In this lecture we will talk about what you should know and consider in the construction of an application developer to ensure the safe use of confidential user data.

1. Ways of Enhancing Application Security
Denis Zhuchinski
Android Developer
EVO.company

2. Ways of Enhancing Application Security
Denis Zhuchinski
Android Developer
EVO.company

3. What are we talking about today?
- Android & Security
- Interprocess Communication
- Networking
- Data safety
- Analyzing tools

4. Why should care about?

5. What Android know about you?
- Calls
- Messages
- Emails
- Contacts
- Calendar
- Location
- Photos, Videos
- Camera
- ...

6. Enemies
- ADB
- Malicious Apps
- Unprotect Network
- Sniffers

7. Android security model

8. Application sandboxing

9. Permissions

10. Inter Process Communication

11. Code Signing

12. SELinux

13. Google’s Android Security Rewards has given
researchers over $550,000 in 1 year

14. Interprocess Communication
“In the Android platform, the binder is used for nearly
everything that happens across processes in the core platform."
– Dianne Hackborn

15. Binder

16. Interprocess Communication
- Intents
- Content Providers
- Messenger
- System services (Telephone, Vibrator, Wifi,
Battery, Notification, etc.)
- Lifecycle callbacks in your Activity like
onStart(),onResume(), onDestroy() are invoked
by ActivityManagerServer via binders

17. Man in the Binder

18. Android IPC is not secure!

19. Networking

20. HTTPS is a must have!

21. But...

22. HTTPS in not enough!

23. Man in the Middle

24. Pinning
- Certificate
- Public key
RFC 5280

25. Certificate pinning
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
OkHttpClient client = new OkHttpClient();
String certPin = CertificatePinner.pin(ca);
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(API_HOST, certPin)
.build();
client.setCertificatePinner(certificatePinner);

26. android.security.net.config
res/xml/network_security_config.xml:
<domain-config hstsEnforced=[True|False] cleartextTrafficPermitted=[True|False]>
<domain includeSubdomains=[True|False]>example.com</domain>
<pin-set expiration="exp-date">
<pin digest=sha256>PaJOmDNhWkVBvuXfzqXMyfo7kgtGpcyZp6L8EqvM8Ck=</pin>
</pin-set>
</domain-config>
Android N

27. Risks
- Insecure Data Storage
- Weak Server Side Controls
- Insufficient Transport Layer Protection
- Client Side Injection
- Poor Authorization and Authentication
- Security Decisions Via Untrusted Inputs
- Broken Cryptography

28. Where is the rescue, Bro?

29. Cryptography

30. Encryption Tools
- Cipher (javax.crypto)
- Spongy Castle
- Conceal
- SQLCipher
- AESCrypt-Android
- Secure-preferences
(https://github.com/scottyab/secure-preferences
)
- etc.

31. Conceal

32. Resources / Importance
- Secure key storage
- Suitable algorithm
- Right key length

33. ONLINE ANALYZERS
1. AndroTotal
2. Dexter
3. Tracedroid
4. Visual Threat
5. Mobile Malware Sandbox
6. MobiSec Eacus
7. IBM Security AppScan Mobile Analyzer - not free
8. NVISO ApkScan
...

34. STATIC ANALYSIS TOOLS
1. QUARK
2. ApkAnalyser
3. APKInspector
4. Droid Intent Data Flow Analysis for Information
Leakage
5. Drozer
6. Several tools from PSU
7. Smali CFG generator
8. FlowDroid
...

35. Apktool
$ apktool d app-test.apk
I: Using Apktool 2.2.0 on app-prod-release.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/oem/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

36. Apktool

37. QARK

38. QARK

39. Drozer
adb install agent.apk
$ drozer console connect
dz> run app.package.attacksurface
com.app.test
dz> run app.package.attacksurface com.app.test
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable

40. Thing to remember
1. Never trust any input (use whitelists not blacklists)
1. Store data securely
4. Use HTTPS with certificate pinning
5. Use Cryptography
6. Don't write your own crypto
2. Make code obfuscation
7. Audit third-party code and services that you use
3. Avoid excessive logging
8. Perform security code review

41. Plan for security from the start - it's not something
you can bolt on at the end

42. Links
1. https://www.androidpit.com/android-m-release-date-news-features-name#s
ecurity
2. https://www.nowsecure.com/blog/2015/07/16/android-m-a-security-research
-perspective-part-1/
3. https://koz.io/network-security-policy-configuration-for-android-apps/
4. http://blog.riskfinder.co.jp/2016/03/network-security-configuration-android-n.
html
5. http://markup.su/highlighter/
6. https://www.securecoding.cert.org/confluence/display/android/Android+Sec
ure+Coding+Standard
7. https://www.securecoding.cert.org/confluence/display/android/DRD06.+Do+
not+act+on+malicious+intents
8. https://github.com/ashishb/android-security-awesome

43. And That’s It…Thanks!
Questions? Comments?

44. What are we talking about today?
- Android & Security
- Interprocess Communication
- Networking
- Data safety
- Analyzing tools

45. Why should care about?

46. What Android know about you?
- Calls
- Messages
- Emails
- Contacts
- Calendar
- Location
- Photos, Videos
- Camera
- ...

