Being A Socially Responsible Social Developer: Mobile App Security

© 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. Information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. Mention of a specific company or entity is not an endorsement by AT&T.

Doug Sillars

Being a Socially Responsible Social Developer: How Secure is Your App?

Technical ArchitectAT&T@Dougsillars


Security: An Analogy


Gain Customers


Keep Them Happy


Receive Payments


If We Forget to Protect Our Customers

• Data Breaches happen every day

• Few are publically announced

• Announcements seem to occur several times a week


Are You Protecting Your Customer’s Data?

http://www.geograph.org.uk/photo/2958201https://www.flickr.com/photos/emdot/145432


Securing Mobile Apps is Hard

Easy Moderate Hard0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

http://ibm.co/1EPVh8ihttps://www.flickr.com/photos/mscheltgen/219606006

http://ibm.co/1EPVh8i



How Do you Test Your App?


Proprietary software/

tools

Cloud Services

Do Not Test Security

0% 5% 10% 15% 20% 25% 30% 35% 40%

25%

14%

13%

10%

38%




App Security is a Problem


52% of apps are NOT tested

63% of those tested HAVE issues




What Do We Need to Secure Our App?

• Knowledge• What are common issues?• Tooling?• How do I learn about new

vulnerabilities?


• Giving up too much information• Exposing data in logs• Not locking down Activities/Intents

• Encryption• Network Transmissions• Local Data Storage

• Secure Encryption• Heartbleed• POODLE

• Third Party Code

What Are Common Issues?

3rd Party SDKs too!


• Logs are not protected• Ice Cream Sandwich• Rooted devices

• Data seen in logs:• Lat/Lon• Logins/passwords• Credit Card numbers• Passport numbers

Giving Up Too Much InformationExposing Data in Logs

https://www.flickr.com/photos/knowmybackyard/5314941146

Leak of Privileged data!


Exposing Data in LogsExample

(18468): Preference updated:com.analytics.MIN_BATCH_INTERVAL(18468): PushService startService(18468): *Received GCM Registration ID: <Yes, the GCM Cloud registration ID was here>*(18468): Saving preference: com.analytics.push.APP_VERSION value: 22(18468): Adding event: {"data":{"push_enabled":true,"carrier":"AT&T","session_id":"240d5059-c976-4fb3-b59d-44553649b08c","transport":"GCM","connection_type":"wifi","apid":”xxxxxx-xxxx-xxx-xxxx-xxxxxxxx"},"type":"push_service_started","event_id":"171da614-50f9-468c-b60a-1a97d39e226c","time":"1424166468"}

3rd Party SDK!

Try it on your phone:Adb logcat –v thread

Search for terms like your lat/lon (“48.”) or usernames: “dougsillars”


• Ensure that you remove logging in Proguard when you perform your final build:

-assumenosideeffects class android.util.Log { <methods>;}

• Protect your Customer’s data

Exposing Data in Logs

Solution


• Activities, processes, Intents should be locked to your application, and not publically accessible

• Publically accessible activities can be accessed without authentication.

You built a fence, but your data can still pass through it.

Giving Up Too Much InformationLocking Down Activities


• Drozer: Free/Open Source Penetration testing tool• PC tool with agent on Android device• https://www.mwrinfosecurity.com/products/drozer/• Finds potential attack surfaces in your app

Locking Down Activities

Example


• Sample app Sieve: Password manager app with 3 exposed activities:


Example


• Sample app Sieve: Password manager app with 3 exposed activities:


Example


• PWList seems interesting…


Example/Solution

Lock Down Your Activities!AndroidManifest.xml:

android:exported="false"


Encryption

Communicating to a Remote ServerOR: Why did the chicken cross the road?


