Android Application Security from consumer and developer perspectives
2 likes578 views
This document discusses Android application security from both consumer and developer perspectives. It begins with statistics showing the rise in mobile malware and vulnerabilities found in mobile applications. It then covers the OWASP Mobile Top 10 security risks, additional best practices for developers, and examples of Android malware like AndroRAT and a custom remote access tool. The document also discusses prevention and detection options for consumers like reviewing application permissions, using firewalls, and analyzing network traffic. It emphasizes the importance of data security and privacy considerations for both developers and users.
![Android
Application
Security
from Consumer and
Developer Perspectives
http://www.meetup.com/Colombo-White-Hat-Security
https://www.facebook.com/colombowhitehat
https://twitter.com/ColomboWhiteHat
Ayoma Wijethunga
WSO2, Platform Security Team
[ayomawdb]](https://image.slidesharecdn.com/androidapplicationsecurity-fromconsumeranddeveloperperspectives-170106090259/85/Android-Application-Security-from-consumer-and-developer-perspectives-1-320.jpg)
![Modify Application Permissions
App Opps (Not available with 4.4.2. Use “App Ops [Root]” or similar from Sore)](https://image.slidesharecdn.com/androidapplicationsecurity-fromconsumeranddeveloperperspectives-170106090259/85/Android-Application-Security-from-consumer-and-developer-perspectives-23-320.jpg)
Android Application Security from consumer and developer perspectives
- 1. Android Application Security from Consumer and Developer Perspectives http://www.meetup.com/Colombo-White-Hat-Security https://www.facebook.com/colombowhitehat https://twitter.com/ColomboWhiteHat Ayoma Wijethunga WSO2, Platform Security Team [ayomawdb]
- 2. Ayoma Wijethunga api android arduino automation building developing discusses diy electronics engineering iot jaggery java kali linux modular osgi prusa reprap security software ublox web wireshark wso2 o WSO2, Platform Security Team. o Get in touch o Email : ayoma@wso2.com o LinkedIn : https://lk.linkedin.com/in/ayoma o Blog : http://ayomaonline.com o Twitter / Facebook / Github / Hangout : ayomawdb
- 3. Agenda ● Statistics ● Developer Perspective ○ OWASP Mobile Top 10 ○ Additional Security Best Practices ● Consumer Perspective ○ Android Malware (Demo and code walkthrough) ■ AndroRAT - Android Remote Administration Tool ■ Android Chat - Custom made RAT demo ○ Prevention and Detection Options
- 4. Statistics
- 5. Source; McAfee Labs - 2016 Threats Predictions
- 6. Mobile and Non-mobile Application Weaknesses Source: HPE Security Research Cyber Risk Report 2016
- 7. Mobile Applications Threats Source: HPE Security Research Cyber Risk Report 2016
- 8. OWASP Mobile Top 10
- 9. OWASP Mobile Top 10 M1: Weak Server Side Controls (Relates to OWASP Top 10) A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards ConsideringRESTAPIbasedServerSide
- 10. OWASP Mobile Top 10 (Cntd.) M2: Insecure Data Storage Storage Options: ● Shared Preferences ● Internal Storage ● External Storage ● SQLite Databases ● Network Connection Encrypt sensitive data before storing Encryption keys should not be hardcoded (KeyStore, ‘FireAndForget’ key) Shared preferences should not be MODE_WORLD_READABLE/WRITABLE (deprecated in API level 17) Transport Layer Protection
- 11. OWASP Mobile Top 10 (Cntd.) M3: Insufficient Transport Layer Protection General transport layer protection practices ● SSL/TLS (TLS 1.2 prefered) with strong cipher suite & appropriate key lengths ● Certificates issued by trusted CA provider ● SSL chain verification / Hostname verification ● Always alert user if any validation goes wrong When possible, do application level encryption before sending data over transport layer (avoid future transport layer vulnerabilities) M4: Unintended Data Leakage ● Keyboard Caching / Suggestions ○ For non-password informtion : android:inputType="textNoSuggestions" ○ For passwords : andorid:inputType="password" ● Analytics Data ● Logs (!)
