Upload
ayoma-wijethunga
View
215
Download
3
Embed Size (px)
Citation preview
Android ApplicationSecurityfrom Consumer and
Developer Perspectives
http://www.meetup.com/Colombo-White-Hat-Security
https://www.facebook.com/colombowhitehat
https://twitter.com/ColomboWhiteHat
Ayoma Wijethunga WSO2, Platform Security Team
[ayomawdb]
Ayoma Wijethunga
api android arduino automation building developing
discusses diy electronics engineering iot jaggery java kali linux modular osgi prusa reprap
security software ublox web wireshark wso2o WSO2, Platform Security Team.o Get in touch
o Email : [email protected] LinkedIn : https://lk.linkedin.com/in/ayoma o Blog : http://ayomaonline.com o Twitter / Facebook / Github / Hangout : ayomawdb
Agenda
● Statistics
● Developer Perspective
○ OWASP Mobile Top 10
○ Additional Security Best Practices
● Consumer Perspective
○ Android Malware (Demo and code walkthrough)
■ AndroRAT - Android Remote Administration Tool
■ Android Chat - Custom made RAT demo
○ Prevention and Detection Options
OWASP Mobile Top 10
M1: Weak Server Side Controls (Relates to OWASP Top 10)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Con
side
ring
RE
ST
AP
I bas
ed S
erve
r Sid
e
OWASP Mobile Top 10 (Cntd.)
M2: Insecure Data Storage
Storage Options:
● Shared Preferences● Internal Storage● External Storage● SQLite Databases● Network Connection
Encrypt sensitive data before storing
Encryption keys should not be hardcoded (KeyStore, ‘FireAndForget’ key)
Shared preferences should not be MODE_WORLD_READABLE/WRITABLE (deprecated in API level 17)
Transport Layer Protection
OWASP Mobile Top 10 (Cntd.)M3: Insufficient Transport Layer Protection
General transport layer protection practices
● SSL/TLS (TLS 1.2 prefered) with strong cipher suite & appropriate key lengths
● Certificates issued by trusted CA provider● SSL chain verification / Hostname verification● Always alert user if any validation goes wrong
When possible, do application level encryption before sending data over transport layer (avoid future transport layer vulnerabilities)
M4: Unintended Data Leakage
● Keyboard Caching / Suggestions ○ For non-password informtion : android:inputType="textNoSuggestions"○ For passwords : andorid:inputType="password"
● Analytics Data● Logs (!)
OWASP Mobile Top 10 (Cntd.)
M5: Poor Authorization and Authentication
● Never persistent credentials locally● Avoid spoofable values during authentication (MAC/IMEI)● Ensure authorization controls cannot be bypassed● Token based authentication with backend APIs (OAuth 2)
○ Google “Dulanja API Security”
● Discourage use of 4 digit or all digit pass-codes
M6: Broken Cryptography
M7: Client Side Injection
SQL Injection (SQL Lite), XSS, File Inclusion
OWASP Mobile Top 10 (Cntd.)
M8: Security Decisions Via Untrusted Inputs
Intents
PackageManager.getLaunchIntentForPackage(-)
Intent intent = new Intent(Intent.ACTION_MAIN);intent.setComponent(ComponentName.unflattenFromString("com.example.app/com.ex ample.app.ExampleAction"));intent.addCategory(Intent.CATEGORY_LAUNCHER);intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);intent.putExtra(“SESSION_DATA”, sessionData);startActivity(intent);
Binder Framework
http://blog.checkpoint.com/wp-content/uploads/2015/02/Man-In-The-Binder-He-Who-Controls-IPC-Controls-The-Droid-wp.pdf
BroadcastReceiver
OWASP Mobile Top 10 (Cntd.)
M9: Improper Session Handling : Timeouts, cookie or token rotation
M10: Lack of Binary Protections
● Bytecode Conversion (apktool; dex2jar)● Runtime Analysis (ADB)● Reverse Engineering (IDA Pro)
○ https://www.hex-rays.com/products/ida/support/tutorials/debugging_dalvik.pdf ● Disassembly (baksmali)
Let’s keep these for another sessions...(Maybe: Android Application Security - from Pentester Perspective)
Image credit: http://www.gograph.com/vector-clip-art/complex.html
Android Malware
Image credit: http://www.ibtimes.co.uk/new-android-threat-prowl-krysanec-malware-masquerades-legitimate-apps
-unleashes-remote-access-1462013
AndroRAT (Remote Administration Tool)
Demo and code walkthrough
Image credit: http://combiboilersleeds.com/
Android Chat - Custom Made RAT
Demo and code walkthrough
Image credit: http://combiboilersleeds.com/
Prevention and Detection Options
Image Credit: http://maxpixel.freegreatpicture.com/Detective-Finger-Mystery-Fingerprints-Find-Clues-1520
85
Application permissionsAlways double check application permissions!
Facebook:
●●●●●●●●●●●●●
○○○
Viber:
●●●●●●●●●●●●●
○○○○
Application permissions
Pokémon GO:
● In-app purchases● Identity● Location● Photos/Media/Files● Camera● Other
○ receive data from Internet
MX Player:
● Photos/Media/Files● Wi-Fi connection information● Other
○ receive data from Internet
VLC Player:
● Photos/Media/Files
New Permission Model
Android 6.0 (API level 23)+
● Users grant permissions at run-time
● User can control what permissions to allow (and what to revoke)
● Developers see warnings if code will break due to not handling permission revocations properly.
● Dangerous permission must be approved manually.
https://developer.android.com/guide/topics/permissions/requesting.html
Dangerous permissions
●●
●
●●●
●●
●
●●
●●●●●●●
●
●●●●●
https://www.owasp.org/images/c/ca/ASDC12-An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applicati
ons.pdf
https://developer.android.com/guide/topics/permissions/requesting.html
Modify Application Permissions
App Opps (Not available with 4.4.2. Use “App Ops [Root]” or similar from Sore)
Additional Security Best PracticesApart from what was discussed in OWASP Mobile Top 10
● Request least number of permissions possible (avoid dangerous permissions)
● Update dependent libraries and frameworks
● Properly define Content Provider’s exposed attribute and permissions
● Avoid storing and transmitting personal / sensitive data as much as possible
● Using WebView can introduce web application vulnerabilities (XSS, Cache Poisoning, ..) to mobile apps. Use with caution!
● Be cautious with dynamic class loading and usage of reflection (do not allow external parties to tamper dynamic values)
● https://developer.android.com/training/articles/security-tips.html
Point to Ponder Is there any option but to sacrifice privacy?
https://github.com/will3942/uber-hackhttp://motherboard.vice.com/read/ubers-god-view-was-once-available-to-drivers
Uber God View
Image credit: https://www.pinterest.com/pin/453245149972280324/