A Fortress for your Android Application Jian Wang Head of Technology, certgate
A Fortress for your Android Application
Jian Wang Head of Technology, certgate
Slide 3
Agenda
Business and the Mobile World
About certgate
Mobile Security Solutions
Android Security Concept
certgate Mobile Application Protection Layer
[Live Demonstration]
Q & A
Slide 4
About certgate
Business and the Mobile World
Mobile IT security innovator
Founded in 2008, located in Nuremberg, Germany
certgate is mastering the secure mobile IT device from hardware to application level
Created the first microSD memory card with full smartcard capabilities, bringing hardware-based crypto functions to smartphones and tablets (Patent protected)
Slide 5
certgate Smartcard microSD
Business and the Mobile World
Slide 6
The Challenge
Business and the Mobile World
Most businesses and administrations today
• Either deploy smartphones and tablets to their employees
• Or accept their employees to use their own devices for business purposes
Those who don‘t do either have a reason:
• They don‘t feel safe doing it
• They would love to introduce new business models and applications like mobile e-D, payment, physical access and much, much more if only they COULD feel safe
Slide 7
There Are Solutions on the Market
Business and the Mobile World
Digital signing and encryption of emails with S/MIME
Certificates stored in a fully-fledged (yet small-in-format) smartcard
VPN Client requiring digital user authentication
Banking client requiring digital user authentication and digital signature
VoIP client creating session keys on the smartcard sitting inside the device
Version 11-05 Slide 9
Secfone – Voice Encryption for Android
certgate – Use Cases
• Tap-proof worldwide voice communication
• Latest Android smartphones supported
• End-to-end encryption with hardware protected keys
• Authenticates user by a privately or publicly owned server – no data pass through the server
• Directly integrates in fixed-line enterprise communication
Version 11-05 Slide 10
TouchDown – Exchange Integration for Android
certgate – Use Cases
• Secure Exchange synchronization for Android smartphones
• Consistent PKI integration of mobile devices
• Authentication and secure data transfer based on hardware certificates
• S/MIME protection for your confidential data: messages, contacts, appointments
Slide 11
Here Is A New One
certgate MAPL™ for Android
Slide 12
Why Did We Do This In the First Place
certgate MAPL™ for Android
Protect confidential data on the device
Protect an application against unauthorized users
Provide security with minimal integration effort
Qualify the device to fit the BYOD concept
Enable surplus security functions by the same hardware token, e.g. S/MIME encryption and secure VoIP
Slide 13
Android Security Overview
certgate MAPL™ for Android
The Application Sandbox
• Each application is assigned with a UID
• Each application is running as a user in a separate process
• IPC through Binder, Intents, Services, and Content Provider
The Android Permission Model
• Permissions are GIDs
• Declared in the app’s Android manifest
• Need to be explicitly confirmed by the user
Slide 14
Which Concerns Are Being Addressed?
certgate MAPL™ for Android
Extension of rights by „rooting“ the device: Allows free access to all system resources
Shortcomings in platform specific knowledge: Process boundaries can be violated e.g. by Intents
Limitations in cryptographical comprehension: Sub-optimal choice of algorithms and cipher modes and less than perfect implementation of same
Slide 15
certgate MAPL™ for Android
Picture: Larry Ewing
Original
Encrypted using CBC mode
Encrypted using ECB mode
Different Cipher Modes
Slide 16
The Solution
certgate MAPL™ for Android
Mobile Application Protection Layer (MAPL)
• No app execution without correct user PIN
• Standard Android API
• Transparent Encryption of Files and Database
• Android SharedPreferences encryption
• Tamper-proof key storage on cgCard™
Slide 17
Solution Architecture
certgate MAPL™ for Android
Android Framework
Database / File Access
Crypto Service
Application
JCE Provider certgate MAPLTM
Slide 18
Live Demo
certgate MAPL™ for Android
Howto: User Login
Howto: Encrypt InternalStorage
Howto: Encrypt SharedPreferences
Howto: Encrypt Datenbank
Slide 19
Add MAPL library into your project
certgate MAPL™ for Android
Slide 20
An example Android-Manifest
certgate MAPL™ for Android
Slide 21
Modification of your Android manifest file
certgate MAPLTM for Android
Using MAPL applikation class
Set MAPL activity as your entry activity
Declare your application entry activity
Slide 22
A MAPL ready Android manifest
certgate MAPLTM for Android
Slide 24
MAPL Effects
certgate MAPL™ for Android
Login:
Before:
After:
Slide 25
What‘s In It For You?
certgate MAPL™ for Android
certgate MAPL™ can be integrated into virtually every app
Secure hardware element beats every software approach by attack resistance level
Powerful tool to really become security policy compliant
Enables company-wide BYOD practice