Modern Security in Android (part 1)

A fast guide to be safe

Dinorah Tovar
Google Developer Experts
5 min read · May 24, 2020


This post is related to my latest talk about “Modern Security for Android Developers”.

Here is the list of the blogs in this series:

First of all, let's talk about why security on smartphones is so important. In the ’90s the television was what the cellphone is today: everybody had one, and even a middle-class household had a television. Now imagine all the people who have an Android phone right now; the number is over 2.5 billion active phones. It is our job as developers to be aware of the dangers out there. We need to be careful on behalf of the company we work for, but mostly we should be careful with how we manage the data our users give us.
Inside Google, the Android Team has been working harder than ever to deliver a more secure operating system.
In 2018 Android got 0 security vulnerabilities and almost 84% of devices have security updates, but we still have problems: not all phones get updates, because we depend on carriers to ship them, and this represents one of the biggest problems in Android. So it is pretty much our job to do it right. At the end of the day, we have users who are not tech-savvy, and that’s okay; we need to start thinking of our users as a person on the other side of the screen.

The first time we hear about encryption we get all dizzy ’cause we think it is going to be really hard to handle, but in reality things are completely different. Let's look at this scheme:

The most simple schema ever of encryption

We have our data that we want to encrypt, this could be our server token, information important for our user, or some other token that we want to keep private. This data goes through an algorithm, this algorithm creates a key for encryption and we end up with our cipher data.

What is Cipher, Mac, Signature, and MessageDigest?

In this post, we only cover Cipher, ’cause it is one of the most common in Android, and all the other ones work almost the same. Take into consideration that all these methods are algorithms that decrypt and encrypt data. Usually, on mobile, we need to use a combination of an encryption scheme, a mode, and a padding to create a Cipher. For example:

The scheme can be:
Advanced Encryption Standard (AES) or Rivest–Shamir–Adleman (RSA)
The mode can be:
Symmetric or not symmetric; usually it must be CBC or GCM with 256-bit keys
Padding scheme:
This is the part of the encryption that helps you store data that is bigger than your key; pretty much, it adds non-relevant information depending on your data.

In Android there is a Cipher class, where you can create your Cipher scheme. Do not create your own encryption system; it is unnecessary and incredibly dangerous, so please abstain from doing it. In the second post of this series of stories, I will show you how to do it.

You can see all the algorithms supported by Android and Android Versions here

Do all the phones have an encryption system?

The short answer is no, because when we are talking about encryption we are also talking about hardware.

You have probably seen this option in your manifest: hardware-accelerated. It is used for many things. It is okay if you are using it for fancy animations; actually, you can turn it on for your whole app, for only one activity, or even for a specific view, but it is also fully necessary for encryption. In the past, specifically before Android 6.0, the encryption implementation was based on the dm-crypt device-mapper target, which performs cryptographic operations via the interfaces provided by the Linux kernel crypto API. But now things have changed: our new phones can have disk encryption that is accelerated, because the providers have added a kernel crypto API driver that takes advantage of the SoC’s cryptographic hardware. This allows block encryption to be offloaded from the main CPUs and improves disk access times.

Data encryption

The future has already changed: Android 7.0 and higher supports file-based encryption (FBE). File-based encryption allows different files to be encrypted with different keys that can be unlocked independently, without leaking your key on the app.

Google is working on a new library that will be delivered on Android Jetpack: androidx.security:security-crypto:1.0.0-alpha02

UPDATE for 23/May/2020: This library has now reached the Release Candidate phase, but there’s a new alpha too, with a couple of changes we will discuss in the next part of the series.

Files and data for your application will be protected by the system's Linux-style user permissions; this prevents access from other applications or attackers on non-rooted devices. The library takes special care to combine good performance and strong security, using the hardware-backed Keystore and user presence to provide key access, so this is going to get fun.
We are going to talk a little bit more about this library in the next part of this article, but before we finish, we need to talk about limitations. The library is in Alpha, so please take this into consideration. The second thing left on the table is that, due to the dependency on Tink, the Google encryption library, we will require a min SDK 23 for Android Keystore operations. Google is working to make this a full support library, so the support for Android 23 and below is coming.

This is all for this part of the post. If you need help:

I’m always happy to help, you can find me here:
Medium: https://medium.com/@dinorahto
StackOverflow: https://stackoverflow.com/users/4613259/dinorah-tovar

Happy Coding! 👩🏻‍💻
