Security in Android Application, Alexander Smirnov, RedMadRobot, Moscow


SECURITY IN ANDROID APPLICATION

08/04/2016 ALEXANDER SMIRNOV

v1.0

WhoAmI

- 3+ years Android dev
- 6+ years commercial dev
- 1 year bank app dev
- BlackHat friends since 2007
- DC7499 member

Why?


Agenda

- Android Security Model
- Reality
- Vulnerabilities
- One more sentence
- Appendix

Security

• I •

Android Security Model


Application Isolation


Zygote

- Is the parent of all app processes
- COW (copy-on-write) strategy: each app process is a fork() of the pre-warmed Zygote, so pages stay shared until written
- /dev/socket/zygote (the Unix socket over which the system asks Zygote to fork a new app process)

[Diagram: "start new App" request reaches Zygote; Zygote fork()s once per app, giving App 1, App 2 and App 3 each its own process]

Permissions

- Before M (install-time grant)
- After M (runtime grant)
- Custom permissions
- Protection level
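The "before M / after M" split and a custom permission with a protection level, as an added example that is not from the deck. It assumes the support-v4 compat classes (ActivityCompat, ContextCompat), the package name com.example.bankapp and the request code; the manifest fragment in the header comment is likewise assumed.

```java
// Added example, not from the deck. Runtime-permission flow that behaves on both sides
// of Android 6.0 (M), plus enforcement of a custom "signature" permission.
//
// Assumed AndroidManifest.xml fragment:
//   <uses-permission android:name="android.permission.READ_CONTACTS" />
//   <!-- Only APKs signed with the same key as ours can be granted this permission -->
//   <permission android:name="com.example.bankapp.permission.INTERNAL"
//               android:protectionLevel="signature" />

import android.Manifest;
import android.app.Activity;
import android.content.Context;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.os.Build;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;
import android.widget.Toast;

public class ContactsActivity extends Activity {
    private static final int REQ_CONTACTS = 0x1001;   // assumed request code
    static final String PERM_INTERNAL = "com.example.bankapp.permission.INTERNAL";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (hasPermission(Manifest.permission.READ_CONTACTS)) {
            showContactCount();
        } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // After M: there is no install-time consent; ask at the point of use.
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.READ_CONTACTS}, REQ_CONTACTS);
        } else {
            // Before M every manifest permission is granted at install, so landing here
            // means the permission is missing from the manifest: a build bug, not a user choice.
            Toast.makeText(this, "READ_CONTACTS not declared", Toast.LENGTH_LONG).show();
        }
    }

    // Works on every API level: before M it returns GRANTED for any declared permission.
    private boolean hasPermission(String perm) {
        return ContextCompat.checkSelfPermission(this, perm) == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
        if (requestCode != REQ_CONTACTS) return;
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            showContactCount();
        } else {
            // Denied (possibly "never ask again"): degrade, do not re-prompt in a loop.
            Toast.makeText(this, "Contacts access denied", Toast.LENGTH_SHORT).show();
        }
    }

    private void showContactCount() {
        Cursor c = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
        int n = (c == null) ? 0 : c.getCount();
        if (c != null) c.close();
        Toast.makeText(this, n + " contacts", Toast.LENGTH_SHORT).show();
    }

    // Custom permission + protection level: call this inside a Binder call (Service or
    // ContentProvider) to reject any caller not signed with our key. Outside of an IPC
    // call checkCallingPermission() returns DENIED, which is the safe default.
    static boolean callerIsInternal(Context ctx) {
        return ctx.checkCallingPermission(PERM_INTERNAL) == PackageManager.PERMISSION_GRANTED;
    }
}
```

The "signature" protection level is what makes a custom permission useful: "normal" is granted to anyone who asks, and "dangerous" only adds a user prompt, while "signature" ties the grant to the signing key and needs no user decision.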

Android Security Overview

- Protect user data
- Protect system resources
- Provide application isolation

• II •

Android Security Model: Reality

Security

Root


TRIADA

Security

• III •

Vulnerabilities

Data Storage

- Memory cache
- DB + SQLCipher
- SharedPreferences + MODE_PRIVATE + Cipher
- 21+: setStorageEncryption for local files
- KeyStore

Transport

- MITM has you
- Check network – why?
- Diffie–Hellman key exchange
- Certificate pinning == SSL pinning (okhttp 2.7.4 || 3.1.2)
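Certificate pinning with the OkHttp CertificatePinner, as an added example that is not from the deck. The deck cites okhttp 2.7.4 / 3.1.2; the 3.x Builder API is shown (2.x uses client.setCertificatePinner(...) instead). The host and both "sha256/..." values are placeholders, not real pins; the command in the header comment shows how to compute the real value from a certificate.

```java
// Added example, not from the deck. SPKI pinning with OkHttp 3.x.
// Compute a pin from a PEM certificate (the Base64 SHA-256 of its SubjectPublicKeyInfo):
//   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
//     | openssl dgst -sha256 -binary | openssl base64

import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedApi {
    private static final String HOST = "api.example.com";   // assumed host

    // Pin the public key of the issuing CA rather than the leaf: the leaf rotates every
    // year or two, and an app that pins only the leaf bricks itself on rotation. Always
    // ship a second (backup) pin for the next key so rotation does not need an app update.
    private static final CertificatePinner PINNER = new CertificatePinner.Builder()
            .add(HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")  // placeholder: current CA key
            .add(HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=")  // placeholder: backup key
            .build();

    private static final OkHttpClient CLIENT = new OkHttpClient.Builder()
            .certificatePinner(PINNER)
            .build();

    // Returns the response body. A pin mismatch is raised as SSLPeerUnverifiedException
    // during the TLS handshake, before any request bytes (cookies, tokens) are sent.
    public static String get(String path) throws IOException {
        Request req = new Request.Builder().url("https://" + HOST + path).build();
        Response resp = CLIENT.newCall(req).execute();
        try {
            if (!resp.isSuccessful()) throw new IOException("HTTP " + resp.code());
            return resp.body().string();
        } finally {
            resp.body().close();
        }
    }

    // Lets callers tell "pin failed" (possible MITM, or a rotation nobody pinned)
    // apart from ordinary network errors. Either way the app must fail closed.
    public static boolean isPinFailure(IOException e) {
        return e instanceof SSLPeerUnverifiedException;
    }
}
```

Pinning is what "Check network – why?" answers: a user-installed CA (corporate proxy, Charles, mitmproxy) is trusted by the platform store, so TLS alone does not stop an on-path attacker who controls the device's trust store; the pin does.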

Intent

- Use explicit intents
- Validate input
- Manifest: a component with an <intent-filter> is exported by default (android:exported="true"), so set android:exported="false" on every component other apps must not reach
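The three Intent bullets together, as an added example that is not from the deck: an explicit intent on the sending side, validation of the extra on the receiving side, and the manifest entries that keep the internal activity unexported. Component names, the package and the "amount" extra are assumed.

```java
// Added example, not from the deck.
//
// Assumed AndroidManifest.xml fragment. Note that ShareActivity is exported because it
// has an <intent-filter>, whether or not android:exported is written; say it explicitly.
//   <activity android:name=".TransferActivity" android:exported="false" />
//   <activity android:name=".ShareActivity" android:exported="true">
//       <intent-filter>
//           <action android:name="android.intent.action.SEND" />
//           <category android:name="android.intent.category.DEFAULT" />
//           <data android:mimeType="text/plain" />
//       </intent-filter>
//   </activity>

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import java.math.BigDecimal;

public final class TransferIntents {
    public static final String EXTRA_AMOUNT = "amount";   // assumed extra name
    private static final int MAX_AMOUNT_CHARS = 20;

    // Sender: name the target class, so the system never resolves the intent against
    // another app's intent-filter (no hijacking, no chooser).
    public static Intent explicitTransfer(Context ctx, String amount) {
        Intent i = new Intent(ctx, TransferActivity.class);
        i.putExtra(EXTRA_AMOUNT, amount);
        return i;
    }

    // Receiver: treat every extra as untrusted even when the component is not exported;
    // a misconfigured manifest or a future refactor can expose it. Returns null on any
    // malformed value so the caller can reject it without crashing.
    static BigDecimal parseAmount(Intent intent) {
        if (intent == null) return null;
        String raw = intent.getStringExtra(EXTRA_AMOUNT);
        if (raw == null || raw.isEmpty() || raw.length() > MAX_AMOUNT_CHARS) return null;
        try {
            BigDecimal v = new BigDecimal(raw);
            if (v.signum() <= 0 || v.scale() > 2) return null;   // positive, at most 2 decimals
            return v;
        } catch (NumberFormatException e) {
            return null;
        }
    }
}

class TransferActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        BigDecimal amount = TransferIntents.parseAmount(getIntent());
        if (amount == null) {
            finish();   // reject malformed input; an uncaught exception here is a DoS
            return;
        }
        // continue with a validated amount ...
    }
}
```

The same rule applies to BroadcastReceivers and Services: an implicit broadcast of a sensitive extra can be read by any app with a matching filter, and an exported receiver gets whatever a malicious app sends it.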

2FA: SMS

- Secure push
- Mobile application
- SIM applets
- DCV (Dynamic Code Verification)

Insecure Device

- Custom keyboard
- Secure persistent datastore
- No EditText
- No immutable secrets (String -> char[])
- Notify if root

Reverse Protection

- Check debug
- Verify signature
- Emulator check
- Obfuscation
- JNI
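The checks from the "Insecure Device" and "Reverse Protection" slides (root, debuggable build, emulator, signature verification, and keeping a secret in a char[] that gets wiped), as one added example that is not from the deck. EXPECTED_SIG_SHA256 is a placeholder for the hex SHA-256 of the release signing certificate; the su paths and emulator build strings are the commonly used public indicators, not an exhaustive list.

```java
// Added example, not from the deck. Plain heuristics; on a rooted device every one of
// them can be patched out, so they raise the bar and feed a server-side risk decision,
// they do not replace it.

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.File;
import java.security.MessageDigest;
import java.util.Arrays;

public final class EnvironmentChecks {
    // Placeholder: replace with the digest of your real release certificate.
    private static final String EXPECTED_SIG_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Notify if root: su binary on the usual paths, or a build signed with test-keys.
    static boolean isRooted() {
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : suPaths) {
            if (new File(p).exists()) return true;
        }
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    // Check debug: a release APK must not carry android:debuggable="true",
    // otherwise anyone can attach a debugger or run-as into the app's sandbox.
    static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // Emulator check: stock AVD images expose these build strings.
    static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu");
    }

    // Verify signature: compare the installed APK's signing certificate(s) with the
    // expected one. Every signature must match, so a repackaged APK fails.
    static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (pi.signatures == null || pi.signatures.length == 0) return false;
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : pi.signatures) {
                String hex = toHex(sha256.digest(sig.toByteArray()));
                if (!hex.equalsIgnoreCase(EXPECTED_SIG_SHA256)) return false;
            }
            return true;
        } catch (Exception e) {
            return false;   // fail closed
        }
    }

    // String -> char[]: a String lingers in the heap (and in heap dumps) until the GC
    // gets to it; a char[] can be zeroed the moment the comparison is done.
    static boolean checkAndWipe(char[] entered, char[] expected) {
        try {
            if (entered.length != expected.length) return false;
            int diff = 0;
            for (int i = 0; i < entered.length; i++) diff |= entered[i] ^ expected[i];
            return diff == 0;   // no early exit: constant time for equal lengths
        } finally {
            Arrays.fill(entered, '\0');
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Obfuscation (ProGuard and friends) and moving checks into JNI make these harder to find and patch, which is why the slide lists them next to the checks themselves; none of it stops a determined reverser, it only changes the cost.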

Security


• IV •

One more sentence

One more sentence

- Convenience vs security
- Socialization & tools
- Layered security
- Better than others
- OWASP Top 10 Mobile Risks

Security


• V •

Appendix

Additional Information

- Cyber Risk Report: bit.ly/1MuoIDS
- OWASP Top 10 Mobile Risks: bit.ly/1FAIJiv
- DefCon Groups List: bit.ly/1JQlNgC
- Triada Malware: bit.ly/1qvyFqY
- Obfuscation tools list: bit.ly/1XiHf6Z
- Security Official Docs: bit.ly/1qvw1BK
- Diffie–Hellman Video: bit.ly/23jV7Se
- Tools for SA and Hacking: bit.ly/1qvxpUM

Result

- Android Security Model
- Reality
- Vulnerabilities
- One more sentence

Thank you!

sm@redmadrobot.com @_smred
