Secure offline storage Steve De Zitter

Android secure offline storage - CC Mobile



Secure offline storage Agenda

▪ Sample-app

▪ Android offline storage possibilities

▪ Android Sandbox model

▪ Some Best practices when using offline storage

▪ Performing back-up on demo app

▪ Secure file storage

▪ Secure database storage

▪ Tamper detection


SAMPLE-APP


Sample application

▪ Sample application

- https://github.com/SteveDZ/OfflineStorage.git


Android offline storage possibilities

▪ Several ways to store data in Android

- SharedPreferences

- Files (Internal and external storage)

- SQLite

- These are not secure!

▪ Back-up

▪ Rooted devices


Android sandbox model

▪ MyApp, UID: 12345

- Preferences

- Internal storage

- Databases

▪ MyOtherApp, UID: 9876

- Preferences

- Internal storage

- Databases


Android sandbox model (Rooted device)

▪ MyApp, UID: 12345

- Preferences

- Internal storage

- Databases

▪ MyOtherApp, UID: 9876

- Preferences

- Internal storage

- Databases

▪ ROOT


Offline storage Best Practices

▪ Avoid it (if possible)

▪ Avoid external storage (outside of sandbox, globally readable)

▪ set android:allowBackup="false"

▪ set android:saveEnabled="false"

▪ MODE_PRIVATE with files


ADB shell

▪ When app is debuggable (default in DEV) or device is rooted

- adb shell

- run-as be.ordina.offlinestorage (Not necessary on rooted device)

- cd /data/data/be.ordina.offlinestorage/

▪ shared_prefs

▪ db

▪ files


Backing up application

Backup extractor -> https://github.com/nelenkov/android-backup-extractor

▪ Command line: adb backup be.ordina.offlinestorage

▪ Unlock the device and confirm backup operation

▪ Command line: java -jar abe-all.jar unpack backup.ab backup.tar

▪ Unpack the tar and check its contents (including the prefs file)


DEMO


Files on internal storage

▪ Internal storage mode MODE_PRIVATE (MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE deprecated)

▪ Files saved on internal storage in MODE_PRIVATE are private to the application.

▪ FILE CONTENT IS NOT SECURE! -> After a back-up, these files are also perfectly readable


Safe file storage

▪ Encryption of files!

▪ See fragment.EncryptedInternalStorageFragment class for implementation details


CODE + DEMO


SQLite

▪ Relational database

▪ Saved on internal storage automatically

▪ can be pulled or backed up with adb

▪ sqlitebrowser: (http://sqlitebrowser.org)

▪ SQLite3 command line interface: https://www.sqlite.org/download.html

▪ NOT SAFE


DEMO


SQLCipher

▪ Symmetrically encrypted SQLite database (AES-256)

▪ Drop-in replacement for regular SQLite

▪ SQLCipher for Android: https://www.zetetic.net/sqlcipher/sqlcipher-for-android/

▪ Installation instructions IntelliJ: https://discuss.zetetic.net/t/android-studio-integration/65


SQLCipher Command Line Interface

▪ Download SQLCipher command line interface: https://github.com/sqlcipher/sqlcipher

▪ Build sqlcipher command line tool: http://stackoverflow.com/questions/25132477/how-to-decrypt-an-encrypted-sqlcipher-database-file-on-command-line

▪ Run sqlcipher command line interface:


SQLCipher design

How does SQLCipher actually work?

▪ https://www.zetetic.net/sqlcipher/design/


CODE + DEMO


Hiding the key

▪ Ask each time

▪ In the code

▪ In the NDK

▪ Android KeyStore (Apple Keychain equivalent)

▪ Server-side


Ask each time

▪ At startup, always ask for the user's password.

▪ This password can be used to decrypt the database.


In the code

▪ Generate a device specific key (See fragment.DeviceSpecificKeyFragment.java)

▪ As we saw earlier, this can be reverse engineered and used to recreate the device specific key (Not very safe…)


In the NDK

▪ Install the NDK: https://developer.android.com/tools/sdk/ndk/index.html

▪ Documentation: <ndk>/docs/Programmers_Guide/html/index.html

- Samples/hello-jni: Example Java Native Interface

- Building/ndk-build: How to build your native C files

- Building/Android.mk: Android .mk file describing the C library


In the NDK

▪ Android studio

- Create folder app/jni

▪ Create Android.mk, Application.mk, <your-module>.c

- Create folder src/main/jniLibs

- Compile C module:

▪ cd into the <project-path>/app directory

▪ <ndk-path>/ndk-build


Decompile jar with .so modules

▪ http://reverseengineering.stackexchange.com/questions/4624/how-do-i-reverse-engineer-so-files-found-in-android-apks

▪ online disassembler: http://onlinedisassembler.com/odaweb/


CODE + DEMO


Android KeyStore (as of 4.3)

▪ Android hardware backed KeyStore

▪ Standard Java JCA (Java Cryptography Architecture) API but ‘AndroidKeyStore’ as provider

▪ http://developer.android.com/training/articles/keystore.html

▪ http://nelenkov.blogspot.be/2013/08/credential-storage-enhancements-android-43.html


Server side decryption

▪ Communication over HTTPS (of course…)

▪ Send bytes or Strings that need to be decrypted to server

▪ Server decrypts and sends unencrypted data back.

Advantages:

▪ Key information doesn’t leave the server (more secure)

Disadvantages:

▪ Application needs to be connected to internet to function correctly.

▪ More server round-trips to perform the encryption and decryption of data.


Tamper Detection

▪ Check if app is installed through play store

▪ Check if app is debuggable

▪ Check if app is running on emulator

▪ Check if device is rooted


Installed through play store


Check if app is debuggable


Check if your app is running on an emulator


Check if device is rooted

▪ Check for typical rooted binaries

- /sbin/, /system/bin/, /system/xbin/, /data/local/xbin/, /data/local/bin/, /system/sd/xbin/, /system/bin/failsafe/, /data/local/, /system/app/

▪ Check for rooted run command: su

▪ See RootDetectionUtils.java in the sample project


Sources

▪ Bulletproof Android. Practical advice for building secure apps (ISBN: 978-0-13-399332-5)

▪ https://www.parleys.com/tutorial/android-application-security

▪ http://nelenkov.blogspot.be/2013/08/credential-storage-enhancements-android-43.html

▪ http://developer.android.com/training/articles/keystore.html

▪ http://nelenkov.blogspot.be/


QUESTIONS???