Hardening your Android App. Scott Alexander-Bown Head of Android

Hardening your Android App

Scott Alexander-Bown
Head of Android
Mubaloo
@scottyab

me: Scott Alexander-Bown
•  Head of Android at Mubaloo
•  Passionate about Android and mobile security
•  Co-run SWmobile meetup group
•  Follow me @scottyab

Favourite apps

It's not about... Fear!

It's not about... 100%

Agenda
•  Why?
o  Attacker motivations
o  Reverse engineering
•  Hardening techniques
o  Android Permissions
o  Encryption and key management on Android
o  Using SSL better
o  Make it harder to pirate/repackage your app
o  Device Administration policies
o  Miscellaneous tips

Motivations for hacking an app
•  Different ads
•  Different market
•  Extract assets or API keys
•  Insert malware
•  Software piracy
•  Malware and security research
•  Fun!

Reverse engineering Android app

Apktool
•  http://bit.ly/apktool
•  Decode and rebuild an apk:
o  apktool d myapp.apk
o  apktool b myapp newmyapp.apk

Santoku Linux
•  Linux ISO
•  Pre-installed platform SDKs, drivers, and utilities
•  Decompilation and disassembly tools
•  Scripts to detect common issues in mobile applications
•  Scripts to automate decrypting binaries, deploying apps, enumerating app details, and more
•  https://santoku-linux.com/

*Disclaimer: I work for Via Forensics as of Monday

Techniques for hardening

Protecting internal storage
Creating world-readable files is very dangerous
•  Do
o  File creation mode: Context.MODE_PRIVATE
•  Don't use
o  MODE_WORLD_READABLE
o  MODE_WORLD_WRITEABLE
o  (deprecated in API level 17)

Permissions
•  Are all the permissions required?

Instead of

•  Permission types (protection level)
o  Normal
o  Dangerous
o  Signature

Custom Permission example
•  Declared custom permission
•  Another app/component using the permission

Don't leak permissions
•  Protect entry points (receivers, services, content providers)
•  Exported=false
•  Context.checkCallingPermission("android.permission.CAMERA")
•  Context.enforceCallingPermission(...)
•  Tip: Local broadcast manager for in app notifications
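The two call styles above, checkCallingPermission (returns a result) and enforceCallingPermission (throws), only work inside a Binder call where the caller's identity is attached, so the natural place for them is an AIDL service. The following is an added example, not code from the slides; the AIDL interface, permission name, action name and manifest entries in the comments are hypothetical:

```java
// Added example (not from the slides): a service that checks the caller's
// permission inside its Binder methods, plus an in-app notification sent via
// LocalBroadcastManager so it never leaves the process.
// Assumed (hypothetical) AIDL file ISecretService.aidl:
//   interface ISecretService { String readSecret(); void wipeSecret(); }
// Assumed manifest entries (hypothetical names):
//   <permission android:name="com.example.permission.READ_SECRETS"
//               android:protectionLevel="signature" />
//   <service android:name=".SecretService"
//            android:permission="com.example.permission.READ_SECRETS" />
//   Components used only inside this app get android:exported="false" instead,
//   so nothing outside the app can reach them at all.
package com.example.hardening;

import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.IBinder;
import android.os.RemoteException;
import android.support.v4.content.LocalBroadcastManager;

public class SecretService extends Service {
    static final String PERMISSION_READ_SECRETS = "com.example.permission.READ_SECRETS";
    static final String ACTION_SECRET_READ = "com.example.action.SECRET_READ";

    // Stub methods run on a Binder thread with the caller's uid/pid attached,
    // which is what makes checkCallingPermission()/enforceCallingPermission() meaningful.
    private final ISecretService.Stub binder = new ISecretService.Stub() {
        @Override
        public String readSecret() throws RemoteException {
            // Soft check: hand back nothing rather than data to an unauthorised caller.
            if (checkCallingPermission(PERMISSION_READ_SECRETS)
                    != PackageManager.PERMISSION_GRANTED) {
                return null;
            }
            notifyInApp();
            return "secret-value"; // constructed placeholder
        }

        @Override
        public void wipeSecret() throws RemoteException {
            // Hard check: throws SecurityException for unauthorised callers.
            enforceCallingPermission(PERMISSION_READ_SECRETS,
                    "wipeSecret requires " + PERMISSION_READ_SECRETS);
            // ... wipe the stored secret here ...
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    private void notifyInApp() {
        // A local broadcast stays inside this process: other apps can neither
        // receive it nor spoof it, so the receiver needs no permission guard.
        LocalBroadcastManager.getInstance(this)
                .sendBroadcast(new Intent(ACTION_SECRET_READ));
    }
}
```

The android:permission attribute on the service already makes the system reject binds from apps without the permission; the in-method checks are defence in depth for the case where the manifest is edited (for example after repackaging) or a method is later reached by another path.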

Encryption: 3rd party libs
•  SQLCipher
o  256-bit AES encrypted SQLite database
o  http://sqlcipher.net/sqlcipher-for-android
•  Keyczar - open source cryptographic toolkit
o  http://www.keyczar.org
o  https://github.com/kruton/android-keyczar-demo
•  IOCipher - virtual encrypted disk
o  Clone of java.io
o  https://guardianproject.info/code/iocipher

Encryption: Key management
Two 'ideal world' solutions
•  Don't store the key on the device
•  Use a system service (such as KeyChain)
•  Tip: Minimise the keys' time in RAM (null them after use)

Encryption: Generate random key

•  Note: New Implementation of SecureRandom in Android 4.2

Password based encryption (PBE)
•  Use a key derivation algorithm: PBKDF2
•  (Secure)random salt and iteration count
•  Tip: Ensure the derivation takes more than 100ms
•  Code for what to do and what not to do: https://github.com/nelenkov/android-pbe

Password based encryption (PBE)
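The random-key and PBE slides together describe one small key-handling routine: let SecureRandom pick keys, derive password keys with PBKDF2 over a random salt, calibrate the iteration count so derivation takes over 100ms, and clear key material afterwards. This is an added example written for this page, not the author's code and not the android-pbe project's code; the class name, iteration bounds and key sizes are choices made here:

```java
// Added example (not from the slides): random AES key generation, PBKDF2 key
// derivation with a random salt, a >100ms calibration loop, and zeroing of key
// bytes once they are wrapped. Java 6 compatible for the Android of the time.
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class KeyUtil {
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final int MIN_ITERATIONS = 1000;
    private static final int MAX_ITERATIONS = 1 << 20;
    private static final SecureRandom RNG = new SecureRandom();

    /** Random key: the platform RNG picks it; it is never a literal in the app. */
    public static SecretKey generateRandomKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(KEY_BITS, RNG);
        return kg.generateKey();
    }

    /** Fresh salt per password; store it (and the iteration count) next to the ciphertext. */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    /** PBKDF2 with HMAC-SHA1, the variant available on Android. */
    public static SecretKey deriveKey(char[] password, byte[] salt, int iterations)
            throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            byte[] keyBytes = factory.generateSecret(spec).getEncoded();
            SecretKey key = new SecretKeySpec(keyBytes, "AES"); // copies the bytes
            Arrays.fill(keyBytes, (byte) 0);                    // minimise time raw key sits in RAM
            return key;
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the password
        }
    }

    /**
     * Doubles the iteration count until one derivation takes more than 100ms on
     * this device. Run once (for example on first use) and persist the result.
     */
    public static int calibrateIterations(char[] password, byte[] salt) throws Exception {
        int iterations = MIN_ITERATIONS;
        while (true) {
            long start = System.nanoTime();
            deriveKey(password, salt, iterations);
            long elapsedMs = (System.nanoTime() - start) / 1000000L;
            if (elapsedMs > 100 || iterations >= MAX_ITERATIONS) {
                return iterations;
            }
            iterations *= 2;
        }
    }
}
```

Two practical notes: the calibrated count is device-specific, so store the value actually used with the data rather than recomputing it; and from Android 4.4 the PBKDF2WithHmacSHA1 factory uses all bits of each password character where earlier releases used only the low 8 bits, so data derived on older devices needs the compatibility algorithm name (PBKDF2WithHmacSHA1And8bit) to be readable after an upgrade.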

Encryption: no no's
•  Store encryption keys in app
•  Log/debug statements with encryption keys
•  Rely on OS encryption
•  Write your own encryption algorithms

SSL
•  Use HTTPS by default
•  What about Man in the middle (MITM) attacks?
o  Trusting all certificates
o  Compromised CA

SSL Tips
•  Pay attention to security exceptions
•  Verify the hostname the certificate was issued for
•  SSL Pinning (public key pinning)
o  AndroidPinning - https://github.com/moxie0/AndroidPinning
o  Android 4.2 - X509TrustManagerExtensions

SSL: wipe the slate clean
•  Don't use a CA!
•  Server side
o  create your own 4096-bit signing certificate (keep offline)
o  sign your certs for the web services
•  Client/app
o  include the signing cert (in a keystore)
o  validate against it
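The client side of "wipe the slate clean" is an SSLContext whose only trust anchor is the root certificate you generated offline. The following is an added example, not code from the slides; it assumes a BKS trust store at res/raw/mytruststore (referenced through the app's generated R class) that contains only that root certificate, and the class and password names are hypothetical:

```java
// Added example (not from the slides): an HTTPS client that trusts only the
// app's own root certificate, shipped in a BKS keystore under res/raw, instead
// of the device's public CA list. Hypothetical names: R.raw.mytruststore and
// the trust store password below.
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class OwnCaSsl {
    // A trust store password protects integrity, not secrecy: the store holds
    // only public certificates, so a fixed value here is acceptable.
    private static final char[] STORE_PASSWORD = "trust-store-pass".toCharArray();

    private static SSLSocketFactory factory;

    /** Builds (once) a socket factory whose only trust anchor is our own root cert. */
    public static synchronized SSLSocketFactory socketFactory(Context ctx) throws Exception {
        if (factory != null) {
            return factory;
        }
        KeyStore trusted = KeyStore.getInstance("BKS"); // keystore type Android ships
        InputStream in = ctx.getResources().openRawResource(R.raw.mytruststore);
        try {
            trusted.load(in, STORE_PASSWORD);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted); // chains must end at a cert in this store; public CAs are ignored
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null);
        factory = sc.getSocketFactory();
        return factory;
    }

    /** Opens a connection that refuses plain http and keeps hostname verification on. */
    public static HttpsURLConnection open(Context ctx, String url) throws Exception {
        URL u = new URL(url);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IllegalArgumentException("only https URLs are allowed: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) u.openConnection();
        conn.setSSLSocketFactory(socketFactory(ctx));
        // No custom HostnameVerifier is installed: the default one checks that
        // the certificate was issued for the host being connected to.
        return conn;
    }
}
```

An SSLHandshakeException from this connection means the server's chain does not end at your root (or the certificate has expired or been rotated); the "pay attention to security exceptions" tip applies here, so report it rather than catching it and retrying with a permissive trust manager. Pinning to your own root also means a root rotation requires shipping a new app version, which is the trade-off the AndroidPinning library's public-key pins are designed to soften.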

Make your app harder to pirate
•  Google License Verification Library
o  Modify LVL source as much as possible
o  com.android.vending.licensing.*
o  Focus on the core of the LVL logic: LicenseChecker and LicenseValidator
•  Offload license validation to a trusted server

Tamper resistance
•  Checksum of the app code with validation check on server or unlocker app
•  Reflection based tamper checks
•  Check installer is from Play store

Obfuscation: Proguard
•  Proguard has been around for 10+ years
•  Project properties file, uncomment #proguard.config=
•  Only applied when building release versions
•  Entry points should be excluded, e.g.:
o  -keep public class * extends android.app.Activity
•  Most popular 3rd party libs/jars come with proguard config
•  Bonus: ~50% reduction in .apk size

Obfuscation: Dexguard
•  Optimize and obfuscate tuned for the Android platform/Dalvik bytecode
•  Encrypt strings
•  Encrypt entire classes
•  Hide access to sensitive APIs
•  Add tamper detection
•  Thoroughly remove Android logging code
•  More info: http://www.saikoa.com/

Remove logging using Proguard

Device Management Policies
•  Since Android 2.2
•  Enforce
o  Device lock
o  Passcode type (pin, pattern)
o  Password complexity
o  Device encryption (3.0+)
o  Device wipe
•  New policies are added in each release
•  Policies set by different apps can only change policies to make them stronger
•  Cannot uninstall an app while the device admin is still active

Device Management Policies
•  Define a policy as an xml resource
•  Reference in manifest
•  Create a Device Administration broadcast receiver
•  Implement a Device Policy Controller
o  DevicePolicyManager.isAdminActive?
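The four steps above (policy XML, manifest entry, DeviceAdminReceiver, controller that checks isAdminActive) fit in one class. This is an added example, not code from the slides; the receiver name, the manifest and XML fragments in the comments, and the specific policy values are choices made for illustration:

```java
// Added example (not from the slides): a DeviceAdminReceiver that doubles as the
// policy controller. Hypothetical resources it assumes:
//   res/xml/device_admin.xml:
//     <device-admin xmlns:android="http://schemas.android.com/apk/res/android">
//       <uses-policies>
//         <limit-password /> <force-lock /> <wipe-data /> <encrypted-storage />
//       </uses-policies>
//     </device-admin>
//   AndroidManifest.xml:
//     <receiver android:name=".AdminReceiver"
//               android:permission="android.permission.BIND_DEVICE_ADMIN">
//       <meta-data android:name="android.app.device_admin"
//                  android:resource="@xml/device_admin" />
//       <intent-filter>
//         <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
//       </intent-filter>
//     </receiver>
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

public class AdminReceiver extends DeviceAdminReceiver {

    @Override
    public void onEnabled(Context ctx, Intent intent) {
        applyPolicies(ctx); // the user just granted admin; push our policies now
    }

    @Override
    public CharSequence onDisableRequested(Context ctx, Intent intent) {
        return "Disabling device administration will remove the screen lock policy.";
    }

    public static ComponentName component(Context ctx) {
        return new ComponentName(ctx, AdminReceiver.class);
    }

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    /** The DevicePolicyManager.isAdminActive? check from the slide. */
    public static boolean isAdminActive(Context ctx) {
        return dpm(ctx).isAdminActive(component(ctx));
    }

    /** Intent to start (with startActivityForResult) so the user can activate the admin. */
    public static Intent requestAdminIntent(Context ctx) {
        Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, component(ctx));
        i.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
                "Needed to enforce a PIN, screen lock and device encryption.");
        return i;
    }

    /** Applies the policies declared in device_admin.xml; no-op until admin is active. */
    public static void applyPolicies(Context ctx) {
        DevicePolicyManager dpm = dpm(ctx);
        ComponentName admin = component(ctx);
        if (!dpm.isAdminActive(admin)) {
            return;
        }
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC); // passcode type
        dpm.setPasswordMinimumLength(admin, 6);                                      // complexity
        dpm.setMaximumTimeToLock(admin, 60 * 1000L);                                  // device lock
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);                              // device wipe
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            dpm.setStorageEncryption(admin, true);                                    // encryption, 3.0+
        }
    }

    public static void lockNow(Context ctx) {
        if (isAdminActive(ctx)) {
            dpm(ctx).lockNow();
        }
    }
}
```

Because policies from different admins combine towards the strictest setting, these calls never weaken a stronger policy another app has already set; and, as the slide notes, the app cannot be uninstalled while this admin is active, which is worth explaining to users in the EXTRA_ADD_EXPLANATION text.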

Misc tips
•  Validation
o  User input - SQL Injection
•  Anti tamper
o  Detect rooted device
o  Detect emulator
o  isDebuggable?
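The tamper-resistance slide and the anti-tamper tips above amount to a handful of run-time signals: does the signing certificate match the release one, was the app installed by the Play store, is the build debuggable, and does the environment look like an emulator or a rooted device. The following is an added example, not the author's code; the expected certificate fingerprint is a placeholder to be replaced with your own, and the emulator and root heuristics are deliberately simple:

```java
// Added example (not from the slides): local integrity signals. These are
// heuristics an attacker who repackages the app can also remove, which is why
// the slide pairs them with validation on a server or unlocker app.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.File;
import java.security.MessageDigest;

public final class TamperCheck {
    // Placeholder: replace with the SHA-1 fingerprint of your release signing
    // certificate (the same value keytool -list prints for the keystore).
    private static final String EXPECTED_CERT_SHA1 = "REPLACE_WITH_RELEASE_CERT_SHA1";
    private static final String PLAY_STORE_INSTALLER = "com.android.vending";

    /** True when the APK is signed with the expected release certificate. */
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                // Signature.toByteArray() is the DER certificate; hashing it gives
                // the certificate fingerprint.
                if (EXPECTED_CERT_SHA1.equalsIgnoreCase(sha1Hex(sig.toByteArray()))) {
                    return true;
                }
            }
        } catch (Exception e) {
            // Any failure to read our own package info is treated as a mismatch.
        }
        return false;
    }

    /** "Check installer is from Play store": null means side-loaded (e.g. via adb). */
    public static boolean installedFromPlayStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE_INSTALLER.equals(installer);
    }

    /** "isDebuggable?": release builds should never carry this flag. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Emulator heuristic based on the SDK system images' build properties. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || "sdk".equals(Build.PRODUCT)
                || "google_sdk".equals(Build.PRODUCT);
    }

    /** Rooted-device heuristic: a su binary on a standard path. */
    public static boolean looksRooted() {
        String[] paths = {"/system/bin/su", "/system/xbin/su", "/sbin/su"};
        for (String p : paths) {
            if (new File(p).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Combined verdict; callers decide how to respond (degrade, report, refuse). */
    public static boolean environmentTrusted(Context ctx) {
        return signatureMatches(ctx) && installedFromPlayStore(ctx)
                && !isDebuggable(ctx) && !looksLikeEmulator() && !looksRooted();
    }

    private static String sha1Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

A comparison against a string constant is easy to patch out, which is where the slide's "reflection based tamper checks" come in: calling these methods through reflection with obfuscated names makes the check harder to locate, and sending the fingerprint to the server for validation moves the decision off the device entirely.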

•  Web views
o  Disable JavaScript
o  Use https
o  Validate URLs
o  Restrict JavaScript interface
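The four WebView tips translate directly into a configuration helper. This is an added example, not code from the slides; the allow-listed host and the Bridge class are hypothetical:

```java
// Added example (not from the slides): a WebView with JavaScript off by default,
// https-only navigation restricted to an allow-list of hosts, and a JavaScript
// interface that exposes only annotated methods.
import android.annotation.SuppressLint;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class HardenedWebView {
    // Hypothetical allow-list of hosts this WebView may load.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("www.example.com"));

    /** Apply the restrictive defaults before the first loadUrl(). */
    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false); // disable JavaScript unless a page needs it
        settings.setAllowFileAccess(false);   // keep file:// URLs out of the view
        settings.setSavePassword(false);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true blocks the navigation; links leaving the allow-list
                // or dropping to http are not followed.
                return !isAllowed(url);
            }
        });
    }

    /** shouldOverrideUrlLoading is not called for loadUrl(), so validate there too. */
    public static boolean load(WebView webView, String url) {
        if (!isAllowed(url)) {
            return false;
        }
        webView.loadUrl(url);
        return true;
    }

    /** Validate URLs: https only, and only hosts on the allow-list. */
    static boolean isAllowed(String url) {
        try {
            URI u = new URI(url);
            return "https".equalsIgnoreCase(u.getScheme())
                    && u.getHost() != null
                    && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
        } catch (Exception e) {
            return false; // unparseable URL is never allowed
        }
    }

    /**
     * Restrict the JavaScript interface: with targetSdkVersion 17+ only methods
     * carrying @JavascriptInterface are reachable from page script.
     */
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed placeholder
        }

        public void wipeData() {
            // Not annotated: not callable from JavaScript on 4.2+.
        }
    }

    /** Only for pages that genuinely need script; keep the interface surface minimal. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void enableScriptedPage(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "app");
    }
}
```

The annotation requirement is the Jelly Bean change listed in the bonus slides; on devices below 4.2, or with a lower targetSdkVersion, every public method of the bridge object is reachable, so the object handed to addJavascriptInterface should contain nothing beyond what the page must call.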

Misc tips
•  Avoid unsecured components
o  Don't use SMS for sensitive data
o  Don't use SD card
o  Avoid sensitive data in public intents
o  Avoid sensitive data in sticky broadcasts
o  android:allowBackup="false"
•  GUID (Privacy concern)
o  Generate a large unique number
o  Don't use phone number or IMEI

Misc tips: development practices
•  Infrastructure
o  Code
o  Keystore and password
o  App store user credentials
   o  Enable 2 step authentication
   o  Grant access rather than share account details
•  Process
o  Educate developers: don't ignore the lint warnings
o  Audit / security code review

Summary
•  Go hack your own apps
•  Using https isn't enough: pin your certs
•  Encrypt app data
•  Proguard your apps
•  Android is getting more secure

@scottyab [email protected]

Q&A

Bonus Slides

Security features of Jelly Bean (Android 4.1 & 4.2)

Security enhancements in Jelly Bean

*Data collected during a 14-day period ending on March 4, 2013

Security enhancements in Jelly Bean
•  New implementation of SecureRandom
•  JavaScript Interface methods in WebViews must now be annotated (@JavascriptInterface)
•  Application verification
•  Content Provider default access has changed
•  Remote blacklisting of CAs
•  Secure USB debugging
•  Hidden developer options

Ref/More info...
•  Using Cryptography to Store Credentials Safely - http://android-developers.blogspot.co.uk/2013/02/using-cryptography-to-store-credentials.html
•  Security Enhancements in Jelly Bean - http://android-developers.blogspot.co.uk/2013/02/security-enhancements-in-jelly-bean.html
•  Security Tips - https://developer.android.com/training/articles/security-tips.html
•  42 tips on app security - https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobiledevelopment/
•  Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security - http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf

@scottyab [email protected]