- 12. OWASP Mobile Top 10 (Cntd.) M5: Poor Authorization and Authentication ● Never persistent credentials locally ● Avoid spoofable values during authentication (MAC/IMEI) ● Ensure authorization controls cannot be bypassed ● Token based authentication with backend APIs (OAuth 2) ○ Google “Dulanja API Security” ● Discourage use of 4 digit or all digit pass-codes M6: Broken Cryptography M7: Client Side Injection SQL Injection (SQL Lite), XSS, File Inclusion
- 13. OWASP Mobile Top 10 (Cntd.) M8: Security Decisions Via Untrusted Inputs Intents PackageManager.getLaunchIntentForPackage(-) Intent intent = new Intent(Intent.ACTION_MAIN); intent.setComponent(ComponentName.unflattenFromString("com.example.app/com.ex ample.app.ExampleAction")); intent.addCategory(Intent.CATEGORY_LAUNCHER); intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); intent.putExtra(“SESSION_DATA”, sessionData); startActivity(intent); Binder Framework http://blog.checkpoint.com/wp-content/uploads/2015/02/Man-In-The-Binder-He-Who-Co ntrols-IPC-Controls-The-Droid-wp.pdf BroadcastReceiver
- 14. OWASP Mobile Top 10 (Cntd.) M9: Improper Session Handling : Timeouts, cookie or token rotation M10: Lack of Binary Protections ● Bytecode Conversion (apktool; dex2jar) ● Runtime Analysis (ADB) ● Reverse Engineering (IDA Pro) ○ https://www.hex-rays.com/products/ida/support/tutorials/debugging_dalvik.pdf ● Disassembly (baksmali) Let’s keep these for another sessions... (Maybe: Android Application Security - from Pentester Perspective) Image credit: http://www.gograph.com/vector-clip-art/complex.html
- 16. AndroRAT (Remote Administration Tool) Demo and code walkthrough Image credit: http://combiboilersleeds.com/
- 17. Android Chat - Custom Made RAT Demo and code walkthrough Image credit: http://combiboilersleeds.com/
- 18. Prevention and Detection Options Image Credit: http://maxpixel.freegreatpicture .com/Detective-Finger-Mystery -Fingerprints-Find-Clues-1520 85
- 19. Application permissions Always double check application permissions! Facebook: ● ● ● ● ● ● ● ● ● ● ● ● ● ○ ○ ○ Viber: ● ● ● ● ● ● ● ● ● ● ● ● ● ○ ○ ○ ○
- 20. Application permissions Pokémon GO: ● In-app purchases ● Identity ● Location ● Photos/Media/Files ● Camera ● Other ○ receive data from Internet MX Player: ● Photos/Media/Files ● Wi-Fi connection information ● Other ○ receive data from Internet VLC Player: ● Photos/Media/Files
- 21. New Permission Model Android 6.0 (API level 23)+ ● Users grant permissions at run-time ● User can control what permissions to allow (and what to revoke) ● Developers see warnings if code will break due to not handling permission revocations properly. ● Dangerous permission must be approved manually. https://developer.android.com/guide/topics/permissions/requesting.html
- 23. Modify Application Permissions App Opps (Not available with 4.4.2. Use “App Ops [Root]” or similar from Sore)
- 24. Network Traffic Analysis Shark for Root Packet Capture
- 25. Firewalls
- 26. Additional Security Best Practices Apart from what was discussed in OWASP Mobile Top 10 ● Request least number of permissions possible (avoid dangerous permissions) ● Update dependent libraries and frameworks ● Properly define Content Provider’s exposed attribute and permissions ● Avoid storing and transmitting personal / sensitive data as much as possible ● Using WebView can introduce web application vulnerabilities (XSS, Cache Poisoning, ..) to mobile apps. Use with caution! ● Be cautious with dynamic class loading and usage of reflection (do not allow external parties to tamper dynamic values) ● https://developer.android.com/training/articles/security-tips.html
- 27. Point to Ponder Is there any option but to sacrifice privacy? https://github.com/will3942/uber-hack http://motherboard.vice.com/read/ubers-god-view-was-once-available-to-drivers Uber God View Image credit: https://www.pinterest.com/pin/453245149972280324/
- 28. BE WITHIN LEGAL LIMITS Only test with your own devices, or test with proper authorization. Thank you!