IQSOFT - John Brice Oktatóközpont
AUTHORIZED TRAINING COURSES

Android Java and native code security

Course objectives

Android is an open platform for mobile devices such as handsets and tablets. It has a large variety of security features that make developing secure software easier; however, it also lacks certain security aspects that are present in other hand-held platforms. The course gives a comprehensive overview of these features and points out the most critical shortcomings to be aware of, both in the underlying Linux, the file system and the environment in general, and in the use of permissions and other Android software development components.

Typical security pitfalls and vulnerabilities are described for both native code and Java applications, along with recommendations and best practices to avoid and mitigate them. For native code applications we go into more detail, discussing memory management issues, protection techniques and their circumvention (such as Return Oriented Programming). Finally, the most important cryptographic algorithms in symmetric cryptography, hashing, asymmetric cryptography and PKI are discussed and put into the context of Android.

In many cases the issues discussed are supported with real-life examples and case studies. Finally, we give a brief overview of how to use security testing tools to reveal programming bugs.

  •     Understand basic concepts of security, IT security and secure coding
  •     Learn the security solutions on Android
  •     Learn to use various security features of the Android platform
  •     Have a practical understanding of cryptography
  •     Gain an understanding of native code vulnerabilities on Android
  •     Realize the severe consequences of insecure buffer handling in native code
  •     Understand the architectural protection techniques and their weaknesses
  •     Get information about some recent vulnerabilities in Java on Android
  •     Learn about typical coding mistakes and how to avoid them
  •     Get practical knowledge in using security testing tools for Android
  •     Get sources and further reading on secure coding practices

Course outline
  •     IT security and secure coding
  •     Android security overview
  •     Android application security
  •     Practical cryptography
  •     Protecting Android applications
  •     Android native code security
  •     Android and Java vulnerabilities
  •     Testing Android code
  •     Principles of security and secure coding
  •     Knowledge sources

1. IT security and secure coding

  •         Nature of security
  •         What is risk?
  •         IT security vs. secure coding
  •         From vulnerabilities to botnets and cybercrime
    •             Nature of security flaws
    •             Reasons of difficulty
    •             From an infected computer to targeted attacks
  •         Classification of security flaws
    •             Landwehr’s taxonomy
    •             The Seven Pernicious Kingdoms
    •             OWASP Top Ten 2017
    •             OWASP Mobile Top Ten 2016 (release candidate)

    Android security overview

  •         Android fragmentation challenges
  •         The Android software stack
  •         OS security features and exploit mitigation techniques
  •         The Linux kernel
    •             User and process separation
    •             Anonymous shared memory (ashmem)
    •             ANDROID_PARANOID_NETWORK kernel option
    •             SELinux Type Enforcement policies
    •             SELinux policies
    •             SELinux policy example –
    •             Adding custom policy files
    •             Exercise: compiling and using SELinux policies
    •             SELinux Role-Based Access Control
    •             SELinux Multi-Level Security
  •         Filesystem security
    •             Filesystems used for external storage
    •             Filesystem encryption
    •             Encrypting individual files and external SD cards
  •         Dalvik
    •             Dalvik VM
    •             VM Separation
    •             Zygote
    •             Bytecode verifier
  •         Android Runtime (ART)
    •             ART architecture
    •             ART backward compatibility
    •             ART security features
    •             Ahead-of-time (AOT) compilation
  •         Deploying applications
    •             Application signing
    •             No validation of developer identity
    •             Google’s review process
    •             Installing using Google Play
    •             Installing outside of Google Play
    •             Verify App

    Android application security

  •         Permissions
    •             Using permissions
    •             Exercise – using permissions
    •             Using custom permissions
    •             Exercise – using custom permissions
    •             Permissions – best practices
  •         Writing secure Android applications
    •             Activity, Fragment and Service – basics
    •             Intents
    •             Implicit intents
    •             Intent hijacking
    •             BroadcastReceiver security
    •             Activity hijacking
    •             Best practices against activity hijacking
    •             Sticky broadcasts
    •             Content provider
    •             Content provider permissions

2. Practical cryptography

  •         Cryptosystems
    •             Elements of a cryptosystem
  •         Symmetric-key cryptography
    •             Providing confidentiality with symmetric cryptography
    •             Symmetric encryption algorithms
    •             Block ciphers – modes of operation
  •         Other cryptographic algorithms
    •             Hash or message digest
    •             Hash algorithms
    •             SHAttered
    •             Message Authentication Code (MAC)
    •             Providing integrity and authenticity with a symmetric key
    •             Random numbers and cryptography
    •             Cryptographically-strong PRNGs
    •             Hardware-based TRNGs
  •         Asymmetric (public-key) cryptography
    •             Providing confidentiality with public-key encryption
    •             Rule of thumb – possession of private key
    •             Combining symmetric and asymmetric algorithms
  •         Public Key Infrastructure (PKI)
    •             Man-in-the-Middle (MitM) attack
    •             Digital certificates against MitM attack
    •             Certificate Authorities in Public Key Infrastructure
    •             X.509 digital certificate
  •         Cryptography on Android
    •             Java Cryptography Architecture / Extension (JCA/JCE)
    •             Using Cryptographic Service Providers
    •             Engine classes and algorithms

