android secure offline storage - cc mobile
Post on 12-Apr-2017
Secure offline storage
Steve De Zitter
Agenda
▪ Sample-app
▪ Android offline storage possibilities
▪ Android Sandbox model
▪ Some Best practices when using offline storage
▪ Performing back-up on demo app
▪ Secure file storage
▪ Secure database storage
▪ Tamper detection
SAMPLE-APP
Sample application
▪ Sample application
- https://github.com/SteveDZ/OfflineStorage.git
Android offline storage possibilities
▪ Several ways to store data in Android
- SharedPreferences
- Files (Internal and external storage)
- SQLite
- These are not secure!
▪ Back-up
▪ Rooted devices
Android sandbox model
MyApp (UID: 12345): Preferences, Internal storage, Databases
MyOtherApp (UID: 9876): Preferences, Internal storage, Databases
Android sandbox model (Rooted device)
MyApp (UID: 12345): Preferences, Internal storage, Databases
MyOtherApp (UID: 9876): Preferences, Internal storage, Databases
ROOT
Offline storage Best Practices
▪ Avoid it (if possible)
▪ Avoid external storage (outside of sandbox, globally readable)
▪ set android:allowBackup="false"
▪ set android:saveEnabled="false"
▪ MODE_PRIVATE with files
ADB shell
▪ When app is debuggable (default in DEV) or device is rooted
- adb shell
- run-as be.ordina.offlinestorage (Not necessary on rooted device)
- cd /data/data/be.ordina.offlinestorage/
▪ shared_prefs
▪ db
▪ files
Backup extractor -> https://github.com/nelenkov/android-backup-extractor
▪ Command line: adb backup be.ordina.offlinestorage
▪ Unlock the device and confirm backup operation
▪ Command line: java -jar abe-all.jar unpack backup.ab backup.tar
▪ Unzip the tar and check its contents (including the prefs file)
Backing up application
DEMO
Files on internal storage
▪ Internal storage mode MODE_PRIVATE (MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE deprecated)
▪ Files saved on internal storage in MODE_PRIVATE are private to the application.
▪ FILE CONTENT IS NOT SECURE! -> After backing up, these files are also perfectly readable
Safe file storage
▪ Encryption of files!
▪ See fragment.EncryptedInternalStorageFragment class for implementation details
CODE + DEMO
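A sketch of encrypting a file before it reaches internal storage, added here as an example; it is not the code from fragment.EncryptedInternalStorageFragment in the sample project. The class name EncryptedFileStore and the file layout are assumptions, the key is passed in by the caller (the "Hiding the key" slides cover where it can come from), and API level 19 or later is assumed for GCMParameterSpec.

```java
import android.content.Context;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (hypothetical class). File layout: 12-byte IV || ciphertext || 16-byte GCM tag.
public final class EncryptedFileStore {
    private static final int IV_LEN = 12;
    private static final int TAG_BITS = 128;

    public static void write(Context ctx, String name, byte[] plain, SecretKey key)
            throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV on every write, never reused with the same key
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, key, iv, name).doFinal(plain);
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(iv);
            out.write(ct);
        }
    }

    public static byte[] read(Context ctx, String name, SecretKey key)
            throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (FileInputStream in = ctx.openFileInput(name)) {
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
        }
        byte[] data = buf.toByteArray();
        if (data.length < IV_LEN + TAG_BITS / 8) throw new IOException("truncated file");
        byte[] iv = Arrays.copyOfRange(data, 0, IV_LEN);
        // doFinal throws AEADBadTagException if the file content or its name was altered
        return cipher(Cipher.DECRYPT_MODE, key, iv, name).doFinal(data, IV_LEN, data.length - IV_LEN);
    }

    private static Cipher cipher(int mode, SecretKey key, byte[] iv, String name)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8)); // bind the ciphertext to its file name
        return c;
    }
}
```

A file written this way still appears in an adb backup or on a rooted device, but only as IV and ciphertext; what it is worth then depends entirely on how the key is protected.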
SQLite
▪ Relational database
▪ Saved on internal storage automatically
▪ can be pulled or backed up with adb
▪ sqlitebrowser: (http://sqlitebrowser.org)
▪ SQLite3 command line interface: https://www.sqlite.org/download.html
▪ NOT SAFE
DEMO
SQLCipher
▪ Symmetrically encrypted SQLite database (AES-256)
▪ Drop-in replacement for regular SQLite
▪ SQLCipher for Android: https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
▪ Installation instructions IntelliJ: https://discuss.zetetic.net/t/android-studio-integration/65
SQLCipher Command Line Interface
▪ Download SQLCipher command line interface: https://github.com/sqlcipher/sqlcipher
▪ Build sqlcipher command line tool:
http://stackoverflow.com/questions/25132477/how-to-decrypt-an-encrypted-sqlcipher-database-file-on-command-line
▪ Run sqlcipher command line interface:
SQLCipher design
How does SQLCipher actually work?
▪ https://www.zetetic.net/sqlcipher/design/
CODE + DEMO
Hiding the key
▪ Ask each time
▪ In the code
▪ In the NDK
▪ Android KeyStore (Apple Keychain equivalent)
▪ Server-side
Ask each time
▪ At startup, always ask for the user's password.
▪ This password can be used to decrypt the database.
In the code
▪ Generate a device specific key (See fragment.DeviceSpecificKeyFragment.java)
▪ As we saw earlier, this can be reverse engineered and used to recreate the device specific key (Not very safe…)
In the NDK
▪ Install the NDK: https://developer.android.com/tools/sdk/ndk/index.html
▪ Documentation: <ndk>/docs/Programmers_Guide/html/index.html
- Samples/hello-jni: Example Java Native Interface
- Building/ndk-build: How to build your native c files
- Building/Android.mk: Android .mk file describing c-library
In the NDK
▪ Android studio
- Create folder app/jni
▪ Create Android.mk, Application.mk, <your-module>.c
- Create folder src/main/jniLibs
- Compile c module:
▪ cd in <project-path>/app directory
▪ <ndk-path>/ndk-build
Decompile jar with .so modules
▪ http://reverseengineering.stackexchange.com/questions/4624/how-do-i-reverse-engineer-so-files-found-in-android-apks
▪ online disassembler: http://onlinedisassembler.com/odaweb/
CODE + DEMO
Android KeyStore (as of 4.3)
▪ Android hardware backed KeyStore
▪ Standard Java JCA (Java Cryptography Architecture) API, but with 'AndroidKeyStore' as provider
▪ http://developer.android.com/training/articles/keystore.html
▪ http://nelenkov.blogspot.be/2013/08/credential-storage-enhancements-android-43.html
Server side decryption
▪ Communication over HTTPS (of course…)
▪ Send bytes or Strings that need to be decrypted to server
▪ Server decrypts and sends unencrypted data back.
Advantages:
▪ Key information doesn’t leave the server (more secure)
Disadvantages:
▪ Application needs to be connected to internet to function correctly.
▪ More server round-trips to perform the encryption and decryption of data.
Tamper Detection
▪ Check if app is installed through play store
▪ Check if app is debuggable
▪ Check if app is running on emulator
▪ Check if device is rooted
Installed through play store
Check if app is debuggable
Check if your app is running on an emulator
Check if device is rooted
▪ Check for typical rooted binaries
- /sbin/, /system/bin/, /system/xbin/, /data/local/xbin/, /data/local/bin/, /system/sd/xbin/, /system/bin/failsafe/, /data/local/, /system/app/
▪ Check for rooted run command: su
▪ @See RootDetectionUtils.java in Sample project
Sources
▪ Bulletproof Android. Practical advice for building secure apps (ISBN: 978-0-13-399332-5)
▪ https://www.parleys.com/tutorial/android-application-security
▪ http://nelenkov.blogspot.be/2013/08/credential-storage-enhancements-android-43.html
▪ http://developer.android.com/training/articles/keystore.html
▪ http://nelenkov.blogspot.be/
QUESTIONS???