
Security and User Privacy In Android Apps


Description: AnDevCon IV presentation by Carlo Longino (WIP) and Brent Melson (Intertek)


Page 1: Security and User Privacy In Android Apps

www.wipconnector.com @caaarlo #wipjam

Security and User Privacy In Android Apps

Page 2: Security and User Privacy In Android Apps

Agenda
• About the Speakers/Companies
• Why should I care about user privacy?
• Privacy By Design
• Appstore privacy rules
• Regulations you should know about
• How to create a privacy policy
• Common privacy technical issues
• How to test for user data
• Accommodating for user mistakes
• Q&A

Page 3: Security and User Privacy In Android Apps

Slides

Most current slides are up at: http://slideshare.net/carloWIP

Page 4: Security and User Privacy In Android Apps

About the Speakers
• Carlo Longino, Director of Developer Marketing Services, WIP
  – [email protected]
  – @caaarlo
• Brent Melson, Director of Technology and Development, Intertek Testing Services
  – [email protected]

Page 5: Security and User Privacy In Android Apps

About their companies
• WIP – http://www.wipconnector.com
  – WIP connects mobile developers with information, resources and people. Find an event, partner, API or connection through us.
• Intertek – http://www.intertek.com/it
  – Intertek is a leading provider of quality and safety solutions serving a wide range of industries around the world.

Page 6: Security and User Privacy In Android Apps

Remember these?

Page 7: Security and User Privacy In Android Apps

The Long Arm of the Law
• Lots of rules and regulations to be aware of
• Constantly shifting and evolving, so pay attention
• COPPA
  – Restricts collection of personal info from kids under 13
• Financial Services Modernization Act
  – Requires privacy policies from financial institutions
• HIPAA
  – Standards for healthcare information

Page 8: Security and User Privacy In Android Apps

Multiple Jurisdictions, Too
• In the EU
  – Data Protection Directive
  – E-Privacy Directive
• In California
  – CalOPPA
  – AG has started enforcement
  – Requires privacy policy for apps that collect personal info from Californians and make it “reasonably accessible”
  – $2,500 fine per download

Page 9: Security and User Privacy In Android Apps

Working With User Data
• Plan Ahead
  – What data does my app need to function?
  – Am I collecting more than necessary?
• Collecting unneeded data is not a good idea
  – Invites user suspicion
  – Creates unnecessary risk for you
• Limiting data = limiting potential impact of breach
• What do you gain from unnecessary data?

Page 10: Security and User Privacy In Android Apps

Handling Data You Do Collect
• Don’t send data off the device unless it’s necessary
  – More potential user suspicion
  – Another potential breach point
• If you store data locally, make sure it’s encrypted
• Can you use hash values instead?
  – Vs MEID/IMEI or other personal info

Page 11: Security and User Privacy In Android Apps

Watch Out For Data Logging
• It’s 10pm. Do you know what your app is logging?
  – Android logs are a shared resource – so info your app logs can be read by other apps

Page 12: Security and User Privacy In Android Apps

Give Users Choices
• Let your users decide how much data is collected and how it’s shared
• The more sensitive information you collect, the more careful you need to be about giving users information and choices
• Let users opt out of data collection and sharing
  – It’s okay to make them aware of functionality tradeoffs

Page 13: Security and User Privacy In Android Apps

Expectations about the Unexpected
• Are you using any data in an unexpected way?
  – Grabbing contacts without transparency
  – Logging data
  – Publishing data
• Inform users first
• Don’t expect users to have the same expectations as you do

Page 14: Security and User Privacy In Android Apps

Privacy Policies: Required
• Android Market:

4.3 You agree that if you use the Market to distribute Products, you will protect the privacy and legal rights of users. If the users provide you with, or your Product accesses or uses, user names, passwords, or other login information or personal information, you must make the users aware that the information will be available to your Product, and you must provide legally adequate privacy notice and protection for those users. Further, your Product may only use that information for the limited purposes for which the user has given you permission to do so. If your Product stores personal or sensitive information provided by users, it must do so securely and only for as long as it is needed. But if the user has opted into a separate agreement with you that allows you or your Product to store or use personal or sensitive information directly related to your Product (not including other products or applications) then the terms of that separate agreement will govern your use of such information. If the user provides your Product with Google Account information, your Product may only use that information to access the user's Google Account when, and for the limited purposes for which, the user has given you permission to do so.

Page 15: Security and User Privacy In Android Apps

What does all that mean?
• Have a policy, for starters
• Be transparent about data you collect and how you use it
• Stick to your policy, and update it
• Collect only data you need, and get rid of it when you no longer need it
• “Legally adequate”
  – Be aware of where your users and apps are

Page 16: Security and User Privacy In Android Apps

How Do I Make a Privacy Policy?
• Think about your data collection and usage, and what you need to disclose
• Err on the side of caution
• Consult resources:
  – FTC guidance
  – CDT Best Practices
  – Privacy Choice Policy Maker
  – BuildMobile Sample Policies
• Copying is not a good idea, but comparing is

Page 17: Security and User Privacy In Android Apps

Going A Step Beyond
• Minimum requirements are just that
• Make your policy clear and concise
• Don’t hide behind legalese or grammatical sleight of hand

Page 18: Security and User Privacy In Android Apps

Two Key Policy Points
• This isn’t a place to dump all the nasty things you do, just to CYA
  – Total opposite – a place for you to inform and build trust
• Your policy is just a starting point for responsible behavior
  – Remember user choice and notifications

Page 19: Security and User Privacy In Android Apps

Don’t Forget Third-Party Code
• Once it goes in your app, you’re responsible for it
• Advertising, Analytics, anything
• Vet it, understand it, make sure your policy reflects it
• If you don’t understand it, don’t use it
• Your ad libraries have the same permissions as your app

Page 20: Security and User Privacy In Android Apps

Where is data going?
• http://www.privacychoice.org/mobilescaninfo

Page 21: Security and User Privacy In Android Apps

Think of the children
• If your app is for kids, take extreme care
• Tailor your app appropriately
• Ensure parents understand what you’re doing
• Avoid personal information if possible
• Use stricter privacy defaults
• Do you need age verification?

Page 22: Security and User Privacy In Android Apps

Observed issues
• Usernames and Passwords in the clear.
  – Generally debug vs. production problem.
  – Third party API usage
• Tracking user information
  – Location, IMEI, MEID
  – Phone Numbers
• Expired or Self-signed certificates
  – Identify risk

Page 23: Security and User Privacy In Android Apps

Capturing traffic and analysis
• Black box capture tools/scenarios
• Creating a set of filters
  – Usernames, passwords, IMEI/MEID, others?
  – Using services for service blacklists (e.g. websense)
• Integration into regression testing
  – Automation
  – False positives
• Final build validations
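The filter set this slide describes, and the logging and "observed issues" points from the earlier slides, come down to the same test step: run captured text through a small set of patterns and report what should not have been there. The Python below is an added example, not code from the talk or from Intertek. It takes plain text lines (decoded HTTP payloads exported from tcpdump or Wireshark, or `adb logcat` output) and reports hits for usernames, passwords, IMEI/MEID values and phone numbers, redacting the matched value so the test report does not re-leak it; it also lists the hosts contacted and checks them against a blocklist, where a vendor feed such as the Websense service the slide mentions would replace the constructed set. Every sample line, host name and the blocklist are constructed for the example.

```python
"""Added example, not part of the deck: a first-pass user-data filter for
black-box captures, meant to run inside regression tests. Input is text;
output is a list of hits plus the contacted hosts checked against a blocklist.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Patterns as the values appear in form bodies, JSON and log lines.
PATTERNS = {
    "password": re.compile(r'(?i)\b(?:pass(?:word|wd)?|pwd)"?\s*[=:]\s*"?([^&\s"]+)'),
    "username": re.compile(r'(?i)\b(?:user(?:name)?|login|email)"?\s*[=:]\s*"?([^&\s"]+)'),
    "imei": re.compile(r"(?<!\d)(\d{15})(?!\d)"),                        # 15 decimal digits
    "meid": re.compile(r"(?i)(?<![0-9a-f])([0-9a-f]{14})(?![0-9a-f])"),   # 14 hex digits
    # Separators are required so bare digit runs (timestamps, ids) are not flagged;
    # this trades some misses for fewer false positives, which the slide warns about.
    "phone": re.compile(r"(?<!\d)((?:\+1[ .-]?)?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4})(?!\d)"),
}
HOST_RE = re.compile(r"(?im)^Host:\s*([^\s:]+)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    redacted: str   # enough to recognise the hit in a report without re-leaking it


def redact(value: str) -> str:
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_lines(text: str) -> list:
    """One Finding per (line, category, matched value)."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = unquote_plus(raw)   # form bodies and query strings arrive percent-encoded
        for category, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, category, redact(m.group(1))))
    return findings


def hosts_contacted(text: str) -> set:
    """Hosts named in HTTP Host headers of a decoded capture."""
    return {h.lower() for h in HOST_RE.findall(text)}


def blocked_hosts(hosts, blocklist) -> set:
    """Exact or parent-domain match against the blocklist."""
    hits = set()
    for host in hosts:
        labels = host.split(".")
        if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
            hits.add(host)
    return hits


# Constructed samples: one plaintext HTTP exchange and two logcat lines.
SAMPLE_CAPTURE = """\
POST /api/login HTTP/1.1
Host: api.example-app.test
Content-Type: application/x-www-form-urlencoded

username=alice%40example.test&password=hunter2
GET /track?device=490154203237518&phone=%2B1%20415-555-0123 HTTP/1.1
Host: ads.invalid-tracker.test
"""
SAMPLE_LOGCAT = """\
D/LoginActivity( 1234): auth ok user=alice password=hunter2
I/DeviceInfo( 1234): meid=A00000049259B1 reporting
"""
CONSTRUCTED_BLOCKLIST = {"invalid-tracker.test"}

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_CAPTURE) + scan_lines(SAMPLE_LOGCAT):
        print(f)
    print("blocked:", blocked_hosts(hosts_contacted(SAMPLE_CAPTURE), CONSTRUCTED_BLOCKLIST))
```

In a regression suite, a non-empty result from `scan_lines` over a production build's capture or logcat is a failing test; the categories map directly onto the "usernames and passwords in the clear" and "tracking user information" issues the earlier slide lists.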

Page 24: Security and User Privacy In Android Apps

Testing for user data
• Create test cases against your privacy policy, use them.
• Regression testing for bugs
  – Validation that encryption hasn’t been disabled for debug
  – Test Setup
• Validation of your third party libraries
  – IMEI / MEID (Ok? Not Ok?) refer to privacy policy
  – Location, how important is it?
  – Validation of encryption, certificates
• Scanning the filesystem
  – Test cases to verify your encryption
  – Creating a “malware” application to exercise your security
• Sharing information well
  – MODE_WORLD_READABLE, MODE_WORLD_WRITABLE
  – External Storage concerns
  – ContentProvider API and Interprocess Communication (IPC)
  – HTTPS vs. HTTP
  – SMS (Avoid it)
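For the "scanning the filesystem" and MODE_WORLD_READABLE / MODE_WORLD_WRITABLE points, the simplest check is to list the app's private data directory on a test device and look at the permission bits. The Python below is an added example, not from the talk: it parses the output of `adb shell ls -l` run against the app's data directory and reports files that other apps can read or write, plus a helper that flags paths on external storage, which is outside the per-app UID sandbox that protects /data/data. The listing is constructed; the column layout follows the older Android toolbox `ls -l` format and the regex is an assumption to adjust if your device prints something else.

```python
"""Added example, not part of the slides: audit an `adb shell ls -l` listing
of the app's data directory for files shared more widely than intended.
Files created with MODE_WORLD_READABLE / MODE_WORLD_WRITABLE show up with
'r' or 'w' set in the last three characters of the mode column.
"""
import re

# mode owner group [size] date time name   (size is absent for directories)
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\S+\s+\S+\s+(?:\d+\s+)?"
    r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<name>\S+)$"
)

# Assumed mount points; external storage is readable by any app holding the
# external-storage permission, regardless of which app wrote the file.
EXTERNAL_STORAGE_PREFIXES = ("/sdcard/", "/storage/", "/mnt/sdcard/")


def mode_issues(mode: str) -> list:
    """Sharing problems implied by a 10-character mode string such as '-rw-rw-rw-'."""
    issues = []
    others = mode[7:10]          # permission bits for "everyone else"
    if "r" in others:
        issues.append("world-readable")
    if "w" in others:
        issues.append("world-writable")
    return issues


def audit_listing(listing: str) -> dict:
    """Map each regular file in the listing to its list of issues (empty if fine)."""
    report = {}
    for raw in listing.splitlines():
        m = LS_LINE.match(raw.strip())
        if not m:
            continue             # blank lines, totals, or a format this regex does not know
        mode, name = m.group("mode"), m.group("name")
        if mode.startswith("d"):
            continue             # directories: audit their contents with a separate listing
        report[name] = mode_issues(mode)
    return report


def is_external_storage(path: str) -> bool:
    return path.startswith(EXTERNAL_STORAGE_PREFIXES)


# Constructed listing of /data/data/com.example.app (names and sizes invented).
SAMPLE_LISTING = """\
-rw-rw-rw- u0_a123  u0_a123      4096 2013-03-01 10:00 user_prefs.xml
-rw-r--r-- u0_a123  u0_a123       512 2013-03-01 10:00 session.token
-rw------- u0_a123  u0_a123     16384 2013-03-01 10:00 app.db
drwx------ u0_a123  u0_a123           2013-03-01 10:00 cache
"""

if __name__ == "__main__":
    for name, issues in audit_listing(SAMPLE_LISTING).items():
        print(f"{name:16} {', '.join(issues) or 'ok'}")
```

A file that is only group-readable is not flagged, because the app's own UID owns the group; the failing cases are exactly the ones where the test build (or a debug flag left on) chose the WORLD modes.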

Page 25: Security and User Privacy In Android Apps

Third Party Libraries
• Checking the hosts for known malware hosts
• Validation of the source code
  – Reading others’ code = fun
  – How to manage changes in those libraries
• Justification for all permissions necessary.
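The "justification for all permissions" point, together with the earlier warning that ad libraries run with the same permissions as the app, can be turned into a build check. The Python below is an added example, not from the talk: it reads the manifest that ships with the build, lists every `uses-permission`, and reports the ones that have no written justification tied to a privacy-policy section. The manifest text and the justification table are constructed for the example; the permission names are real Android permissions. Check the merged manifest of the built APK rather than the source file, since permissions pulled in by libraries end up there.

```python
"""Added example, not from the deck: flag requested permissions that nobody
has justified against the privacy policy.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for the example.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# One entry per permission the team agreed it needs: the feature that uses it
# and the privacy-policy section that discloses it (constructed values).
JUSTIFICATIONS = {
    "android.permission.INTERNET": "sync with backend; policy section 2",
    "android.permission.ACCESS_FINE_LOCATION": "store locator; policy section 3",
}


def requested_permissions(manifest_xml: str) -> list:
    """Permission names from every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def unjustified_permissions(manifest_xml: str, justifications: dict) -> list:
    """Requested permissions with no justification entry; a non-empty list fails the build."""
    return [p for p in requested_permissions(manifest_xml) if p not in justifications]


if __name__ == "__main__":
    for p in unjustified_permissions(SAMPLE_MANIFEST, JUSTIFICATIONS):
        print("no justification:", p)
```

In the constructed case READ_PHONE_STATE and READ_CONTACTS come back unjustified. READ_PHONE_STATE is what a library needs to read the IMEI, so an unjustified entry here is the concrete form of the "your ad libraries have the same permissions as your app" warning and of the IMEI/MEID tracking the earlier slides flag.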

Page 26: Security and User Privacy In Android Apps

Best Practices / Common Mistakes
• Remove your debug code
• Allow for opt-in/opt-out at any time
• Don’t save private data to public places
• Moving privacy management out of the application (e.g. website) and ramifications
• Keep privacy policy up to date with your application as it changes
• Data retention policies
  – Validating your data retention policy
  – Aligning third-party solutions with your policies

Page 27: Security and User Privacy In Android Apps

Top 10 Privacy Best Practices
1. Build privacy and security planning from the start
2. Limit the data you collect to what’s absolutely necessary
3. Don’t transfer data off the device unless you have to, and use encryption.
4. Delete data that’s no longer needed, and encrypt any that is stored.

Page 28: Security and User Privacy In Android Apps

Top 10 Privacy Best Practices
5. Use hash values instead of raw data.
6. Give your users choices about how much data is collected, stored and shared.
7. Have a solid privacy policy and follow it!
8. Be careful with 3rd party code.
9. Take extra care with kids.

Page 29: Security and User Privacy In Android Apps

Tip Number 10
• Don’t forget the obvious!
  – Don’t send passwords in the clear
  – Encrypt data in transit
  – Follow laws, rules and regulations

Page 30: Security and User Privacy In Android Apps

Resources
• https://developer.android.com/training/articles/security-tips.html (the value and understanding of this document cannot be overstated)
• http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm263280.htm (your application is a device)
• http://www.wireshark.org
• http://www.tcpdump.org (tcpdump and libpcap) (invaluable for black box testing/manual packet inspection)
• http://sourceforge.net/projects/jpcap/ or Net::Pcap for Perl (for packet inspection automation)
• FTC guidance on app privacy policies - http://business.ftc.gov/documents/bus81-marketing-your-mobile-app
• CDT Best Practices - https://www.cdt.org/files/pdfs/Best-Practices-Mobile-App-Developers.pdf
• Privacy Choice Policy Maker - http://www.privacychoice.org/policymaker
• BuildMobile Sample Policies - http://buildmobile.com/5-critical-contracts-for-mobile-app-developers/