Is it possible to get the network packets / stream prior to encryption? I mean if you are locally root and could compile pretty much everything yourself, even the kernel. Where would be the best place to do it, if it's even possible?
Somewhere inside the android framework might be a good point, where the encryption is actually done.
I know about all the mitm ways to attack, but it would be great if there would be a way without using a "proxy" or any other default gateway.
It would be used for debugging purposes on a special developer device.
Related
I'm creating an Android App which connects to a server through an API. I'm worried about a security issue, as far as I'm concerned, anyone can decompile your .apk and take a look or modify your code.
Knowing that, where do I need to save the API Keys inside the app in order to avoid some bad guy stealing it and access the server, for example, to modify my database?
Thanks
Understand how an attacker will go after your application, 95% of the time in this order:
Inspect traffic between your application and the server by using an intercepting proxy like Burp -- very easy to do. See how I did it on Words With Friends here (this was for iOS device but same concept works with Android).
You can stop traffic inspection with certificate pinning, but they can break that by rooting the device and using some hacker tools on Android. So you need Android root detection.
The other attack is scanning your binary. You will need to obfuscate it with a tool like DexGuard.
None of these methods are bullet-proof: generally trying to hide secrets in client code is a losing game. Don't put more effort into it than it is worth.
If I have an app on the store, is it possible to download it and use the debugger and introspection or some other technique to see the unencrypted Strings requests inside the app? If yes, what could help to prevent such techniques?
If I have an app on the store, is it possible to download it and use the debugger and introspection or some other technique to see the unencrypted Strings requests inside the app?
Sure.
If yes, what could help to prevent such techniques?
Stop writing software for end users.
Software that resides purely on a server somewhere can be assumed to be relatively safe from inspection. Software that runs on user equipment -- whether that is JavaScript in a Web browser, an Android app, a Windows desktop app, or whatever -- is subject to analysis. Different environments may make analysis easier or harder, so it is generally easier to inspect the goings-on of a Web app than it is for an Android app, etc. Obfuscation, such as that offered by ProGuard, will help incrementally, as can writing your HTTP logic in native C/C++ code, but neither approach is proof from reverse-engineering, let alone debugging.
Note that this has little to do with HTTPS, as the same statements hold for anything done by any program.
I have been playing around with the bluetooth options on android, and found an app that gave two connection options (secure and insecure).
I tried to find some information about it on the internet, but everything I found was pretty vague.
I have a general idea that Insecure isn't as safe as using Secure.
What are the advantages of using one over the other?
Should I always stick to Secure or should I go for insecure?
Thank you for your time,
What are the advantages of using one over the other? Should I always stick to Secure or should I go for insecure?
The only advantage in using insecure, is that you don't prompt the user when creating a communication channel (this one would be an easy prey "Man in the middle" attacks), but that doesn't mean that it will always work. Here's a question where the user complains about some devices asks for pairing while others don't.
Also this phrase comes from android API:
For Bluetooth 2.1 devices, the link key will be encrypted, as encryption is mandatory. For legacy devices (pre Bluetooth 2.1 devices) the link key will be not be encrypted. Use createRfcommSocketToServiceRecord(UUID) if an encrypted and authenticated communication channel is desired.
link
So, possibly in the future there would be no way to create an Insecure connection between two devices.
This answer your second question, you should stick with the Secure. When developing ('cause you can't know for sure if it's going to work) and for security reasons when using an app.
The reason that this question was born is that I am totally lost, so please forgive the trivial and senseless parts.
I have an Android app, a web-service, a MicroSD smart card (mobile security card). I need to know how can I use the card with ssl to securely communicate with the web-service. Rebuilding and flashing the OS is not an option.
What I know:
The API used to communicate with the MSC
How to write/deploy applets to the MSC
How to call a web-service
What I don't know:
SSL
Too much about certificates and cryptography (only shady academic stuff from the university)
How things come together and what should I use to accomplish this
seek-for-android has an OpenSC tutorial and library, but the OS needs to be patched for that. Is there a way to avoid that and still use the solution?
I know I could be much further into this with a little research, but my deadline is quite close (a few days), so I need help, much help, and very soon.. Thank you in advance!
EDIT:
More specifically:
I have a Smart Card SD card from Giesecke & Devrient, with Java Card OS and fine applets and dev tools. I also recieved an android service to communicate with the card (the applets) with APDUs. This is quite low-level, it acceps byte codes as commands and data.
I need to call a web-service via SSL authentication. Now I know that SSL uses (can use) hardware tokens with PKCS#11 interfaces.
There is a project called seek-for-android with a guide to patch the OS and have a standard PKCS#11 interface over the smart card (I believe this would be OpenSC). I CAN'T patch the OS.
So the questions again:
Can the Android SSL implementation use (custom) PKCS#11 interfaces in some way, if yes, how? (e.g. possibly with some security providers)
Can I use OpenSC (and other stuff mentioned in the linked guide) without patching the OS (e.g. extract the libs and include it in my application)?
Overall, how should I link the gap between the low-level smart card and the high level SSL? I kindly ask you for any material regarding this.
As this is a special form of a Smart-Card encapsulated inside a microSD-card I assume that the API bases on special SD-Card read and write operations. Such operation may or may not be usable on Android without root access.
That depends on the certain implementation of the API. Usually such a microSD card already comes with Android libraries (as it is the most open relevant mobile platform) from the vendor. You should ask there for getting more information.
Use Bouncycastle (Spongycastle is the fork for Android) and implement your own Security Provider which uses the SmartCard instead of a file for stored certificates.
If you can access your card without patching the ROM, you can roll your own (requires knowledge of cryptography) SSL implementation on top of it.
If not, then AFAIK you need to patch Android to get access to the extra hardware. And the built-in SSL library has no support whatsoever for client-side "hardware tokens" AFAIK.
Does anyone know if an app can be hacked to manipulate anything else beside the actual app or the host phone itself? A web service server perhaps? Is that even possible? So the real question is, if an app is hacked, can the information it might possess or has access to be used for negative purposes?
(I'm looking to secure an app, not hack anyone.) :)
Web services are always vulnerable to being hacked. This is why you use a secure connection such as SSL to transfer any sensitive information.
As far as directly hacking Android applications, I imagine a hacker would have to do something along the lines of decompiling an application to assembly, much as they do for traditional applications.
Any kind of storage on the device in non-compiled format (some XML, text files, preferences) is more vulnerable to being hacked than natively compiled .apk's.
I think everything is hackable...
It is quite easy to get access to all your application's data on a rooted device. Things like your database or your private files are accessible on a rooted device.