47. Enemies
- ADB
- Malicious Apps
- Unprotect Network
- Sniffers

48. Android security model

49. Application sandboxing

50. Permissions

51. Inter Process Communication

52. Code Signing

53. SELinux

54. Google’s Android Security Rewards has given
researchers over $550,000 in 1 year

55. Interprocess Communication
“In the Android platform, the binder is used for nearly
everything that happens across processes in the core platform."
– Dianne Hackborn

56. Binder

57. Interprocess Communication
- Intents
- Content Providers
- Messenger
- System services (Telephone, Vibrator, Wifi,
Battery, Notification, etc.)
- Lifecycle callbacks in your Activity like
onStart(),onResume(), onDestroy() are invoked
by ActivityManagerServer via binders

58. Man in the Binder

59. Android IPC is not secure!

60. Networking

61. HTTPS is a must have!

62. But...

63. HTTPS in not enough!

64. Man in the Middle

65. Pinning
- Certificate
- Public key
RFC 5280

66. Certificate pinning
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
OkHttpClient client = new OkHttpClient();
String certPin = CertificatePinner.pin(ca);
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(API_HOST, certPin)
.build();
client.setCertificatePinner(certificatePinner);

67. android.security.net.config
res/xml/network_security_config.xml:
<domain-config hstsEnforced=[True|False] cleartextTrafficPermitted=[True|False]>
<domain includeSubdomains=[True|False]>example.com</domain>
<pin-set expiration="exp-date">
<pin digest=sha256>PaJOmDNhWkVBvuXfzqXMyfo7kgtGpcyZp6L8EqvM8Ck=</pin>
</pin-set>
</domain-config>
Android N

68. Where is the rescue, Bro?

69. Cryptography

70. Encryption Tools
- Cipher (javax.crypto)
- Spongy Castle
- Conceal
- SQLCipher
- AESCrypt-Android
- Secure-preferences
(https://github.com/scottyab/secure-preferences
)
- etc.

71. Conceal

72. Resources / Importance
- Secure key storage
- Suitable algorithm
- Right key length

73. ONLINE ANALYZERS
1. AndroTotal
2. Dexter
3. Tracedroid
4. Visual Threat
5. Mobile Malware Sandbox
6. MobiSec Eacus
7. IBM Security AppScan Mobile Analyzer - not free
8. NVISO ApkScan
...

74. STATIC ANALYSIS TOOLS
1. QUARK
2. ApkAnalyser
3. APKInspector
4. Droid Intent Data Flow Analysis for Information
Leakage
5. Drozer
6. Several tools from PSU
7. Smali CFG generator
8. FlowDroid
...

75. Apktool
$ apktool d app-test.apk
I: Using Apktool 2.2.0 on app-prod-release.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/oem/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

76. Apktool

77. QARK

78. QARK

79. Drozer
adb install agent.apk
$ drozer console connect
dz> run app.package.attacksurface
com.app.test
dz> run app.package.attacksurface com.app.test
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable

80. Thing to remember
1. Never trust any input (use whitelists not blacklists)
1. Store data securely
4. Use HTTPS with certificate pinning
5. Use Cryptography
6. Don't write your own crypto
2. Make code obfuscation
7. Audit third-party code and services that you use
3. Avoid excessive logging
8. Perform security code review

81. Plan for security from the start - it's not something
you can bolt on at the end

82. Links
1. https://www.androidpit.com/android-m-release-date-news-features-name#s
ecurity
2. https://www.nowsecure.com/blog/2015/07/16/android-m-a-security-research
-perspective-part-1/
3. https://koz.io/network-security-policy-configuration-for-android-apps/
4. http://blog.riskfinder.co.jp/2016/03/network-security-configuration-android-n.
html
5. http://markup.su/highlighter/
6. https://www.securecoding.cert.org/confluence/display/android/Android+Sec
ure+Coding+Standard
7. https://www.securecoding.cert.org/confluence/display/android/DRD06.+Do+
not+act+on+malicious+intents
8. https://github.com/ashishb/android-security-awesome

83. And That’s It…Thanks!
Questions? Comments?