Android Security Basics
How to keep your users and apps safe
ABOUT ME
Android Developer at
ADT
MAIN AREAS WE ARE COVERING
• Data Transmission Security
• Data Storage Security
• APK Security
DATA TRANSMISSION SECURITY
• Inter Process/Component Communication
  • The Android Security Model
  • Broadcast permissions
  • Content Provider Permissions
• Safe Network usage
  • SSL/PKI Overview
  • SSL pain points
  • Pinning
  • Misc.
• WebView pitfalls
Android Security Model: Each App is a Linux User
Every installed app gets its own Linux UID and runs in its own process; its files are private to that UID unless the app deliberately shares them, so the only way apps reach each other is through the IPC mechanisms below.
INTERPROCESS COMMUNICATION
Mostly through intents
Also
• Binding (bound services)
• Messaging (Messenger/Handler)
• etc.
Image source: http://css.csail.mit.edu/6.858/2012/readings/android.pdf
PERMISSIONS
Protection levels
• normal: granted automatically at install
• dangerous: the user must approve them
• signature: only granted to apps signed with the same certificate as the app that declared the permission
• signatureOrSystem: signature, or pre-installed in the system image; not usable by 3rd party apps
For internal-only components set android:exported="false" in the manifest
For a more in-depth discussion of permissions read
http://www.cs.berkeley.edu/~emc/papers/android_permissions.pdf and
http://css.csail.mit.edu/6.858/2012/readings/android.pdf
EXAMPLE INSECURE BROADCAST RECEIVER
<receiver android:name="YourReceiver">
    <intent-filter>
        <action android:name="com.example.mybroadcast"/>
    </intent-filter>
</receiver>
Q: Who can send this receiver broadcasts?
A: Any app on the device. A component that declares an <intent-filter> is exported by default, on every Android version; the 4.2 change that flipped the default to not-exported applied to content providers only. If only your own code should reach it, set android:exported="false" or protect it with a permission.
<receiver android:name=".MyListener">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>
Q: Could this be locked down further?
A: Require the sender to hold a permission:
<receiver android:name=".MyListener"
          android:permission="android.permission.READ_SMS">
Caveat: READ_SMS is a dangerous-level permission any app can request, so a malicious app holding it could still spoof an incoming SMS to this receiver. The system delivers SMS_RECEIVED while holding android.permission.BROADCAST_SMS, which is not grantable to third-party apps, so that is the tighter choice for this particular receiver.
BROADCASTS CAN ALSO PUT PERMISSIONS ON INTENTS
The second argument to sendBroadcast is a permission name (not an intent action); only receivers whose app holds it get the broadcast:
Intent intent = new Intent();
intent.setAction(MY_BROADCAST_ACTION);
sendBroadcast(intent, "android.permission.READ_SMS");
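The two protections above pulled together as an added Java example (this is not code from the slides): a receiver guarded by an app-defined signature permission, plus senders that either stay inside the package (explicit delivery via setPackage) or require receivers to hold that permission. The permission name, package, receiver class and the "payload" extra are assumptions made for the example.

```java
// Added example, not code from the original slides. Assumes the manifest declares:
//   <permission android:name="com.example.permission.MY_BROADCAST"
//               android:protectionLevel="signature" />
//   <receiver android:name="com.example.ipc.SecureReceiver"
//             android:permission="com.example.permission.MY_BROADCAST">
//       <intent-filter><action android:name="com.example.mybroadcast"/></intent-filter>
//   </receiver>
// The permission, package and "payload" extra names are assumptions for the example.
package com.example.ipc;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class SecureReceiver extends BroadcastReceiver {
    private static final String TAG = "SecureReceiver";
    public static final String ACTION = "com.example.mybroadcast";
    public static final String PERMISSION = "com.example.permission.MY_BROADCAST";
    private static final String EXTRA_PAYLOAD = "payload";

    @Override
    public void onReceive(Context context, Intent intent) {
        // The manifest permission already filtered who may send; still validate what arrived,
        // because a permission controls the sender, not the contents of the intent.
        if (!ACTION.equals(intent.getAction())) {
            return;
        }
        String payload = intent.getStringExtra(EXTRA_PAYLOAD);
        if (payload == null || payload.length() > 4096) {
            Log.w(TAG, "dropping malformed broadcast");
            return;
        }
        handle(context, payload);
    }

    /** Explicit delivery: only receivers inside our own package can match, so nobody can eavesdrop. */
    public static void sendInternal(Context ctx, String payload) {
        Intent i = new Intent(ACTION)
                .setPackage(ctx.getPackageName())
                .putExtra(EXTRA_PAYLOAD, payload);
        ctx.sendBroadcast(i);
    }

    /** Cross-app delivery: implicit, but only apps holding PERMISSION (same signing key) receive it. */
    public static void sendProtected(Context ctx, String payload) {
        Intent i = new Intent(ACTION).putExtra(EXTRA_PAYLOAD, payload);
        ctx.sendBroadcast(i, PERMISSION);
    }

    private void handle(Context context, String payload) {
        // Application logic goes here; the example only logs the length.
        Log.i(TAG, "received " + payload.length() + " chars");
    }
}
```

A signature-level permission is the right choice for an "internal" protocol between apps from one publisher: no user prompt, and no third-party app can be granted it. For traffic that never leaves the app, the explicit setPackage form needs no permission at all.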
CONTENT PROVIDER
<provider android:name="com.example.testprovider"
          android:authorities="com.example.testprovider"
          android:readPermission="android.permission.READ_SMS"
          android:writePermission="android.permission.READ_SMS" />
The attributes are android:readPermission and android:writePermission (or android:permission to cover both); they take permission names, not intent actions.
Warning: before 4.2 (apps targeting API 16 or lower) all content providers were exported by default! From target API 17 a provider is private unless you set android:exported="true".
URI-PERMISSIONS
Instead of exporting the whole provider, hand out temporary access to a single row:
<provider android:name="com.example.testprovider"
          android:authorities="com.example.testprovider"
          android:exported="false"
          android:grantUriPermissions="false">
    <grant-uri-permission android:pathPattern="/notes/.*" />
</provider>
With grantUriPermissions="false" only the paths listed in <grant-uri-permission> can be granted (setting it to "true" would allow grants for any URI in the provider); pathPattern needs the ".*" wildcard to match /notes/1.
Uri uri = Uri.parse("content://com.example.testprovider/notes/1");
Intent intent = new Intent();
intent.setAction(NOTE_ACTION_VIEW); // custom intent action defined by your app
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); // the receiving activity may read this one URI only
intent.setData(uri);
startActivity(intent);
See Jason Wei's http://thinkandroid.wordpress.com/2012/08/07/granting-content-provider-uri-permissions/ for more details
IMPLICIT INTENT ATTACKS
Any intent you send without naming a component can be claimed by another app:
• Broadcast eavesdropping: any app registering a receiver for your implicit action sees the data
• Broadcast denial of service: for ordered broadcasts, a higher-priority receiver can call abortBroadcast() so yours never runs
• Activity/Service hijacking: a malicious component matching your action gets started instead of the one you meant (and, for a Service, receives your binder calls)
Use explicit intents (setClass/setComponent/setPackage) for anything internal.
Image source: http://www.eecs.berkeley.edu/~emc/papers/mobi168-chin.pdf
TARGET VERSION GOTCHAS
If a permission was introduced after the targetSdkVersion in your manifest, Android may add it to your app automatically so that old apps keep working (for example, apps targeting API level 3 or lower are implicitly granted READ_PHONE_STATE and WRITE_EXTERNAL_STORAGE). Keep your target current and declare only what you use.
You can see the permission changes at each release in
http://developer.android.com/reference/android/os/Build.VERSION_CODES.html
SSL
Image source: http://www.awghost.com/ssl.html
SSL and the Public Key Infrastructure
http://software-engineer-tips-and-tricks.blogspot.com/2012/09/what-is-pki.html
SSL PAIN POINTS
• There are A LOT of trust anchors (more than a hundred CAs in the system store)
• They vary by Android version and manufacturer
• CAs occasionally get hacked (TurkTrust mis-issued intermediate certificates, one of which was used to create a *.google.com certificate)
• Internal servers with self-signed or private-CA certificates
• DownloadManager doesn't support SSL before ICS
alvinsj has written a custom download manager that handles SSL:
https://github.com/alvinsj/android-https-downloadmanager-demo
HOW TO VIEW TRUSTED CAS PER PHONE
ICS onwards, go to Settings -> Security -> Trusted credentials
Before ICS, pull the Bouncy Castle key store and list it:
adb pull /system/etc/security/cacerts.bks
keytool -keystore cacerts.bks -storetype BKS \
  -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
  -providerpath /path/to/bcprov.jar -storepass changeit -v -list
(/path/to/bcprov.jar is a placeholder; -providerpath is only needed if the Bouncy Castle jar is not already on keytool's classpath)
*OnionKit offers a consistent set of CAs based on Debian's, but requires adding its library to your app.
http://commonsware.com/blog/2013/03/07/ssl-android-onionkit.html
ANTI-PATTERN! ACCEPT ALL CERTIFICATES
SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER (Apache HttpClient): skips the hostname check, so a valid certificate for any site passes
Or
a TrustManager whose checkServerTrusted() never throws: skips the chain check entirely
Either one turns TLS into an unauthenticated tunnel: an attacker on the same Wi-Fi can present any certificate and read or modify the traffic.
An Oct. 2012 study found that 8% of the most popular apps on Google Play (1,074 of the 13,500 examined) were vulnerable to man-in-the-middle attacks: http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
Image: https://www.owasp.org/index.php/Man-in-the-middle_attack
NOT REGISTERED WITH A CA
(self-signed or internal-CA certificates)
AFTER ICS:
The user can add your CA to the device's trusted credentials (Settings -> Security -> Install from storage), or better, ship the certificate in the app and trust only it, which works on every version.
BEFORE ICS:
Create a dynamic TrustManager
1. Store your server's public certificate (or your CA's) in the app
2. Use the system default TrustManager for most checks
3. If that check fails, fall back to a TrustManager built from your bundled certificate
Never fall back to accepting everything.
*For more info about a dynamic TrustManager see http://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html
or http://commonsware.com/blog/2013/03/04/ssl-android-basics.html
or http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https/6378872#6378872 (answer by emmby)
P.S. Certificates don't have to be expensive.
Check out http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm
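An added Java example (not code from the slides, and stricter than the dynamic fallback described above): build an SSLContext whose only trust anchor is a certificate bundled in the APK. This works on every Android version, replaces both the accept-all anti-pattern and the "install it under Settings" workaround, and is also what "pinning" to your own CA looks like. The resource name res/raw/internal_ca.crt, the class name and the URL are assumptions for the example.

```java
// Added example, not code from the original slides. Assumes the server's CA (or the
// self-signed server certificate itself) is shipped as res/raw/internal_ca.crt (DER or PEM).
package com.example.net;

import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedTls {
    private PinnedTls() {}

    /** Builds an SSLContext whose only trust anchor is the certificate bundled in res/raw. */
    public static SSLContext fromBundledCa(Context ctx, int rawResId) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        InputStream in = ctx.getResources().openRawResource(rawResId);
        try {
            ca = cf.generateCertificate(in);
        } finally {
            in.close();
        }

        // An empty in-memory key store holding just our anchor. The system store is NOT
        // consulted, so a compromised public CA (the TurkTrust case) cannot mint a
        // certificate that this app would accept for our host.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("internal-ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null);
        return sc;
    }

    /**
     * Opens a connection that fails closed on any certificate not chaining to the bundled CA.
     * The default HostnameVerifier is kept deliberately: never swap in an allow-all one.
     */
    public static HttpsURLConnection open(Context ctx, int rawResId, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(fromBundledCa(ctx, rawResId).getSocketFactory());
        return conn;
    }
}
```

Usage: `HttpsURLConnection c = PinnedTls.open(context, R.raw.internal_ca, "https://internal.example.com/api");` then read the response as usual; a handshake against any other certificate throws SSLHandshakeException instead of silently succeeding. The trade-off of pinning is operational: when the bundled certificate is rotated, an app update must ship first, so pin the CA rather than the leaf certificate where you can.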
KITKAT SSL IMPROVEMENTS
• The user is warned when a CA certificate has been added to the device's trust store (a common MITM setup)
• Certificate pinning for Google's own certificates
http://www.xda-developers.com/android/android-4-4-security-enhancements/
WEBVIEW PITFALLS
• If you are using WebViews, keep JavaScript off (setJavaScriptEnabled(false)) unless you need it, and avoid addJavascriptInterface(): on devices below 4.2 any page loaded in the WebView can reach every public method of the injected object through reflection, including java.lang.Runtime; from API 17 only methods annotated @JavascriptInterface are exposed, and only if your app targets 17 or higher
• Only load content over HTTPS; a WebView pulling http:// pages is a man-in-the-middle's way into your app
• If you are showing sensitive information, call clearCache(true) afterwards to delete the local cache files
  You can also prevent caching server-side with no-cache headers (Cache-Control: no-store)
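The pitfalls above as an added Java example (not code from the slides): a WebView configured with JavaScript and file access off, a WebViewClient that only lets https navigations to an allowlisted set of hosts through, and a wipe routine for after a sensitive session. The host names and class name are assumptions for the example.

```java
// Added example, not code from the original slides. The allowlisted hosts are assumptions.
package com.example.web;

import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class HardenedWebView {
    // Assumed hosts for the example; in a real app these are your own origins.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<String>(
            Arrays.asList("www.example.com", "api.example.com"));

    private HardenedWebView() {}

    /** Apply the safe defaults to an existing WebView before the first loadUrl(). */
    public static void configure(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(false);      // no script means nothing can call an injected interface
        s.setAllowFileAccess(false);        // no file:// reads of the app's private files
        s.setAllowContentAccess(false);     // no content:// reads through the WebView
        s.setSavePassword(false);           // deprecated later, but still honoured on old releases
        s.setSaveFormData(false);
        s.setCacheMode(WebSettings.LOAD_NO_CACHE);

        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true tells the WebView we handled it, i.e. the navigation is blocked.
                return !isAllowed(url);
            }
        });
    }

    /** Only https to an allowlisted host may load; http, javascript:, file: and foreign hosts are blocked. */
    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        String host = u.getHost();
        return "https".equalsIgnoreCase(u.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    /** Call after a sensitive session so response bodies do not remain in the on-disk cache. */
    public static void wipe(WebView wv) {
        wv.clearCache(true);   // true = also delete the disk files, not just the in-memory cache
        wv.clearHistory();
        wv.clearFormData();
    }
}
```

shouldOverrideUrlLoading is only consulted for top-level navigations; images, scripts and frames the page pulls in are not routed through it, so on API 11 and later pair it with shouldInterceptRequest if you also need to police subresources.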
STORING DATA
• Public data areas
• Database security
• Encryption
First question: do you have to store it at all?
PUBLIC DATA AREAS
• All logs (before 4.1 any app holding READ_LOGS can read them; anyone with adb always can)
• Any files created with MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE
• Data on SD cards (external storage): readable by every app with READ_EXTERNAL_STORAGE
If you must store large amounts of data in public storage, encrypt it. Facebook's Conceal is a fast encryption library worth a look:
http://facebook.github.io/conceal/
SQL INJECTION ATTACKS
http://xkcd.com/327/
SQL INJECTION EXAMPLE
IF YOU MUST USE A RAW QUERY
Bind values with ? placeholders and selectionArgs; if you really must splice text into the SQL, validate it against an allowlist first!
Quotes are not the only problem:
• Clever attacks using spaces and alternative whitespace
• Comments (--, /* */)
• Strange ASCII/Unicode characters and encodings
• Things we haven't thought of yet
Use allowed characters (an allowlist) rather than trying to block disallowed characters.
http://ha.ckers.org/sqlinjection/
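An added Java example (not code from the slides) showing the string-built rawQuery next to its parameterized forms, and an allowlist check for the one thing parameters cannot cover, identifiers such as a sort column. The table, columns and class name are assumptions for the example.

```java
// Added example, not code from the original slides. Assumes a table
// notes(_id INTEGER PRIMARY KEY, title TEXT, body TEXT, created INTEGER).
package com.example.db;

import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

public final class NotesDao {
    private final SQLiteDatabase db;

    public NotesDao(SQLiteDatabase db) {
        this.db = db;
    }

    /**
     * VULNERABLE (kept for comparison): title = "x' OR '1'='1" returns every row,
     * and "x' --" comments out the closing quote so the statement still parses.
     */
    public Cursor findByTitleUnsafe(String title) {
        return db.rawQuery(
                "SELECT _id, body FROM notes WHERE title = '" + title + "'", null);
    }

    /** Safe: the value is bound as a parameter, so quotes, comments and odd bytes are just data. */
    public Cursor findByTitle(String title) {
        return db.rawQuery(
                "SELECT _id, body FROM notes WHERE title = ?", new String[] { title });
    }

    /** Same thing, letting the framework assemble the statement. */
    public Cursor findByTitleViaQuery(String title) {
        return db.query("notes", new String[] { "_id", "body" },
                "title = ?", new String[] { title }, null, null, null);
    }

    // Identifiers (table and column names) cannot be bound as parameters, so they
    // must be checked against an allowlist before being spliced into the SQL text.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,30}");
    private static final Set<String> SORTABLE = new HashSet<String>(
            Arrays.asList("title", "created"));

    public Cursor listSorted(String column, boolean descending) {
        if (!IDENTIFIER.matcher(column).matches() || !SORTABLE.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String orderBy = column + (descending ? " DESC" : " ASC");
        return db.query("notes", new String[] { "_id", "title" }, null, null, null, null, orderBy);
    }
}
```

The allowlist is the pattern the slide recommends: rather than hunting for dangerous characters in the column name, accept only the two names the UI can legitimately ask for.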
Store salted password hashes, not passwords
http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
ENCRYPTION GOTCHAS
• Before Jelly Bean 4.2
  secureRandom.setSeed(b) replaces, not supplements, the existing seed,
  so seeding with a constant gives a deterministic, predictable "random" stream. Don't call setSeed() yourself.
• On Jelly Bean 4.1-4.3
  SecureRandom (and the OpenSSL PRNG behind it) isn't guaranteed to be properly seeded unless you apply the fix from Google's "Some SecureRandom thoughts" post (the PRNGFixes class) at app start.
To read more:
http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html
and
http://blog.k3170makan.com/2013/08/more-details-on-android-jca-prng-flaw.html
KEYSTORE
See Code
APK SECURITY
• Application Signing
  • How does signing work?
  • Master Key Exploit
  • Tamper detection
• Decompiling
  • How an APK gets built / What's in an APK?
  • Demo of decompiling an APK
  • ProGuard
  • What is still visible even after obfuscation?
APP SIGNING
• The purpose of certificates in Android is to distinguish application authors, not to vouch for them: they are self-signed, there is no CA involved
• Android won't allow an application to be upgraded unless the update is signed with the same certificate as the installed version
• Android allows applications signed with the same certificate to share a UID and run in the same process (android:sharedUserId), and to hold each other's signature-level permissions
Never put your private key in the source code (or commit the keystore to the repository)!
DETECT NON-PLAY STORE INSTALLATION
SEE CODE
OTHER TAMPER DETECTION
• Is the application in debug mode?
(context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0
• Is the app running on the emulator?
boolean isEmulator = Build.FINGERPRINT.contains("generic") || "goldfish".equals(Build.HARDWARE);
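The checks from the last two slides gathered into one added Java example (this is not the "SEE CODE" sample from the talk): debuggable flag, emulator heuristics, installer package, and a comparison of the APK's signing certificate against a hash baked in at build time. The class name and the expected-hash parameter are assumptions for the example.

```java
// Added example, not code from the original slides. The expected SHA-256 of the signing
// certificate is assumed to be compiled in by the build (e.g. from the release keystore).
package com.example.integrity;

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import java.security.MessageDigest;

public final class IntegrityChecks {
    private static final String PLAY_STORE = "com.android.vending";

    private IntegrityChecks() {}

    /** True if the running build has android:debuggable="true", i.e. a debugger can attach. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Heuristics from the slide; both are trivially changed by a custom emulator image. */
    public static boolean isEmulator() {
        return Build.FINGERPRINT.contains("generic") || "goldfish".equals(Build.HARDWARE);
    }

    /** Installed by Google Play? A null installer means sideloaded (adb install, file manager). */
    public static boolean installedFromPlay(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE.equals(installer);
    }

    /**
     * Compare the SHA-256 of our first signing certificate with the value known at build time.
     * A repackaged APK must be re-signed with the attacker's key, so the hash changes.
     */
    public static boolean signatureMatches(Context ctx, String expectedSha256Hex) {
        try {
            PackageInfo pi = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(pi.signatures[0].toByteArray());
            return expectedSha256Hex.equalsIgnoreCase(toHex(digest));
        } catch (Exception e) {
            return false; // fail closed: treat any error as a mismatch
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }
}
```

All four checks run inside the APK they are protecting, so someone who has repackaged the app can also patch the checks out (or hard-code `return true`). Treat them as friction that raises the cost of casual tampering, not as a guarantee, and do anything that actually matters (licensing, entitlement) on the server.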
OTHER RESOURCES
• Android Developers blog on LVL (old but interesting):
http://android-developers.blogspot.com/2010/09/securing-android-lvl-applications.html
• Android Licensing tutorial:
http://stackoverflow.com/questions/18324963/are-there-any-good-android-licensing-tutorials
DECOMPILING
Image source: http://developer.android.com/tools/building/index.html
Inside the .dex binary
Inside the .apk
*Are you curious about why Android uses .dex files and the Dalvik virtual machine?
Check out http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf
How about disassembling dex files? Check out https://code.google.com/p/smali/wiki/
FOR FUN: MASTER KEY EXPLOIT
A crafted APK carries two ZIP entries with the same name; the signature verifier checked one while the installer ran the other, so modified code was accepted under the original author's signature.
• Want to see if your device is vulnerable? Check out the Bluebox Security Scanner on the Play Store.
• Additional details on exactly how the Master Key vulnerability works:
http://vrt-blog.snort.org/2013/08/bytecode-covering-android.html
DECOMPILING
DEMO
WHAT IS PROGUARD?
• Shrinking (removes unused classes, fields and methods)
• Obfuscation (renames what is left to short, meaningless names)
• Preverification
*Fun random fact: you can run Scala on Android by using ProGuard to remove the unneeded library classes
http://www.gamlor.info/wordpress/2011/10/running-scala-on-android/
ENABLING PROGUARD IN ECLIPSE
In project.properties uncomment
#proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
*For SDK Tools past r17 the documentation on Android Developers is slightly misleading:
1) you can ignore the warning about ProGuard
2) the default ProGuard config file is proguard-project.txt instead of proguard.cfg
ENABLING PROGUARD IN ANDROID STUDIO
In build.gradle
android {
    buildTypes {
        release {
            runProguard true
            proguardFile getDefaultProguardFile('proguard-android.txt')
        }
    }
}
(Later versions of the Android Gradle plugin renamed runProguard to minifyEnabled.)
For more detailed descriptions see http://tools.android.com/tech-docs/new-build-system/user-guide#TOC-Running-ProGuard
and http://stackoverflow.com/questions/20885725/how-to-use-the-proguard-in-android-studio
TROUBLESHOOTING PROGUARD
• What if I get a class/file not found error after running ProGuard?
Classes reached only through reflection or the manifest get stripped or renamed; add -keep public class <MyClass> to your ProGuard config file.
• How do I read stack traces from my production app?
Use the retrace tool:
retrace.sh mapping.txt [<stacktrace_file>]
*Remember to keep the mapping.txt file for each build
*It is possible to reuse mapping files with -applymapping filename but this has pros and cons, see
http://proguard.sourceforge.net/index.html#
THINGS PROGUARD DOES NOT DO
• String encryption
• Class encryption
• Hide Android API calls
• Tamper detection
Obfuscation slows a reverse engineer down, it does not stop one; anything the app can decrypt at runtime, an attacker holding the APK can too.
DexGuard is a paid product by the makers of ProGuard that can help with some of these, but it can be pricey.
http://www.saikoa.com/dexguard
DashO is also an option
EXTRA STUFF
CHECK OUT CURRENT KNOWN VULNERABILITIES
http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html
ADDITIONAL RESOURCES
Android Security Cookbook
There is a 50% off coupon at http://www.packtpub.com/article/knowing-sql-injection-attacks-securing-android-applications
Learning Pentesting for Android Devices
Android Application Security Essentials
Android Explorations blog by Nikolay Elenkov
http://nelenkov.blogspot.ie/
Open Web Application Security Project
https://www.owasp.org/
SELinux
https://www.ibm.com/developerworks/library/l-selinux/
Thank you.
Questions?