Apps, APIs, third party services (Droidcon)

Post on 12-May-2015


In this talk I talked about my experiences with Android security when it comes to storing secrets in apps on the device. It uses OAuth as an example but contains practical hints on how to store any secret securely. Presented at DroidconNL in Amsterdam, November 23 2011.

Transcript of Apps, apis, third party services (Droidcon)

http://www.egeniq.com info@egeniq.com

@egeniq

Droidcon, 23 November 2011
Ivo Jansch - @ijansch

Apps, APIs and third party services: A Love Triangle

About Me

‣ @ijansch
‣ Developer
‣ Author
‣ Entreprenerd
‣ iOS/Java/PHP

About Egeniq

Startup, Mobile, Tech, Knowledge, Geeks, Development

Tiqr - Learning about Android Security

[Figure: Tiqr authentication flow, steps 1 to 6]

http://www.tiqr.org

The Use Case

[Diagram: Android App, API, Third Party Service]

Timeline

OAuth

[Diagram: Your Android Application and Twitter]

OAuth

[Diagram: OAuth Consumer and OAuth Provider]

Why do you need to protect keys?

[Diagram: OAuth Provider]

The Android Security Model

Sandboxing

‣ Apps only have access to their own data
‣ Access is based on Linux user ID
‣ Further protected by application signature

Storage + Secure Storage

‣ USB Storage
• External storage, sharable between apps

‣ Device Storage
• Apps have their own location, within sandbox

‣ Secure Storage
• Java KeyStores with strong encryption algorithms
• Unfortunately no hardware encrypted storage like iPhone

The Main Problem

‣ How can I securely store secrets?
• Is sandboxing a solution? -> Not when device is rooted
• Is device storage a solution? -> Not when device is rooted
• Is encryption a solution?
‣ Yes, but where do you store your encryption keys?

It’s a common question

Stack Overflow search for ‘store secrets android’:

With common answers

- Huh?
- Don’t store secrets
- Don’t use OAuth
- Obfuscate
- Encrypt

Know what? I’ll just use a library

Scribe

https://github.com/fernandezpablo85/scribe-java

A Couple Of Solutions

Option 1 - Obfuscation

Option 2 - Encryption

Option 3 - Using the KeyStore

Option 4 - Retrieve key from API

[Diagram: Android App, OAuth Provider, Your API, ?]

Option 5 - Transparent Proxy

[Diagram: Android App, Proxy, OAuth Provider]
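The transparent proxy of Option 5, as an added example that is not part of the talk: the Android app never holds the OAuth consumer secret; the proxy holds it and produces the OAuth 1.0a HMAC-SHA1 signature (the scheme Twitter used at the time of the talk) before forwarding the request to the provider. Credentials, URLs, parameter names and the fixed nonce/timestamp are constructed for the example; a provider-side check is included to show the round trip.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample credentials (not real). The consumer secret exists only in
# the proxy process; the APK that ships to devices never contains it.
CONSUMER_KEY = "example-consumer-key"
PROXY_ONLY_CONSUMER_SECRET = "example-consumer-secret-never-in-the-apk"

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay as they are.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Parameters are percent-encoded, sorted by key then value, joined with '&'.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def app_build_request(method, url, params, oauth_token):
    # Device side: the Android app hands the proxy an unsigned request. It
    # carries the user's access token but never the consumer secret.
    return {"method": method, "url": url, "params": dict(params), "oauth_token": oauth_token}

def proxy_sign(request, token_secret, nonce, timestamp):
    # Proxy side: add the OAuth protocol parameters and sign with the secret
    # it holds; the result becomes the Authorization header sent to the provider.
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": request["oauth_token"],
        "oauth_version": "1.0",
    }
    base = signature_base_string(request["method"], request["url"], {**request["params"], **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, PROXY_ONLY_CONSUMER_SECRET, token_secret)
    return oauth

def provider_verify(method, url, params, oauth, consumer_secret, token_secret):
    # Provider side: recompute the signature and compare it in constant time.
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, {**params, **unsigned})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth["oauth_signature"])
```

Compromising a rooted device yields at most the user's access token, which the provider can revoke, while the consumer secret stays on the proxy where it can be rotated without shipping a new APK.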

Conclusion

It’s all about awareness

Recommended Reading

‣ Authors:
• Himanshu Dwivedi
• Chris Clark
• David Thiel

‣ Covers:
• Android
• Apple
• WinMo

Thank you! Questions?

http://www.egeniq.com info@egeniq.com

@egeniq

http://www.egeniq.com ivo@egeniq.com

@ijansch

Credits

‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/

‣ ‘Locker (KHS up close)’ by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/

‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/