Android Security Basics: How to keep your users and apps safe

ABOUT ME
Android Developer at ADT

MAIN AREAS WE ARE COVERING
• Data Transmission Security
• Data Storage Security
• APK Security

DATA TRANSMISSION SECURITY
• Inter Process/Component Communication
  • The Android Security Model
  • Broadcast permissions
  • Content Provider permissions
• Safe Network usage
  • SSL/PKI overview
  • SSL pain points
  • Pinning
  • Misc.
• WebView pitfalls

ANDROID SECURITY MODEL: EACH APP IS A LINUX USER

INTER-PROCESS COMMUNICATION
Mostly through intents. Also:
• Binding
• Messaging
• etc.
Image source: http://css.csail.mit.edu/6.858/2012/readings/android.pdf

PERMISSIONS
Protection levels:
• normal
• dangerous
• signature
• signature or system – not allowed in 3rd party apps
For internal-only components set android:exported="false".
For a more in-depth discussion of permissions read http://www.cs.berkeley.edu/~emc/papers/android_permissions.pdf and http://css.csail.mit.edu/6.858/2012/readings/android.pdf

EXAMPLE INSECURE BROADCAST RECEIVER

    <receiver android:name="Your receiver">
        <intent-filter>
            <action android:name="com.example.mybroadcast"/>
        </intent-filter>
    </receiver>

Q: Who can send this receiver broadcasts?
Before Android 4.2, any component that declares an <intent-filter> is exported by default.

    <receiver android:name=".MyListener">
        <intent-filter>
            <action android:name="android.provider.Telephony.SMS_RECEIVED" />
        </intent-filter>
    </receiver>

Could this permission be better?
Add a permission to the receiver:

    <receiver android:name=".MyListener"
              android:permission="android.permission.READ_SMS">

BROADCASTS CAN ALSO PUT PERMISSIONS ON INTENTS

    Intent intent = new Intent();
    intent.setAction(MY_BROADCAST_ACTION);
    // second argument: only receivers holding this permission get the broadcast
    sendBroadcast(intent, "android.permission.READ_SMS");

CONTENT PROVIDER

    <provider android:name="com.example.testprovider"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.READ_SMS" />

Warning: before 4.2 all content providers were exported by default!

URI PERMISSIONS

    <provider android:name="com.example.testprovider"
              android:authorities=""
              android:grantUriPermissions="true">
        <grant-uri-permission android:pathPattern="/notes/" />
    </provider>

    Uri uri = Uri.parse("content://com.example.testprovider/notes/1");
    Intent intent = new Intent();
    intent.setAction(NOTE_ACTION_VIEW); // set custom intent action
    intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
    intent.setData(uri);
    startActivity(intent);

See Jason Wei's http://thinkandroid.wordpress.com/2012/08/07/granting-content-provider-uri-permissions/ for more details

IMPLICIT INTENT ATTACKS
• Broadcast eavesdropping
• Broadcast denial of service (for ordered broadcasts)
• Activity/Service hijacking
Image source: http://www.eecs.berkeley.edu/~emc/papers/mobi168-chin.pdf

TARGET VERSION GOTCHAS
If a permission has been added since the target version in your Android manifest, Android will automatically apply the new permission request to the app's manifest.
You can see permission changes at each release: http://developer.android.com/reference/android/os/Build.VERSION_CODES.html

SSL
Image source: http://www.awghost.com/ssl.html

SSL AND THE PUBLIC KEY INFRASTRUCTURE
http://software-engineer-tips-and-tricks.blogspot.com/2012/09/what-is-pki.html

SSL PAIN POINTS
• There are A LOT of trust anchors
• They vary by Android version and manufacturer
• They occasionally get hacked (TurkTrust)
• Internal servers
• Download manager doesn't support SSL before ICS. alvinsj has suggested a custom download manager which can handle SSL at https://github.com/alvinsj/android-https-downloadmanager-demo

HOW TO VIEW TRUSTED CAS PER PHONE
ICS onwards: go to Settings -> Security -> Trusted credentials
Before ICS:

    adb pull /system/etc/security/cacerts.bks
    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list

*OnionKit offers a consistent set of CAs based on Debian but requires adding its library to your app. http://commonsware.com/blog/2013/03/07/ssl-android-onionkit.html

ANTI-PATTERN! ACCEPT ALL CERTIFICATES

    SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER

Or a TrustManager whose checkServerTrusted() never throws, i.e. accepts every chain.
An Oct. 2012 study found that 8% of the most popular apps on the app store were vulnerable to man-in-the-middle attacks: http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
Image: https://www.owasp.org/index.php/Man-in-the-middle_attack

NOT REGISTERED WITH A CA
AFTER ICS: Just add your own certificate to the list of trusted CAs.
BEFORE ICS: Create a dynamic TrustManager
1. Store the new public certificate in the app
2. Use the system default TrustManager for most checks
3. If that check fails, then use the custom TrustManager
*For more info about dynamic TrustManagers see http://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html or http://commonsware.com/blog/2013/03/04/ssl-android-basics.html or http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https/6378872#6378872 (response by emmby)
PS: Certificates don't have to be expensive.
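The broadcast-permission, URI-permission and implicit-intent-attack slides above describe the problems; the class below is an added example (not the slides' own code) showing the defensive counterpart of each in Java. Every permission, action, package and class name in it is made up for illustration.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;

// Added example, not code from the slides. Package, class, action and permission
// names below are hypothetical.
public final class SafeIntents {

    // Hypothetical signature-level permission this app declares in its manifest:
    //   <permission android:name="com.example.permission.NOTES"
    //               android:protectionLevel="signature" />
    static final String NOTES_PERMISSION = "com.example.permission.NOTES";
    static final String NOTE_UPDATED_ACTION = "com.example.action.NOTE_UPDATED";
    static final String PARTNER_PACKAGE = "com.example.partner";   // hypothetical trusted app

    private SafeIntents() {}

    // Broadcast eavesdropping: sendBroadcast(intent) with no permission lets every app with a
    // matching <intent-filter> read the extras. Requiring a signature permission limits the
    // audience to apps signed with our key; setPackage() additionally pins delivery to one package.
    public static void broadcastNoteUpdated(Context ctx, long noteId) {
        Intent intent = new Intent(NOTE_UPDATED_ACTION);
        intent.putExtra("noteId", noteId);
        intent.setPackage(ctx.getPackageName());
        ctx.sendBroadcast(intent, NOTES_PERMISSION);
    }

    // Activity hijacking: an implicit ACTION_VIEW intent is resolved against every exported
    // activity, so any app that registers a matching filter could receive the note URI. Naming
    // the component makes the intent explicit; the URI grant then covers just this one row
    // instead of exporting the whole provider.
    public static Intent viewNoteInPartnerApp(Uri noteUri) {
        Intent intent = new Intent(Intent.ACTION_VIEW, noteUri);
        intent.setClassName(PARTNER_PACKAGE, PARTNER_PACKAGE + ".ViewNoteActivity");
        intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return intent;
    }

    // Defence in depth for components reached over Binder (a bound Service method or a
    // ContentProvider query): re-check the caller's permission in code, so a later manifest
    // edit that drops android:permission does not silently open the component.
    // checkCallingPermission() returns PERMISSION_DENIED when there is no IPC caller at all.
    public static boolean callerHoldsNotesPermission(Context ctx) {
        return ctx.checkCallingPermission(NOTES_PERMISSION)
                == PackageManager.PERMISSION_GRANTED;
    }
}
```

The manifest side still matters: the receiver and provider should carry android:permission / android:readPermission as shown on the slides, and components that never need to be reached from another app should set android:exported="false" rather than rely on these runtime checks alone.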
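The three-step "dynamic TrustManager" from the NOT REGISTERED WITH A CA slide, written out as an added example in Java (this is not the slides' code nor the code from the linked blog posts). It assumes the internal server's certificate has been packaged as a keystore in the app (e.g. a BKS file under res/raw, the format the pre-ICS cacerts.bks slide shows) and that the default HostnameVerifier is left in place.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not from the slides. Step numbers refer to the slide's list:
// 1. the app's own certificate is in localStore, 2. the system anchors are tried first,
// 3. the bundled store is consulted only when the system check fails.
// Unlike the ACCEPT ALL anti-pattern, any chain neither store vouches for is still
// rejected with a CertificateException and the handshake is aborted.
public final class FallbackTrustManager implements X509TrustManager {

    private final X509TrustManager systemTm;
    private final X509TrustManager localTm;

    public FallbackTrustManager(KeyStore localStore) throws GeneralSecurityException {
        systemTm = firstX509(trustManagersFor(null));        // null keystore = platform default anchors
        localTm = firstX509(trustManagersFor(localStore));   // step 1: only our own certificate(s)
    }

    private static TrustManager[] trustManagersFor(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    private static X509TrustManager firstX509(TrustManager[] tms) {
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            systemTm.checkServerTrusted(chain, authType);    // step 2: normal public-PKI validation
        } catch (CertificateException systemRejected) {
            localTm.checkServerTrusted(chain, authType);     // step 3: fall back; rethrows on failure
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        systemTm.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] a = systemTm.getAcceptedIssuers();
        X509Certificate[] b = localTm.getAcceptedIssuers();
        X509Certificate[] all = new X509Certificate[a.length + b.length];
        System.arraycopy(a, 0, all, 0, a.length);
        System.arraycopy(b, 0, all, a.length, b.length);
        return all;
    }

    // Builds an SSLContext that uses this trust manager. Pass e.g. "BKS" as storeType and the
    // stream from getResources().openRawResource(R.raw.mystore) (resource name hypothetical).
    public static SSLContext sslContextFor(InputStream localStoreStream, char[] password,
                                           String storeType)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(localStoreStream, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new FallbackTrustManager(ks) }, null);
        return ctx;
    }
}
```

Wire the returned SSLContext's socket factory into HttpsURLConnection or HttpClient as usual; because only the trust store changes, hostname verification keeps rejecting a certificate issued for a different name.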
Check out http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm

KITKAT SSL IMPROVEMENTS
• SSL CA certificate warnings
• Android certificate pinning for Google certs
http://www.xda-developers.com/android/android-4-4-security-enhancements/

WEBVIEW PITFALLS
• If you are using WebViews, try setJavaScriptEnabled(false) and be careful with addJavascriptInterface()
• If you are sending sensitive information, clearCache() afterwards to delete local files. You can also do this server-side with no-cache headers.

STORING DATA
• Public data areas
• Database security
• Encryption
Do you have to store it?

PUBLIC DATA AREAS
• All logs
• Any files opened with MODE_WORLD_*
• Data on SD cards
If you must store large amounts of data in public storage, consider encrypting it. Facebook has a new fast encryption library that might be worth looking at: http://facebook.github.io/conceal/

SQL INJECTION ATTACKS
http://xkcd.com/327/

SQL INJECTION EXAMPLE

IF YOU MUST USE A RAW QUERY
Be sure to sanitize your inputs! Quotes are not the only problem:
• Clever attacks using spaces
• Comments
• Strange ASCII characters
• Things we haven't thought of yet
Validate against a list of allowed characters rather than a list of disallowed ones where possible.
http://ha.ckers.org/sqlinjection/

Store hashes, not passwords: http://www.unixwiz.net/techtips/iguide-crypto-hashes.html

ENCRYPTION GOTCHAS
• Before Jelly Bean 4.2, SecureRandom.setSeed(b) replaces, not supplements, the existing seed, so the output was deterministic
• In Jelly Bean 4.1-4.3 SecureRandom isn't guaranteed to give you a random number unless you implement the fix in "Some SecureRandom thoughts"
To read more see http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html and http://blog.k3170makan.com/2013/08/more-details-on-android-jca-prng-flaw.html

KEYSTORE
See code.

APK SECURITY
• Application signing
  • How does signing work?
  • Master Key exploit
  • Tamper detection
• Decompiling
  • How an APK gets built / What's in an APK?
  • Demo of decompiling an APK
  • ProGuard
  • What is still visible even after obfuscation?

APP SIGNING
• The purpose of certificates in Android is to distinguish application authors
• Android won't allow an application to be upgraded unless it is signed with the same certificate
• Android allows applications that are signed with the same certificate to run in the same process
Never put your private key in the source code!

DETECT NON-PLAY-STORE INSTALLATION
See code.

OTHER TAMPER DETECTION
• Is the application in debug mode?

    (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0

• Is the app running on the emulator?

    boolean isEmulator = Build.FINGERPRINT.contains("generic");
    // or
    boolean isEmulator = "goldfish".equals(Build.HARDWARE);

OTHER RESOURCES
• Android Developers blog on LVL (old but interesting): http://androiddevelopers.blogspot.com/2010/09/securing-android-lvlapplications.html
• Android licensing tutorial: http://stackoverflow.com/questions/18324963/are-there-anygood-android-licensing-tutorials

DECOMPILING
Image source: http://developer.android.com/tools/building/index.html
Inside the .dex binary
Inside the .apk
Image source: http://developer.android.com/tools/building/index.html
*Are you curious about why Android uses .dex files and the Dalvik virtual machine? Check out http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf
How about further decompiling dex files? Check out https://code.google.com/p/smali/wiki/

FOR FUN: MASTER KEY EXPLOIT
• Want to see if you are vulnerable? Check out the Bluebox Security Scanner on the app store.
• Additional details on exactly how the Master Key vulnerability works: http://vrt-blog.snort.org/2013/08/bytecode-covering-android.html

DECOMPILING DEMO

WHAT IS PROGUARD?
• Shrinking
• Obfuscation
• Preverification
*Fun random fact: you can run Scala on Android by using ProGuard to remove the unneeded library classes http://www.gamlor.info/wordpress/2011/10/running-scala-on-android/

ENABLING PROGUARD IN ECLIPSE
In project.properties uncomment:

    #proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt

*For versions past 17 the documentation on Android Developers is slightly misleading:
1) You can ignore the warning when it comes to ProGuard
2) The default ProGuard config file will be proguard-project.txt instead of proguard.cfg

ENABLING PROGUARD IN ANDROID STUDIO
In build.gradle:

    android {
        buildTypes {
            release {
                runProguard true
                proguardFile getDefaultProguardFile('proguard-android.txt')
            }
        }
    }

For more detailed descriptions see http://tools.android.com/tech-docs/new-build-system/user-guide#TOC-Running-ProGuard and http://stackoverflow.com/questions/20885725/how-to-use-the-proguard-in-android-studio

TROUBLESHOOTING PROGUARD
• What if I get a file not found error after running ProGuard? Add -keep public class <MyClass> to your ProGuard config file.
• How do I read stack traces from my production app? Use the retrace tool:

    retrace.sh mapping.txt [<stacktrace_file]

*Remember to keep the mapping.txt file for each build.
*It is possible to reuse mapping files with -applymapping filename, but this has pros and cons; see http://proguard.sourceforge.net/index.html#

THINGS PROGUARD DOES NOT DO
• String encryption
• Class encryption
• Hide Android API calls
• Tamper detection
DexGuard is a paid product by the makers of ProGuard that can help with some of these, but it can be pricey.
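The SQL INJECTION, "store hashes, not passwords" and ENCRYPTION GOTCHAS slides earlier each make one point; the class below is an added example (not the slides' code) that puts them together in Java: the concatenated raw query beside its parameterised form, an allow-list check for the one value that cannot be bound, and salted PBKDF2 hashes instead of stored passwords. The table and column names (users, name, salt, hash) and the iteration count are assumptions.

```java
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not from the slides. Schema assumed:
//   CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, salt BLOB, hash BLOB)
public final class CredentialStore {
    private static final int ITERATIONS = 10000;   // assumption; tune to device speed
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    // Allow-list, as the slide recommends: say what IS permitted rather than chase bad characters.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    private final SQLiteDatabase db;
    // Never call setSeed() on this (ENCRYPTION GOTCHAS: before 4.2 it replaced the seed).
    private final SecureRandom random = new SecureRandom();

    public CredentialStore(SQLiteDatabase db) { this.db = db; }

    // ANTI-PATTERN (kept for contrast): the value becomes part of the SQL text, so quotes,
    // comments, whitespace tricks and anything "we haven't thought of yet" change the query.
    public Cursor findUserUnsafe(String username) {
        return db.rawQuery("SELECT id FROM users WHERE name = '" + username + "'", null);
    }

    // Hardened: the value is bound as a parameter and is never parsed as SQL, whatever it contains.
    public Cursor findUser(String username) {
        return db.query("users", new String[] {"id", "salt", "hash"},
                "name = ?", new String[] {username}, null, null, null);
    }

    public void createUser(String username, char[] password) throws GeneralSecurityException {
        if (!USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("username not in allowed character set");
        }
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);                  // per-user salt defeats precomputed hash tables
        ContentValues cv = new ContentValues();  // ContentValues are bound, not concatenated
        cv.put("name", username);
        cv.put("salt", salt);
        cv.put("hash", pbkdf2(password, salt));
        db.insertOrThrow("users", null, cv);
    }

    public boolean verify(String username, char[] password) throws GeneralSecurityException {
        Cursor c = findUser(username);
        try {
            if (!c.moveToFirst()) return false;
            byte[] salt = c.getBlob(c.getColumnIndexOrThrow("salt"));
            byte[] expected = c.getBlob(c.getColumnIndexOrThrow("hash"));
            return constantTimeEquals(expected, pbkdf2(password, salt));
        } finally {
            c.close();
        }
    }

    static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
    }

    // Compare every byte so the time taken does not reveal where the first mismatch is.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Open the database with MODE_PRIVATE (the PUBLIC DATA AREAS slide) so the hashes are not world-readable, and never log the incoming password or the query text, since logs are on that slide's list of public places too.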
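The OTHER TAMPER DETECTION slide gives the debug-flag and emulator checks and the DETECT NON-PLAY-STORE INSTALLATION slide says "see code"; the class below is an added example (not the slides' own code) collecting those checks plus a signing-certificate check in Java. The Play Store installer package name com.android.vending is real; the expected certificate hash is a placeholder you would replace with your own release certificate's SHA-256.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not from the slides.
public final class TamperChecks {
    // PLACEHOLDER, not a real value: hex SHA-256 of your release signing certificate, e.g. from
    // keytool -printcert -file META-INF/CERT.RSA on a known-good APK.
    static final String EXPECTED_CERT_SHA256 = "<PLACEHOLDER_RELEASE_CERT_SHA256_HEX>";
    static final String PLAY_STORE_INSTALLER = "com.android.vending";

    private TamperChecks() {}

    // Slide check 1: a release build should never be debuggable.
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // Slide check 2: both heuristics from the slide, combined.
    public static boolean isEmulator() {
        return Build.FINGERPRINT.contains("generic") || "goldfish".equals(Build.HARDWARE);
    }

    // "Detect non-Play-Store installation": the package manager records who installed us.
    // Null means sideloaded via adb or a file manager.
    public static boolean installedFromPlayStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE_INSTALLER.equals(installer);
    }

    // APP SIGNING slide: a repackaged APK must be re-signed with the attacker's key, so the
    // certificate fingerprint of the running package no longer matches the one we shipped with.
    public static boolean signedWithExpectedCert(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                // Signature.toByteArray() is the DER-encoded certificate, so this equals the
                // fingerprint keytool prints for that certificate.
                if (EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) {
                    return true;
                }
            }
            return false;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;   // fail closed: treat "cannot verify" as "not verified"
        }
    }

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static boolean looksTampered(Context ctx) {
        return isDebuggable(ctx) || !signedWithExpectedCert(ctx) || !installedFromPlayStore(ctx);
    }
}
```

All of these run inside the APK, so anyone who decompiles it (the DECOMPILING slides) can find and patch them out; treat them as one layer alongside ProGuard and the LVL/licensing resources above, not as a guarantee.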
http://www.saikoa.com/dexguard
DashO is also an option.

EXTRA STUFF

CHECK OUT CURRENT KNOWN VULNERABILITIES
http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id19997/Google-Android.html

ADDITIONAL RESOURCES
• Android Security Cookbook. There is a 50% off coupon at http://www.packtpub.com/article/knowing-sql-injection-attacks-securingandroid-applications
• Learning Pentesting for Android Devices
• Android Application Security Essentials
• Android Explorations blog by Nikolay Elenkov: http://nelenkov.blogspot.ie/
• Open Web Application Security Project: https://www.owasp.org/
• SELinux: https://www.ibm.com/developerworks/library/l-selinux/

Thank you. Questions?