Security in Android Applications / Александр Смирнов (RedMadRobot)

SECURITYIN ANDROID APPLICATION

31/05/2016ALEXANDER SMIRNOV

- 3+ years Android dev- 6+ years commercial dev- 1 year bank app dev- Addicted to info security since 2007- DC7499 member

WhoAmI

Why?

- Android Security Model- Reality- Vulnerabilities- One more sentence- Appendix

Agenda

Security

• I •

Android Security Model

Application Isolation- isolate CPU, RAM, devices, files in

private directory


private directory

- every app run in own process


private directory


- every app has own UserID and GroupID


private directory


- every app has own UserID and GroupID

- every app run in own instance of Dalvik VM

Application Isolation





- Is the parent of all App processesZygote

App 1

App 2

App 3

Zygote

fork()

fork()

fork()

start newApp


App 1

App 2

App 3

Zygote

fork()

fork()

fork()

start newApp

- COW(Copy On Write) strategy


App 1

App 2

App 3

Zygote

fork()

fork()

fork()

start newApp

- COW(Copy On Write) strategy

- /dev/socket/zygote

- Before M- After M- Custom permissions- Protection level

Permissions

- Protect user dataAndroid Security Overview


- Protect system resources


- Protect system resources

- Provide application isolation

• II •

Android Security ModelReality

Security

Root

Triada

Security

• III•

Vulnerabilities

- Memory CacheData Storage


- Internal Storage


- Internal Storage

- SharedPreference + MODE_PRIVATE + Cipher


- Internal Storage


- DB + SQLCipher


- Internal Storage


- DB + SQLCipher

- 21+ setStorageEncryption


- Internal Storage


- DB + SQLCipher

- 21+ setStorageEncryption

- KeyStore

- MITM Has YouTransport


- Check network – why?



- Diffie–Hellman key exchange



- Diffie–Hellman key exchange

- Certificate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2)

Intent- Use explicit intents


- Validate Input


- Validate Input

- Manifest: intent-filter = exported="true"

2FA: SMS- Secure PUSH


- Mobile application



- SIMApplets



- SIMApplets

- DCV (Dynamic Code Verification)

Insecure Device- Secure persistent datastore


- No immutable (Strings -> char[])



- Notify if root



- Notify if root

- Custom keyboard



- Notify if root

- Custom keyboard

- No EditText

Reverse Protection- Check for debug mode


- Emulator check


- Emulator check

- Verify sign


- Emulator check

- Verify sign

- Obfuscation

- JNI


- Emulator check

- Verify sign

- Obfuscation

Security

• IV •

One more sentence

One more sentence- Convenience vs Security


- Socialization & Tools



- Layered Security



- Layered Security

- Better than others

- OWASP TOP 10 Mobile Risks



- Layered Security

- Better than others

Security

• V •

Appendix

- Cyber Risk Report: bit.ly/1MuoIDS- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv- DefCon Groups List: bit.ly/1JQlNgC- Triada Malware: bit.ly/1qvyFqY- Obfuscation tools list: bit.ly/1XiHf6Z- Security Official Docs: bit.ly/1qvw1BK- Diffie–Hellman Video: bit.ly/23jV7Se- Tools for SA and Hacking: bit.ly/1qvxpUM

Additional Information

http://bit.ly/1MuoIDS

http://bit.ly/1FAIJiv

http://bit.ly/1JQlNgC

http://bit.ly/1qvyFqY

http://bit.ly/1XiHf6Z

http://bit.ly/1qvw1BK

http://bit.ly/23jV7Se

http://bit.ly/1qvxpUM

- Android Security Model- Reality- Vulnerabilities- One more sentence

Result

Any Questions, Please?

[email protected] @_smred

mailto:[email protected]?subject=

Engineering

Security in Android Applications / Александр Смирнов (RedMadRobot)