Increasing Android app security for free
Roberto Gassirà - Roberto Piccirillo
MILAN 25-26 NOVEMBER 2016
2
Who we are
● Senior Security Analysts for Mobile Security Lab
○ Vulnerability Assessment (IT, Mobile Application)
○ Android Secure Development
● Roberto Gassirà (@robgas)
● Roberto Piccirillo (@robpicone)
4
Potentially Hostile Environment: Introduction
Mobile applications can run in a potentially hostile environment
5
Potentially Hostile Environment: Unreliable Communication Channels
Free open Wi-Fi ... free user data
Threat: Traffic Snooping
6
Potentially Hostile Environment: Unreliable Communication Channels
Free WPA2 Wi-Fi ... free user data (MITM)
Threat: MITM
7
Potentially Hostile Environment: Unreliable Communication Channels
Under attack...
Threat: Information Gathering
9
Potentially Hostile Environment: Tampered Device
Rooting -> Android platform security compromised
No more application sandbox
10
Potentially Hostile Environment: Tampered Device
Hooking/Instrumentation
Threat: Code Hijacking
Intended flow: onCreate() -> isDeviceTampered() -> true: EXIT / false: ...() (continue normally)
Hooked flow: isDeviceTampered() is hooked to always return false, so the in-app check is bypassed
11
Mobile Threats for Developers: Attacker
● Advanced Device Owner
○ Remove Bloatware/Customization
● Mobile Cybercriminal
○ Application analysis
● Potentially Harmful Applications
○ Steal info/money
12
Mobile Threats for Developers: Malware Infection
Apps from “Unknown sources”
Apps from “Unknown sites”
13
Mobile Threats for Developers: Google Security Services for Android
From “Android Security 2015 Year in Review” - April 2016
14
Mobile Threats for Developers: Free Weapons for Developers
Tampered Device Detection: SafetyNet API
● Allows an app to analyze the device where it is installed
● Checks whether the device has passed the Compatibility Test Suite (CTS)
○ Checks the integrity of the device (Rooted? Hooked? Infected?)
● Provided by Google Play Services
15
Mobile Threats for Developers: Free Weapons for Developers
Key Material Protection: AndroidKeyStore
● Asymmetric and symmetric keys (API 23+) in a secure container with hardware backend
Secure Communication: Network Security Configuration
● Network security settings (certificate pinning, trusted CA, ...) customized with a safe and declarative configuration file
17
Detecting Tampered Device: Checking Device Compatibility
https://developer.android.com/training/safetynet/index.html
Access API -> Send Compatibility Check Request -> Validate Compatibility Check Response
18
Detecting Tampered Device: Access Google API
https://developers.google.com/android/guides/api-client
SafetyNet service: dependency declared in build.gradle
Create an instance of Google API Client
19
Detecting Tampered Device: Send Compatibility Check Request
Generate a random one-time nonce to defeat replay attacks
Send the request
AttestationResult
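The two slides above (access the API, then send the request with a fresh nonce) put together as one Activity. This is an added example, not the speakers' code: it uses the GoogleApiClient-based SafetyNet API the deck refers to (`SafetyNet.SafetyNetApi.attest`), assumes the `play-services-safetynet` dependency is already in build.gradle, and the `sendToBackend` hook is a hypothetical placeholder for the app's own HTTPS call to its server.

```java
// Added example (not the speakers' code): request a SafetyNet compatibility check
// from an Activity with the GoogleApiClient-based SafetyNet API (2016-era API).
// Assumes the play-services-safetynet dependency is declared in build.gradle.
import android.app.Activity;
import android.os.Bundle;
import android.util.Base64;
import android.util.Log;

import com.google.android.gms.common.ConnectionResult;
import com.google.android.gms.common.api.GoogleApiClient;
import com.google.android.gms.common.api.ResultCallback;
import com.google.android.gms.safetynet.SafetyNet;
import com.google.android.gms.safetynet.SafetyNetApi;

import java.security.SecureRandom;

public class AttestationActivity extends Activity
        implements GoogleApiClient.ConnectionCallbacks, GoogleApiClient.OnConnectionFailedListener {

    private static final String TAG = "SafetyNetDemo";
    private GoogleApiClient apiClient;
    private byte[] nonce;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Step 1: access the SafetyNet service through a Google API client.
        apiClient = new GoogleApiClient.Builder(this)
                .addApi(SafetyNet.API)
                .addConnectionCallbacks(this)
                .addOnConnectionFailedListener(this)
                .build();
    }

    @Override
    protected void onStart() {
        super.onStart();
        apiClient.connect();
    }

    @Override
    protected void onStop() {
        apiClient.disconnect();
        super.onStop();
    }

    /** Step 2: a fresh, unpredictable, one-time nonce so a captured response cannot be replayed. */
    static byte[] newNonce() {
        byte[] n = new byte[32]; // 32 random bytes; SafetyNet requires at least 16
        new SecureRandom().nextBytes(n);
        return n;
    }

    @Override
    public void onConnected(Bundle connectionHint) {
        // Ideally the backend issues the nonce so it can later recognise it; here it is
        // generated locally and remembered for the server-side comparison (assumption).
        nonce = newNonce();
        SafetyNet.SafetyNetApi.attest(apiClient, nonce)
                .setResultCallback(new ResultCallback<SafetyNetApi.AttestationResult>() {
                    @Override
                    public void onResult(SafetyNetApi.AttestationResult result) {
                        if (!result.getStatus().isSuccess()) {
                            Log.w(TAG, "attest failed: " + result.getStatus());
                            return;
                        }
                        // JWS string "header.payload.signature". Hand it to the backend together
                        // with the nonce: a verdict decoded on a possibly hooked device is not trustworthy.
                        String jws = result.getJwsResult();
                        sendToBackend(Base64.encodeToString(nonce, Base64.NO_WRAP), jws);
                    }
                });
    }

    /** Hypothetical hook: POST both values to the app's own server over HTTPS. */
    private void sendToBackend(String nonceB64, String jws) {
        Log.d(TAG, "nonce=" + nonceB64 + " jws length=" + jws.length());
    }

    @Override public void onConnectionSuspended(int cause) { }
    @Override public void onConnectionFailed(ConnectionResult result) {
        Log.w(TAG, "Google Play Services unavailable: " + result);
    }
}
```

The nonce is the only thing that ties a JWS to this particular request, which is why it must be random per request and why the server, not the app, should compare it with the `nonce` field of the attestation payload.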
20
Detecting Tampered Device: Attestation Result
● Formatted in JSON Web Signature format
○ RSA256 signed JSON
JWS Header . JWS Payload . JWS Signature
Device passed Compatibility Test Suite (device integrity status):
true: OK
false: TAMPERED
21
Detecting Tampered Device: Validate Compatibility Check Response
● Google provides the Android Device Verification API for validating the response
POST "https://www.googleapis.com/androidcheck/v1/attestations/verify?key="
{ "signedAttestation": <JWS Header . JWS Payload . JWS Signature> }
Response: { “isValidSignature”: true }
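Backend-side validation of the attestation, as an added example (not the speakers' code): it first calls the Android Device Verification API shown above, and only then decodes the JWS payload and binds it to the request. Plain Java 8 plus the `org.json` library is assumed; the API key, expected package name and the five-minute freshness window are placeholders chosen for the example.

```java
// Added example (not the speakers' code): validate a SafetyNet JWS on the server.
// Assumes Java 8 and org.json; apiKey / expectedPackage are supplied by the caller.
import org.json.JSONObject;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class AttestationValidator {

    private static final String VERIFY_URL =
            "https://www.googleapis.com/androidcheck/v1/attestations/verify?key=";
    private static final long MAX_AGE_MS = 5 * 60 * 1000; // assumption: reject attestations older than 5 minutes

    private final String apiKey;          // Android Device Verification API key (placeholder)
    private final String expectedPackage; // e.g. the app's own applicationId (placeholder)

    public AttestationValidator(String apiKey, String expectedPackage) {
        this.apiKey = apiKey;
        this.expectedPackage = expectedPackage;
    }

    /** Step 1: ask Google whether this JWS really carries Google's signature. */
    boolean isSignatureValid(String jws) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(VERIFY_URL + apiKey).openConnection();
        c.setRequestMethod("POST");
        c.setRequestProperty("Content-Type", "application/json");
        c.setDoOutput(true);
        byte[] body = new JSONObject().put("signedAttestation", jws).toString()
                .getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = c.getOutputStream()) { out.write(body); }
        try (InputStream in = c.getInputStream()) {
            String resp = new String(readAll(in), StandardCharsets.UTF_8);
            return new JSONObject(resp).optBoolean("isValidSignature", false);
        }
    }

    /** Step 2: with the signature trusted, read the payload and tie it to this request. */
    boolean isDeviceTrusted(String jws, String expectedNonceB64) throws IOException {
        if (!isSignatureValid(jws)) return false;
        String[] parts = jws.split("\\.");          // header.payload.signature
        if (parts.length != 3) return false;
        JSONObject payload = new JSONObject(
                new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8));
        // the nonce must be the one issued for this request: anything else is a replay or a foreign attestation
        if (!expectedNonceB64.equals(payload.optString("nonce"))) return false;
        // the attestation must be about our APK, not some other app on the same device
        if (!expectedPackage.equals(payload.optString("apkPackageName"))) return false;
        // and must be recent
        long age = System.currentTimeMillis() - payload.optLong("timestampMs", 0);
        if (age < 0 || age > MAX_AGE_MS) return false;
        // ctsProfileMatch is the verdict on the slide: true = OK, false = TAMPERED
        return payload.optBoolean("ctsProfileMatch", false);
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
        return buf.toByteArray();
    }
}
```

The order matters: the payload is only parsed after `isValidSignature` came back `true`, so an attacker who forges a JWS with `ctsProfileMatch: true` never gets past step 1, and the nonce and package checks stop a genuine attestation from being reused for another request or another app.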
23
Enhancing Network Security: MITM attack
● MITM attack:
○ A well-known technique used by an attacker to set up a proxy that intercepts traffic between your application and backend servers
● How
○ ARP poisoning
○ DNS poisoning
○ Rogue proxy
○ etc.
24
Enhancing Network Security: MITM with HTTP or HTTPS
● HTTP and HTTPS:
○ HTTP: all data is sent in clear
○ HTTPS: all data sent is encrypted (digital certificates and session keys)
● Implementing a MITM attack on HTTP (easier)
● Implementing a MITM attack on HTTPS (harder)
○ Not impossible
26
Network Security Configuration: Digital certificate
● Most important fields:
○ Common name
○ Issuer name
○ Not Valid Before
○ Not Valid After
○ Public Key
○ Signature
Remember the “Public Key Info” section
27
Enhancing Network Security: HTTPS key security points
● Using HTTPS is not enough to mitigate some risks due to MITM attacks
○ But in almost all cases it should be mandatory to use it
● To be more secure it is important to:
○ Check the common name of the server digital certificate
○ Verify the issuer of the server digital certificate
○ Trust the issuer of the server digital certificate
● In the last years it has become usual to:
○ Check the server public key (certificate pinning, sometimes called SSL pinning)
○ More code is needed to implement this technique
Android Nougat offers new features to perform these checks easily and make HTTPS more secure
28
Enhancing Network Security: Network Security Configuration
● Uses a declarative configuration file to:
○ Enforce HTTPS for specified domains used in your application
○ Use certificate pinning
○ Trust only a specific Certification Authority or use a specific self-signed certificate
○ Debug secure connections without modifying code
● What you need: a reference to the configuration file in AndroidManifest.xml
29
Enhancing Network Security: Configuration file format
● Root element: contains all network configuration
● Default configuration for all connections
● Configurations for one or more domains
● Configurations valid only for debug purposes
30
Enhancing Network Security: Enforce HTTPS
● You get an error when you try to connect using HTTP
Enforce HTTPS
HTTP Connection
Error: “Cleartext HTTP traffic to android-developers.blogspot.it not permitted”
31
Enhancing Network Security: Digital Certificate with custom CA
● Use your own CA to verify your certificate
Enforce HTTPS for the domain codemotion.milan.2016
Use the cacert certificate to verify the server certificate
● If cacert is not used, the app gets an error
32
Enhancing Network Security: Certificate pinning
● Force your application to use a specific public key
● In previous Android versions you had to write boring code to implement certificate pinning
● Now you only need to calculate the sha256 of the Public Key Info of the X509 digital certificate
Public Key Info -> sha256 -> base64 -> PinDigest
33
Enhancing Network Security: Certificate pinning
● If the server public key is different, the application gets an error
● Add the PinDigest with an expiration date
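How the PinDigest of the previous slide is actually computed (Public Key Info -> sha256 -> base64), as an added example that is not part of the deck. It is plain Java 8 with no Android dependency, so it can run on a developer machine against the server's certificate file; the file path comes from the command line.

```java
// Added example (not the speakers' code): compute the Network Security Configuration
// pin digest of an X.509 certificate (PEM or DER) using plain Java 8.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class PinDigest {

    /** SubjectPublicKeyInfo -> SHA-256 -> Base64: the "PinDigest" of the slide. */
    static String fromCertificate(X509Certificate cert) throws Exception {
        // getEncoded() on the public key returns the DER SubjectPublicKeyInfo structure,
        // which is what Android hashes when it checks a pin. Pinning the SPKI rather than
        // the whole certificate survives re-issuing the certificate with the same key.
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(hash);
    }

    static X509Certificate load(InputStream in) throws Exception {
        // CertificateFactory accepts both PEM ("-----BEGIN CERTIFICATE-----") and raw DER input.
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java PinDigest <server-cert.pem|server-cert.der>");
            return;
        }
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = load(in);
            // the Not Valid After date is a good candidate for the pin-set expiration attribute
            System.out.println("subject : " + cert.getSubjectX500Principal());
            System.out.println("expires : " + cert.getNotAfter());
            System.out.println("pin     : " + fromCertificate(cert));
        }
    }
}
```

Run it twice, once for the key currently deployed and once for a backup key held offline, and put both digests in the pin set; a single pin means a key rotation on the server locks out every installed copy of the app until it is updated.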
34
Enhancing Network Security: Safe debug
● In our analyses it is horrible to find out that all SSL checks are off, to overcome problems in the development environment
● Now it is possible to add a debug configuration without modifying any line of code
● When you build in “release mode” the debug configuration is not considered
35
Enhancing Network Security: Other options
● You can define a base configuration for all connections
● You can insert more PinDigests
● You can define which CA store will be used to verify certificates:
○ User
○ System
● You can use a self-signed certificate
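Everything the Network Security Configuration slides describe (enforce HTTPS, custom CA, pinning with expiration, safe debug, base configuration, CA store selection) gathered into one `res/xml/network_security_config.xml`, as an added example that is not the deck's own file. The configuration format is XML, so the example is XML rather than Java. It assumes the manifest references it with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element; the domain is the deck's example domain codemotion.milan.2016, `@raw/cacert` is the custom CA from the slides, and the pin digests, backup pin and expiration date are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not the deck's file).
     Referenced from AndroidManifest.xml:
     <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Domain, pin digests and expiration date are placeholders. -->
<network-security-config>

    <!-- Default for every connection the app makes: no cleartext HTTP, system CA store only
         (user-installed CAs are not trusted). An HTTP URL now fails with
         "Cleartext HTTP traffic to <host> not permitted". -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Our backend: served with a certificate issued by our own CA (res/raw/cacert.pem)
         and pinned to the SHA-256 of its SubjectPublicKeyInfo. A certificate from any other
         CA, or with another key, is rejected with a handshake error. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">codemotion.milan.2016</domain>
        <trust-anchors>
            <certificates src="@raw/cacert" />
        </trust-anchors>
        <!-- After the expiration date the pins are ignored and only the trust anchors apply,
             so an app build that was never updated does not lock itself out forever. -->
        <pin-set expiration="2017-12-31">
            <!-- current server key: placeholder (base64 of 32 zero bytes), replace with the real digest -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup key kept offline, so a key rotation does not break installed apps: placeholder -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Applied only when android:debuggable is true, i.e. ignored in release builds:
         the user CA store (where an intercepting proxy's CA is installed during development)
         is trusted without touching a single line of code. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The weak setting the "Safe debug" slide warns about would be a global `cleartextTrafficPermitted="true"` or `<certificates src="user" />` inside `base-config`: that ships the development relaxation to every user. Keeping it under `debug-overrides` is what makes it safe, because the build type, not a forgotten flag, decides whether it applies.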
37
Key Management Evolution: AndroidKeyStore Provider
● Android KeyStore Provider introduced with API level 18
○ Based on the Android Keystore System to store cryptographic keys
● Until API level 22 only asymmetric keys
○ For info: https://speakerdeck.com/mseclab/android-key-management
● With API level 23+ also symmetric keys
API 18-22: Asymmetric
API 23+: Asymmetric + Symmetric
40
Key Management Evolution: AndroidKeyStore Security Features
● Preventing extraction of the key material from the application process
● Preventing extraction of the key material from the Android device
● Key material never enters the application process:
○ App cryptographic operations are performed by a system process
● Key material may be bound to secure hardware:
○ Trusted Execution Environment (TEE)
○ Secure Element
● More and more processors are equipped with a TEE:
○ Snapdragon 808 (Nexus 5X), Snapdragon 810 (Nexus 6P), Snapdragon 820 (Galaxy S7), etc.
42
The Bill: How much does it cost?
● Detecting Tampered Device: Free
● Enhancing Network Security: Free
● Key Management Evolution: Free
Total = Free :)
Web: www.mseclab.com www.consulkthink.it Mail: [email protected] Tel: +39-06-4549 2416 Fax: +39-06-4549 2454
Thanks for your attention