In this talk I talked about my experiences with Android security when it comes to storing secrets in apps on the device. It uses OAuth as an example but contains practical hints on how to store any secret securely. Presented at DroidconNL in Amsterdam, November 23 2011.
11. Sandboxing
‣ Apps only have access to their own data
‣ Access is based on Linux user ID
‣ Further protected by application signature
12. Storage + Secure Storage
‣ USB Storage
• External storage, sharable between apps
‣ Device Storage
• Apps have their own location, within sandbox
‣ Secure Storage
• Java KeyStores with strong encryption algorithms
• Unfortunately no hardware encrypted storage like iPhone
13. The Main Problem
‣ How can I securely store secrets?
• Is sandboxing a solution? -> Not when device is rooted
• Is device storage a solution? -> Not when device is rooted
• Is encryption a solution?
‣ Yes, but where do you store your encryption keys?
14. It’s a common question
Stackoverflow search for ‘store secrets android’:
15. With common answers
- Huh?
- Don’t store secrets
- Don’t use OAuth
- Obfuscate
- Encrypt
31. Credits
‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/
‣ ‘Locker (KHS up close)’ by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/
‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/