Developing secure Android for Work apps
Kristian Monsen, Software Engineer, Google
http://tinyurl.com/AndroidSecurity2015
Developing Secure Applications for Android
Tips for developing secure Android apps
Overview of Google Play Services for secure app development
Introduce the Application Security Improvement Program
Security best practices
For developers of Android applications
Networking
Always use HTTPS
➔ Should always do this for all network traffic
➔ Even more important for mobile: devices are often on untrusted networks
Use Android APIs for IPC communication
➔ Services (Binder or Messenger)
➔ Intents
➔ Broadcast Receiver
New networking APIs in N developer preview
Storage
Use internal storage provided by Android
➔ Only accessible to the current application
➔ Avoid MODE_WORLD_(WRITEABLE|READABLE)
◆ Not fine grained to specific applications
◆ Most used alternative is a content provider
➔ Optional: encrypt files with a key not available on the device
External storage is world writeable/readable by default
➔ Be careful, as other apps can read and modify it
➔ This is also true for expansion files (saved to external storage)
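Two points from the storage slide in code, as an added example that is not from the talk: the world-readable file mode beside the private one, and an integrity check on a file read from external storage. The expected digest is an assumed build-time constant shipped inside the APK.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not from the talk: keep app data in internal storage,
// and never trust what comes back from external storage.
public final class StorageGuard {

    // Weak: every installed app can read this file. Deprecated since API 17,
    // and openFileOutput throws SecurityException for it from API 24 (N).
    static void writeWorldReadable(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_WORLD_READABLE)) {
            out.write(data);
        }
    }

    // Corrected: MODE_PRIVATE puts the file under the app's internal data
    // directory, readable only by this app's uid.
    static void writePrivate(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }

    // External storage (APK expansion files included) is world writable, so
    // another app may have modified the file. Compare it against a SHA-256
    // digest that shipped inside the APK (expectedSha256 is an assumed
    // build-time constant) before parsing anything from it.
    static boolean isUntampered(File external, byte[] expectedSha256) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on Android
        }
        try (FileInputStream in = new FileInputStream(external)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        return MessageDigest.isEqual(md.digest(), expectedSha256);
    }
}
```

Copy the external file into internal storage first and run isUntampered on the copy, otherwise another app can change the original between the check and the read.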
Don’t dynamically load code
➔ Large security risk, very difficult to get right
◆ External storage
◆ Insecure network
➔ Expansion files are in a world writeable store and very unsafe
➔ Adds complexity (testing, version management etc.)
Input Validation
➔ Important on all platforms
➔ External storage is world writable
➔ Many issues with native code, but Java can also be vulnerable
➔ Script injection
➔ Use well-formatted data formats and verify before using
More information
➔ Security tips: http://developer.android.com/training/articles/security-tips.html
➔ Best practices: http://developer.android.com/training/best-security.html
Links with security tips and best practices for Android
Play services APIs
Updating the security provider
Make sure the application is using an updated security provider
There have been various vulnerabilities in the security providers
Example: OpenSSL (CVE-2014-0224)
Does not work if the developer uses SSLCertificateSocketFactory directly
It takes up to 350 ms on older devices
There are an async and a synchronous method available
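The async variant of the provider update wired into an Activity, as an added example that is not from the talk. It uses ProviderInstaller and GoogleApiAvailability from the Play services client library; the request code and the providerReady flag are assumed app-side details.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import com.google.android.gms.common.GoogleApiAvailability;
import com.google.android.gms.security.ProviderInstaller;

// Added example, not from the talk: update the TLS security provider through
// Google Play services before the app opens any HTTPS connection.
public class SecureNetActivity extends Activity
        implements ProviderInstaller.ProviderInstallListener {

    private static final String TAG = "SecureNet";
    private static final int ERROR_DIALOG_REQUEST_CODE = 1; // assumed request code
    private volatile boolean providerReady = false;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Async variant: the install can take up to ~350 ms on older devices,
        // so keep it off the UI thread. installIfNeeded(Context) is the
        // synchronous form for use from a worker thread.
        ProviderInstaller.installIfNeededAsync(this, this);
    }

    @Override
    public void onProviderInstalled() {
        // The default SSLContext and HttpsURLConnection now use the patched
        // provider. Code that builds an SSLCertificateSocketFactory directly
        // does not pick up the update.
        providerReady = true;
    }

    @Override
    public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
        GoogleApiAvailability api = GoogleApiAvailability.getInstance();
        if (api.isUserResolvableError(errorCode)) {
            // Play services missing, disabled or outdated: let the user fix it;
            // the outcome arrives in onActivityResult with the request code.
            api.showErrorDialogFragment(this, errorCode, ERROR_DIALOG_REQUEST_CODE);
        } else {
            Log.w(TAG, "Security provider could not be updated, error " + errorCode);
            providerReady = false; // decide here whether to continue unpatched
        }
    }

    boolean isProviderReady() { return providerReady; }
}
```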
Device compatibility attestation
Google API to tell you the CTS compatibility of the device
1. Simple async API
2. Read the response
3. Verify the response
4. Validate the response with Google
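The four attestation steps with the 2016-era SafetyNetApi, as an added example that is not from the talk. It assumes a GoogleApiClient already connected with SafetyNet.API added; the ResultHandler callback and the payload field names are taken from the SafetyNet attestation format, and the signature check plus the call to Google belong on the server.

```java
import android.util.Base64;
import com.google.android.gms.common.api.GoogleApiClient;
import com.google.android.gms.common.api.ResultCallback;
import com.google.android.gms.safetynet.SafetyNet;
import com.google.android.gms.safetynet.SafetyNetApi;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import org.json.JSONObject;

// Added example, not from the talk: the four attestation steps with the
// 2016-era SafetyNetApi (GoogleApiClient connected with SafetyNet.API added).
public final class CompatCheck {
    private final GoogleApiClient client;

    CompatCheck(GoogleApiClient client) { this.client = client; }

    // Fresh, unpredictable nonce, remembered server-side so a captured
    // attestation cannot be replayed for a different session.
    static byte[] newNonce() {
        byte[] nonce = new byte[24];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    // Step 1: call the async API. Step 2: read the signed JWS from the result.
    void attest(final byte[] nonce, final ResultHandler handler) {
        SafetyNet.SafetyNetApi.attest(client, nonce)
            .setResultCallback(new ResultCallback<SafetyNetApi.AttestationResult>() {
                @Override public void onResult(SafetyNetApi.AttestationResult r) {
                    if (r.getStatus().isSuccess()) handler.onJws(r.getJwsResult());
                }
            });
    }

    // Step 3: inspect the payload. This is only a client-side preview; the
    // JWS signature check and step 4 (asking Google to validate the response)
    // must run on the server, since a compromised device can lie here.
    static boolean payloadMatches(String jws, byte[] nonce, String pkg) throws Exception {
        byte[] raw = Base64.decode(jws.split("\\.")[1], Base64.URL_SAFE);
        JSONObject payload = new JSONObject(new String(raw, StandardCharsets.UTF_8));
        String expectedNonce = Base64.encodeToString(nonce, Base64.NO_WRAP);
        return expectedNonce.equals(payload.optString("nonce"))
            && pkg.equals(payload.optString("apkPackageName"))
            && payload.optBoolean("ctsProfileMatch", false);
    }

    interface ResultHandler { void onJws(String jws); } // assumed app callback
}
```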
More information
➔ Play services: https://developers.google.com/android/guides/overview#the_google_play_services_client_library
➔ Attestation: https://developer.android.com/training/safetynet/index.html
➔ Updating security provider: http://developer.android.com/training/articles/security-gms-provider.html
Links to Play services APIs
Application Security Improvement Program
How Google can protect users and developers in Google Play
Program overview
Find vulnerabilities
➔ External reports
➔ Internal research
➔ Scan all apps in the Play store for the vulnerability
Notify developer
➔ Dev console
➔ Email to primary contact
Remediation deadline
➔ 90 days after notification
➔ No app updates or new apps with the vulnerability after this
Example vulnerability
Notify developer: message on the Play Developer Console
Contains a link to a help article explaining more about the vulnerability
Notify developer: email to primary contact
➔ Vulnerability type
➔ Remediation details
➔ Affected apps
➔ Relevant Play policy
Remediation deadline: typical campaign progression, user installations
Current results: mostly successful, but not always
15 campaigns done so far
➔ Best result: 97% of installed apps are fixed
➔ Worst result: 15% of installed apps are fixed; this was a warning-only campaign
It strongly depends on whether it is a warning and whether it has a deadline
Other activities
➔ Add lint warnings for Android Studio
➔ Improve APIs so apps are safe by default
Tips about vulnerabilities
If you know of any vulnerability we should scan for, we are always interested
Send email to [email protected]
Report security bug: https://source.android.com/security/overview/updates-resources.html#report-issues
Q & A
and THANK YOU for your time.
Kristian [email protected]
www.SDC2016.com
© 2016 Samsung Developer Conference. All rights reserved.