Android Security Development Part 1: App Development How to create safe App ?

1. Android Security
Development
PART 1 – App Development
SEAN

2. Sean
• Developer
• erinus.startup@gmail.com
• https://www.facebook.com/erinus

3. Something you need to know
• USB
• Screen
• Clipboard
• Permission
• Database
• Network
• Cryptography
• API Management
• Validation

4. Security about USB

5. SAFE
ANDROID:ALLOWBACKUP = "FALSE"

6. DANGEROUS
ANDROID:ALLOWBACKUP = "TRUE"
It will allow someone can backup databases and
preferences.

7. SAFE
ANDROID:DEBUGGABLE = "FALSE"

8. DANGEROUS
ANDROID:DEBUGGABLE = "TRUE"
It will let someone can see logcat messages and do
something more …

9. WHY ?
If you do not set android:debuggable="false",
debug mode will depend on system settings.

10. IF ERROR NOTIFICATION SHOWS IN ECLIPSE
WHEN SET ANDROID:DEBUGGABLE, IT IS ALL
ABOUT ADT LINT.

11. CLICK ON "PROBLEMS" TAB

12. RIGHT CLICK ON ITEM
AND CHOOSE "QUICK FIX"

13. CHOOSE "DISABLE CHECK"

14. Security about SCREEN

15. GETWINDOW().SETFLAGS(LAYOUTPARAMS.FL
AG_SECURE, LAYOUTPARAMS.FLAG_SECURE);
It disable all screen capture (except rooted device)
• [POWER] + [VOL-DWN]
• OEM feature like SAMSUNG / HTC

16. Security about CLIPBOARD

17. WHEN USER LEAVE APP
You want to clear clipboard

18. YOU WANT TO ALLOW
User can use something copied from other apps
in your app

19. ALSO WANT TO REJECT
User can not use something copied from your app
in other apps

20. FIRST

21. SAVE THE STATE OF APPLICATION
onResume => FOREGROUND
onPause => BACKGROUND

22. SECOND

23. USE RUNNABLE AND POSTDELAYED 500 MS
When onPause is triggered, you can detect
the state of application after ~500ms.

24. LAST

25. DETECT STATE AND SETPRIMARYCLIP
If STATE equals BACKGROUND, executes
BaseActivity.this.mClipboardManager
.setPrimaryClip(ClipData.newPlainText("", ""));

26. THE TOP ITEM WILL BE EMPTY
IN CLIPBOARD STACK
Android only lets app access the top item in
clipboard stack on non-rooted device.

27. Security on PERMISSION

28. ONLY USE NECESSARY PERMISSIONS

29. IT IS COMMON SENSE

30. BUT SOMETHING MORE

31. GOOGLE CLOUD MESSAGING
NEEDS
ANDROID.PERMISSION.GET_ACCOUNTS

32. BUT

33. GOOGLE CLOUD MESSAGING
NEEDS
ANDROID.PERMISSION.GET_ACCOUNTS

34. ONE YEAR LATER

35. YOU SHOULD REMOVE "GET_ACCOUNTS"
When you do not support
Android 4.0.3 and older version

36. Security on Database

37. SQLITE

38. RECOMMENDED
SQLCipher
Support iOS / Android
https://www.zetetic.net/sqlcipher/open-source

39. SQLite Encryption Extension
http://www.sqlite.org/see/

40. Security on NETWORK

41. USE HTTPS WITH SELF-SIGNED CERTIFICATE

42. BUT

43. SOMETHING IGNORED ?

44. DO YOU CHECK
HOSTNAME IS VALID ?

45. VERIFY HOSTNAME

46. DO YOU AVOID
IMPORTING MALICIOUS CERT ?

47. CREATE BRAND NEW KEYSTORE
AND IMPORT SERVER CERT

48. DOUBLE CHECK
THE BINARY CONTENT OF CERT ?

49. VERIFY BINARY CONTENT OF SERVER CERT
Avoid Man-in-the-Middle attack

50. WHY ?

52. SSL MECHANISM IN OS MAY BE WRONG
APPLE SSL / TLS Bug ( CVE-2014-1266 )

53. Chinese MITM Attack on iCloud

54. POODLE Bites

55. Lenovo Superfish

56. FREAK

57. SSL TUNNEL KEEP DATA SAFE ?

58. NO

59. YOU STILL NEED ENCRYPT DATA

60. HTTPS WEB PROXY

61. DO NOT PUT KEY IN YOUR DATA

62. Security on CRYPTOGRAPHY

63. USE ANDROID SDK OR ANDROID NDK ?

64. ANDROID SDK: JAVA
DECOMPILE EASY
ANALYSIS EASY

65. ANDROID NDK: C AND C++
DISASSEMBLE EASY
ANALYSIS HARD

66. ANDROID NDK
OpenSSL Inside

67. ANDROID NDK
Can I customize ?

68. ANDROID NDK
PolarSSL
https://polarssl.org

69. PolarSSL
You can change SBOX of AES, ...

70. AES
AES-256 / CBC / PKCS7Padding

71. RSA
RSA-4096

72. ALL KEY GENERATION AND ENCRYPTION
MUST BE DONE IN ANDROID NDK

73. EVERYTHING IS DONE ?

74. NO

75. HOW TO GENERATE KEY ?

76. RANDOM
KEY
HARDWARE
ID
USER
KEY

77. RANDOM KEY
One Key – One Encryption

78. HARDWARE ID
IMEI / MEID
WIFI MAC Address
Bluetooth Address

79. IMEI / MEID
ANDROID.PERMISSION.READ_PHONE_STATE
WIFI MAC Address
ANDROID.PERMISSION.ACCESS_WIFI_STATE
Bluetooth Address
ANDROID.PERMISSION.BLUETOOTH

80. USER KEY
Input from user
Only exist in memory
Just clear when exit

81. ONLY CIPHERTEXT ?

82. SCRAMBLE YOUR CIPHERTEXT
WEP can be cracked by collecting large amount
packet and analyzing ciphertext.

83. SCRAMBLED CIPHERTEXT
CIPHERTEXT

84. HOW TO SCRAMBLE ?

85. MORE COMPLEX THAN BASE64
WIKI: Common Scrambling Algorithm
http://goo.gl/eP6lXj

86. IF ALL KEY LOST ?

87. SORRY

88. GOD BLESS YOU

89. Security on API MANAGEMENT

90. ACCESS TOKEN
REFRESH PERIODICALLY
RANDOM GENERATE

91. HOW TO USE ACCESS TOKEN ?

92. ACCESS TOKEN
↓
USER ID

93. ACCESS TOKEN
↓
USER ID
↓
HARDWARE ID

94. ACCESS TOKEN
↓
USER ID
↓
HARDWARE ID
↓
ENCRYPT OR DECRYPT

95. ALL API ACCESS MUST USE ACCESS TOKEN

96. Security on VALIDATION

97. PASSWORD
HASH Algorithms

98. MD5
Not Secure

99. SHA-1
Almost Secure

100. SHA-256
Secure

101. Suggestion
MD5(SHA-1(Password + Salt))
+
SHA-256(SHA-1(Password + Salt))

102. Next Part

103. Malicious Android App
Dynamic Analyzing System