Embed Size (px)
DESCRIPTION
In this talk I talked about my experiences with Android security when it comes to storing secrets in apps on the device. It uses oauth as an example but contained practical hints on how to store any secret securely. Presented at DroidconNL in Amsterdam, November 23 2011.
Citation preview
http://[email protected]
@egeniq
Droidcon, 23 November 2011Ivo Jansch - @ijansch
Apps, APIs and third party servicesA Love Triangle
About Me
@ijanschDeveloperAuthorEntreprenerdiOS/Java/PHP
2
About Egeniq
StartupMobileTechKnowledge GeeksDevelopment
3
Tiqr - Learning about Android Security
4
1
23
4
5
6
http://www.tiqr.org
The Use Case
5
Android App Third Party Service
API
Timeline
6
OAuth
7
Your AndroidApplication Twitter
OAuth
8
OAuthConsumer
OAuthProvider
Why do you need to protect keys?
98
OAuthProvider
The Android Security Model
10
Sandboxing
‣Apps only have access to their own data‣Access is based on Linux user ID‣Further protected by application signature
11
Storage + Secure Storage
‣USB Storage• External storage, sharable between apps
‣Device Storage • Apps have their own location, within sandbox
‣Secure Storage• Java KeyStores with strong encryption algorithms• Unfortunately no hardware encrypted storage like iPhone
12
The Main Problem
‣How can I securely store secrets?• Is sandboxing a solution? -> Not when device is rooted• Is device storage a solution? -> Not when device is rooted• Is encryption a solution?‣ Yes, but where do you store your encryption keys?
13
It’s a common question
Stackoverflow search for ‘store secrets android’:
14
With common answers
- Huh? - Don’t store secrets- Don’t use OAuth
- Obfuscate- Encrypt
15
Know what? I’ll just use a library
16
Scribe
https://github.com/fernandezpablo85/scribe-java
17
A Couple Of Solutions
18
Option 1 - Obfuscation
19
Option 2 - Encryption
20
Option 2 - Encryption
21
Option 2 - Encryption
22
Option 2 - Encryption
23
Option 3 - Using the KeyStore
24
Option 3 - Using the KeyStore
25
Option 4 - Retrieve key from API
26
Android App OAuthProvider
Your API
?
Option 5 - Transparent Proxy
27
AndroidApp
OAuthProvider
Proxy
Conclusion
It’s all about
awareness
28
Recommended Reading
‣ ISBN: 2147483647
‣ Authors:• Himanshu Dwivedi
• Chris Clark
• David Thiel
‣ Covers:• Android
• Apple
• WinMo
29
Credits
‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/
‣ ‘Locker (KHS up close) by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/
‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/
