safety first – best practices in app security

Safety first Best practices in app security ANA BAOTIĆ TECHNICAL MANAGER, MOBILE BANKING @ INFINUM

Upload: ana-baotic

Post on 14-Apr-2017



We're an independent design & development agency.

HOW TO INCREASE SECURITY

BUILD INTEGRITY

DATA PRIVACY

NETWORK SECURITY

THINGS TO ADD TO A NEW PROJECT

Release keystore
Obfuscation

KEYSTORE

Should be used for ALL builds
You should NEVER lose it
No one should EVER acquire it

    signingConfigs {
        release {
            storeFile file("myapp.keystore")
            storePassword "password123"
            keyAlias "keyAlias"
            keyPassword "password789"
        }
    }

DO NOT!

DO!

gradle.properties (keep this file out of version control; Gradle also reads ~/.gradle/gradle.properties):

    KEYSTORE_PASSWORD=password123
    KEY_PASSWORD=password789

build.gradle (fails the build with a clear error if the properties are missing instead of silently using nothing):

    signingConfigs {
        release {
            try {
                storeFile file("myapp.keystore")
                storePassword KEYSTORE_PASSWORD
                keyAlias "keyAlias"
                keyPassword KEY_PASSWORD
            } catch (ex) {
                // KEYSTORE_PASSWORD / KEY_PASSWORD are undefined when gradle.properties is absent
                throw new InvalidUserDataException("…")
            }
        }
    }

OBFUSCATION

Proguard

DexGuard

DexProtector

    release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
        signingConfig signingConfigs.release
    }

Decompiled output after obfuscation (class and member names replaced by single letters):

    public abstract class e {
        private int a = -1;
        private String b = null;
        protected boolean k = false;

        public abstract void a(Intent var1);

        public void run() {
            this.a((Intent) null);
        }

        protected final void a(String var1) {
            this.b = var1;
        }

        public final void c() {
            this.a = -1;
            this.b = null;
        }

        public final boolean d() {
            return this.k;
        }
    }

WILL THIS KEEP THE APK SAFE?

No.

TAMPERING DETECTION

Verify signing certificate at runtime

Verify the installer (the installer name is null for sideloaded apps, so check for null before comparing):

    String installer = context.getPackageManager()
            .getInstallerPackageName(context.getPackageName());
    boolean fromPlay = installer != null && installer.startsWith("com.android.vending");

Check if app is debuggable (or run on emulator)
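The three checks above, combined into one class as an added example (this is not the presenter's code). The expected certificate hash is a labelled placeholder that you would compute from your own release keystore at build time; the emulator heuristics are assumptions based on common Build property values and can be spoofed, which is why these checks raise the bar rather than guarantee anything.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.util.Base64;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Runtime integrity checks: signing certificate, installer, debuggable flag, emulator. */
public final class TamperChecks {

    // Placeholder (assumption): base64 SHA-256 of the release signing certificate,
    // computed once from your own keystore and compiled into the app.
    private static final String EXPECTED_CERT_SHA256 = "PLACEHOLDER_BASE64_SHA256_OF_RELEASE_CERT";

    private TamperChecks() {}

    /** True when the installed APK is signed by exactly the expected release certificate. */
    public static boolean signatureMatches(Context context) {
        try {
            PackageInfo info = context.getPackageManager().getPackageInfo(
                    context.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length != 1) {
                return false; // unexpected number of signers: treat as tampered
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(info.signatures[0].toByteArray());
            String actual = Base64.encodeToString(digest, Base64.NO_WRAP);
            // constant-time comparison so the check itself leaks nothing via timing
            return MessageDigest.isEqual(actual.getBytes(), EXPECTED_CERT_SHA256.getBytes());
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** True when the app was installed through Google Play (null installer = sideloaded). */
    public static boolean installedFromPlay(Context context) {
        String installer = context.getPackageManager()
                .getInstallerPackageName(context.getPackageName());
        return installer != null && installer.startsWith("com.android.vending");
    }

    /** True when the running build carries android:debuggable="true". */
    public static boolean isDebuggable(Context context) {
        return (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Heuristic only (assumed property values): common emulator fingerprints and hardware names. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu");
    }

    /** Single entry point: true only when every check passes. */
    public static boolean passesAll(Context context) {
        return signatureMatches(context)
                && installedFromPlay(context)
                && !isDebuggable(context)
                && !looksLikeEmulator();
    }
}
```

Run `TamperChecks.passesAll(getApplicationContext())` early in `Application.onCreate()` and decide the response (refuse to start, disable sensitive features, report to the backend) from there; since the checks live inside the APK, an attacker who can repackage the app can also remove them, which is the point the next slide makes.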

DATA PRIVACY

USERS ARE SENSITIVE ABOUT THEIR DATA

WAYS TO STORE (AND RETRIEVE) DATA

Internal storage
External storage
Content providers

INTERNAL STORAGE

Is (generally) sufficiently safe
Private to your app

EXTERNAL STORAGE

Globally readable and writable

CONTENT PROVIDERS

Structured storage mechanism
Can be exported to allow access by other apps

Keep a provider private unless other apps genuinely need it:

    <provider
        android:name="com.example.android.datasync.provider.StubProvider"
        android:authorities="com.example.android.datasync.provider"
        android:exported="false" />

If it must be exported, guard it with a custom permission so that only apps signed with your key can use it:

    android:protectionLevel="signature"

SHARED PREFERENCES

Useful for primitive key-value based data

                       private    readable    safe
    Internal storage   yes        yes         yes
    External storage   no         yes         no
    Content providers  depends    yes         yes
    Shared prefs.      yes        yes         yes

SO EVERYTHING IS FINE?

Yes, until you root the device.

USE LIBRARIES

Bouncy Castle
Spongy Castle
Keyczar
AeroGear Crypto
Conceal

ENCRYPT USING A PIN/PASSWORD

4 digits - 10 000 attempts
No effort to crack or even guess

BCRYPT

Key derivation function
Slow
Cost of the hash function depends on the work factor
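An added example (not the presenter's code) of the idea behind the two slides above: a 4-digit PIN is only 10 000 guesses, so the key derived from it must be expensive to compute. bcrypt is not in the JDK, so this uses PBKDF2 with HMAC-SHA-256 from javax.crypto as a stand-in; its iteration count plays the role of bcrypt's work factor. The derived key encrypts data with AES-GCM, so a wrong PIN or modified ciphertext fails authentication instead of yielding garbage. The sample plaintext and iteration counts are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

/** PIN-protected storage: slow KDF (work factor = iterations) + AES-GCM. */
public final class PinEncryptor {
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;
    private static final int TAG_BITS = 128;
    private static final int KEY_BITS = 256;

    private final int iterations;            // the work factor
    private final SecureRandom random = new SecureRandom();

    public PinEncryptor(int iterations) {
        this.iterations = iterations;
    }

    /** Derives a fresh AES key from the PIN and a per-blob random salt. */
    SecretKey deriveKey(char[] pin, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, iterations, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword();            // do not keep the PIN around in memory
        }
    }

    /** Output layout: salt || iv || ciphertext+tag, so decrypt needs only the PIN. */
    public byte[] encrypt(char[] pin, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(salt);
        random.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[SALT_BYTES + IV_BYTES + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_BYTES);
        System.arraycopy(iv, 0, out, SALT_BYTES, IV_BYTES);
        System.arraycopy(ct, 0, out, SALT_BYTES + IV_BYTES, ct.length);
        return out;
    }

    /** Throws AEADBadTagException for a wrong PIN or a tampered blob. */
    public byte[] decrypt(char[] pin, byte[] blob) throws GeneralSecurityException {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(blob, SALT_BYTES, SALT_BYTES + IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, SALT_BYTES + IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);
    }

    /** Shows how the work factor changes the cost of the 10 000-guess PIN space. */
    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed sample: session token".getBytes(StandardCharsets.UTF_8);
        for (int iters : new int[] {1_000, 100_000}) {   // constructed work factors
            PinEncryptor enc = new PinEncryptor(iters);
            long t0 = System.nanoTime();
            byte[] blob = enc.encrypt("1234".toCharArray(), secret);
            double ms = (System.nanoTime() - t0) / 1e6;
            System.out.printf("iterations=%d: one derivation ~%.1f ms, all 10 000 PINs ~%.0f s%n",
                    iters, ms, ms * 10_000 / 1000);
            byte[] back = enc.decrypt("1234".toCharArray(), blob);
            System.out.println("round trip ok: " + Arrays.equals(secret, back));
            try {
                enc.decrypt("0000".toCharArray(), blob);
            } catch (GeneralSecurityException e) {
                System.out.println("wrong PIN rejected: " + e.getClass().getSimpleName());
            }
        }
    }
}
```

Pick the iteration count from the timing on your slowest supported device, not the fastest: the same number that makes 10 000 guesses take minutes on a phone is what an attacker with the blob from a rooted device has to pay as well, since the salt prevents precomputation. PBKDF2WithHmacSHA256 is available on Android from API 26; older targets have PBKDF2WithHmacSHA1.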

CAN DATA REMAIN PRIVATE?

Rooting your device allows access
Not encrypting allows (mis)use

NETWORK SECURITY

HTTP

Still (frequently) used
Exposed to MiTM

HTTPS

Encrypts data
Validation of server's identity

android:usesCleartextTraffic="false"

ANDROID M

    StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder()
            .detectCleartextNetwork()
            .penaltyLog()
            .build());

ANDROID N

Network Security Configuration feature
Finer grained control

CERTIFICATE PINNING

Defines which CAs are trusted
Reduces effectiveness of MiTM

    // pinClientCertificate / pinServerCertificates belong to the presenter's own
    // builder wrapper around OkHttp, not to stock OkHttp
    OkHttpClient client = okhttpbuilder
            .pinClientCertificate(resources, R.raw.client_cert, "pass".toCharArray(), "PKCS12")
            .pinServerCertificates(resources, R.raw.server_cert, "pass".toCharArray(), "BKS")
            .build();

    return new OkClient(client);

WHAT IF THE CERTIFICATES CHANGE?

INFORM THE USERS

Implement a mechanism for notifying users (GCM) and forcing updates
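An added example (not the presenter's wrapper, and not the project's own code) covering both the pinning slide and the "what if the certificates change" slide, written against stock OkHttp 3's `CertificatePinner`. The hostname and the two pin strings are labelled placeholders; pinning the current key plus a backup key that is kept offline is what lets the server rotate without the forced update the previous slide describes.

```java
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLPeerUnverifiedException;

/** OkHttp client that only talks to API_HOST when the chain contains one of the pinned keys. */
public final class PinnedClient {
    // Placeholders (assumption): your API host and the sha256 SPKI hashes of the
    // key currently in use and of a backup key whose certificate is not deployed yet.
    static final String API_HOST = "api.example.com";
    static final String PIN_CURRENT = "sha256/PLACEHOLDER_CURRENT_SPKI_HASH=";
    static final String PIN_BACKUP = "sha256/PLACEHOLDER_BACKUP_SPKI_HASH=";

    private PinnedClient() {}

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP)   // rotation path: switch to the backup key server-side
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    /**
     * Computes the "sha256/..." pin for a certificate (for example one bundled in res/raw)
     * so the constants above can be generated rather than typed by hand.
     */
    public static String pinFor(InputStream certStream) throws Exception {
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(certStream);
        return CertificatePinner.pin(cert);
    }

    /** Raised when the server's chain matches none of the pins: the signal to tell the user. */
    public static final class PinMismatchException extends IOException {
        PinMismatchException(Throwable cause) {
            super("server key does not match pinned keys; app update required", cause);
        }
    }

    /** Performs a GET and separates a pin failure from ordinary network errors. */
    public static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("HTTP " + response.code());
            }
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            throw new PinMismatchException(e);   // do not retry without pinning
        }
    }
}
```

Catch `PinMismatchException` at the UI layer and show the "please update" screen instead of falling back to an unpinned connection; the push notification mentioned above is how you reach users before they hit this path.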

PLAN AHEAD

Check server security's impact on Android devices: https://www.ssllabs.com/

INCLUDE THE CLIENT IN THE PROCESS

Keep them up-to-date
Help them understand risks and advise them
Insist on updates and security patches

RECAP

ANDROID IS NOT SECURE

But you can make it less easy to abuse

THINGS TO REMEMBER

Use internal storage if applicable
Encrypt data
Use HTTPS
Pin certificates
Be aware of the update cycle

REFERENCES

• Gradle configuration

• http://developer.android.com/guide/topics/data/data-storage.html#db

• https://codahale.com/how-to-safely-store-a-password/

• http://www.developereconomics.com/android-cryptography-tools-for-beginners/

• https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app

• https://www.ssllabs.com/

• http://developer.android.com/preview/features/security-config.html

• https://www.ionic.com/mitm-attacks-ssl-pinning-what-is-it-and-why-you-should-care/

Thank you!

Questions?

Visit www.infinum.co or find us on social networks:

infinum.co infinumco infinumco infinum

[email protected] / @ABAOTIC