Modern Security in Android (part 5)

Dinorah Tovar
Published in Knowing Android
3 min read · Sep 27, 2020

A fast guide to be safe

This post is related to my latest talk, “Modern Security for Android Developers”.

Here is the list of the blogs in this series:

Modern Security for Android Developers

One of the things I usually say about Android that surprises people is that you can write code in C and C++. People usually think this is cool because Java and Kotlin code can be decompiled easily (if the app is obfuscated, the task will be a little harder), while C and C++ cannot, at least not in the same way as Java: C code can’t be decompiled, but it can be disassembled.

In Android, the runtime is managed by ART (Android Runtime), the predecessor of Dalvik. ART uses the Dalvik executable format and Dex bytecode, and it supports the JNI (Java Native Interface), the piece that lets Java code operate and interact with code written in C/C++. Remember that Android is a Linux-based OS: native code is compiled and packaged into ELF dynamic libraries (*.so), which the app loads at runtime via System.load.

In the following example:

init {
    try {
        // Loads libsomeKeyWeWantSafe.so from the APK's native library directory
        System.loadLibrary("someKeyWeWantSafe")
    } catch (e: UnsatisfiedLinkError) {
        // Thrown when the .so is missing or was built for the wrong ABI
        Log.e(TAG, "Error loading library $e")
    }
}

This load happens through System.loadLibrary, which is backed by native C/C++ code. If you navigate into the source of loadLibrary, you will see a SecurityException, thrown by the security manager to indicate a security violation; however, that check is never involved when someone disassembles the library.

You can create a module and put your private key inside that C module, using something like this:

#include <jni.h>

// Exposed to Kotlin/Java as NdkKeys.getKey() in package com.secure.project.keymodule
JNIEXPORT jstring JNICALL
Java_com_secure_project_keymodule_NdkKeys_getKey(JNIEnv *env, jobject instance) {
    (void)instance;  // unused
    // The literal is stored as plain text in the .so's read-only data
    return (*env)->NewStringUTF(env, "someCoolKey");
}

When reversing an Android application containing native code, we need to understand a couple of data structures related to the JNI bridge between Java and native code. From the reversing perspective, we need to be aware of two key data structures: JavaVM and JNIEnv. Both of them are pointers to pointers to function tables:

  • JavaVM provides an interface to invoke functions for creating and destroying a JavaVM. Android allows only one JavaVM per process, and it is not really relevant for our reversing purposes.
  • JNIEnv provides access to most of the JNI functions, which are accessible at a fixed offset through the JNIEnv pointer. This JNIEnv pointer is the first parameter passed to every JNI function. It is also used for thread-local storage; for this reason, you cannot share a JNIEnv between threads. If a piece of code has no other way to get its JNIEnv, you should share the JavaVM and use GetEnv to discover the thread's JNIEnv.

It is worth highlighting that it’s never a good idea to leave your API keys lying around your codebase in a way that’s easily decodable; that said, analyzing disassembled C/C++ code is much more difficult than analyzing disassembled Java code.

While it is still possible to extract any key stored with the NDK, doing so makes it harder for beginners to get the information they are looking for inside your app. However, it is easy for insiders with access to the source to get what they want with some basic research. It is not a secure option for important keys, but it will do the trick for something simpler.
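To make the limitation above concrete from the defender's side, here is an added example (not part of the original post or of the author's project) that you can run against your own build output before shipping. A literal passed to NewStringUTF is stored NUL-terminated in the .so, so a plain string scan, the same thing the `strings` utility does, recovers it. The script reimplements that scan and flags candidates that look like keys. The library path, the key-prefix patterns, and the FAKE_RODATA byte blob are all constructed for the example.

```python
"""Self-audit a native library (.so) for plaintext secrets.

Constructed example: reimplements the core of `strings` and applies a few
key-shaped heuristics, so a hardcoded NewStringUTF(env, "someCoolKey")
literal shows up before the APK leaves your build pipeline.
"""
import re
import string
import sys
from typing import Iterator, List

# Printable ASCII (0x20-0x7e); tabs/newlines are excluded on purpose.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

# Heuristics for "looks like a secret". Prefixes are assumed examples, not a complete list.
KEY_PATTERNS = [re.compile(p) for p in (
    r"^(?:AKIA|sk_live_|AIza|ghp_)[A-Za-z0-9_\-]+$",  # assumed well-known key prefixes
    r"^[A-Za-z0-9+/=_\-]{20,}$",                       # long token-like blob
    r"(?i)key|secret|token",                           # suspicious words
)]


def extract_strings(blob: bytes, min_len: int = 4) -> Iterator[str]:
    """Yield every run of printable ASCII of at least min_len bytes, like `strings`."""
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:          # flush a run that ends at EOF
        yield run.decode("ascii")


def find_suspects(blob: bytes, min_len: int = 4) -> List[str]:
    """Return the distinct strings in blob that match any KEY_PATTERN, in file order."""
    seen: List[str] = []
    for s in extract_strings(blob, min_len):
        if s not in seen and any(p.search(s) for p in KEY_PATTERNS):
            seen.append(s)
    return seen


# Constructed stand-in for a .so: ELF magic, the exported JNI symbol name,
# the key literal, some code bytes and a compiler ident string.
FAKE_RODATA = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Java_com_secure_project_keymodule_NdkKeys_getKey\x00"
    + b"\x01\x02\x03"
    + b"someCoolKey\x00"
    + b"\x90\x90\x90"
    + b"GCC: (GNU) 9.2\x00"
)


if __name__ == "__main__":
    # Usage: python audit_so.py lib/arm64-v8a/libsomeKeyWeWantSafe.so  (path is a placeholder)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_RODATA
    for hit in find_suspects(data):
        print("possible secret:", hit)
```

On the constructed blob the scan reports both the exported JNI symbol name (which itself advertises that a key getter exists) and the key literal, while the compiler ident string is ignored. The same check is what `strings -a -n 8 <library.so> | grep -i key` gives you on the command line; the point is that a key stored this way is a few seconds of work to find, so treat this audit as a gate in CI rather than as protection.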

That is all for this part of the post. If you need help:

I’m always happy to help; you can find me here:
Medium: https://medium.com/@dinorahto
StackOverflow: https://stackoverflow.com/users/4613259/dinorah-tovar

Happy Coding! 👩🏻‍💻

I’m really happy to be joining Droidcon, Android Summit, and DevFest in the next couple of weeks to deliver this talk (especially the last part of this series). I will show code, and I will try to answer all your questions!
Thank you so much for your support!

DroidconEMEA: Get your #dcEMEA ticket for as much as you want to pay until Oct. 2nd https://online.droidcon.com/emea2020 (please remember this is going to be in Central Time)

AndroidSummit: I have a special discount of 35% off https://eventbrite.com/e/android-summit-2020-tickets-116528595165?discount=AndroidSummitSpeakerDiscount2020…

DevFest Latam (this is only for Spanish speakers): https://www.meetup.com/es/gdg-costarica/events/272473635/


Google Developer Expert on Android | Doing Kotlin | Making Software 24/7 | Kotlin Multiplatform | She/Her | Opinions are my own, and not my employer