Safety first – best practices in app security

Safety ﬁrst
Best practices in app security
ANA BAOTIĆ
TECHNICAL MANAGER, MOBILE BANKING @ INFINUM

We're an independent
design &
development
agency.

HOW TO INCREASE SECURITY
BUILD INTEGRITY
DATA PRIVACY
NETWORK SECURITY

THINGS TO ADD TO A NEW PROJECT
Release keystore
Obfuscation

KEYSTORE
Should be used for ALL builds
You should NEVER lose it
No one should EVER acquire it

signingConfigs {
release {
storeFile file("myapp.keystore")
storePassword "password123"
keyAlias "keyAlias"
keyPassword "password789"
}
}
DO NOT!

DO!
gradle.properties
KEYSTORE_PASSWORD=password123
KEY_PASSWORD=password789

try {
storeFile file("myapp.keystore")
storePassword KEYSTORE_PASSWORD
keyAlias "keyAlias"
keyPassword KEY_PASSWORD
} catch (ex) {
throw new InvalidUserDataException(“…”)
}

OBFUSCATION
Proguard
DexGuard
DexProtector

release {
 
minifyEnabled true
proguardFiles getDefaultProguardFile(
'proguard-android.txt'), ‘proguard-rules.txt'
 
signingConfig signingConfigs.release 
}

public abstract class e { 
private int a = -1; 
private String b = null; 
protected boolean k = false; 
 
public abstract void a(Intent var1); 
 
public void run() { 
this.a((Intent)null); 
} 
protected final void a(String var1) { 
this.b = var1; 
} 
public final void c() { 
this.a = -1; 
this.b = null; 
} 
public final boolean d() { 
return this.k; 
} 
}

WILL THIS KEEP THE APK SAFE?
No.

TAMPERING DETECTION
Verify signing certiﬁcate at runtime
Verify the installer
context.getPackageManager()
.getInstallerPackageName(context.getPackageName())
.startsWith("com.android.vending")
Check if app is debuggable (or run on emulator)

USERS ARE SENSITIVE ABOUT THEIR DATA

WAYS TO STORE (AND RETRIEVE) DATA
Internal storage
External storage
Content providers

INTERNAL STORAGE
Is (generally) sufﬁciently safe
Private to the your app

EXTERNAL STORAGE
Globally readable and writable

CONTENT PROVIDERS
Structured storage mechanism
Can be exported to allow access by other apps

<provider
android:name="com.example.android.datasync.provider.StubProvider"
android:authorities="com.example.android.datasync.provider"
android:exported="false"/>
android:protectionLevel="signature"

SHARED PREFERENCES
Useful for primitive key-value based data

private readable safe
Internal storage yes yes yes
External
storage
no yes no
Content
providers
depends yes yes
Shared prefs. yes yes yes

SO EVERYTHING IS FINE?
Yes, until you root the device.

USE LIBRARIES
Bouncy Castle
Spongy Castle
Keyczar
AeroGear Crypto
Conceal

ENCRYPT USING A PIN/PASSWORD
4 digits - 10 000 attempts
No effort to crack or even guess

BCRYPT
Key derivation function
Slow
Cost of the hash function depends on the work factor

CAN DATA REMAIN PRIVATE?
Rooting your device allows access
Not encrypting allows (mis)use

HTTP
Still (frequently) used
MiTM

HTTPS
Encrypts data
Validation of server’s identity

android:usesCleartextTraffic="false"
ANDROID M
StrictMode.setVmPolicy(
new StrictMode.VmPolicy.Builder()
.detectCleartextNetwork()
.penaltyLog().build());

ANDROID N
Network Security Conﬁguration feature
Finer grained control

CERTIFICATE PINNING
Deﬁnes which CAs are trusted
Reduces effectiveness of MiTM

okhttpbuilder 
.pinClientCertificate(resources,
R.raw.client_cert, "pass".toCharArray(), “PKCS12”)
.pinServerCertificates(resources,  
R.raw.server_cert, "pass".toCharArray(), "BKS") 
.build();
return new OkClient(client);

WHAT IF THE CERTIFICATES CHANGE?

INFORM THE USERS
Implement a mechanism for notifying users
(GCM) and forcing updates

PLAN AHEAD
Check server security’s impact on Android
devices
https://www.ssllabs.com/

INCLUDE THE CLIENT IN THE PROCESS
Keep them up-to-date
Help them understand risks and advise them
Insist on updates and security patches

ANDROID IS NOT SECURE
But you can make it less easy to abuse

THINGS TO REMEMBER
Use internal storage if applicable
Encrypt data
Use HTTPS
Pin certiﬁcates
Be aware of the update cycle

REFERENCES
• Gradle conﬁguration
• http://developer.android.com/guide/topics/data/data-
storage.html#db
• https://codahale.com/how-to-safely-store-a-password/
• http://www.developereconomics.com/android-
cryptography-tools-for-beginners/
• https://www.airpair.com/android/posts/adding-tampering-
detection-to-your-android-app

REFERENCES
• https://www.ssllabs.com/
• http://developer.android.com/preview/features/security-
conﬁg.html
• https://www.ionic.com/mitm-attacks-ssl-pinning-what-is-it-
and-why-you-should-care/

Thank you! 
Questions?
Visit www.infinum.co or find us on social networks:
infinum.co infinumco infinumco infinum
ANA@INFINUM.CO
@ABAOTIC

Safety first – best practices in app security

More Related Content

What's hot (20)

Similar to Safety first – best practices in app security (20)

Recently uploaded (20)