EncryptionCommunicating to a Remote Server

• HTTP: Not secure. Any eavesdropping tool can read• Sports League sending login/password/DOB unencrypted

https://www.flickr.com/photos/compujeramey/244345344/


EncryptionCommunicating to a Remote Server

• HTTP Connection every 15 minutes with Lat/Lon

3rd Party SDK

https://en.wikipedia.org/wiki/Wolf_Chess#/media/File:Grey_wolf_P1130270.jpg


Communicating to a Remote ServerSolution

• HTTPS• Secure for 99% of activities• Port 443: data encrypted from basic infiltration

https://www.flickr.com/photos/compujeramey/244345344/


Communicating over HTTPS

https://en.wikipedia.org/wiki/Heartbleed

Even with HTTPS, you may have exposed vulnerabilities

Nogotofail: Man in the Middle Server in Google CloudInspects traffic for many common HTTPS vulnerabilities

http://bit.ly/nogotofailbloghttps://github.com/google/nogotofail

http://bit.ly/nogotofailblog

http://bit.ly/nogotofailblog

https://github.com/google/nogotofail

https://github.com/google/nogotofail


• Android local storage is sandboxed

• Only accessible to the application for use

• UNLESS• Device is rooted• Backup of user data is made

EncryptionKeeping Stored Data Safe

https://pixabay.com/en/garbage-can-dustbin-waste-garbage-231881/https://www.flickr.com/photos/photocindy/4301171521https://commons.wikimedia.org/wiki/File:Brown_wood_fence.JPG

https://pixabay.com/en/garbage-can-dustbin-waste-garbage-231881/

https://pixabay.com/en/garbage-can-dustbin-waste-garbage-231881/

https://www.flickr.com/photos/photocindy/4301171521

https://www.flickr.com/photos/photocindy/4301171521


• App sandbox is /data/data/<yourappname>• Generally secure

• Applications with Root access can read or write in your app’s sandbox

• Application Backups store all app data

Keeping Stored Data Safe

No file system is 100% safe from hiding login data/keys


• Adb backup –all• Android Backup Extractor

• https://github.com/nelenkov/android-backup-extractor

Keeping Stored Data SafeBackups

https://github.com/nelenkov/android-backup-extractor

https://github.com/nelenkov/android-backup-extractor


• SQLite Database

• Easily readable

• Encrypt sensitive data

Keeping Stored Data SafeDatabases

No file system is 100% safe from hiding login data/keys


• Key stores in sandbox are not safe• Key manipulation in apps are not safe: Apps can be decompiled

• Ex. Tools: Dex2jar, APKtool

Keeping Stored Data SafeApp Decompilation


• Your code can be decompiled.• Make it harder to read – Obfuscation• Proguard tools in Android Studio

App DecompilationObfuscation

NOTE: This will not stop a hacker, but you will slow him/her down


• Read the Terms and Conditions:

• Verify the Terms and Conditions:

3rd Party SDKs

“encrypted values of your email address and phone number. We encrypt such information on your device before collecting it, so we do not ever collect your actual email address or phone number. We will maintain such information in encrypted form and will not attempt to re-identify it.”

&longitude=-122.1232254&latitude=47.6694187&<snip>&email=drstest1%40gmail.com&phonenumber=1425xxxxxxxx&language=English&country=United+States&zip=98052&

Your customer’s data MAY be at

risk!


• Open Source is Awesome• 11% of top npm packages carry known vulnerabilities.• 59% of Maven vulnerabilities remain unfixed.

• Mean time to resolution is 390 days.

3rd Party Code

https://snyk.io/


Data Loss and Testing Schedules

No Matter how safe your Coop is – if the hens are escaping…

Coop

Run

Barn

Goat field


• Usernames/Passwords• Location• Contacts• Read Phone logs• Read SMS• Biometrics – step

counts/heart rate

• Use camera/Microphone• Photo gallery

Commonly Collected Customer Data


Security TestingTest Early – And Often




Test Early – And Often


Test Early – And Often




Protect Your Customers


You Will Be Rewarded


http://bit.ly/HighPerfAndroidApps


Q&A

http://developer.att.com/application-resource-optimizer

http://bit.ly/HighPerfAndroidApps


Thank You