AnDevCon IV presentation by Carlo Longino (WIP) and Brent Melson (Intertek)
www.wipconnector.com  @caaarlo  #wipjam
Security and User Privacy In Android Apps
Agenda
• About the Speakers/Companies
• Why should I care about user privacy?
• Privacy By Design
• Appstore privacy rules
• Regulations you should know about
• How to create a privacy policy
• Common privacy technical issues
• How to test for user data
• Accommodating for user mistakes
• Q&A
About the Speakers
• Carlo Longino, Director of Developer Marketing Services, WIP
  – [email protected]
  – @caaarlo
• Brent Melson, Director of Technology and Development, Intertek Testing Services
  – [email protected]
About their companies
• WIP – http://www.wipconnector.com
  – WIP connects mobile developers with information, resources and people. Find an event, partner, API or connection through us.
• Intertek – http://www.intertek.com/it
  – Intertek is a leading provider of quality and safety solutions serving a wide range of industries around the world.
Remember these?
The Long Arm of the Law
• Lots of rules and regulations to be aware of
• Constantly shifting and evolving, so pay attention
• COPPA
  – Restricts collection of personal info from kids under 13
• Financial Services Modernization Act
  – Requires privacy policies from financial institutions
• HIPAA
  – Standards for healthcare information
Multiple Jurisdictions, Too
• In the EU
  – Data Protection Directive
  – E-Privacy Directive
• In California
  – CalOPPA
  – AG has started enforcement
  – Requires privacy policy for apps that collect personal info from Californians and make it “reasonably accessible”
  – $2,500 fine per download
Working With User Data
• Plan Ahead
  – What data does my app need to function?
  – Am I collecting more than necessary?
• Collecting unneeded data is not a good idea
  – Invites user suspicion
  – Creates unnecessary risk for you
• Limiting data = limiting potential impact of breach
• What do you gain from unnecessary data?
Handling Data You Do Collect
• Don’t send data off the device unless it’s necessary
  – More potential user suspicion
  – Another potential breach point
• If you store data locally, make sure it’s encrypted
• Can you use hash values instead?
  – Vs MEID/IMEI or other personal info
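The “hash values instead of raw identifiers” point deserves one caveat: an unkeyed SHA-256 of a 15-digit IMEI is easy to reverse by hashing every candidate value, so a keyed hash (or no hardware identifier at all) is what actually protects the user. The following is an added Python example, not code from the presentation; the IMEI, the key and the function names are constructed for illustration, and in a real app the key would be kept on the backend or in protected storage rather than in source.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: a textbook-format IMEI (not a real device) and a
# placeholder key. Never hard-code the real key like this.
SAMPLE_IMEI = "490154203237518"
SAMPLE_KEY = b"example-key-do-not-use"


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a hardware identifier.

    A plain hash of an IMEI can be reversed by enumerating all 15-digit
    values, so a secret key is mixed in: without the key the token still lets
    the backend link records to each other, but not back to the device.
    """
    return hmac.new(key, identifier.encode("ascii"), hashlib.sha256).hexdigest()


def new_install_id() -> str:
    """Random per-install identifier, generated on first run and stored by
    the app. Needs no hardware identifier at all and resets on reinstall,
    which is the better choice whenever the app only needs to tell installs
    apart."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("token:", pseudonymize(SAMPLE_IMEI, SAMPLE_KEY))
    print("install id:", new_install_id())
```

A test case against the privacy policy can then assert that an outbound payload contains the token and never the raw identifier, and that two different keys (for example, two different backends) produce unlinkable tokens for the same device.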
Watch Out For Data Logging
• It’s 10pm. Do you know what your app is logging?
  – Android logs are a shared resource – so info your app logs can be read by other apps
Give Users Choices
• Let your users decide how much data is collected and how it’s shared
• The more sensitive information you collect, the more careful you need to be about giving users information and choices
• Let users opt out of data collection and sharing
  – It’s okay to make them aware of functionality tradeoffs
Expectations about the Unexpected
• Are you using any data in an unexpected way?
  – Grabbing contacts without transparency
  – Logging data
  – Publishing data
• Inform users first
• Don’t expect users to have the same expectations as you do
Privacy Policies: Required
• Android Market:
4.3 You agree that if you use the Market to distribute Products, you will protect the privacy and legal rights of users. If the users provide you with, or your Product accesses or uses, user names, passwords, or other login information or personal information, you must make the users aware that the information will be available to your Product, and you must provide legally adequate privacy notice and protection for those users. Further, your Product may only use that information for the limited purposes for which the user has given you permission to do so. If your Product stores personal or sensitive information provided by users, it must do so securely and only for as long as it is needed. But if the user has opted into a separate agreement with you that allows you or your Product to store or use personal or sensitive information directly related to your Product (not including other products or applications) then the terms of that separate agreement will govern your use of such information. If the user provides your Product with Google Account information, your Product may only use that information to access the user's Google Account when, and for the limited purposes for which, the user has given you permission to do so.
What does all that mean?
• Have a policy, for starters
• Be transparent about data you collect and how you use it
• Stick to your policy, and update it
• Collect only data you need, and get rid of it when you no longer need it
• “Legally adequate”
  – Be aware of where your users and apps are
How Do I Make a Privacy Policy?
• Think about your data collection and usage, and what you need to disclose
• Err on the side of caution
• Consult resources:
  – FTC guidance
  – CDT Best Practices
  – Privacy Choice Policy Maker
  – BuildMobile Sample Policies
• Copying is not a good idea, but comparing is
Going A Step Beyond
• Minimum requirements are just that
• Make your policy clear and concise
• Don’t hide behind legalese or grammatical sleight of hand
Two Key Policy Points
• This isn’t a place to dump all the nasty things you do, just to CYA
  – Total opposite – a place for you to inform and build trust
• Your policy is just a starting point for responsible behavior
  – Remember user choice and notifications
Don’t Forget Third-Party Code
• Once it goes in your app, you’re responsible for it
• Advertising, Analytics, anything
• Vet it, understand it, make sure your policy reflects it
• If you don’t understand it, don’t use it
• Your ad libraries have the same permissions as your app
Where is data going?
• http://www.privacychoice.org/mobilescaninfo
Think of the children
• If your app is for kids, take extreme care
• Tailor your app appropriately
• Ensure parents understand what you’re doing
• Avoid personal information if possible
• Use stricter privacy defaults
• Do you need age verification?
Observed issues
• Usernames and Passwords in the clear.
  – Generally debug vs. production problem.
  – Third party API usage
• Tracking user information
  – Location, IMEI, MEID
  – Phone Numbers
• Expired or Self-signed certificates
  – Identify risk
Capturing traffic and analysis
• Black box capture tools/scenarios
• Creating a set of filters
  – Usernames, passwords, IMEI/MEID, others?
  – Using services for service blacklists (e.g. Websense)
• Integration into regression testing
  – Automation
  – False positives
• Final build validations
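The filter set described above, and the logging concern from the “Watch Out For Data Logging” slide, come down to the same check: run a list of patterns over every captured line (decrypted HTTP from tcpdump/Wireshark, or logcat output) and report hits, while keeping false positives down so the check can live in regression testing. This is an added Python example, not code from the presentation; the sample lines are constructed (no real accounts or devices), and the pattern names and `Finding` type are my own. The IMEI filter applies the Luhn check digit so that a 15-digit byte counter or timestamp is not reported as a device identifier.

```python
import re
from dataclasses import dataclass

# Constructed sample capture: plaintext HTTP request lines and logcat lines as
# a black-box test run might collect them.
SAMPLE_LINES = [
    "POST /login HTTP/1.1 user=alice&password=hunter2",
    "GET /track?imei=490154203237518&lat=37.42 HTTP/1.1",
    "D/NetStats: bytes_sent=490154203237511",  # 15 digits, but not an IMEI
    "I/Login: token refreshed ok",
    "V/Ads: device=alice@example.com phone=+14155550123",
]


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


# Filter set. Where a pattern has group 1, that group is the sensitive value.
PATTERNS = {
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd)=([^&\s]+)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+\d{10,15}\b"),
    "imei": re.compile(r"(?<!\d)\d{15}(?!\d)"),
}


def luhn_ok(digits: str) -> bool:
    """IMEI check digit (Luhn). Drops 15-digit counters and timestamps that
    would otherwise be false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _value(m):
    return m.group(1) if m.lastindex else m.group(0)


def scan_lines(lines):
    """Run every filter over every line; return findings in line order."""
    findings = []
    for n, line in enumerate(lines):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = _value(m)
                if kind == "imei" and not luhn_ok(value):
                    continue
                findings.append(Finding(n, kind, value))
    return findings


def redact(line: str) -> str:
    """Mask sensitive values so a capture can be attached to a bug report."""
    for kind, pat in PATTERNS.items():
        def mask(m, kind=kind):
            value = _value(m)
            if kind == "imei" and not luhn_ok(value):
                return m.group(0)
            return m.group(0).replace(value, "<" + kind + ">")
        line = pat.sub(mask, line)
    return line


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} -> {redact(SAMPLE_LINES[f.line_no])}")
```

In a regression suite, any finding from the `credential` or `imei` filter on a release build should fail the build outright; `email` and `phone` hits are compared against what the privacy policy says the app is allowed to send, and anything that turns out to be expected is added to an allowlist rather than by loosening the patterns.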
Testing for user data
• Create test cases against your privacy policy, use them.
• Regression testing for bugs
  – Validation that encryption hasn’t been disabled for debug
  – Test Setup
• Validation of your third party libraries
  – IMEI / MEID (Ok? Not Ok?) refer to privacy policy
  – Location, how important is it?
  – Validation of encryption, certificates
• Scanning the filesystem
  – Test cases to verify your encryption
  – Creating a “malware” application to exercise your security
• Sharing information well
  – MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE
  – External Storage concerns
  – ContentProvider API and Interprocess Communication (IPC)
  – HTTPS vs. HTTP
  – SMS (Avoid it)
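Files an app opens with MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE end up with the Unix “other” read or write bits set in the app’s private directory, which is exactly what the filesystem scan above should catch. The following is an added Python model of that scan, not code from the presentation: it assumes the app data directory has been copied from a test device (or is being walked by a script on the device) with mode bits intact, and it builds a constructed stand-in tree in a temporary directory so that it runs offline.

```python
import os
import stat
import tempfile


def world_accessible(path):
    """Return the set of problems for one file: 'world-readable' and/or
    'world-writable', based on the 'other' permission bits."""
    mode = os.stat(path).st_mode
    problems = set()
    if mode & stat.S_IROTH:
        problems.add("world-readable")
    if mode & stat.S_IWOTH:
        problems.add("world-writable")
    return problems


def scan_app_data(root):
    """Walk an app's private data directory and map each offending file
    (relative path) to its sorted list of problems."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            problems = world_accessible(path)
            if problems:
                findings[os.path.relpath(path, root)] = sorted(problems)
    return findings


def build_sample_tree():
    """Constructed stand-in for /data/data/<package>/ on a test device.
    The modes mirror what private, world-readable and world-writable
    files look like; the contents are placeholder text."""
    root = tempfile.mkdtemp(prefix="appdata_")
    layout = {
        "shared_prefs/session.xml": 0o600,  # private: correct
        "files/cache.db": 0o644,            # readable by every other app
        "files/upload.tmp": 0o666,          # readable and writable by all
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, problems in scan_app_data(sample_root).items():
        print(rel, ", ".join(problems))
```

The same walk is the natural place to hook the “verify your encryption” test cases: for each file the policy says holds user data, open it and assert that the plaintext markers (usernames, tokens, the sample IMEI used in the test account) are absent, which is how a debug build that silently disabled encryption gets caught before release.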
Third Party Libraries
• Checking the hosts for known malware hosts
• Validation of the source code
  – Reading others’ code = fun
  – How to manage changes in those libraries
• Justification for all permissions necessary.
Best Practices / Common Mistakes
• Remove your debug code
• Allow for opt-in/opt-out at any time
• Don’t save private data to public places
• Moving privacy management out of the application (e.g. website) and ramifications
• Keep privacy policy up to date with your application as it changes
• Data retention policies
  – Validating your data retention policy
  – Aligning third-party solutions with your policies
Top 10 Privacy Best Practices
1. Build privacy and security planning from the start
2. Limit the data you collect to what’s absolutely necessary
3. Don’t transfer data off the device unless you have to; and use encryption.
4. Delete data that’s no longer needed, and encrypt any that is stored.
5. Use hash values instead of raw data.
6. Give your users choices about how much data is collected, stored and shared.
7. Have a solid privacy policy and follow it!
8. Be careful with 3rd party code.
9. Take extra care with kids.
Tip Number 10
• Don’t forget the obvious!
  – Don’t send passwords in the clear
  – Encrypt data in transit
  – Follow laws, rules and regulations
Resources
• https://developer.android.com/training/articles/security-tips.html (the value and understanding of this document cannot be overstated)
• http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm263280.htm (your application is a device)
• http://www.wireshark.org
• http://www.tcpdump.org (tcpdump and libpcap) (invaluable for black box testing/manual packet inspection)
• http://sourceforge.net/projects/jpcap/ or Net::Pcap for Perl (for packet inspection automation)
• FTC guidance on app privacy policies - http://business.ftc.gov/documents/bus81-marketing-your-mobile-app
• CDT Best Practices - https://www.cdt.org/files/pdfs/Best-Practices-Mobile-App-Developers.pdf
• Privacy Choice Policy Maker - http://www.privacychoice.org/policymaker
• BuildMobile Sample Policies - http://buildmobile.com/5-critical-contracts-for-mobile-app-developers/