Post on 21-Jan-2018
SECURITY IN ANDROID APPLICATION
22/04/2016, Alexander Smirnov
WhoAmI
- 3+ years Android dev
- 6+ years commercial dev
- 1 year bank app dev
- BlackHat friends since 2007
- DC7499 member
Why?
Agenda
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence
- Appendix
Security • I • Android Security Model
Application Isolation
- isolate CPU, RAM, devices, and files in a private directory
- every app runs in its own process
- every app has its own UserID and GroupID
- every app runs in its own instance of the Dalvik VM
Zygote
- Is the parent of all App processes
- COW (Copy On Write) strategy
- /dev/socket/zygote
[Diagram: Zygote fork()s App 1, App 2 and App 3; each "start new App" request is served by a fork()]
Permissions
- Before M
- After M
- Custom permissions
- Protection level
Android Security Overview
- Protect user data
- Protect system resources
- Provide application isolation
Security • II • Android Security Model: Reality
Root
TRIADA
Security • III • Vulnerabilities
Data Storage
- Memory cache
- DB + SQLCipher
- SharedPreference + MODE_PRIVATE + Cipher
- 21+ setStorageEncryption for local files
- KeyStore
Transport
- MITM has you
- Check network: why?
- Diffie–Hellman key exchange
- Certificate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2)
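An added example (not the talk's code) of the "Certificate Pinning" point using the OkHttp 3 `CertificatePinner` API. The host `api.example.com` and both pin values are placeholders; a real pin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo, which `pinOf` computes in OkHttp's own format.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedClient {
    // Placeholders: replace with the API host and the pins of its leaf or intermediate key.
    static final String HOST = "api.example.com";
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    // A client that refuses any TLS chain for HOST that matches none of the pins,
    // so a MITM proxy with a user-installed CA certificate is rejected.
    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PRIMARY_PIN)
                .add(HOST, BACKUP_PIN) // second pin so a planned key rotation does not lock users out
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // Returns the response body; throws javax.net.ssl.SSLPeerUnverifiedException
    // (a subclass of IOException) when pinning fails.
    static String fetch(OkHttpClient client, String url) throws IOException {
        Request req = new Request.Builder().url(url).build();
        try (Response resp = client.newCall(req).execute()) {
            return resp.body().string();
        }
    }

    // Computes the "sha256/..." pin string for a certificate obtained out of band
    // (for example from the server's chain on a trusted network during development).
    static String pinOf(Certificate cert) {
        return CertificatePinner.pin(cert);
    }
}
```

Pinning the intermediate CA key rather than the leaf key survives routine leaf renewals; whichever key is pinned, ship a backup pin and plan the rotation before it is needed.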
Intent
- Use explicit intents
- Validate input
- Manifest: a component with an intent-filter is exported by default (exported="true")
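An added example (not the talk's code) of all three Intent points: the sender uses an explicit intent (or restricts a broadcast to its own package), and the receiving activity validates every extra before using it. `PaymentActivity`, the extra key and the amount limit are hypothetical names chosen for the example; in the manifest the activity would additionally be declared with `android:exported="false"` unless another app must be able to start it.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;

public class PaymentActivity extends Activity {
    // Hypothetical extra key and limit, in minor currency units.
    static final String EXTRA_AMOUNT_CENTS = "com.example.bank.EXTRA_AMOUNT_CENTS";
    static final long MAX_AMOUNT_CENTS = 10_000_000L;

    // Sender side: an explicit intent names the component, so no other app that
    // registered a matching intent-filter can intercept the extras.
    static Intent createIntent(Context ctx, long amountCents) {
        Intent i = new Intent(ctx, PaymentActivity.class);
        i.putExtra(EXTRA_AMOUNT_CENTS, amountCents);
        return i;
    }

    // For a broadcast that must stay inside the app, restrict it to our own package
    // instead of trusting receivers to filter by action string.
    static Intent localBroadcast(Context ctx, String action) {
        Intent i = new Intent(action);
        i.setPackage(ctx.getPackageName());
        return i;
    }

    // Receiver side: true only when the incoming extras pass validation. A missing
    // extra, or one of the wrong type (getLongExtra then returns the default -1),
    // or an out-of-range amount is rejected. Kept pure so it can be unit-tested.
    static boolean isValidPaymentIntent(Intent in) {
        if (in == null || !in.hasExtra(EXTRA_AMOUNT_CENTS)) return false;
        long amount = in.getLongExtra(EXTRA_AMOUNT_CENTS, -1);
        return amount > 0 && amount <= MAX_AMOUNT_CENTS;
    }

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        // Any exported component must treat getIntent() as untrusted input.
        if (!isValidPaymentIntent(getIntent())) {
            finish();
            return;
        }
        long amountCents = getIntent().getLongExtra(EXTRA_AMOUNT_CENTS, -1);
        // ... continue with the validated amount
    }
}
```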
2FA: SMS
- Secure PUSH
- Mobile application
- SIM applets
- DCV (Dynamic Code Verification)
Insecure Device
- Custom keyboard
- Secure persistent datastore
- No EditText
- No immutables for secrets (String -> char[])
- Notify if root
Reverse Protection
- Check debug
- Verify signature
- Emulator check
- Obfuscation
- JNI
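An added example (not the talk's code) covering the "Notify if root" and "String -> char[]" points of the Insecure Device slide together with "Check debug", "Verify signature" and "Emulator check" from the Reverse Protection slide. `EXPECTED_CERT_SHA256` is a placeholder for the base64 SHA-256 of the release signing certificate, computed once at build time; the su paths and build-property heuristics are the commonly checked ones and are not exhaustive.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import android.util.Base64;
import java.io.File;
import java.security.MessageDigest;
import java.util.Arrays;

public final class IntegrityChecks {
    // Placeholder: base64 SHA-256 of the DER-encoded release signing certificate.
    static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256_BASE64";

    // "Check debug": the build is debuggable, or a debugger is attached right now.
    static boolean isDebugging(Context ctx) {
        boolean debuggableBuild =
                (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return debuggableBuild || Debug.isDebuggerConnected();
    }

    // "Verify signature": every signing certificate on the installed APK must match the
    // expected one, which catches a repackaged (re-signed) build.
    static boolean isSignedWithExpectedCert(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (pi.signatures == null || pi.signatures.length == 0) return false;
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : pi.signatures) {
                String fp = Base64.encodeToString(sha256.digest(sig.toByteArray()), Base64.NO_WRAP);
                if (!EXPECTED_CERT_SHA256.equals(fp)) return false;
            }
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    // "Emulator check": build-property heuristics that flag the stock SDK images.
    static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")
                || Build.MODEL.contains("Android SDK built for");
    }

    // "Notify if root": a su binary in one of the usual locations. Root can hide this,
    // so it is a signal for notifying the user, not a security boundary.
    static boolean hasSuBinary() {
        String[] paths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/vendor/bin/su"};
        for (String p : paths) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    // "String -> char[]": secret material kept in a char[] can be cleared after use,
    // which an immutable String cannot.
    static void wipe(char[] secret) {
        Arrays.fill(secret, '\0');
    }
}
```

All of these checks run inside the app and can be patched out by whoever controls the APK, which is why the slide pairs them with obfuscation and JNI: they raise the cost of tampering rather than prevent it.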
Security • IV • One more sentence
One more sentence
- Convenience vs Security
- Socialization & Tools
- Layered Security
- Better than others
- OWASP Top 10 Mobile Risks
Security • V • Appendix
Additional Information
- Cyber Risk Report: bit.ly/1MuoIDS
- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv
- DefCon Groups List: bit.ly/1JQlNgC
- Triada Malware: bit.ly/1qvyFqY
- Obfuscation tools list: bit.ly/1XiHf6Z
- Security Official Docs: bit.ly/1qvw1BK
- Diffie–Hellman Video: bit.ly/23jV7Se
- Tools for SA and Hacking: bit.ly/1qvxpUM
Result
- Android Security Model
- Reality
- Vulnerabilities
- One more sentence