Security Tips for Securing Your Android App
•Transferir como PPTX, PDF•
0 gostou•151 visualizações
Are you interested how to make android app more secure against common threats? He is the one who might help ;) Check out Volodymyr Kimak speech "Security Tips for Android App" OWASP Ukraine 2017 Security Conference https://www.facebook.com/events/914991308665427/
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Semelhante a Security Tips for Securing Your Android App
Semelhante a Security Tips for Securing Your Android App (20)
Mais de Igor Beliaiev
Mais de Igor Beliaiev (7)
Último
Último (20)
Security Tips for Securing Your Android App
- 1. Security Tips for Android App Volodymyr Kimak Softjourn, Inc
- 2. Why Android?
- 5. Android Platform Version Usage
- 6. API Security
- 7. API Security: Tips ● Use JWT or Bearer Tokens for Session management and validation, do not rely on mobile app judgements ● Validate every API method properly (parameters, roles and permissions), even if it is hidden somewhere in the mobile app ● Do not disclose Direct Object References to backend entities, because it leads to enumeration and easy guessing of them
- 9. Authentication and Authorization: Tips ● Require strong Session management ● Do not store passwords locally, instead store tokens even for “Remember Me” functionality ● Do not allow users to provide 4-6 digit PIN codes instead of passwords, use FingerPrint authentication instead
- 10. Cryptography
- 11. Cryptography: Tips ● Store sensitive data locally, only if it is really needed ● Use only modern, strong, approved cryptographic algorithms, do not create your own crypto ● Use strong random number generators ● Protect your keys in a key vault ● Do not store hardcoded encryption keys in app code
- 13. Communication: Tips ● Remove all debug HTTP(S) settings ● Use the latest HTTP standards: ○ HTTP 1.1 or HTTP 2.0 ○ HTTPS/TLS 1.2 ● Verify SSL certificate: ○ Hostname ○ Information (SSL Pinning) ■ Pin Certificate ■ Pin Public Key Info (SPKI) ○ In case of Hybrid app (Xamarin), it is possible to verify certificate on 2 levels (native and hybrid) to increase security ○ Inform User about SSL error and drop connection
- 15. Data Storage: Locations ● Internal ● External
- 17. Data Storage: Tips ● Use Shared Preferences for only simple app preferences, but not for sensitive data ● Use KeyStore for storing small amount of sensitive data ● Use Internal Storage for app’s generated content ● Use External Storage for user’s files, but not for sensitive data, unless you encrypt it ● Use Encrypted Database (Realm or SQLite) for storing large amount of sensitive data ● Do not store sensitive data in logs or analytics
- 18. Content Provider
- 19. Content Provider: Tips ● Use Content Provider to share data between apps ● If used only by your app, set flag android:exported=false ● If shared apps are only your own apps, set flag android:protectionLevel=signature ● Prefer to use android:grantUriPermissions over android:permissions, because if gives more granular and dynamic access to data ● Use parametrized query methods such as query/update/delete to avoid potential SQL injections from untrusted sources
- 21. Activity/Service/Broadcast Receiver: Tips ● Provide shared access from other apps to only those activities/services/receivers, which are aimed at it, using android:exported/intent-filter/permission attributes
- 23. Binary Protection: Tips ● Use native code obfuscators: ○ Proguard ○ Dexguard ○ In case of hybrid app (Xamarin), use corresponding obfuscators also ● Use SafetyNet API from Google: ○ Attestation API - check if device environment is safe and app has not been modified ○ Verify Apps API - check if device contains potentially harmful apps
- 25. Redundant functionality: Tips ● Remove debug flag from Application manifest ● Remove internal functionality ● Remove all hardcoded/test passwords ● Remove all test and non-production ready endpoints ● Verify that log messages do not expose application flow and critical info
- 26. Links ● https://developer.android.com/training/best-security.html ● https://www.owasp.org/index.php/Mobile_Top_10_2016- Top_10 ● https://developer.android.com/training/safetynet/index.htm l ● https://www.guardsquare.com/en/proguard
Notas do Editor
- https://pages.nokia.com/8859.Threat.Intelligence.Report.html https://www.networkworld.com/article/3185766/security/malware-infection-rate-of-smartphones-is-soaring-android-devices-often-the-target.html https://developer.android.com/about/dashboards/index.html
- https://pages.nokia.com/8859.Threat.Intelligence.Report.html https://www.networkworld.com/article/3185766/security/malware-infection-rate-of-smartphones-is-soaring-android-devices-often-the-target.html https://developer.android.com/about/dashboards/index.html
- https://pages.nokia.com/8859.Threat.Intelligence.Report.html https://www.networkworld.com/article/3185766/security/malware-infection-rate-of-smartphones-is-soaring-android-devices-often-the-target.html https://developer.android.com/about/dashboards/index.html
- https://pages.nokia.com/8859.Threat.Intelligence.Report.html https://www.networkworld.com/article/3185766/security/malware-infection-rate-of-smartphones-is-soaring-android-devices-often-the-target.html https://developer.android.com/about/dashboards/index.html
- http://factmyth.com/factoids/cryptography-is-the-art-of-writing-and-solving-codes/
- https://www.synopsys.com/blogs/software-security/ineffective-certificate-pinning-implementations/ https://koz.io/pinning-cve-2016-2402/ https://www.cloudflare.com/learning/cdn/cdn-ssl-tls-security/
- https://www.synopsys.com/blogs/software-security/ineffective-certificate-pinning-implementations/ https://koz.io/pinning-cve-2016-2402/
- https://stackoverflow.com/questions/9986734/which-android-data-storage-technique-to-use Shared preferences are good for storing ... an application's preferences, and other small bits of data. It's a just really simple persistent string key store for a few data types: boolean, float, int, long and string. So for instance if my app had a login, I might consider storing the session key as string within SharedPreferences. SQLite databases are great whenever you are going to use a lot of structured data and a relatively rigid schema for managing it. Put in layman's terms, SQLite is like MySQL or PostgreSQL except instead of the database acting as a server daemon which then takes queries from the CGI scripts like php, it is simply stored in a .db file, and accessed and queried through a simple library within the application. While SQLite cannot scale nearly as big as the dedicated databases, it is very quick and convenient for smaller applications, like Android apps. I would use an SQLite db if I were making an app for aggregating and downloading recipes, since that kind of data is relatively structured and a database would allow for it to scale well. Databases are nice because writing all of your data to a file, then parsing it back in your own proprietary format it no fun. Then again, storing data in XML or JSON wouldn't be so bad.
- https://stackoverflow.com/questions/9986734/which-android-data-storage-technique-to-use Internal storage is good for storing application data that the user doesn't need access to, because the user cannot easily access internal storage. Possibly good for caching, logs, other things. Anything that only the app intends to Create Read Update or Delete. External storage. Great for the opposite of what I just said. The dropbox app probably uses external storage to store the user's dropbox folder, so that the user has easy access to these files outside the dropbox application, for instance, using the file manager.
- What is KeyStore? https://developer.android.com/training/articles/keystore.html
- Attestation API provides services for determining whether a device running your app satisfies Android compatibility tests. Verify Apps API allows your app to protecting the device against potentially harmful apps.