Hardening your
Android App
Scott Alexander-Bown
Head of Android
Mubaloo
@scottyab
Me
• Scott Alexander-Bown
• Head of Android at Mubaloo
• Passionate about Android and mobile security
• Co-run SWmobile meetup group
• Follow me @scottyab
Favourite apps
It's not about...
Fear!
It's not about...
100%
Agenda
• Why?
  o Attacker motivations
  o Reverse engineering
• Hardening techniques
  o Android Permissions
  o Encryption and key management on Android
  o Using SSL better
  o Make it harder to pirate/repackage your app
  o Device Administration policies
  o Miscellaneous tips
Motivations for hacking an app
• Different ads
• Different market
• Extract assets or API keys
• Insert malware
• Software piracy
• Malware and security research
• Fun!
Reverse engineering an Android app
Apktool
• http://bit.ly/apktool
• Decode an apk:
  o apktool d myapp.apk
• Rebuild it:
  o apktool b myapp newmyapp.apk
Santoku Linux
• Linux ISO
• Pre-installed platform SDKs, drivers, and utilities
• Decompilation and disassembly tools
• Scripts to detect common issues in mobile applications
• Scripts to automate decrypting binaries, deploying apps, enumerating app details, and more
• https://santoku-linux.com/
*Disclaimer: I work for viaForensics as of Monday
Techniques for hardening
Protecting internal storage
Creating world-readable files is very dangerous
• Do
  o File creation mode: Context.MODE_PRIVATE
• Don't use
  o MODE_WORLD_READABLE
  o MODE_WORLD_WRITEABLE
  o (both deprecated in API level 17)
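The two halves of this slide in code, as an added example that is not from the talk: a helper that always writes with Context.MODE_PRIVATE, plus a one-off repair step for files an earlier release may have created world-readable. The file and directory layout is the app's own internal storage; nothing else is assumed.

```java
import android.content.Context;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/** Added example (not the talk's code): private internal storage and a fix-up for legacy files. */
public final class PrivateStorage {

    private PrivateStorage() {}

    /** Write a file into internal storage readable only by this app's uid. */
    public static void writePrivate(Context ctx, String name, byte[] data) throws IOException {
        // MODE_PRIVATE: owner-only permission bits. Never MODE_WORLD_READABLE /
        // MODE_WORLD_WRITEABLE (both deprecated in API 17), which let any app on the device read the file.
        FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE);
        try {
            out.write(data);
        } finally {
            out.close();
        }
    }

    /**
     * Earlier versions of an app may have created files with MODE_WORLD_READABLE.
     * Tighten every file in getFilesDir() to owner-only read/write; returns how many were changed.
     * Run once on first start of the hardened version.
     */
    public static int tightenExistingFiles(Context ctx) {
        File[] files = ctx.getFilesDir().listFiles();
        if (files == null) return 0;
        int changed = 0;
        for (File f : files) {
            // setReadable(false, false) clears the read bit for everybody,
            // setReadable(true, true) re-grants it to the owner only (same for write).
            boolean r = f.setReadable(false, false) && f.setReadable(true, true);
            boolean w = f.setWritable(false, false) && f.setWritable(true, true);
            if (r && w) changed++;
        }
        return changed;
    }
}
```

Files in getFilesDir() are already inside a directory owned by the app's uid, so the repair only matters for files whose mode bits were explicitly widened; it is cheap enough to run unconditionally.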
Permissions
• Are all the permissions required?
• Instead of
• Permission types (protection level)
  o Normal
  o Dangerous
  o Signature
Custom Permission example
• Declared custom permission
• Another app/component using the permission
Don't leak permissions
• Protect entry points (receivers, services, content providers)
• android:exported="false"
• Context.checkCallingPermission("android.permission.CAMERA")
• Context.enforceCallingPermission(...)
• Tip: LocalBroadcastManager for in-app notifications
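The custom-permission and "don't leak permissions" slides together, as an added example that is not from the talk. The permission name com.example.app.PERMISSION_SYNC, the service name SyncService and the broadcast action are hypothetical; the manifest fragment they need is in the header comment.

```java
import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.support.v4.content.LocalBroadcastManager;

/*
 * Added example (not the talk's code). Manifest declarations it assumes (hypothetical names):
 *
 *   <permission android:name="com.example.app.PERMISSION_SYNC"
 *               android:protectionLevel="signature" />
 *
 *   <service android:name=".SyncService"
 *            android:exported="true"
 *            android:permission="com.example.app.PERMISSION_SYNC" />
 *
 * protectionLevel="signature": only apps signed with the same certificate can hold the permission.
 * A component that never needs to be reached from another app should simply be android:exported="false".
 */
public class SyncService extends Service {
    static final String PERMISSION_SYNC = "com.example.app.PERMISSION_SYNC";
    static final String ACTION_SYNC_DONE = "com.example.app.SYNC_DONE";   // in-process notification only
    static final int TRANSACTION_SYNC = IBinder.FIRST_CALL_TRANSACTION;

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
            // This runs inside the remote client's IPC, so the "calling" uid is the other app.
            // (In onStartCommand/onReceive there is no caller IPC and checkCallingPermission always denies.)
            if (code == TRANSACTION_SYNC) {
                // Defence in depth: the manifest already guards the service; re-check per transaction.
                // Throws SecurityException if the calling uid does not hold the permission.
                enforceCallingPermission(PERMISSION_SYNC, "caller lacks " + PERMISSION_SYNC);
                runSync();
                if (reply != null) reply.writeNoException();
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    private void runSync() {
        // ... privileged work ...
        // Tell our own UI: a LocalBroadcastManager broadcast never leaves this process, so other
        // apps can neither receive it nor spoof it, and no broadcast permission is needed.
        LocalBroadcastManager.getInstance(this).sendBroadcast(new Intent(ACTION_SYNC_DONE));
    }
}
```

The UI side registers with LocalBroadcastManager.getInstance(context).registerReceiver(receiver, new IntentFilter(ACTION_SYNC_DONE)) instead of Context.registerReceiver, which is what keeps the notification off the system-wide broadcast bus.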
Encryption: 3rd party libs
• SQLCipher
  o 256-bit AES encryption of SQLite databases
  o http://sqlcipher.net/sqlcipher-for-android
• Keyczar - open source cryptographic toolkit
  o http://www.keyczar.org
  o https://github.com/kruton/android-keyczar-demo
• IOCipher - virtual encrypted disk
  o Clone of java.io
  o https://guardianproject.info/code/iocipher
Encryption: Key management
Two 'ideal world' solutions
• Don't store the key on the device
• Use a system service (such as KeyChain)
• Tip: Minimise the time keys spend in RAM (null them after use)
Encryption: Generate random key
• Note: New implementation of SecureRandom in Android 4.2
Password based encryption (PBE)
• Use a key derivation algorithm: PBKDF2
• (Secure)random salt and iteration count
• Tip: Ensure the derivation takes more than 100ms
• Code for what to do and what not to do: https://github.com/nelenkov/android-pbe
Password based encryption (PBE)
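The random-key and PBE slides carried through in code, as an added example that is not the talk's code and not the nelenkov/android-pbe sample: SecureRandom for keys and salts, PBKDF2 with a calibrated iteration count so derivation stays above the 100ms the slide asks for, and zeroing of intermediate key material. The 256-bit key size, 16-byte salt and AES/CBC choice are my assumptions.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not the talk's code): random keys, PBKDF2 derivation and AES/CBC with a random IV. */
public final class PbeExample {
    private static final int KEY_BITS = 256;            // assumption: AES-256
    private static final int SALT_BYTES = 16;           // assumption
    private static final int MIN_DERIVATION_MS = 100;   // the slide's "> 100ms" tip
    private static final SecureRandom RNG = new SecureRandom();

    private PbeExample() {}

    /** A fresh random key for data that never has to be re-derived from a password. */
    public static byte[] randomKey() {
        byte[] key = new byte[KEY_BITS / 8];
        RNG.nextBytes(key);
        return key;
    }

    /** Per-password random salt; store it next to the ciphertext, it is not secret. */
    public static byte[] randomSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    /** PBKDF2-HMAC-SHA1 (the PBKDF2 variant the platform exposes) -> AES key. */
    public static SecretKey deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            byte[] raw = f.generateSecret(spec).getEncoded();
            SecretKey key = new SecretKeySpec(raw, "AES");   // SecretKeySpec copies the bytes...
            Arrays.fill(raw, (byte) 0);                      // ...so wipe our copy (minimise key time in RAM)
            return key;
        } finally {
            spec.clearPassword();                            // zero the password chars held by the spec
        }
    }

    /** Double the iteration count until one derivation takes at least MIN_DERIVATION_MS on this device. */
    public static int calibrateIterations(char[] password, byte[] salt) throws Exception {
        int iterations = 1000;
        while (true) {
            long start = System.nanoTime();
            deriveKey(password, salt, iterations);
            long ms = (System.nanoTime() - start) / 1000000L;
            if (ms >= MIN_DERIVATION_MS) return iterations;  // store this with the salt
            iterations *= 2;
        }
    }

    /** AES/CBC/PKCS5 with a random IV; output layout is IV || ciphertext. */
    public static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);                                   // never reuse an IV with the same key
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, 0, 16));
        return c.doFinal(blob, 16, blob.length - 16);
    }
}
```

Salt and iteration count are stored alongside the ciphertext and re-read at decryption time; only the password is secret. CBC on its own gives confidentiality, not integrity, so in a real app add an HMAC over IV || ciphertext (encrypt-then-MAC, separate key) and verify it before decrypting.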
Encryption: no-no's
• Store encryption keys in the app
• Log/debug statements with encryption keys
• Rely on OS encryption
• Write your own encryption algorithms
SSL
• Use HTTPS by default
• What about Man in the middle (MITM) attacks?
  o Trusting all certificates
  o Compromised CA
SSL Tips
• Pay attention to security exceptions
• Verify the certificate issuing hostname
• SSL Pinning (public key pinning)
  o Android pinning - https://github.com/moxie0/AndroidPinning
  o Android 4.2 - X509TrustManagerExtensions
SSL: wipe the slate clean
• Don't use a CA!
• Server side
  o Create your own 4096-bit signing certificate (keep offline)
  o Sign your certs for the web services
• Client/app
  o Include the signing cert (in a keystore)
  o Validate against it
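The client half of "wipe the slate clean" plus the public-key pinning tip, as an added example that is not the talk's code and not the AndroidPinning library: a trust store built from a bundled BKS keystore containing only your own signing CA, wrapped in a trust manager that also pins the SHA-256 of the server's SubjectPublicKeyInfo. The resource name R.raw.truststore, its password and the pin value are placeholders you would replace.

```java
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not the talk's code): trust only the bundled CA and pin the server public key. */
public final class PrivateCaTrust {
    // PLACEHOLDER: SHA-256 over the DER SubjectPublicKeyInfo of your server certificate's key.
    private static final byte[] EXPECTED_SPKI_SHA256 = new byte[32];
    private static final String TRUSTSTORE_PASSWORD = "changeit"; // BKS needs a password; it guards integrity, not secrecy

    private PrivateCaTrust() {}

    public static SSLContext build(Context ctx) throws Exception {
        KeyStore ks = KeyStore.getInstance("BKS");
        InputStream in = ctx.getResources().openRawResource(R.raw.truststore); // hypothetical res/raw/truststore.bks
        try {
            ks.load(in, TRUSTSTORE_PASSWORD.toCharArray());
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);   // system CA store is NOT consulted: only chains ending at the bundled CA validate
        X509TrustManager base = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { base = (X509TrustManager) tm; break; }
        }
        if (base == null) throw new IllegalStateException("no X509TrustManager available");
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { new PinningTrustManager(base) }, null);
        return sc;
    }

    /** Delegates chain validation to the CA-restricted manager, then pins the leaf public key. */
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        PinningTrustManager(X509TrustManager d) { delegate = d; }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkServerTrusted(chain, authType);     // never skip this: it is what a trust-all manager drops
            try {
                // chain[0] is the server's own certificate; getEncoded() on its key is the SPKI DER
                byte[] spki = MessageDigest.getInstance("SHA-256").digest(chain[0].getPublicKey().getEncoded());
                if (!Arrays.equals(spki, EXPECTED_SPKI_SHA256)) {
                    throw new CertificateException("server public key does not match pin");
                }
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Open an HTTPS connection that uses the restricted trust store; default hostname checking stays on. */
    public static HttpsURLConnection open(Context ctx, String httpsUrl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.setSSLSocketFactory(build(ctx).getSocketFactory());
        // Do not install a permissive HostnameVerifier: the default one compares the certificate's
        // name to the URL host, which is the "verify the hostname" tip on the previous slide.
        return conn;
    }
}
```

Pinning the leaf key means a server key rotation needs an app update; pinning the bundled CA's key instead (or shipping a backup pin) avoids that, at the cost of trusting any certificate that CA ever signs. Either way the SSLContext is cached and reused; building it per request re-parses the keystore.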
Make your app harder to pirate
• Google License Verification Library (LVL)
  o Modify LVL source as much as possible
  o com.android.vending.licensing.*
  o Focus on the core of the LVL logic: LicenseChecker and LicenseValidator
• Offload license validation to a trusted server
Tamper resistance
• Checksum of the app code with validation check on server or unlocker app
• Reflection based tamper checks
• Check installer is from Play Store
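Two of the tamper-resistance bullets in code, as an added example that is not the talk's code: the signing certificate of the running APK is hashed and compared with the release certificate (a repackaged APK is necessarily re-signed with a different key), and the installer package is checked against Google Play. The expected digest is a placeholder; the debuggable-flag check is my addition, since a repackaged build often leaves it on.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.util.Arrays;

/** Added example (not the talk's code): cheap in-app tamper signals to feed into server-side validation. */
public final class TamperChecks {
    // PLACEHOLDER: SHA-256 of your release signing certificate (DER), e.g. from keytool -printcert.
    private static final byte[] RELEASE_CERT_SHA256 = new byte[32];
    private static final String PLAY_STORE_INSTALLER = "com.android.vending";

    private TamperChecks() {}

    /** True when the running APK is signed with the expected release certificate. */
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
                if (Arrays.equals(digest, RELEASE_CERT_SHA256)) return true;
            }
            return false;
        } catch (Exception e) {
            return false;   // any failure counts as a mismatch
        }
    }

    /** True when Google Play recorded itself as installer; null means sideloaded (adb, file manager). */
    public static boolean installedFromPlay(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE_INSTALLER.equals(installer);
    }

    /** True when android:debuggable is set on the running build. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Compact report to send with a license/unlock request so the server, not the APK, decides. */
    public static String report(Context ctx) {
        return "sig=" + signatureMatches(ctx)
                + ";play=" + installedFromPlay(ctx)
                + ";debug=" + isDebuggable(ctx);
    }
}
```

These checks run inside the very APK a repackager controls, so on their own they are a speed bump, not a guarantee; the slide's point about validating on a server or unlocker app is what gives them teeth, because the server can refuse service to a report it does not like and the comparison itself is not in the attacker's hands.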
Obfuscation: ProGuard
• ProGuard has been around for 10+ years
• Project properties file: uncomment #proguard.config=
• Only applied when building release versions
• Entry points should be excluded:
  -keep public class * extends android.app.Activity
• Most popular 3rd party libs/jars come with a ProGuard config
• Bonus: ~50% reduction in .apk size
Obfuscation: DexGuard
• Optimise and obfuscate, tuned for the Android platform / Dalvik bytecode
• Encrypt strings
• Encrypt entire classes
• Hide access to sensitive APIs
• Add tamper detection
• Thoroughly remove Android logging code
• More info: http://www.saikoa.com/
Remove logging using ProGuard
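What this slide's missing code would show, as an added example that is not the talk's: a logging wrapper gated on BuildConfig.DEBUG, with the ProGuard -assumenosideeffects rules (in the header comment) that strip the calls from release builds so the arguments, which may be keys or tokens, never reach logcat or the dex. The package name com.example.app and class name AppLog are hypothetical.

```java
import android.util.Log;

/*
 * Added example (not the talk's code).
 *
 * Layer 1: the BuildConfig.DEBUG gate below keeps release builds quiet, but the call sites and the
 *          strings they build still exist in the release dex.
 * Layer 2: ProGuard removes the calls themselves. Rules for proguard-project.txt:
 *
 *   -assumenosideeffects class android.util.Log {
 *       public static *** v(...);
 *       public static *** d(...);
 *       public static *** i(...);
 *       public static *** w(...);
 *       public static *** e(...);
 *   }
 *   -assumenosideeffects class com.example.app.AppLog {   # hypothetical package/class
 *       public static *** d(...);
 *       public static *** sensitive(...);
 *   }
 *
 * -assumenosideeffects only works with optimisation enabled: the SDK's proguard-android.txt
 * contains -dontoptimize, so point proguard.config at proguard-android-optimize.txt instead.
 */
public final class AppLog {
    private static final String TAG = "MyApp";

    private AppLog() {}

    public static void d(String msg) {
        if (BuildConfig.DEBUG) Log.d(TAG, msg);
    }

    /** For values that must never appear in production logs (keys, tokens, personal data). */
    public static void sensitive(String label, Object value) {
        if (BuildConfig.DEBUG) Log.d(TAG, label + "=" + value);
    }
}
```

After a release build, confirm with the decompiled output (the apktool step from earlier) that no Log.d or AppLog calls remain; with optimisation on, ProGuard usually drops the now-unused string concatenation feeding them as well.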
Device Management Policies
• Since Android 2.2
• Enforce
  o Device lock
  o Passcode type (PIN, pattern)
  o Password complexity
  o Device encryption (3.0+)
  o Device wipe
• New policies are added in each release
• Policies set by different apps can only change policies to make them stronger
• Cannot uninstall an app while its device admin is still active
Device Management Policies
• Define a policy as an XML resource
• Reference it in the manifest
• Create a Device Administration broadcast receiver
• Implement a Device Policy Controller
  o DevicePolicyManager.isAdminActive?
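The four steps of the slide worked through once, as an added example that is not the talk's code: the policy XML and manifest entry are in the header comment, the DeviceAdminReceiver subclass is the broadcast receiver, and enforce() is the controller that checks isAdminActive before touching any policy. The receiver name PolicyReceiver, the resource name device_admin.xml and the concrete values (8-character alphanumeric, 5-minute lock, 10 failed attempts) are my assumptions.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

/*
 * Added example (not the talk's code).
 *
 * res/xml/device_admin.xml (hypothetical file name):
 *   <device-admin xmlns:android="http://schemas.android.com/apk/res/android">
 *     <uses-policies>
 *       <limit-password />
 *       <watch-login />
 *       <force-lock />
 *       <wipe-data />
 *       <encrypted-storage />
 *     </uses-policies>
 *   </device-admin>
 *
 * AndroidManifest.xml:
 *   <receiver android:name=".PolicyReceiver"
 *             android:permission="android.permission.BIND_DEVICE_ADMIN">
 *     <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin" />
 *     <intent-filter>
 *       <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
 *     </intent-filter>
 *   </receiver>
 */
public class PolicyReceiver extends DeviceAdminReceiver {

    @Override
    public void onEnabled(Context ctx, Intent intent) {
        enforce(ctx);   // apply the policy the moment the user activates the admin
    }

    public static ComponentName component(Context ctx) {
        return new ComponentName(ctx, PolicyReceiver.class);
    }

    /** Intent that asks the user to activate this app as a device admin; nothing can be set before that. */
    public static Intent activationIntent(Context ctx) {
        Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, component(ctx));
        i.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION, "Required to protect company data on this device.");
        return i;
    }

    /** Apply the policy; returns false if the admin is not active (setters would throw SecurityException). */
    public static boolean enforce(Context ctx) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = component(ctx);
        if (!dpm.isAdminActive(admin)) return false;

        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC); // passcode type
        dpm.setPasswordMinimumLength(admin, 8);                                          // complexity
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);                                // device lock
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);                                // device wipe

        // Storage encryption policy exists from API 11 (Android 3.0), matching the slide's "3.0+".
        if (Build.VERSION.SDK_INT >= 11
                && dpm.getStorageEncryptionStatus() != DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            dpm.setStorageEncryption(admin, true);
        }

        // Other admins can only have made these stricter, so if the current password still falls
        // short, send the user to the system screen to set a compliant one.
        if (!dpm.isActivePasswordSufficient()) {
            Intent i = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
            i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            ctx.startActivity(i);
        }
        return true;
    }
}
```

Each setter requires the matching tag under uses-policies (setMaximumFailedPasswordsForWipe needs both watch-login and wipe-data); a missing one surfaces as a SecurityException at the call, which is why the XML and the controller have to be kept in step.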
Misc tips
Validation
• User input - SQL injection
Anti tamper
• Detect rooted device
• Detect emulator
• isDebuggable?
Web views
• Disable JavaScript
• Use HTTPS
• Validate URLs
• Restrict JavaScript interface
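The "User input - SQL injection" bullet made concrete, as an added example that is not the talk's code: a concatenating query beside its parameterised replacement on SQLiteDatabase, plus the one case bind parameters cannot cover, a caller-chosen column name. The notes table and its columns are hypothetical.

```java
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

/** Added example (not the talk's code): user input reaches SQL only as bound parameters. */
public final class NotesDao {
    private final SQLiteDatabase db;

    public NotesDao(SQLiteDatabase db) { this.db = db; }

    /**
     * VULNERABLE, shown for contrast only. A single quote inside title closes the string literal and
     * whatever follows is parsed as SQL, so the caller controls the WHERE clause.
     */
    public Cursor findByTitleUnsafe(String title) {
        return db.rawQuery("SELECT _id, title, body FROM notes WHERE title = '" + title + "'", null);
    }

    /** SAFE: the value travels as a bound parameter and cannot alter the statement's structure. */
    public Cursor findByTitle(String title) {
        return db.query("notes", new String[] { "_id", "title", "body" },
                "title = ?", new String[] { title }, null, null, "title ASC");
    }

    /** Writes: ContentValues binds the values; still validate against what the schema allows. */
    public long insert(String title, String body) {
        if (title == null || title.length() > 200) throw new IllegalArgumentException("bad title");
        ContentValues cv = new ContentValues();
        cv.put("title", title);
        cv.put("body", body);
        return db.insert("notes", null, cv);
    }

    /** Identifiers cannot be bound, so a caller-chosen sort column is whitelisted, never interpolated. */
    public Cursor sortedBy(String column) {
        String orderBy = ("title".equals(column) || "created".equals(column)) ? column + " ASC" : "_id ASC";
        return db.query("notes", null, null, null, null, null, orderBy);
    }
}
```

The same rule applies to a ContentProvider you export: the selection and selectionArgs handed to query() come from another app, so pass them straight to SQLiteQueryBuilder/db.query rather than building a rawQuery string from them.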
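The four Web view bullets in one configuration, as an added example that is not the talk's code: JavaScript off unless needed, only https URLs to the host you own, and a JavaScript bridge that exposes a single @JavascriptInterface method. The host app.example.com and the Bridge class are hypothetical.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Added example (not the talk's code): a WebView locked to one https origin with a minimal JS bridge. */
public final class HardenedWebView {
    private static final String ALLOWED_HOST = "app.example.com";   // hypothetical

    private HardenedWebView() {}

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView wv, boolean needsJs) {
        wv.getSettings().setJavaScriptEnabled(needsJs);     // "Disable JavaScript": off unless the page needs it
        wv.getSettings().setAllowFileAccess(false);         // page content gets no file:// access
        wv.getSettings().setSavePassword(false);            // don't let the WebView cache form passwords
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // "Use HTTPS" + "Validate URLs": returning true swallows the navigation.
                return !isAllowed(url);
            }
        });
        if (needsJs) {
            // "Restrict JavaScript interface": from API 17 (Jelly Bean 4.2, targetSdkVersion >= 17)
            // only methods annotated @JavascriptInterface are callable from page script.
            wv.addJavascriptInterface(new Bridge(), "Android");
        }
    }

    /** Accepts https to our host only; rejects http, javascript:, file: and every other host. */
    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && ALLOWED_HOST.equalsIgnoreCase(u.getHost());
    }

    /** Before 4.2 every public method of an injected object was reachable from page JavaScript. */
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }

        // Not annotated: invisible to page script on API 17+ when targetSdkVersion >= 17.
        public void internalOnly() { }
    }
}
```

Call configure() before loadUrl(), and load the initial URL through isAllowed() as well; shouldOverrideUrlLoading only sees navigations the page initiates, not the first load.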
Misc tips: Avoid unsecured components
• Don't use SMS for sensitive data
• Don't use the SD card
• Avoid sensitive data in public intents
• Avoid sensitive data in sticky broadcasts
• android:allowBackup="false"
GUID (Privacy concern)
• Generate a large unique number
• Don't use the phone number or IMEI
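The GUID bullet as code, an added example that is not the talk's: a random UUID generated once and kept in a MODE_PRIVATE SharedPreferences file, which identifies an install without touching the IMEI, phone number or any other permission-gated hardware identifier. The preferences file and key names are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;
import java.util.UUID;

/** Added example (not the talk's code): an app-scoped install identifier instead of IMEI/phone number. */
public final class InstallId {
    private static final String PREFS = "install_id";   // hypothetical
    private static final String KEY = "id";             // hypothetical

    private InstallId() {}

    /** Returns the same id for the life of this install; a new one after uninstall or "clear data". */
    public static synchronized String get(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String id = prefs.getString(KEY, null);
        if (id == null) {
            // 122 random bits from the platform SecureRandom: effectively unique, no personal data,
            // and no READ_PHONE_STATE permission needed.
            id = UUID.randomUUID().toString();
            prefs.edit().putString(KEY, id).commit();
        }
        return id;
    }
}
```

Because the value lives in app data, the user can reset it by clearing the app, which is exactly the property an IMEI lacks; with android:allowBackup="false" (previous slide) it also does not follow the user to a new device through backup restore.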
Misc tips: development practices
Infrastructure
• Code
• Keystore and password
• App store user credentials
  o Enable 2-step authentication
  o Grant access rather than share account details
Process
• Educate developers
  o Don't ignore the lint warnings
• Audit / security code review
Summary
• Go hack your own apps
• Using HTTPS isn't enough, pin your certs
• Encrypt app data
• ProGuard your apps
• Android is getting more secure
@scottyab
[email protected]
Q&A
Bonus Slides
Security features of Jelly Bean (Android 4.1 & 4.2)
Security enhancements in Jelly Bean
*Data collected during a 14-day period ending on March 4, 2013
Security enhancements in Jelly Bean
• New implementation of SecureRandom
• JavaScript interface methods in WebViews must now be annotated (@JavascriptInterface)
• Application verification
Security enhancements in Jelly Bean
• Content Provider default access has changed
• Remote blacklisting of CAs
• Secure USB debugging
• Hidden developer options
Ref/More info...
• Using Cryptography to Store Credentials Safely
  http://android-developers.blogspot.co.uk/2013/02/using-cryptography-to-store-credentials.html
• Security Enhancements in Jelly Bean
  http://android-developers.blogspot.co.uk/2013/02/security-enhancements-in-jelly-bean.html
• Security Tips
  https://developer.android.com/training/articles/security-tips.html
• 42 tips on app security
  https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobiledevelopment/
• Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
  http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
@scottyab
[email protected]