Android N Security Overview - Mobile Security Saturday at Ciklum
- 1. Android N Security Overview Constantine Mars, Sr. Android Developer @ DataArt, GDG Dnipro Co-Organizer +ConstantineMars @ConstantineMars
- 3. What happens if you do security right?
- 4. What happens if you do security right? Right. Absolutely nothing
- 5. What happens if you do security wrong?
- 7. The first simplest rule of security
- 8. Don’t use the same password everywhere
- 9. Security tool everyone has
- 10. A key
- 11. Hardware keys
- 12. Presence of user when action happens
- 13. Disclaimer: no more security basics
- 14. Google I/O 2016 announces
- 15. Allo messenger
- 18. Google’s focus on Users
- 19. 8 billion everyday app scans
- 22. Permissions
- 23. Runtime Permissions (M) ● Request permissions at runtime ● Selective control permissions
- 24. Runtime Permissions (M) ● Simplified installation process ● Easier application upgrades ● More understandable for users
- 27. UX Guidelines for Permissions (M) ● Educate in context for secondary ● Educate up-front for critical ● Receive “yes” in 85% ● 15.8% “no” ● 3% “never ask again”
- 28. Keystore
- 29. Android Keystore lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable. The Keystore system is used by the KeyChain API as well as the Android Keystore provider feature that was introduced in Android 4.3 (API level 18).
- 30. Android Keystore Key material may be bound to the secure hardware (e.g., Trusted Execution Environment (TEE), Secure Element (SE)) of the Android device Supporting wide range of algorithms
- 31. Generating new key pair
- 32. Signing data
- 33. Verifying data
- 34. Key Attestation (N) Key Attestation gives you more confidence that the keys you use in your app are stored in a device's hardware-backed keystore. Key attestation allows you to verify that an RSA or EC key pair has been created and stored in a device’s hardware-backed keystore within the device’s trusted execution environment (TEE).
- 35. Get Certificate Chain from the KeyStore
- 36. Key attestation
- 37. Authentication
- 38. Remembering and entering passwords and patterns is pain
- 39. Smart Lock ● Smart Lock’s on-body detection reduces lock screen prompts by 50%
- 40. Fingerprint ● Fingerprint increased usage of lockscreen to 90%+ on Nexus devices
- 41. AndroidPay is critical about authentication
- 42. Stronger authentication ● Tied to app secrets (KeyStore) ● Credential verification in hardware (Trustzone)
- 45. PIN security, Fingerprint and Gatekeeper
- 46. Best practices ● Check KeyguardManager.isDeviceSecure() to identify that device has lockscreen or password protection. ● Use setUserAuthenticationValidityDurationSeconds during the key generation to set the duration for which authentication is valid:
- 47. Best practices When generating key - set authentication timeout and on body detection:
- 48. Best practices
- 49. Best practices If no Fingerprint available - fall back to Gatekeeper and KeyguardManager.createConfirmDeviceCredentialIntent:
- 50. Network security
- 51. Restrict HTTP in Manifest
- 52. Network Security Configuration (N)
- 54. Debug-overrides ● Eliminate debugging-related code in your release build ● Avoid writing custom code that removes security for debug and shipping it When debugging an app that connects over HTTPS you may want to connect to a local development server, which does not have the SSL certificate for your production server. In order to support this without any modification to your app's code you can specify debug-only CAs that are only trusted when android:debuggable is true by using debug-overrides.
- 55. Debug-overrides
- 56. Trusted CAs
- 58. And one more thing: User CAs are not trusted by default anymore
- 60. Storage Encryption ● Encryption required for all capable devices (M) ● Backed by hardware and TrustZone (N) ● Better UX with DirectBoot (N)
- 61. Direct Boot ● Boot directly to the lock screen ● Calls, SMS, TalkBack, alarms work after device reboot before unlock ● Per-user disk encryption
- 62. DirectBoot ● Credential encrypted storage, which is the default storage location and only available after the user has unlocked the device. ● Device encrypted storage, which is a storage location available both during Direct Boot mode and after the user has unlocked the device.
- 63. directBootAware
- 65. Verified Boot
- 66. Verified Boot Verified boot guarantees the integrity of the device software starting from a hardware root of trust up to the system partition. During boot, each stage verifies the integrity and authenticity of the next stage before executing it. This capability can be used to warn users of unexpected changes to the software when they acquire a used device, for example.
- 67. SafetyNet
- 68. SafetyNet A SafetyNet compatibility check allows your app to check if the device where it is running matches the profile of a device that has passed Android compatibility testing. The compatibility check creates a device profile by gathering information about the device hardware and software characteristics, including the platform build.
- 71. Sandboxing
- 72. Sandboxing ● SELinux ● Seccomp (N) ● Mediaserver hardening ● ASLR randomness ● Library load order randomization ● Integrity monitoring
- 74. What’s outside N security topic? ● Security Assesment Tools (Santoku, drozer, etc.) ● Eternal secrets of ADB and Manifest, Logs, etc. ● Exploits: sniffing network traffic, attacking services, providers ● SQL-injections ● Man-in-the-middle attacks ● Custom permissions protection ● ProGuard and DexGuard ● Reverse Engineering, DEX, GDB ● Cross-compiling native executables ● Securing SharedPreferences ● SQLCipher ● etc...
- 75. Links ● Adrian Ludwig talk on Google I/O 2016 https://youtu.be/XZzLjllizYs?list=PLOU2XLYxmsILe6_eGvDN3GyiodoV3qNSC ● FingerprintDialog sample https://github.com/googlesamples/android-FingerprintDialog ● Authentication samples for M http://android-developers.blogspot.com/2015/10/new-in-android-samples-authenticating.html ● Android Security Essentials by Pagati Ogal Rai https://www.packtpub.com/application-development/android-application-security-essentials ● Google Security Blog https://security.googleblog.com/ ● Android Security Bulletins https://source.android.com/security/bulletin/ ● Annual Security Review https://goo.gl/VpYom1
- 78. Thank you :) Constantine Mars, Sr. Android Developer @ DataArt, GDG Dnipro Co-Organizer +ConstantineMars @ConstantineMars