Security in Android Applications / Александр Смирнов (Alexander Smirnov, redmadrobot)

Post on 12-Apr-2017


Category: Engineering


TRANSCRIPT

SECURITY IN ANDROID APPLICATIONS

31/05/2016 ALEXANDER SMIRNOV

WhoAmI

- 3+ years Android dev
- 6+ years commercial dev
- 1 year bank app dev
- Addicted to info security since 2007
- DC7499 member

Why?

Agenda

- Android Security Model
- Reality
- Vulnerabilities
- One more sentence
- Appendix

Security

• I •

Android Security Model

Application Isolation

- isolate CPU, RAM, devices, files in private directory
- every app runs in its own process
- every app has its own UserID and GroupID
- every app runs in its own instance of Dalvik VM


Zygote

- Is the parent of all App processes
- COW (Copy On Write) strategy
- /dev/socket/zygote

[Diagram: Zygote fork()s App 1, App 2, App 3; "start new App" triggers another fork()]

Permissions

- Before M (Android 6.0)
- After M
- Custom permissions
- Protection level

Android Security Overview

- Protect user data
- Protect system resources
- Provide application isolation

Security

• II •

Reality

Root

Triada (malware)

Security

• III •

Vulnerabilities

Data Storage

- Memory Cache
- Internal Storage
- SharedPreferences + MODE_PRIVATE + Cipher
- DB + SQLCipher
- 21+ setStorageEncryption (DevicePolicyManager)
- KeyStore

Transport

- MITM Has You
- Check network – why?
- Diffie–Hellman key exchange
- Certificate Pinning == SSL Pinning (okhttp 2.7.4 || 3.1.2)

Intent

- Use explicit intents
- Validate input
- Manifest: a component with an intent-filter is exported="true" by default

2FA: SMS

- Secure PUSH
- Mobile application
- SIM Applets
- DCV (Dynamic Code Verification)

Insecure Device

- Secure persistent datastore
- No immutable secrets (String -> char[])
- Notify if root
- Custom keyboard
- No EditText

Reverse Protection

- Check for debug mode
- Emulator check
- Verify signature
- Obfuscation
- JNI
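Added example (not from the slides) for the Reverse Protection checks above and the "String -> char[]" point from the Insecure Device slide: debug-mode, emulator and signing-certificate checks, plus a password-derivation helper that wipes its char[] input. The class name and the release certificate hash are placeholders.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Debug;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class IntegrityChecks {
    private static final String RELEASE_CERT_SHA256 = "<release-cert-sha256-hex>";  // placeholder, lower-case hex
    // Check for debug mode: debuggable flag in the manifest, or a debugger attached right now.
    public static boolean isDebuggable(Context ctx) {
        boolean flag = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return flag || Debug.isDebuggerConnected();
    }
    // Emulator check: Build heuristics; treat as a risk signal, not a hard gate.
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.HARDWARE.contains("goldfish") || Build.HARDWARE.contains("ranchu")
                || Build.MODEL.contains("Android SDK built for x86");
    }
    // Verify signature: hash the signing certificate and compare with the release value.
    public static boolean isReleaseSigned(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(pi.signatures[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString().equals(RELEASE_CERT_SHA256);
        } catch (Exception e) {
            return false;  // any lookup failure counts as "not verified"
        }
    }
    // String -> char[]: PBEKeySpec copies the password and exposes clearPassword(), so both
    // copies can be wiped; a String password would stay in the heap (and heap dumps) until GC.
    public static byte[] deriveKeyAndWipe(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100000, 256);
        try {  // PBKDF2WithHmacSHA256 needs API 26+; the SHA1 variant exists on every level
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
            Arrays.fill(password, '\0');
        }
    }
}
```

These checks are only as strong as the obfuscation around them: a patched APK can remove them, which is why "Verify signature" and "Obfuscation" sit on the same slide.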

Security

• IV •

One more sentence

One more sentence

- Convenience vs Security
- Socialization & Tools
- Layered Security
- Better than others
- OWASP TOP 10 Mobile Risks

Security

• V •

Appendix

Additional Information

- Cyber Risk Report: bit.ly/1MuoIDS
- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv
- DefCon Groups List: bit.ly/1JQlNgC
- Triada Malware: bit.ly/1qvyFqY
- Obfuscation tools list: bit.ly/1XiHf6Z
- Security Official Docs: bit.ly/1qvw1BK
- Diffie–Hellman Video: bit.ly/23jV7Se
- Tools for SA and Hacking: bit.ly/1qvxpUM

Result

- Android Security Model
- Reality
- Vulnerabilities
- One more sentence

Any Questions, Please?

smredkey@gmail.com @_smred
