Network Security In Android M
@matthewrdev | [email protected] | 0431 197 349 | mfractor.com
Hi, I’m Matt
➔ Making stuff with Xamarin since ‘13
➔ Like hanging out on big cliffs
➔ The mobile guy at
➔ Passionate about improving our trade's tooling!
◆ Ask me about MFractor later :)
Background
➔ Why is this important?
◆ Post Assange, post Snowden
◆ Users expect security
◆ Users expect privacy
◆ It’s trendy!
Security in Android M
➔ Implements 3 mechanisms:
◆ ‘usesClearTextTraffic’ within the manifest
◆ NetworkSecurityPolicy
◆ StrictMode
➔ These are only available in API 23 and higher
UsesClearTextTraffic
➔ Manifest option to flag support for clear-text traffic
➔ Exposed via NetworkSecurityPolicy
➔ What it looks like:
Network Security Policy
➔ Singleton class containing the app's traffic policy
➔ Does not enforce the policy!
◆ Merely exposes it.
➔ Expects application components to adhere to it.
◆ But adherence is opt-in!
Components
➔ That honour usesClearTextTraffic:
◆ DownloadManager
◆ MediaPlayer
◆ SocketHandler
◆ Java.* or Android.* HTTP, FTP, WebSockets, XMPP, IMAP, SMTP network components
◆ Some third-party libraries
● OkHttp
● ModernHttpClient
➔ That dishonour usesClearTextTraffic:
◆ Android.WebKit.WebView
◆ Java.* or Android.* UDP and TCP connections.
◆ Any related low-level network stacks.
◆ All managed (.NET) networking components
Honours usesClearTextTraffic
Dishonours usesClearTextTraffic
Honours usesClearTextTraffic
Enforcing Secure Traffic
➔ Check for the app's clear-text configuration:
➔ Use StrictMode!
StrictMode
➔ Exposes the ability to monitor for clear-text traffic
➔ Detect and log:
➔ Detect and crash:
Detecting Insecure Traffic
➔ So, how do they do it?
◆ StrictMode.DetectClearText() registers a firewall rule
● Within the app's user-space.
◆ The firewall watches for outgoing TLS packets
◆ Flags non-conforming packets
◆ Notifies the app process of the violation.
◆ Logs or crashes
StrictMode - TLS Header
StrictMode Implementation
➔ Uses ‘iptables’ to register firewall rules
➔ Logs outgoing packets that violate the rules.
➔ StrictController.cpp:
StrictMode - Limitations
➔ Only detects TLS-wrapped traffic.
➔ Unknown behaviour for TCP or UDP connections.
◆ Gut feeling is they will cause a violation
➔ Should only be used in debug builds.
Implications
➔ For app developers:
◆ Be aware of the new security policies.
● You don't necessarily need to use them.
◆ Be aware of libraries that are not cleartext-compliant:
● NuGets
● Xamarin Components
● Etc.
◆ If in doubt, turn on StrictMode
➔ For component developers:
◆ Play nice and make libraries cleartext-compliant:
● By avoiding vanilla .NET web components
● Or by checking the app's security policy
● Or by using ModernHttpClient for web requests
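As an added example (not the deck's demo code), here is a Xamarin.Android helper that does both things the deck recommends: a debug-only StrictMode VM policy that detects cleartext network traffic (log or crash), and a component-side check of NetworkSecurityPolicy before a managed HttpClient sends a plain-HTTP request. The Android API 23 members are `detectCleartextNetwork()` and `isCleartextTrafficPermitted()`, used here via their Xamarin binding names; `CleartextGuard` and `GetStringRespectingPolicyAsync` are names chosen for this example, and the manifest attribute is spelled `android:usesCleartextTraffic` in the actual Android manifest schema.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Android.OS;
using Android.Security;
using Android.Util;

// Added example, not from the deck. Assumes the app's AndroidManifest.xml
// sets android:usesCleartextTraffic="false" on the <application> element.
public static class CleartextGuard
{
    const string Tag = "CleartextGuard";

    // Call once from Application.OnCreate() in debug builds only.
    // crashOnViolation=false is the deck's "detect and log",
    // crashOnViolation=true is its "detect and crash".
    public static void EnableStrictModeDetection(bool crashOnViolation)
    {
        if (Build.VERSION.SdkInt < BuildVersionCodes.M)
            return; // detectCleartextNetwork() only exists on API 23+

        var builder = new StrictMode.VmPolicy.Builder()
            .DetectCleartextNetwork()
            .PenaltyLog();
        if (crashOnViolation)
            builder = builder.PenaltyDeath();
        StrictMode.SetVmPolicy(builder.Build());
    }

    // Component-side check: managed .NET networking ignores the manifest flag,
    // so a library has to ask NetworkSecurityPolicy itself (it is opt-in).
    public static bool IsCleartextAllowed()
    {
        if (Build.VERSION.SdkInt < BuildVersionCodes.M)
            return true; // no policy before Android M; cleartext always allowed
        return NetworkSecurityPolicy.Instance.IsCleartextTrafficPermitted;
    }

    // Refuses http:// requests when the app has opted out of cleartext traffic.
    public static async Task<string> GetStringRespectingPolicyAsync(HttpClient client, Uri uri)
    {
        if (uri.Scheme == Uri.UriSchemeHttp && !IsCleartextAllowed())
        {
            Log.Warn(Tag, $"Blocked cleartext request to {uri.Host}");
            throw new InvalidOperationException(
                "Cleartext HTTP is disabled by this app's network security policy.");
        }
        return await client.GetStringAsync(uri);
    }
}
```

With the manifest flag set to false, a call to GetStringRespectingPolicyAsync with an http:// URI throws before any packet leaves the device, while an https:// URI proceeds normally.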
Summary
➔ Cleartext traffic is under the microscope
◆ Google -> Network Security Policy
◆ Apple -> App Transport Security
➔ Be aware of the new policies
◆ Android N will only enforce them more
➔ Try to comply with the policies
◆ By using compliant libraries like ModernHttpClient
◆ By checking the NetworkSecurityPolicy
➔ Be aware that 3rd-party libraries may not conform
Resources
➔ Demo Source Code
➔ NetworkSecurityPolicy API Reference
➔ Network Security Policy for Android apps