The Android security jungle: pitfalls, threats and survival tips

Post on 26-May-2020



The Android security jungle: pitfalls, threats and survival tips

Scott Alexander-Bown

@scottyab

The Jungle

• Ecosystem

• Google’s protection

• Threats

• Risks

Survival

• Network

• Data protection (encryption)

• App/device integrity

• App binary security

• Testing

Scott Alexander-Bown

• Lead Android Dev (remote) at Intohand

• Co-Author - Android Security Cookbook

• Co-Founder of SWmobile

1.4 Billion users

OpenSignals.com

Security Services

• Google Play

• Approval process (human approval since 2015)

• Developer security notifications

• Android Bouncer

• Android device manager (Device security)

• SafetyNet (intrusion detection)

• Android at Work

Slide from Adrian Ludwig’s Android Security State of the Union

Newer versions of Android are more secure

1.5: stack buffer and integer overflow protection

2.3+: null pointer dereference mitigation, NX

4.0+: ASLR

4.1+: ASLR strengthened

4.3: Security-Enhanced Linux

5.0: Security-Enhanced Linux - enforcing

Updatable WebView (via the Play Store)

Threats

Threats: App Hijacking

• Taking an app and adding malware

• Concerns

• Reversing Android apps is easy

• No need for a certificate authority

• Sideload

“I ain’t got time to (heart)bleed”

OWASP

• Mobile Security Project

• iOS and Android

• Top 10 risks

• attack vectors

• threat agents

• impacts

OWASP top 10 risks

• M1: Weak Server Side Controls

• M2: Insecure Data Storage

• M3: Insufficient Transport Layer Protection

• M4: Unintended Data Leakage

• M5: Poor Authorization and Authentication

• M6: Broken Cryptography

• M7: Client Side Injection

• M8: Security Decisions Via Untrusted Inputs

• M9: Improper Session Handling

• M10: Lack of Binary Protections

Survival kit

Survival tips

1. Harden the network communications

2. Protect stored data (encryption)

3. Validate the device and app integrity

4. Increase binary security

Network communications

• Use SSL / TLS!

• Use the platform SSL/TLS validation (i.e. don’t disable it!)

• Use only strong cipher suites (128bit+) and TLS versions (TLS v1.2)

• OkHttp 2.1 - https://publicobject.com/2014/11/12/okhttp-2-1/

Looks like you’re not using SSL pinning?

• Devices ship with 100+ Certificate Authorities (CAs) and users can install their own

• Pinning limits the trusted root CAs

• Two types

• Certificate pinning

• Public Key pinning

Public key pinning
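The network slides above (strong TLS versions, platform validation kept on, public key pinning with OkHttp) as one added example; this is not code from the talk. It uses the OkHttp 3 builder API rather than the 2.1 release referenced on the slide, and the host and the two pin values are placeholders to replace with your own.

```java
import java.util.Collections;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

public final class PinnedClient {
    // Assumed host and PLACEHOLDER pins: base64(SHA-256(SubjectPublicKeyInfo)) of the
    // server's leaf or intermediate certificate. Real values can be computed with:
    //   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | openssl enc -base64
    private static final String HOST = "api.example.com";
    private static final String PIN_PRIMARY = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    public static OkHttpClient build() {
        // Pin the public key, not the certificate, so the server can renew its
        // certificate under the same key. Always ship a backup pin for key rotation:
        // with a single pin, rotating the server key locks every installed client out.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_PRIMARY)
                .add(HOST, PIN_BACKUP)
                .build();

        // TLS 1.2 only, with the platform's modern cipher suites; no cleartext spec is offered.
        ConnectionSpec tls12 = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .build();

        // Platform certificate validation stays enabled; the pinner is an extra check on
        // top of it. A pin mismatch surfaces as SSLPeerUnverifiedException at call time.
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(tls12))
                .certificatePinner(pinner)
                .build();
    }
}
```

Restricting to TLS 1.2 means connections fail on devices whose TLS stack does not enable it (pre-5.0 Android by default), so test on the oldest supported API level.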

Tips

Password-based encryption

Code in a slide :’(

Encryption libraries

• Conceal

• https://facebook.github.io/conceal

• SQLCipher

• https://www.zetetic.net/sqlcipher/sqlcipher-for-android/

• Secure-Preferences (or Hawk)

• https://github.com/scottyab/secure-preferences

Hardcoded encryption key

Verifying App integrity

• Debuggable check

• Apk Checksum

• Signing certificate verification

Signing Certificate Verification

Build-time

1. Get your certificate signature

$ keytool -list -v -keystore your_app.keystore

2. Embed in app

String CERTIFICATE_SHA1 = "71920AC9486E087DCBCF5C7F6F…";

Runtime

3. Get the Signature from the PackageManager

4. Hash the Signature

5. Compare the signature hash strings
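The debuggable check and runtime steps 3-5 above as an added example (not the talk's code). The embedded SHA-1 is an all-zero placeholder: paste the "SHA1:" line printed by keytool for the release certificate, with the colons removed.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

public final class AppIntegrity {
    // PLACEHOLDER: hex SHA-1 of the release signing certificate from
    // `keytool -list -v -keystore your_app.keystore`, colons stripped.
    private static final String CERTIFICATE_SHA1 = "0000000000000000000000000000000000000000";

    // A release build must never ship with android:debuggable="true".
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // Step 3: read the signing Signature(s); step 4: SHA-1 them; step 5: compare.
    // GET_SIGNATURES is the API the talk's era used (superseded by
    // GET_SIGNING_CERTIFICATES on API 28+).
    public static boolean hasExpectedSignature(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            byte[] expected = hexToBytes(CERTIFICATE_SHA1);
            for (Signature sig : info.signatures) {
                // sig.toByteArray() is the DER-encoded X.509 certificate, which is what keytool hashed
                byte[] actual = MessageDigest.getInstance("SHA-1").digest(sig.toByteArray());
                if (MessageDigest.isEqual(expected, actual)) { // constant-time comparison
                    return true;
                }
            }
        } catch (Exception e) {
            // NameNotFoundException / NoSuchAlgorithmException: treat as verification failure
        }
        return false;
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Because the check runs inside the app, an attacker who repackages it can also remove the check; it raises the bar against casual tampering and belongs alongside obfuscation, not in place of server-side validation.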

Verifying device integrity

• Emulator check

• https://github.com/strazzere/anti-emulator

• Google SafetyNet test

• https://github.com/scottyab/safetynethelper

root@android:/ #

• Root apps / Dangerous apps

• Suspect system properties

• SU/BusyBox binaries

• RW /system

• https://github.com/scottyab/rootbeer
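The emulator and root-indicator checks from the two slides above (su/BusyBox binaries, suspect system properties, a read-write /system) as an added example; this is not RootBeer's or anti-emulator's code, and the list of su paths and the emulator build-property patterns are illustrative, not exhaustive.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

public final class DeviceIntegrity {
    // Illustrative locations of the su binary on rooted devices (not exhaustive).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su", "/su/bin/su"
    };

    // SU/BusyBox binaries: probe the known paths and every directory on PATH.
    public static boolean hasSuOrBusybox() {
        for (String p : SU_PATHS) if (new File(p).exists()) return true;
        String path = System.getenv("PATH");
        if (path == null) return false;
        for (String dir : path.split(":")) {
            if (new File(dir, "su").exists() || new File(dir, "busybox").exists()) return true;
        }
        return false;
    }

    // Suspect system properties: a ROM signed with the public AOSP test keys.
    public static boolean hasTestKeys() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    // RW /system: stock devices mount /system read-only. Parse /proc/mounts because
    // File.canWrite() only reflects the app's own uid, not the mount flags.
    public static boolean isSystemMountedRw() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/mounts"))) {
            String line;
            while ((line = r.readLine()) != null) {
                String[] f = line.split(" "); // device mountpoint fstype options ...
                if (f.length >= 4 && "/system".equals(f[1])) {
                    for (String opt : f[3].split(",")) if ("rw".equals(opt)) return true;
                }
            }
        } catch (IOException ignored) {
        }
        return false;
    }

    // Emulator check: build properties of the stock SDK system images.
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic") || Build.HARDWARE.contains("goldfish")
                || Build.MODEL.contains("google_sdk") || "sdk".equals(Build.PRODUCT);
    }
}
```

Each check is a heuristic that a determined user can hide from; combine several and treat the result as a risk signal (for example, to require the SafetyNet attestation from the previous slide) rather than a hard verdict.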

Obfuscation

ProGuard

• Java code obfuscator

• Part of the Android SDK

• Free as in Beer!

• ReTrace is supported by error-reporting services such as Crashlytics

DexGuard

• Commercial version of ProGuard

• Designed for Android and app protection

• Useful security utils - SSL pinning, root check, logging removal etc.

• My favourite features

• String Encryption

• API hiding

Quick Android Review Kit (QARK)

• Python script

• Works with .apk or source code

• Automated tests

• weaknesses

• exploits

• Creates exploit .apks

• https://github.com/linkedin/qark

Click here for more!

• 42+ Secure mobile development tips

http://bit.ly/viafor42

• OWASP Mobile security risks

http://bit.ly/owaspmobile

• Android security cookbook [book]

http://bit.ly/MscEFu

• Android security internals [book]

http://bit.ly/andsecint

• Droidsec (whitepapers)

droidsec.org/wiki

Thanks

• @gotocph

• @intohand

• 20th Century Fox

• Android security team

Questions?

dev@scottyab.com

@scottyab

github.com/scottyab

Thank you

WebView

• Before

• getSettings().setJavaScriptEnabled(false)

• getSettings().setAllowFileAccess(false)

• During

• WebViewClient.shouldOverrideUrlLoading()

• enforce local content or HTTPS

• Whitelisted hosts/URLs

• .shouldInterceptRequest() to intercept XMLHttpRequests

• After

• webview.clearCache(true)