【Javier Cuesta Gómez】Android Security Enforcements

真夜梅

Published 2017/12/31 in the Technology category

In 2017 droidcon came to China for the second time, opening in Beijing in November 2017. Attendees include industry leaders, senior engineers, developers, entrepreneurs and practitioners in the field. The conference invites Android technology and application experts from Google, Microsoft, Facebook, eBay, Intel, Telenav, Alibaba, Tencent, Xiaomi, LeEco, Lenovo and other companies at home and abroad, and, following the tradition of previous international editions, focuses on the most cutting-edge technology in the industry and on the exchange of technical ideas.

Text content
1. Android security enforcements
2. Hello DroidCon! Javier Cuesta Gómez Android Engineer manager @Grab
3. Android 2017 security: 450 reports, $1.1 payout. The most difficult OWASP security risks:
● Unintended data leakage - 65%
● Weak server side controls - 62%
● Client side injections - 60%
● Poor Authorization and Authentication - 50%
● Insufficient transport layer protection - 47%
4. Main vulnerable code reasons: 1 Rush to release; 2 Accidental coding errors; 3 Lack of policies/requirements
5. ANDROID
6. SOFTWARE ARCHITECTURE - Android application perimeter, with SECURITY spanning all layers: PRESENTATION - Information, display; DOMAIN - Business logic, calculations; DATA - Database, messaging systems
7. SECURITY ENHANCED ARCHITECTURE - Android application perimeter: SECURITY - Threat prevention, authentication, authorisation, SLA; PRESENTATION - Information, display; DOMAIN - Business logic, calculations; DATA - Database, messaging systems
8. ANDROID O - PROJECT TREBLE: Android Apps | Developer API (CTS) | Android OS framework | Vendor Interface (VTS) | Vendor implementation
9. CODE DATA COMMS ROOT
10. Enforce security... In your code
11. REVERSE ENGINEERING: extracting knowledge or design information from anything man-made.
● Download APK from black markets (APK MIRROR)
● Use reverse engineering tools (APK TOOL)
● Knowledge taking:
○ Consumer basis: analysing and understanding behaviour
○ White hat: security analysis, penetration tests, bug detection, reporting
○ Black hat: updating features, malware, exploits, virus
12. REVERTING TESTAPP.APK: decode resources to nearly original form, rebuild them after making some modifications (Apktool)
● UNZIP: APKs are nothing more than a zip file containing resources and assembled Java code: classes.dex and resources.arsc.
● DECODING: apktool d testapp.apk / apktool d foo.jar
● BEHAVIOURAL MODIFICATION: check bypass
● BUILDING: apktool b foo.jar.out
13. WhatsApp PLUS became one of the best and most used unofficial mods for WhatsApp, allowing users to customize many aspects of the popular instant messaging service with features that the official client doesn't include by default. WhatsApp Plus was forced to shut down by WhatsApp in January 2015 due to a cease and desist order.
14. Proguard & DexGuard: smaller sized .apk file that is more difficult to reverse engineer
● build.gradle: minifyEnabled true
● proguard-rules.txt: create proguard rules
○ -keepattributes *Annotation*
○ -keep public class * extends java.lang.Exception
○ -dontwarn com.crashlytics.**
○ -printmapping mapping.txt
15. NEW IN ANDROID O: Better app management and controls (malware). There is a lot of verification at the Play Store to ensure no malware is present, but users can side-load an application from a third-party app store. Setting permissions on a per-app basis, instead of globally allowing all applications to install once the checkbox is enabled, forces users to decide whether they want to download it and what its permissions should be.
16. Enforce security... In your data
17. CRYPTOGRAPHY: techniques for securing data in the presence of third parties called intruders. KeyChain or Android Keystore provider?
● KeyChain API: system-wide credentials
● Android Keystore provider: each app stores its own credentials; only the app itself can access them
Common usages:
● Android lock screen methods: pattern, PIN, fingerprint
● Android Pay
18. CRYPTOGRAPHY: Keystore and fingerprint
● APIs
○ javax.crypto ciphers
○ java.security (available since Android API 1)
● Algorithms
○ Symmetric: same key (secret) to encrypt and decrypt. AES, DES, Blowfish
○ Asymmetric: different keys, public and private. RSA, SHA-512
● Passphrase & seeds
○ Preprocessed hashed (gradle scripts)
○ App specific OS information
● Where to store the keys
○ KeyChain, KeyStore (API 18, 4.3 Jelly Bean)
○ SP, DB (with the keys encrypted symmetrically)
19. RECOMMENDED: do not save data on the device
● Android EXTERNAL data storage
○ Use a binary serialized format
○ Secure sensitive data that does not need to be displayed (such as passwords) as a hash. A hash is one-way; it cannot be un-hashed or decrypted.
○ Encrypt all sensitive information (Facebook Conceal library).
● Android INTERNAL data storage
○ Secure because Android sandboxes its apps: UID level control on the files.
○ Unprotected against rooting and ADB, which allow developers to copy data off devices.
20. NEW IN ANDROID O: SANDBOXING STRATEGY. Separating general Android functionality from manufacturer-specific code has tangible security benefits. Updatability is a big part of it, but Treble is also really good for helping us sandbox different parts of the operating system. There's now this contrast between the [pure Android] pieces and the device-dependent pieces. If you have an exploit in one side, it is now much harder for that to then exploit the other.
21. Enforce security... In your Communications
22. MAN-IN-THE-MIDDLE: in the middle between client and server, eavesdropping on or changing the data.
● WiFi Analyzer: helps you find a good spot
● Wireless Tether: create a 'free_wifi' hotspot
● ConnectBot: figure out what the WiFi interface is actually called
● Shark for Root: logging packets
A STEP FURTHER
● Data Siphon: redirects all traffic from his rogue AP to a network which housed machines (real time)
23. CERTIFICATE PINNING: storing the information for digital certificates/public keys
● Store the server certificate within the app.
○ What if the server certificate gets updated/renewed?
● Replace the system's TrustStore
○ with one that only contains specific white-listed certificates.
● Pin against the public certificate hash
24. CERTIFICATE PINNING
public OkHttpClient.Builder getHttpClientBuilder(boolean addSessionId) {
    // Pin the API host to the hash configured at build time
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
            .add(getPassengerAPIHost(), BuildConfigHelper.CA_CERT)
            .build();
    OkHttpClient.Builder builder = new OkHttpClient.Builder()
            .connectTimeout(CONNECTION_TIMEOUT, TimeUnit.MILLISECONDS)
            .addInterceptor(mLoggingInterceptor)
            .addInterceptor(HttpHeaderUtils.createRequestInterceptor(addSessionId));
    // Pinning is only applied when the feature switch is on
    if (getCertPinSwitch().isCertPinOn()) {
        builder.certificatePinner(certificatePinner);
    }
    return builder;
}
25. RECOMMENDED
1. Always use SSL connections if there is anything sensitive in the app's data.
2. Never use self-signed certificates in production.
3. Disable HTTP redirects in your networking library/code. Some libraries disable this by default. Having these enabled can make MITM attacks a lot easier.
4. If the user is inputting data, always escape it using URLEncoder.encode(userInput, "UTF-8") if the data will be used as part of a URL, DB queries as well as if you're saving the input to a JSON or XML file.
5. Set a maximum length on every field that requires user input.
6. Validate the input.
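Points 4 to 6 of slide 25 bundle URL building and DB queries under the same URLEncoder call. The following is an added example, not code from the talk: it applies a length limit and a whitelist check first, URL-encodes only for the URL case, and for the SQLite case uses bound parameters (`?` placeholders with selectionArgs), which is the form that removes injection regardless of the input's content. The `users` table, its column names, the `q` query parameter and the 64-character limit are assumptions of this example.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.net.URLEncoder;

/** Added example (not from the talk): validate once, then encode or bind per sink. */
public final class InputHandling {
    static final int MAX_NAME_LEN = 64; // assumed limit for this example

    /** Length limit plus a whitelist of characters; rejects anything else up front. */
    static String validateName(String input) {
        if (input == null) {
            throw new IllegalArgumentException("name is required");
        }
        String s = input.trim();
        if (s.isEmpty() || s.length() > MAX_NAME_LEN) {
            throw new IllegalArgumentException("name length must be 1.." + MAX_NAME_LEN);
        }
        // letters, digits, space, dot, underscore, hyphen (assumed policy for this example)
        if (!s.matches("[\\p{L}\\p{N} ._-]+")) {
            throw new IllegalArgumentException("name contains disallowed characters");
        }
        return s;
    }

    /** URL sink: percent-encode so '&', '=', '/' and spaces cannot change the query structure. */
    static String searchUrl(String baseUrl, String name) throws Exception {
        return baseUrl + "?q=" + URLEncoder.encode(validateName(name), "UTF-8");
    }

    /** DB sink: bind the value instead of concatenating it into SQL. */
    static Cursor findUser(SQLiteDatabase db, String name) {
        return db.query(
                "users",                         // assumed table
                new String[] {"id", "name"},     // assumed columns
                "name = ?",                      // placeholder, never string-built
                new String[] {validateName(name)},
                null, null, null);
    }
}
```

URL-encoding a value that is later placed into SQL does not protect the query (a single quote survives decoding), which is why the two sinks get different treatment even though both start from the same validated string.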
26. NEW IN ANDROID O: Better, more secure protocols. Oreo pays attention to deprecating older insecure protocols for network connections. "The use of SSLv3 for secure HTTPS connections is being discontinued; this prevents the device and its apps from using a known insecure protocol that could leak sensitive data." Google has also hardened certain network connection APIs against falling back to older TLS versions that can leak sensitive data.
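Slides 23 to 26 raise three things an HTTP client should enforce: a pin against the public key hash (with an answer to "what if the certificate gets renewed?"), no redirects, and no fallback to old TLS versions. The following is an added example, not code from the talk or from Grab: `spkiPin` derives the OkHttp pin string for a certificate using only the JDK (SHA-256 over the DER SubjectPublicKeyInfo, base64, prefixed with `sha256/`, which is the format OkHttp 3's CertificatePinner expects), and `build` applies the pin together with a backup pin, TLS 1.2 only, and redirects disabled. The host `api.example.com`, the 15-second timeout and the idea of passing a PEM string in are assumptions of this example.

```java
import android.util.Base64;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

/** Added example (not from the talk): pinned, TLS-1.2-only OkHttp client with redirects off. */
public final class PinnedClientFactory {
    static final String API_HOST = "api.example.com"; // assumed host for this example

    /**
     * OkHttp pin for a certificate: "sha256/" + base64(SHA-256(SubjectPublicKeyInfo DER)).
     * Run this offline against the server's leaf or intermediate certificate PEM.
     */
    static String spkiPin(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII));
        X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
        byte[] spki = cert.getPublicKey().getEncoded(); // DER-encoded SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    /** currentPin protects today's key; backupPin is the already-generated next key or the CA's SPKI. */
    static OkHttpClient build(String currentPin, String backupPin) {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, currentPin, backupPin)
                .build();
        // Only TLS 1.2 with the MODERN_TLS cipher suites; no downgrade to older versions
        ConnectionSpec tls12 = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectionSpecs(Collections.singletonList(tls12))
                .followRedirects(false)     // slide 25, point 3: a redirect to http:// is a downgrade
                .followSslRedirects(false)
                .connectTimeout(15, TimeUnit.SECONDS) // assumed value
                .build();
    }
}
```

Pinning the leaf key answers the renewal question only if the new key is pinned before it is deployed, hence the backup pin; pinning the intermediate CA's SPKI instead survives routine leaf renewals at the cost of trusting every certificate that CA issues for the host. Unlike the slide 24 code, this builder has no runtime switch to turn pinning off, so a misconfigured feature flag cannot silently disable it.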
27. Enforce security... In android os
28. ROOTING DEVICES: unlocking the operating system
● Custom ROM flashing: flash a ROM with a modified operating system
○ Advantages: root access is permanent
○ Disadvantages: updates must be shipped by the ROM provider
○ Risks: you have to trust the ROM provider
● Soft flashing: keep the factory ROM provided by the manufacturer, modifying it
○ How: flash a custom recovery image to the smartphone
● Exploiting
○ Advantages: normally gained through a special one-click application; unroot the device by simply updating
○ Disadvantages: root access is only gained temporarily
29. ROOT DETECTION: specific packages and files, directory permissions, running certain commands.
● Checking the BUILD tag for test-keys.
○ By default, stock Android ROMs from Google are built with release-keys tags
● Checking for Over The Air (OTA) certs.
● Existence of su in the path and some other hard-coded directories
○ Multiple libraries available on GitHub, most common RootTools
● Installed files and packages
○ Superuser.apk
○ com.noshufou.android.su / com.thirdparty.superuser / eu.chainfire.supersu ...
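Slide 29 lists the signals an app can check: the build tags, an `su` binary on the PATH or in well-known directories, and the superuser packages named on the slide. The following is an added example, not code from the talk or from the RootTools library: it runs those three checks and returns what it found, so the caller can log the evidence and decide on a policy (degrade, warn, or refuse) rather than acting on a single boolean. The package names are the ones on the slide; the list of `su` directories is a set commonly checked by such libraries and is an assumption of this example.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example (not from the talk): collect root indicators from the three sources on slide 29. */
public final class RootSignals {
    // Well-known su locations (assumed list for this example)
    static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su",
            "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su"
    };
    // Superuser manager packages named on the slide
    static final String[] ROOT_PACKAGES = {
            "com.noshufou.android.su", "com.thirdparty.superuser", "eu.chainfire.supersu"
    };

    /** Stock Google builds carry "release-keys"; "test-keys" points to a custom or debug ROM. */
    static boolean buildSignedWithTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** Existence of su on every PATH entry plus the hard-coded directories. */
    static List<String> suBinariesPresent() {
        List<String> candidates = new ArrayList<>(Arrays.asList(SU_PATHS));
        String path = System.getenv("PATH");
        if (path != null) {
            for (String dir : path.split(":")) {
                if (!dir.isEmpty()) {
                    candidates.add(dir + "/su");
                }
            }
        }
        List<String> found = new ArrayList<>();
        for (String p : candidates) {
            if (!found.contains(p) && new File(p).exists()) {
                found.add(p);
            }
        }
        return found;
    }

    /** Installed superuser manager packages, resolved through the PackageManager. */
    static List<String> rootPackagesInstalled(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<String> found = new ArrayList<>();
        for (String pkg : ROOT_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0);
                found.add(pkg);
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed
            }
        }
        return found;
    }

    /** Any single signal is enough to report; the caller decides what to do with the evidence. */
    static List<String> collect(Context ctx) {
        List<String> evidence = new ArrayList<>();
        if (buildSignedWithTestKeys()) {
            evidence.add("Build.TAGS=" + Build.TAGS);
        }
        for (String p : suBinariesPresent()) {
            evidence.add("su binary: " + p);
        }
        for (String pkg : rootPackagesInstalled(ctx)) {
            evidence.add("package: " + pkg);
        }
        return evidence;
    }
}
```

These checks run inside the app's own process on a device the user controls, so they are a risk signal rather than a guarantee: a rooted device can hide `su` and the manager package from the app. Treat a positive result as input to server-side risk decisions, and keep secrets out of the app regardless (slide 19).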
30. NEW IN ANDROID O Verified Boot System Verified Boot goes a step further and prevents users or hackers from booting to older more vulnerable versions of the OS an adversary may have rolled the system back to. The feature also supports the ability for apps and mobile device management firms to secure hardware areas of an Android device upon boot.
31. thanks
32. QUESTIONS @javiCuesta javier.cuesta.gomez@gmail.com