation.

◆ Logs or crashes

StrictMode - TLS Header

StrictMode Implementation➔Uses ‘iptables’ to register firewall rules

➔ Logs outgoing packets that violate rules.

➔ StrictController.cpp:

StrictMode - Limitations➔Only detects TLS wrapped traffic.

➔Unknown behaviour for TCP or UDP connections.

◆ Gut feeling is they will cause a violation

➔ Should only be used in debug builds.

Demo Time

Implications➔ For app developers:

◆ Be aware of new security policies.

● Don’t necessarily need to use it.

◆ Be aware of non-cleartext compliant libraries:

● Nugets

● Xamarin Components

● Etc etc etc

◆ If in doubt, turn on StrictMode

➔ For component developers:

◆ Play nice and make libraries cleartext compliant:

● By avoiding vanilla .NET web components

● Or checking for the apps security policy

● Or use ModernHttpClient for web requests

Summary➔ Cleartext traffic is under the microscope

◆ Google -> Network Security Policy

◆ Apple -> App Transport Security

➔ Be aware of new policies

◆ Android N will only enforce them more

➔ Try to comply with the policies

◆ Using compliant libraries like ModernHttpClient

◆ Checking the NetworkSecurityPolicy

➔ Be aware 3rd party libraries may not conform

Resources➔Demo Source Code

➔NetworkSecurityPolicy API Reference

➔Network Security Policy for Android apps

SydMobNet March 2016: Matthew Robbins - Android M Security Policies

Mobile

Robbins Chapter15

Designing CAPS markers using SGN CAPS Designer Matthew Robbins and Heather Merk The Ohio State University, OARDC

Winter 10 Cindy Robbins About Tom Robbins Speech #1

SydMobNet September 2014: ReactiveUI, Genymotion, Xamarin.UITest and Xamarin Test Cloud

Robbins Chapter02

Liana Taylor, Matthew Hiller, Cynthia Robbins, … · CJ-DATS is funded by NIDA in collaboration with SAMHSA and BJA Liana Taylor, Matthew Hiller, Cynthia Robbins, Wayne Welsh, Gary

Robbins ob14

Robbins Chapter10

Baskin robbins

Neurologic Emergencies September 4, 2009 Matthew Robbins, MD Assistant Professor of Neurology Montefiore Headache Center Albert Einstein College of Medicine

Daniel Rivera Inc. and Rivera & Associates (A/K/A ... · 16. Daniel Rivera and Matthew Rivera founded Robbins Lane in March 2008. 17. Shortly after founding Robbins Lane, Matthew

Nicollette Robbins Craig Bell Nicollette Robbins Craig Bell

Vol III-R File 05 - muskogeecount · PDF fileRuby Carlene, Muskogee, Sep 12, 1982, 1-1; 2-1; sep 13, llbert Warren, Muskogee, Nov 4, ... ROBBINS, ROBBINS , ROBBINS, ROBBINS, ROBBINS,

Robbins Cap2

Dale A Robbins · Dale A Robbins

Sydney Mobile .Net Developers Group Mar 2014 SydMobNet

U.S. District Court DISTRICT OF ARIZONA (Phoenix Division ...securities.stanford.edu/filings-documents/1041/MRX... · Matthew P Montgomery Coughlin Stoia Geller Rudman & Robbins LLP

Robbins Ch03

· PDF filesanyo sf-hd65 (pskf) pionner miyota sin referencia escritura china escritura china daewood, sony jingo robbins jingo robbins robbins robbins drago robbins

#SydMobNet Nov 2014: Evolve 2014 recap