Post on 17-Sep-2020
New Privacy in Android 11 and OWASP Mobile Security
Albert Hsieh
OWASP currently has around 200 free, open-source projects.
OWASP Flagship Projects
Tool Projects: OWASP Amass, OWASP CSRFGuard, OWASP Defectdojo, OWASP Dependency-Check, OWASP Dependency-Track, OWASP Juice Shop, OWASP OWTF, OWASP Security Shepherd, OWASP ZAP
Code Projects: OWASP ModSecurity Core Rule Set
Documentation Projects: OWASP Application Security Verification Standard, OWASP Cheat Sheet Series, OWASP Mobile Security Testing Guide, OWASP SAMM, OWASP Top Ten, OWASP Web Security Testing Guide
OWASP.Mobile
What’s new on Android 11
1. Scoped storage enforcement
2. One-time permissions
3. Permissions auto-reset
4. Background location access
5. Package visibility
6. Foreground service types
https://developer.android.com/preview/privacy
Is That Security Or Privacy?
Privacy: protecting non-public information that can identify an individual.
Security: protecting all information, and more!
Permissions
How Powerful is Your Flashlight?
https://www.zdnet.com/article/most-android-flashlight-apps-request-an-absurd-number-of-permissions/
Permissions, Permissions Everywhere!
One-time Permissions
Only this time!
Background Location Access
Foreground access (app is visible, or is running a foreground service with the location type)
● ACCESS_COARSE_LOCATION
● ACCESS_FINE_LOCATION (accurate location)
Background access (i.e. a geofence, or WorkManager/AlarmManager running in the background)
● ACCESS_BACKGROUND_LOCATION
Location permission is special: it is split into foreground and background access.
Foreground location access: ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION
● On all versions, this requests foreground access.
● On pre-Android 10, background access is implied.
ActivityCompat.requestPermissions(
    /* Activity */ this,
    /* Request foreground location alone; background is requested separately, later */ arrayOf(ACCESS_COARSE_LOCATION),
    /* RequestCode */ 100
)
Flow for my app: at some point, request ACCESS_COARSE_LOCATION; later, request ACCESS_BACKGROUND_LOCATION on its own.
Target API level 'R': if shouldShowRequestPermissionRationale() returns true, show in-context UI (you define it).
Background location access: request it incrementally, only after foreground access has been granted.
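The incremental flow above, as an added example that is not from the slides: foreground access is requested first, background access is requested separately and only after foreground was granted, with a rationale dialog shown when the system asks for one. The activity class, request codes and dialog text are assumptions.

```kotlin
import android.Manifest
import android.app.AlertDialog
import android.content.pm.PackageManager
import android.os.Build
import androidx.appcompat.app.AppCompatActivity
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

private const val REQ_FOREGROUND = 100 // hypothetical request codes
private const val REQ_BACKGROUND = 101

// Added example (not the slides' code): incremental location permissions, target API 'R'.
class LocationPermissionActivity : AppCompatActivity() {
    private val fgPermission = Manifest.permission.ACCESS_COARSE_LOCATION
    private val bgPermission = Manifest.permission.ACCESS_BACKGROUND_LOCATION

    private fun isGranted(permission: String) =
        ContextCompat.checkSelfPermission(this, permission) == PackageManager.PERMISSION_GRANTED

    // Step 1: ask for foreground location alone. Do not add ACCESS_BACKGROUND_LOCATION to this
    // array: on Android 11 a combined request is ignored and neither permission is granted.
    fun requestLocationAccess() {
        if (isGranted(fgPermission)) requestBackgroundIfNeeded()
        else ActivityCompat.requestPermissions(this, arrayOf(fgPermission), REQ_FOREGROUND)
    }

    // Step 2: background access is a separate request. Below Android 10 it is implied by
    // foreground access, so there is nothing more to ask for.
    private fun requestBackgroundIfNeeded() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q || isGranted(bgPermission)) return
        if (ActivityCompat.shouldShowRequestPermissionRationale(this, bgPermission)) {
            // In-context UI defined by the app: explain why "all the time" access is needed.
            AlertDialog.Builder(this)
                .setMessage("Geofence alerts need location access while the app is closed.")
                .setPositiveButton("Continue") { _, _ ->
                    ActivityCompat.requestPermissions(this, arrayOf(bgPermission), REQ_BACKGROUND)
                }
                .setNegativeButton("Not now", null) // user keeps foreground-only features
                .show()
        } else {
            ActivityCompat.requestPermissions(this, arrayOf(bgPermission), REQ_BACKGROUND)
        }
    }

    override fun onRequestPermissionsResult(
        requestCode: Int, permissions: Array<out String>, grantResults: IntArray
    ) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults)
        val granted = grantResults.isNotEmpty() && grantResults[0] == PackageManager.PERMISSION_GRANTED
        // Only a granted foreground request continues on to the background request.
        if (requestCode == REQ_FOREGROUND && granted) requestBackgroundIfNeeded()
    }
}
```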
Permissions Auto-reset
Target API level 'R': permissions are auto-reset for apps the user has not used for a while.
Example use cases where the user may need to turn auto-reset off:
● Provide family safety
● Sync data
● Smart device connectivity app
● Paired to companion devices
Direct the user to the app's settings page via Settings.ACTION_APPLICATION_DETAILS_SETTINGS.
Foreground Service Types
Android 10 introduced the concept of types:
● Companion device
● Media projection
● Location
● Sync
● Media player
● Phone call
Enforced to ensure accountability for access.
Foreground Service Types, Android 11 (target API level 'R')
<manifest>
    ...
    <service ... android:foregroundServiceType="camera" />
</manifest>
Types can be combined:
<manifest>
    ...
    <service ... android:foregroundServiceType="camera|microphone" />
</manifest>
Package Visibility
Seeing all installed apps:
packageManager.getInstalledPackages(0)
On Android 10 and older, this is the default behavior.
Target API level 'R':
getPackageInfo("another.app", 0)
throws NameNotFoundException
Query and interact with specific apps
Declare package names in the <queries> element of the manifest to 'see' specific apps.
<manifest>
    <queries>
        <package android:name="com.example.store" />
        <package android:name="com.example.service" />
        ...
    </queries>
    ...
</manifest>
Query and interact with apps based on intent filters
Declare intents in <queries> element to ‘see’ apps that handle certain intents.
<manifest>
<queries>
<intent>
<action android:name="android.intent.action.SEND" />
<data android:mimeType="image/jpeg" />
</intent>
</queries>
...
</manifest>
Interacting with all apps
● Shouldn't be necessary for most apps.
● A "normal" permission is available that allows querying and interacting with all installed apps:
<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
Look for Google Play to provide upcoming guidelines for apps that need this permission.
"Let us know your use cases", says Google.
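An added example, not from the slides, showing what the <queries> declarations above change at runtime on an app targeting 'R': without the matching <queries><intent> or <queries><package> entry, the query comes back empty or throws, even when the other app is installed. The helper names are assumptions; com.example.store is the package name from the manifest snippet above.

```kotlin
import android.content.Context
import android.content.Intent
import android.content.pm.PackageManager

// Added example (not the slides' code): runtime checks that depend on <queries>.

// Is any app visible that can receive a JPEG via ACTION_SEND? On target 'R' this is empty
// unless the manifest declares <queries><intent> for ACTION_SEND with mimeType image/jpeg.
fun canShareJpeg(context: Context): Boolean {
    val intent = Intent(Intent.ACTION_SEND).setType("image/jpeg")
    return context.packageManager.queryIntentActivities(intent, 0).isNotEmpty()
}

// Is one specific package visible? On target 'R', getPackageInfo throws NameNotFoundException
// for an installed app unless its name is declared in <queries><package>, so treat the
// exception as "not visible" rather than "not installed".
fun isStoreVisible(context: Context): Boolean =
    try {
        context.packageManager.getPackageInfo("com.example.store", 0)
        true
    } catch (e: PackageManager.NameNotFoundException) {
        false
    }
```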
Scoped Storage
Exactly the data that user wants to share and no more
New in Android 11
OWASP.Mobile
https://owasp.org/www-project-mobile-security/
Secure Software Development Life Cycle (SSDLC)
Project components: Mobile Top 10, MASVS, MSTG, Mobile Security Checklist, Hacking Playground, Response
Mobile Application Security Verification Standard (MASVS)
• Forked from OWASP ASVS
• Best practices for security requirements
• Mobile-specific
• High-level
• OS-agnostic
Security Requirements
• V1: Architecture, Design and Threat Modeling
• V2: Data Storage and Privacy
• V3: Cryptography
• V4: Authentication and Session Management
• V5: Network Communication
• V6: Platform Interaction
• V7: Code Quality and Build Setting
• V8: Resilience
Levels
MASVS-L1: all mobile apps.
MASVS-L2: apps handling sensitive data and/or functionality.
MASVS-R: apps handling highly sensitive data; may serve as a means of protecting intellectual property or tamper-proofing an app.
Examples:
▪ L1: Alarm app
▪ L2: Health app
▪ L1+R: Game app
▪ L2+R: Banking app
V2: Data Storage and Privacy (part)
V3: Cryptography (part)
V5: Network Communication (part)
V6: Platform Interaction (part)
Yes, resilience!
RESILIENCE?
V8: Resilience (part)
HOW TO USE THE MASVS?
Bring security into the system requirement phase!
▸ As a secure coding checklist
▸ As a security testing methodology
▸ For secure development training
To Conclude….
Why do we need security?
How much does that cost?
Find the bugs earlier
Create fewer bugs
https://blog.parasoft.com/what-is-the-shift-left-approach-to-software-testing
SHIFT LEFT!
Shift Left for Security!
Thank you!