Android N Security Overview

Constantine Mars,Sr. Android Developer @ DataArt,GDG Dnipro Co-Organizer

+ConstantineMars@ConstantineMars

Security?!! WTF?!!

What happens if you do security right?

What happens if you do security right?

Right. Absolutely nothing

What happens if you do security wrong?

Bad things happen

The first simplest rule of security

Don’t use the same password everywhere

Security tool everyone has

A key

Hardware keys

Presence of user when action happens

Disclaimer: no more security basics

Google I/O 2016 announces

Allo messenger

Android SecurityArchitecture

Android Security Architecture

Google’s focus on Users

8 billion everyday app scans

Security Services

Security Features

Permissions

Runtime Permissions (M)

● Request permissions at runtime● Selective control permissions

Runtime Permissions (M)

● Simplified installation process● Easier application upgrades● More understandable for users

Requesting a Permission

Handling Permissions Result

UX Guidelines for Permissions (M)

● Educate in context for secondary

● Educate up-front for critical● Receive “yes” in 85%● 15.8% “no”● 3% “never ask again”

Keystore

Android Keystore

lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.

The Keystore system is used by the KeyChain API as well as the Android Keystore provider feature that was introduced in Android 4.3 (API level 18).

Android Keystore

Key material may be bound to the secure hardware (e.g., Trusted Execution Environment (TEE), Secure Element (SE)) of the Android device

Supporting wide range of algorithms

Generating new key pair

Signing data

Verifying data

Key Attestation (N)

Key Attestation gives you more confidence that the keys you use in your app are stored in a device's hardware-backed keystore.

Key attestation allows you to verify that an RSA or EC key pair has been created and stored in a device’s hardware-backed keystore within the device’s trusted execution environment (TEE).

Get Certificate Chain from the KeyStore

Key attestation

Authentication

Remembering and entering passwords and patterns is pain

Smart Lock

● Smart Lock’s on-body detection reduces lock screen prompts by 50%

Fingerprint

● Fingerprint increased usage of lockscreen to 90%+ on Nexus devices

AndroidPay is critical about authentication

Stronger authentication

● Tied to app secrets (KeyStore)● Credential verification in hardware (Trustzone)

Fingerprint API (M)

Fingerprint API (M)

PIN security, Fingerprint and Gatekeeper

Best practices

● Check KeyguardManager.isDeviceSecure() to identify that device has lockscreen or password protection.

● Use setUserAuthenticationValidityDurationSeconds during the key generation to set the duration for which authentication is valid:

Best practices

When generating key - set authentication timeout and on body detection:

Best practices

Best practices

If no Fingerprint available - fall back to Gatekeeper and KeyguardManager.createConfirmDeviceCredentialIntent:

Network security

Restrict HTTP in Manifest

Network Security Configuration (N)

Domain level rules

Debug-overrides

● Eliminate debugging-related code in your release build● Avoid writing custom code that removes security for debug and shipping it

When debugging an app that connects over HTTPS you may want to connect to a local development server, which does not have the SSL certificate for your production server. In order to support this without any modification to your app's code you can specify debug-only CAs that are only trusted when android:debuggable is true by using debug-overrides.

Debug-overrides

Trusted CAs

Certificate pinning

And one more thing:

User CAs are not trusted by default anymore

Storage Encryption

Storage Encryption

● Encryption required for all capable devices (M)● Backed by hardware and TrustZone (N)● Better UX with DirectBoot (N)

Direct Boot

● Boot directly to the lock screen● Calls, SMS, TalkBack, alarms work after device reboot before unlock● Per-user disk encryption

DirectBoot

● Credential encrypted storage, which is the default storage location and only available after the user has unlocked the device.

● Device encrypted storage, which is a storage location available both during Direct Boot mode and after the user has unlocked the device.

directBootAware

Using DirectBoot storage

Verified Boot

Verified Boot

Verified boot guarantees the integrity of the device software starting from a hardware root of trust up to the system partition. During boot, each stage verifies the integrity and authenticity of the next stage before executing it.

This capability can be used to warn users of unexpected changes to the software when they acquire a used device, for example.

SafetyNet

SafetyNet

A SafetyNet compatibility check allows your app to check if the device where it is running matches the profile of a device that has passed Android compatibility testing. The compatibility check creates a device profile by gathering information about the device hardware and software characteristics, including the platform build.

SafetyNet attestation request

SafetyNet response

Sandboxing

Sandboxing

● SELinux● Seccomp (N)● Mediaserver

hardening● ASLR randomness● Library load order

randomization● Integrity monitoring

Mediaserver hardening

What’s outside N security topic?

● Security Assesment Tools (Santoku, drozer, etc.)

● Eternal secrets of ADB and Manifest, Logs, etc.

● Exploits: sniffing network traffic, attacking services, providers

● SQL-injections● Man-in-the-middle attacks● Custom permissions protection● ProGuard and DexGuard● Reverse Engineering, DEX, GDB● Cross-compiling native

executables● Securing SharedPreferences● SQLCipher● etc...

Links

● Adrian Ludwig talk on Google I/O 2016 https://youtu.be/XZzLjllizYs?list=PLOU2XLYxmsILe6_eGvDN3GyiodoV3qNSC

● FingerprintDialog sample https://github.com/googlesamples/android-FingerprintDialog ● Authentication samples for M

http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html ● Android Security Essentials by Pagati Ogal Rai

https://www.packtpub.com/application-development/android-application-security-essentials ● Google Security Blog https://security.googleblog.com/ ● Android Security Bulletins https://source.android.com/security/bulletin/ ● Annual Security Review https://goo.gl/VpYom1

Security Bulletins

Android Annual Security Review

Thank you :)

Constantine Mars,Sr. Android Developer @ DataArt,GDG Dnipro Co-Organizer

+ConstantineMars@ConstantineMars