    Protecting Android applications

  •         Digital Rights Management (DRM)
    •             DRM architecture
    •             Android DRM overview
    •             Challenges of DRM protection
    •             DRM protection without hardware support – hardening
    •             DRM protection – decrypted content
  •         Reverse engineering and debugging
    •             Reverse engineering methods and tools
    •             Getting the package name
    •             Reverse engineering exercise

    Android native code security

  •         Buffer overflow possibilities in Android
  •         ARM machine code, memory layout and stack operations
    •             ARM Processors – main registers
    •             ARM Processors – most important instructions
    •             ARM Processors – control instructions
    •             ARM Processors – stack handling instructions
    •             ARM Processors – Condition Field
    •             ARM Processors – Condition Field cont.
    •             Understanding complex ARM instructions
    •             The function calling mechanism in ARM
    •             The local variables and the stack frame
    •             Function calls – prologue and epilogue of a function
    •             Stack frame of nested calls
    •             Stack frame of recursive functions
  •         Buffer overflow on the stack
    •             Classic buffer overflow on the stack
    •             Exercises – trying to exploit a buffer overflow
    •             Stack smashing protection in Android
    •             Effects of stack smashing protection
    •             Bypassing stack smashing protection
    •             Lack of source checking
    •             CVE-2011-1823 in vold's method – Spot the bug!
    •             Exercise – vold vulnerability
    •             Exercise – vold vulnerability exploit analysis
    •             WWW exploit with .got overwrite
    •             Exercise – overwrite .got with write-what-where
    •             Exercise – overwrite .got with WWW after Android 4.1
  •         Protection techniques – ASLR, XN, RELRO, ...
    •             Address Space Layout Randomization (ASLR)
    •             Randomization with ASLR
    •             Access Control on memory segments
    •             The Never eXecute (NX) bit
    •             Read-only relocation and immediate binding – RELRO
    •             Bypassing ASLR, XN, RELRO and stack protection
    •             Information leakage
    •             Spot the bug
    •             Exercise – exploit information leakage
    •             Use after free – Dangling pointers
    •             Use after free – Instance of a class
    •             cString class
    •             Information leakage with use after free
    •             Exercise – information leakage with use after free
    •             Exercise – control information leakage
    •             Virtual method call
    •             Code execution with use after free
    •             Return-oriented programming (ROP)
    •             Creating ROP chain
    •             Exploit using ROP
    •             Exercise – code execution with use after free
    •             App name memory corruption – caused Google Play DoS
    •             Buffer overflow in Android KeyStore

3. Android and Java vulnerabilities

  •         Input validation
    •             Input validation concepts
  •         Injection
    •             SQL Injection on Android
    •             Typical SQL Injection attack methods
    •             SQL Injection protection methods
    •             Using parameterized queries in Android
  •         Cross-site scripting
    •             Android WebView XSS
    •             XSS prevention
    •             Android WebView security best practices
  •         Integer problems
    •             Representation of negative integers
    •             Integer overflow
    •             Exercise IntOverflow
    •             What is the value of Math.abs(Integer.MIN_VALUE)?
    •             Integer problem – best practices
    •             Java case study
    •             Case study – Android Stagefright
  •         Improper use of security features
    •             Typical problems related to the use of security features
    •             Insecure randomness
      •                 Weak PRNGs in Java
      •                 Exercise RandomTest
      •                 Using random numbers in Java – spot the bug!
    •             Password management
      •                 Exercise – Weakness of hashed passwords
      •                 Password management and storage
      •                 Special purpose hash algorithms for password storage
      •                 Argon2 and PBKDF2 implementations in Java
      •                 bcrypt and scrypt implementations in Java
      •                 Password hash implementations on Android
      •                 KitKat changes concerning SecretKeyFactory
  •         Improper error and exception handling
    •             Typical problems with error and exception handling
    •             Empty catch block
    •             Overly broad throws
    •             Overly broad catch
    •             Using multi-catch
    •             Returning from finally block – spot the bug!
    •             Catching NullPointerException
    •             Exercise – Error handling
    •             Information leakage through logging (LogCat)
    •             GoToMeeting vulnerability
    •             Android best practices
    •             Rooting based on the setuid vulnerability (RATC)
  •         Code quality problems
    •             Dangers arising from poor code quality
    •             Poor code quality – spot the bug!
    •             Unreleased resources
    •             Public method without final – object hijacking
    •             Immutable String – spot the bug!
    •             Immutability and security

    Testing Android code

  •         Testing Android code
  •         Android Lint
  •         Android Lint – Security features
  •         Lint exercise
  •         PMD
  •         PMD exercise
  •         FindBugs
  •         FindBugs exercise

    Principles of security and secure coding

  •         Matt Bishop’s principles of robust programming
  •         The security principles of Saltzer and Schroeder

    Knowledge sources

  •         Secure coding sources – a starter kit
  •         Vulnerability databases
  •         Java secure coding sources
  •         Android secure coding sources
  •         Recommended books – Java
  •         Recommended books – Android
Recommended for
Prerequisites

Professional

Related courses