http://www.egeniq.cominfo@egeniq.com

@egeniq

Droidcon, 23 November 2011Ivo Jansch - @ijansch

Apps, APIs and third party servicesA Love Triangle

About Me

@ijanschDeveloperAuthorEntreprenerdiOS/Java/PHP

2

About Egeniq

StartupMobileTechKnowledge GeeksDevelopment

3

Tiqr - Learning about Android Security

4

1

23

4

5

6

http://www.tiqr.org

The Use Case

5

Android App Third Party Service

API

Timeline

6

OAuth

7

Your AndroidApplication Twitter

OAuth

8

OAuthConsumer

OAuthProvider

Why do you need to protect keys?

98

OAuthProvider

The Android Security Model

10

Sandboxing

‣Apps only have access to their own data‣Access is based on Linux user ID‣Further protected by application signature

11

Storage + Secure Storage

‣USB Storage• External storage, sharable between apps

‣Device Storage • Apps have their own location, within sandbox

‣Secure Storage• Java KeyStores with strong encryption algorithms• Unfortunately no hardware encrypted storage like iPhone

12

The Main Problem

‣How can I securely store secrets?• Is sandboxing a solution? -> Not when device is rooted• Is device storage a solution? -> Not when device is rooted• Is encryption a solution?‣ Yes, but where do you store your encryption keys?

13

It’s a common question

Stackoverflow search for ‘store secrets android’:

14

With common answers

- Huh? - Don’t store secrets- Don’t use OAuth

- Obfuscate- Encrypt

15

Know what? I’ll just use a library

16

Scribe

https://github.com/fernandezpablo85/scribe-java

17

A Couple Of Solutions

18

Option 1 - Obfuscation

19

Option 2 - Encryption

20

Option 2 - Encryption

21

Option 2 - Encryption

22

Option 2 - Encryption

23

Option 3 - Using the KeyStore

24

Option 3 - Using the KeyStore

25

Option 4 - Retrieve key from API

26

Android App OAuthProvider

Your API

?

Option 5 - Transparent Proxy

27

AndroidApp

OAuthProvider

Proxy

Conclusion

It’s all about

awareness

28

Recommended Reading

‣ ISBN: 2147483647

‣ Authors:• Himanshu Dwivedi

• Chris Clark

• David Thiel

‣ Covers:• Android

• Apple

• WinMo

29

Thank you! Questions?

http://www.egeniq.cominfo@egeniq.com

@egeniq

http://www.egeniq.comivo@egeniq.com

@ijansch

Credits

‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/

‣ ‘Locker (KHS up close) by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/

‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/