android secure offline storage - cc mobile
Secure offline storage
Steve De Zitter
Secure offline storage: Agenda
▪ Sample-app
▪ Android offline storage possibilities
▪ Android Sandbox model
▪ Some Best practices when using offline storage
▪ Performing back-up on demo app
▪ Secure file storage
▪ Secure database storage
▪ Tamper detection
SAMPLE-APP
Sample application
▪ Sample application
- https://github.com/SteveDZ/OfflineStorage.git
Android offline storage possibilities
▪ Several ways to store data in Android
- SharedPreferences
- Files (Internal and external storage)
- SQLite
- These are not secure!
▪ Back-up
▪ Rooted devices
Android sandbox model
MyApp, UID: 12345 | MyOtherApp, UID: 9876
Preferences | Preferences
Internal storage | Internal storage
Databases | Databases
Android sandbox model (Rooted device)
MyApp, UID: 12345 | MyOtherApp, UID: 9876
Preferences | Preferences
Internal storage | Internal storage
Databases | Databases
ROOT
Offline storage Best Practices
▪ Avoid it (if possible)
▪ Avoid external storage (outside of sandbox, globally readable)
▪ set android:allowBackup="false"
▪ set android:saveEnabled="false"
▪ MODE_PRIVATE with files
ADB shell
▪ When app is debuggable (default in DEV) or device is rooted
- adb shell
- run-as be.ordina.offlinestorage (Not necessary on rooted device)
- cd /data/data/be.ordina.offlinestorage/
▪ shared_prefs
▪ db
▪ files
Backing up application
Backup extractor -> https://github.com/nelenkov/android-backup-extractor
▪ Command line: adb backup be.ordina.offlinestorage
▪ Unlock the device and confirm backup operation
▪ Command line: java -jar abe-all.jar unpack backup.ab backup.tar
▪ Unzip the tar and check its contents (including the prefs file)
DEMO
Files on internal storage
▪ Internal storage mode MODE_PRIVATE (MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE are deprecated)
▪ Files saved on internal storage in MODE_PRIVATE are private to the application.
▪ FILE CONTENT IS NOT SECURE! -> After a back-up, these files are also perfectly readable
Safe file storage
▪ Encryption of files!
▪ See fragment.EncryptedInternalStorageFragment class for implementation details
CODE + DEMO
SQLite
▪ Relational database
▪ Saved on internal storage automatically
▪ Can be pulled or backed up with adb
▪ sqlitebrowser: (http://sqlitebrowser.org)
▪ SQLite3 command line interface: https://www.sqlite.org/download.html
▪ NOT SAFE
DEMO
SQLCipher
▪ Symmetrically encrypted SQLite database (AES-256)
▪ Drop-in replacement for regular SQLite
▪ SQLCipher for Android: https://www.zetetic.net/sqlcipher/sqlcipher-for-android/
▪ Installation instructions IntelliJ: https://discuss.zetetic.net/t/android-studio-integration/65
SQLCipher Command Line Interface
▪ Download SQLCipher command line interface: https://github.com/sqlcipher/sqlcipher
▪ Build sqlcipher command line tool: http://stackoverflow.com/questions/25132477/how-to-decrypt-an-encrypted-sqlcipher-database-file-on-command-line
▪ Run sqlcipher command line interface:
SQLCipher design
How does SQLCipher actually work?
▪ https://www.zetetic.net/sqlcipher/design/
CODE + DEMO
Hiding the key
▪ Ask each time
▪ In the code
▪ In the NDK
▪ Android KeyStore (Apple Keychain equivalent)
▪ Server-side
Ask each time
▪ At startup, always ask for the user's password.
▪ This password can be used to decrypt the database.
In the code
▪ Generate a device-specific key (see fragment.DeviceSpecificKeyFragment.java)
▪ As we saw earlier, this can be reverse engineered and used to recreate the device-specific key (not very safe…)
In the NDK
▪ Install the NDK: https://developer.android.com/tools/sdk/ndk/index.html
▪ Documentation: <ndk>/docs/Programmers_Guide/html/index.html
- Samples/hello-jni: Example Java Native Interface
- Building/ndk-build: How to build your native C files
- Building/Android.mk: Android .mk file describing the C library
In the NDK
▪ Android studio
- Create folder app/jni
▪ Create Android.mk, Application.mk, <your-module>.c
- Create folder src/main/jniLibs
- Compile the C module:
▪ cd into the <project-path>/app directory
▪ <ndk-path>/ndk-build
Decompile jar with .so modules
▪ http://reverseengineering.stackexchange.com/questions/4624/how-do-i-reverse-engineer-so-files-found-in-android-apks
▪ online disassembler: http://onlinedisassembler.com/odaweb/
CODE + DEMO
Android KeyStore (as of 4.3)
▪ Android hardware backed KeyStore
▪ Standard Java JCA (Java Cryptography Architecture) API, but with 'AndroidKeyStore' as provider
▪ http://developer.android.com/training/articles/keystore.html
▪ http://nelenkov.blogspot.be/2013/08/credential-storage-enhancements-android-43.html
Server side decryption
▪ Communication over HTTPS (of course…)
▪ Send bytes or Strings that need to be decrypted to server
▪ Server decrypts and sends unencrypted data back.
Advantages:
▪ Key information doesn’t leave the server (more secure)
Disadvantages:
▪ Application needs to be connected to internet to function correctly.
▪ More server round-trips to perform the encryption and decryption of data.
Tamper Detection
▪ Check if app is installed through play store
▪ Check if app is debuggable
▪ Check if app is running on emulator
▪ Check if device is rooted
Installed through play store
Check if app is debuggable
Check if your app is running on an emulator
Check if device is rooted
▪ Check for typical rooted binaries
- /sbin/, /system/bin/, /system/xbin/, /data/local/xbin/, /data/local/bin/, /system/sd/xbin/, /system/bin/failsafe/, /data/local/, /system/app/
▪ Check for rooted run command: su
▪ See RootDetectionUtils.java in the sample project
Sources
▪ Bulletproof Android. Practical advice for building secure apps (ISBN: 978-0-13-399332-5)
▪ https://www.parleys.com/tutorial/android-application-security
▪ http://nelenkov.blogspot.be/2013/08/credential-storage-enhancements-android-43.html
▪ http://developer.android.com/training/articles/keystore.html
▪ http://nelenkov.blogspot.be/
QUESTIONS???