Android N Security Overview - Mobile Security Saturday at Ciklum


Android N Security Overview

Constantine Mars,Sr. Android Developer @ DataArt,GDG Dnipro Co-Organizer

+ConstantineMars@ConstantineMars

Security?!! WTF?!!

What happens if you do security right?


Right. Absolutely nothing

What happens if you do security wrong?

Bad things happen

The first simplest rule of security

Don’t use the same password everywhere

Security tool everyone has

A key

Hardware keys

Presence of user when action happens

Disclaimer: no more security basics

Google I/O 2016 announces

Allo messenger

Android Security Architecture

Google’s focus on Users

8 billion app scans every day

Security Services

Security Features

Permissions

Runtime Permissions (M)

● Request permissions at runtime
● Users grant or deny each permission selectively

Runtime Permissions (M)

● Simplified installation process
● Easier application upgrades
● More understandable for users

Requesting a Permission

Handling Permissions Result
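The two steps above (requesting a permission and handling its result) put together in one Activity, as an added example that is not code from the deck. It assumes compileSdk 23 or higher and the support library; the Activity name, the request code and the toast texts are placeholders chosen for this illustration.

```java
import android.Manifest;
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.provider.MediaStore;
import android.provider.Settings;
import android.support.annotation.NonNull;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;
import android.widget.Toast;

/** Placeholder Activity that needs the camera; CAMERA must also be declared with <uses-permission>. */
public class CameraActivity extends Activity {
    // Arbitrary request code; it only has to match in the result callback.
    private static final int REQUEST_CAMERA = 0x42;
    private static final String PERMISSION = Manifest.permission.CAMERA;

    /** Entry point, e.g. from a "take photo" button. */
    public void onTakePhotoClicked() {
        // Always re-check: the user can revoke the permission in Settings at any time.
        if (ContextCompat.checkSelfPermission(this, PERMISSION) == PackageManager.PERMISSION_GRANTED) {
            openCamera();
            return;
        }
        // "Educate in context": this is true only after the user denied once (without
        // "never ask again"), so it is the moment to say why the camera is needed.
        if (ActivityCompat.shouldShowRequestPermissionRationale(this, PERMISSION)) {
            Toast.makeText(this, "The camera is needed to scan the QR code", Toast.LENGTH_LONG).show();
        }
        ActivityCompat.requestPermissions(this, new String[] {PERMISSION}, REQUEST_CAMERA);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        if (requestCode != REQUEST_CAMERA) {
            super.onRequestPermissionsResult(requestCode, permissions, grantResults);
            return;
        }
        // grantResults is empty when the request was interrupted; treat that as a denial.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            openCamera();
        } else if (!ActivityCompat.shouldShowRequestPermissionRationale(this, PERMISSION)) {
            // Denied and no rationale will be shown any more: the user ticked "never ask again".
            // Further requestPermissions() calls come back DENIED at once, so offer Settings.
            Toast.makeText(this, "Enable Camera for this app in Settings", Toast.LENGTH_LONG).show();
            startActivity(new Intent(Settings.ACTION_APPLICATION_DETAILS_SETTINGS,
                    Uri.fromParts("package", getPackageName(), null)));
        } else {
            // Plain denial: degrade gracefully instead of crashing with a SecurityException.
            Toast.makeText(this, "Photo capture is unavailable without the camera permission",
                    Toast.LENGTH_SHORT).show();
        }
    }

    private void openCamera() {
        // Safe only after PERMISSION_GRANTED: on M+ an app that declares CAMERA in its
        // manifest but does not hold it at runtime gets a SecurityException from this intent.
        startActivity(new Intent(MediaStore.ACTION_IMAGE_CAPTURE));
    }
}
```

The denial branches matter more than the happy path: code that assumes the permission is still granted because it was granted last time is what crashes after the user revokes it from Settings.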

UX Guidelines for Permissions (M)

● Educate in context for secondary permissions
● Educate up-front for critical permissions
● "Yes" in 85% of requests
● 15.8% "no"
● 3% "never ask again"

Keystore

Android Keystore

lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.

The Keystore system is used by the KeyChain API as well as the Android Keystore provider feature that was introduced in Android 4.3 (API level 18).

Android Keystore

Key material may be bound to the secure hardware (e.g., Trusted Execution Environment (TEE), Secure Element (SE)) of the Android device.

Supports a wide range of algorithms

Generating new key pair

Signing data

Verifying data

Key Attestation (N)

Key Attestation gives you more confidence that the keys you use in your app are stored in a device's hardware-backed keystore.

Key attestation allows you to verify that an RSA or EC key pair has been created and stored in a device’s hardware-backed keystore within the device’s trusted execution environment (TEE).

Get Certificate Chain from the KeyStore

Key attestation
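The four Keystore operations listed above (generating a key pair, signing, verifying, and fetching the attestation certificate chain) as one added example; this is illustration code, not code from the slides. It assumes compileSdk 24; the class name and the key alias are placeholders.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;

/** Placeholder class: one signing key pair living in the Android Keystore. */
public final class KeystoreSigner {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    // OID of the Android key attestation extension carried by the leaf certificate.
    public static final String ATTESTATION_EXTENSION_OID = "1.3.6.1.4.1.11129.2.1.17";

    private final String alias;

    public KeystoreSigner(String alias) { this.alias = alias; }

    private static KeyStore openKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null); // the Android Keystore has no file to load
        return ks;
    }

    /**
     * Generates a P-256 key pair. The private key never leaves the Keystore and, on a
     * device with a TEE-backed Keymaster, never leaves the secure hardware.
     * The challenge must come from your server so an attestation cannot be replayed.
     */
    public void generateKeyPair(byte[] serverChallenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, ANDROID_KEYSTORE);
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            spec.setAttestationChallenge(serverChallenge); // Key Attestation, N and later
        }
        kpg.initialize(spec.build());
        kpg.generateKeyPair();
    }

    public byte[] sign(byte[] data) throws Exception {
        PrivateKey priv = (PrivateKey) openKeystore().getKey(alias, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(priv); // the Keystore performs the ECDSA operation; priv.getEncoded() is null
        sig.update(data);
        return sig.sign();
    }

    public boolean verify(byte[] data, byte[] signature) throws Exception {
        PublicKey pub = openKeystore().getCertificate(alias).getPublicKey();
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }

    /**
     * Attestation chain: element 0 is the leaf carrying the attestation extension (the
     * challenge, the key's properties and whether it is hardware-backed); the last
     * element is the Google attestation root. Send the whole chain to the server and
     * verify it there. A check performed on the device proves nothing, because a
     * compromised device can return whatever it likes to its own code.
     */
    public Certificate[] attestationChain() throws Exception {
        Certificate[] chain = openKeystore().getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate chain for alias " + alias);
        }
        return chain;
    }

    /** Local sanity check only (not a security decision): does the leaf carry the extension? */
    public boolean leafHasAttestationExtension() throws Exception {
        X509Certificate leaf = (X509Certificate) attestationChain()[0];
        return leaf.getExtensionValue(ATTESTATION_EXTENSION_OID) != null;
    }
}
```

On the server, verification means: the chain terminates at the Google attestation root, every signature in it checks out, the challenge in the extension equals the one you issued, and the security level recorded in the extension is the trusted environment rather than software. On pre-N devices there is no attestation; the only signal is `KeyInfo.isInsideSecureHardware()` from API 23, which is self-reported by the device and cannot be verified remotely.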

Authentication

Remembering and entering passwords and patterns is a pain

Smart Lock

● Smart Lock’s on-body detection reduces lock screen prompts by 50%

Fingerprint

● Fingerprint increased usage of lockscreen to 90%+ on Nexus devices

Android Pay depends critically on authentication

Stronger authentication

● Tied to app secrets (Keystore)
● Credential verification in hardware (TrustZone)

Fingerprint API (M)


PIN security, Fingerprint and Gatekeeper

Best practices

● Check KeyguardManager.isDeviceSecure() to determine whether the device has a secure lock screen (PIN, pattern or password).

● Use setUserAuthenticationValidityDurationSeconds() during key generation to set how long an authentication stays valid for the key:

Best practices

When generating key - set authentication timeout and on body detection:


If no fingerprint is available, fall back to Gatekeeper via KeyguardManager.createConfirmDeviceCredentialIntent():
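The three best practices above (check for a secure lock screen, generate the key with an authentication timeout, fall back to the system credential prompt) as one added example; illustration code, not the slides' own. It assumes compileSdk 24 and, for the fingerprint check, the USE_FINGERPRINT permission; the class name, alias, timeout and request code are placeholders.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Intent;
import android.hardware.fingerprint.FingerprintManager;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Placeholder helper: an AES key the Keystore refuses to use until the user has authenticated. */
public class AuthBoundCrypto {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "session_token_key"; // placeholder alias
    private static final int AUTH_VALID_SECONDS = 30;            // authentication timeout
    public static final int REQUEST_CONFIRM_CREDENTIAL = 7;      // arbitrary request code

    private final Activity activity;
    private final KeyguardManager keyguard;

    public AuthBoundCrypto(Activity activity) {
        this.activity = activity;
        this.keyguard = activity.getSystemService(KeyguardManager.class);
    }

    /** Best practice 1: an auth-bound key only makes sense if there is a secure lock screen. */
    public boolean deviceIsSecure() {
        return keyguard != null && keyguard.isDeviceSecure();
    }

    /** Whether a fingerprint UI (FingerprintManager + CryptoObject) is an option here. */
    public boolean fingerprintAvailable() {
        FingerprintManager fm = activity.getSystemService(FingerprintManager.class);
        return fm != null && fm.isHardwareDetected() && fm.hasEnrolledFingerprints();
    }

    /** Best practice 2: generate the key with the authentication timeout. */
    public void generateKey() throws Exception {
        if (!deviceIsSecure()) throw new IllegalStateException("set up a lock screen first");
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                // Usable for 30 s after any lock-screen authentication (PIN, pattern, password
                // or fingerprint); Gatekeeper/Keymaster enforce this, not app code, so a hook
                // in the app cannot bypass it. Use -1 to demand a fingerprint per operation.
                .setUserAuthenticationValidityDurationSeconds(AUTH_VALID_SECONDS)
                .build());
        kg.generateKey();
    }

    /**
     * Encrypts with the auth-bound key. Returns IV || ciphertext, or null when the user
     * must authenticate first; in that case the confirm-credential screen has been
     * launched and the caller retries from onActivityResult() on RESULT_OK.
     */
    public byte[] encrypt(byte[] plaintext) throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);   // the Keystore checks the auth timestamp here
        } catch (UserNotAuthenticatedException e) {
            requestCredentialConfirmation();         // Best practice 3: Gatekeeper fallback
            return null;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Lock screen removed, or (for fingerprint-bound keys) a new fingerprint enrolled:
            // the key is gone for good. Re-enrol the user rather than silently regenerating.
            throw new IllegalStateException("auth-bound key invalidated, re-enrol user", e);
        }
        byte[] iv = cipher.getIV();                  // the Keystore picks a fresh random IV
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    private void requestCredentialConfirmation() {
        Intent intent = keyguard.createConfirmDeviceCredentialIntent(
                "Confirm it's you", "Unlock to continue");
        if (intent != null) activity.startActivityForResult(intent, REQUEST_CONFIRM_CREDENTIAL);
    }
}
```

In `onActivityResult()` the Activity calls `encrypt()` again when the request code is `REQUEST_CONFIRM_CREDENTIAL` and the result is `RESULT_OK`. When `fingerprintAvailable()` is true and the key was generated with a validity of -1, the per-operation path is `FingerprintManager.authenticate()` with a `CryptoObject` wrapping the initialised cipher, as in the FingerprintDialog sample linked at the end of the deck.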

Network security

Restrict cleartext HTTP in the Manifest (android:usesCleartextTraffic="false", M)

Network Security Configuration (N)

Domain level rules

Debug-overrides

● Eliminate debugging-related code in your release build
● Avoid writing custom code that removes security for debug and shipping it

When debugging an app that connects over HTTPS you may want to connect to a local development server, which does not have the SSL certificate for your production server. In order to support this without any modification to your app's code you can specify debug-only CAs that are only trusted when android:debuggable is true by using debug-overrides.

Debug-overrides

Trusted CAs

Certificate pinning

And one more thing:

User-installed CAs are no longer trusted by default for apps targeting API 24 and later
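One Network Security Configuration file that covers the points above (cleartext policy, domain-level rules, trusted CAs, pinning, debug-overrides) as an added example, not a file from the slides. It assumes an app targeting API 24; `api.example.com`, `res/raw/debug_ca` and the pin values are placeholders to be replaced with your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (example). Wire it up with
     android:networkSecurityConfig="@xml/network_security_config" on <application>. -->
<network-security-config>

    <!-- Rule for every host not matched by a domain-config below: no cleartext,
         and only the system CA store, which on N already excludes user-installed CAs. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Domain-level rule with certificate pinning. Pins are SHA-256 hashes of the
         SubjectPublicKeyInfo. Always include a backup pin for a key held offline, so a
         certificate rotation cannot lock users out, and set an expiration so a forgotten
         rotation degrades to ordinary CA validation instead of an outage. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2018-01-01">
            <!-- placeholder values: replace with your own SPKI hashes -->
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>

    <!-- Narrow exception: one internal dev host may use plain HTTP. Everything else
         still inherits the base-config above. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">dev.example.internal</domain>
    </domain-config>

    <!-- Honoured only while android:debuggable="true", i.e. in debug builds. A release
         build ignores this block, so no code path has to strip it before shipping. -->
    <debug-overrides>
        <trust-anchors>
            <!-- res/raw/debug_ca (PEM or DER): the CA of the local development server -->
            <certificates src="@raw/debug_ca" />
            <!-- or the CA of the intercepting proxy installed on the test device -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

A pin is computed from the server certificate with `openssl x509 -in server.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl base64`. The configuration file is honoured from API 24 onward only; on Marshmallow the manifest attribute `android:usesCleartextTraffic="false"` still blocks plain HTTP, but pinning there has to be done in code (for example with OkHttp's CertificatePinner).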

Storage Encryption


● Encryption required for all capable devices (M)
● Backed by hardware and TrustZone (N)
● Better UX with Direct Boot (N)

Direct Boot

● Boot directly to the lock screen
● Calls, SMS, TalkBack, alarms work after device reboot before unlock
● Per-user disk encryption

DirectBoot

● Credential encrypted storage, which is the default storage location and only available after the user has unlocked the device.

● Device encrypted storage, which is a storage location available both during Direct Boot mode and after the user has unlocked the device.

directBootAware

Using DirectBoot storage
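A directBootAware receiver that reads device-encrypted storage before the first unlock, plus the one-time migration from credential-encrypted storage, as an added example; it is illustration code, not code from the slides. It assumes compileSdk 24, a manifest entry for the receiver with `android:directBootAware="true"` and an intent filter for LOCKED_BOOT_COMPLETED and BOOT_COMPLETED, and the RECEIVE_BOOT_COMPLETED permission; the class name, preference names and action string are placeholders.

```java
import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Build;
import android.os.UserManager;
import android.util.Log;

/** Placeholder receiver for an alarm-style feature that must work before the user unlocks. */
public class BootReceiver extends BroadcastReceiver {
    private static final String TAG = "BootReceiver";
    private static final String ACTION_FIRE = "com.example.ACTION_ALARM_FIRE"; // placeholder
    private static final String DE_PREFS = "alarms_de";     // device-encrypted (DE) storage
    private static final String CE_PREFS = "alarms";        // legacy credential-encrypted (CE) file
    private static final String KEY_NEXT_ALARM = "next_alarm_epoch_ms";

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (ACTION_FIRE.equals(action)) {
            Log.i(TAG, "alarm fired, user unlocked=" + isUserUnlocked(context));
            return;
        }
        if (!Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)
                && !Intent.ACTION_BOOT_COMPLETED.equals(action)) {
            return;
        }
        // In Direct Boot mode only DE storage is readable; touching CE storage throws.
        long next = deviceProtectedPrefs(context).getLong(KEY_NEXT_ALARM, 0L);
        if (next > System.currentTimeMillis()) {
            scheduleAlarm(context, next);
        }
    }

    /** Preferences that are readable before the user unlocks. */
    static SharedPreferences deviceProtectedPrefs(Context context) {
        Context storage = Build.VERSION.SDK_INT >= Build.VERSION_CODES.N
                ? context.createDeviceProtectedStorageContext()
                : context; // pre-N: there is no CE/DE split, the default storage is all there is
        return storage.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);
    }

    static boolean isUserUnlocked(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) return true;
        UserManager um = context.getSystemService(UserManager.class);
        return um != null && um.isUserUnlocked();
    }

    /** Call after unlock (e.g. from an ACTION_USER_UNLOCKED receiver or the main Activity). */
    static void migrateToDeviceProtectedStorage(Context context) {
        if (!isUserUnlocked(context)) return; // CE data is not available yet
        SharedPreferences ce = context.getSharedPreferences(CE_PREFS, Context.MODE_PRIVATE);
        long next = ce.getLong(KEY_NEXT_ALARM, 0L);
        // Copy only the alarm time. Do not move the whole file: DE storage is protected by
        // the device key alone, so tokens and personal data must stay in CE storage.
        deviceProtectedPrefs(context).edit().putLong(KEY_NEXT_ALARM, next).apply();
    }

    private static void scheduleAlarm(Context context, long whenEpochMs) {
        AlarmManager am = context.getSystemService(AlarmManager.class);
        // Explicit intent back to this receiver: explicit broadcasts reach directBootAware
        // components even while the device is still locked.
        Intent fire = new Intent(context, BootReceiver.class).setAction(ACTION_FIRE);
        PendingIntent pi = PendingIntent.getBroadcast(context, 0, fire,
                PendingIntent.FLAG_UPDATE_CURRENT);
        am.setExactAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, whenEpochMs, pi);
    }
}
```

The design rule is to treat DE storage as a small allow-list of what the device needs before anyone has proven who they are; everything else stays behind the user's credential in CE storage, which is the default and needs no code change.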

Verified Boot


Verified boot guarantees the integrity of the device software starting from a hardware root of trust up to the system partition. During boot, each stage verifies the integrity and authenticity of the next stage before executing it.

This capability can be used to warn users of unexpected changes to the software when they acquire a used device, for example.

SafetyNet


A SafetyNet compatibility check allows your app to check if the device where it is running matches the profile of a device that has passed Android compatibility testing. The compatibility check creates a device profile by gathering information about the device hardware and software characteristics, including the platform build.

SafetyNet attestation request

SafetyNet response
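The attestation request and the handling of its response as an added example; this is not code from the slides and it assumes the GoogleApiClient-based SafetyNet API of the Play Services releases current for Android N (`SafetyNet.SafetyNetApi.attest()`), a connected client built with `SafetyNet.API`, and a nonce issued by your server. The class and listener names are placeholders.

```java
import android.util.Base64;
import com.google.android.gms.common.api.GoogleApiClient;
import com.google.android.gms.common.api.ResultCallback;
import com.google.android.gms.safetynet.SafetyNet;
import com.google.android.gms.safetynet.SafetyNetApi;

/** Placeholder client-side wrapper: it obtains the JWS and hands it to the server, nothing more. */
public class SafetyNetCheck {
    public interface Listener {
        void onAttestation(String jws, byte[] nonce);
        void onFailure(String reason);
    }

    private final GoogleApiClient client; // built with SafetyNet.API and already connected

    public SafetyNetCheck(GoogleApiClient client) { this.client = client; }

    /**
     * The nonce comes from the server, which stores it with the session it belongs to.
     * A client-generated nonce would let a rooted device replay a JWS it captured on a
     * clean one, because the server could not tell which nonce it ought to expect.
     */
    public void attest(final byte[] serverNonce, final Listener listener) {
        if (serverNonce == null || serverNonce.length < 16) {
            listener.onFailure("nonce must be at least 16 bytes");
            return;
        }
        SafetyNet.SafetyNetApi.attest(client, serverNonce).setResultCallback(
                new ResultCallback<SafetyNetApi.AttestationResult>() {
                    @Override
                    public void onResult(SafetyNetApi.AttestationResult result) {
                        if (!result.getStatus().isSuccess()) {
                            // No Play Services, no network, quota exceeded: fail closed on the
                            // server side rather than treating "no answer" as "passed".
                            listener.onFailure("attest failed: " + result.getStatus().getStatusMessage());
                            return;
                        }
                        // A JWS (header.payload.signature) signed by Google; opaque to the app.
                        listener.onAttestation(result.getJwsResult(), serverNonce);
                    }
                });
    }

    /** Body of the request the app posts to the server, which performs all verification. */
    public static String toServerRequest(String jws, byte[] nonce) {
        return "{\"jws\":\"" + jws + "\",\"nonce\":\""
                + Base64.encodeToString(nonce, Base64.NO_WRAP) + "\"}";
    }
}
```

The app never inspects `ctsProfileMatch` itself; any decision taken on the device can be patched out on the very devices the check is meant to catch. The server verifies the JWS signature and that the signing certificate is issued to attest.android.com, then checks that the payload's nonce equals the one it issued, that `timestampMs` is recent, that `apkPackageName` and `apkCertificateDigestSha256` match the release build, and only then looks at `ctsProfileMatch` and `basicIntegrity`.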

Sandboxing


● SELinux
● Seccomp (N)
● Mediaserver hardening
● ASLR randomness
● Library load order randomization
● Integrity monitoring

Mediaserver hardening

What’s outside N security topic?

● Security assessment tools (Santoku, drozer, etc.)
● Eternal secrets of ADB and the Manifest, logs, etc.
● Exploits: sniffing network traffic, attacking services and providers
● SQL injection
● Man-in-the-middle attacks
● Custom permission protection
● ProGuard and DexGuard
● Reverse engineering, DEX, GDB
● Cross-compiling native executables
● Securing SharedPreferences
● SQLCipher
● etc...

Links

● Adrian Ludwig's talk at Google I/O 2016: https://youtu.be/XZzLjllizYs?list=PLOU2XLYxmsILe6_eGvDN3GyiodoV3qNSC
● FingerprintDialog sample: https://github.com/googlesamples/android-FingerprintDialog
● Authentication samples for M: http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html
● Android Application Security Essentials by Pragati Ogal Rai: https://www.packtpub.com/application-development/android-application-security-essentials
● Google Security Blog: https://security.googleblog.com/
● Android Security Bulletins: https://source.android.com/security/bulletin/
● Annual Security Review: https://goo.gl/VpYom1

Security Bulletins

Android Annual Security Review

Thank you :)
