Transcription
New Privacy in Android 11 and OWASP Mobile Security
Albert Hsieh
OWASP currently has about 200 free, open-source projects.
OWASP Flagship Projects
Tool Projects: OWASP Amass, OWASP CSRFGuard, OWASP DefectDojo, OWASP Dependency-Check, OWASP Dependency-Track, OWASP Juice Shop, OWASP OWTF, OWASP Security Shepherd, OWASP ZAP
Code Projects: OWASP ModSecurity Core Rule Set
Documentation Projects: OWASP Application Security Verification Standard, OWASP Cheat Sheet Series, OWASP Mobile Security Testing Guide, OWASP SAMM, OWASP Top Ten, OWASP Web Security Testing Guide
OWASP.Mobile
What's new on Android 11
1. Scoped storage enforcement
2. One-time permissions
3. Permissions auto-reset
4. Background location access
5. Package visibility
6. Foreground service types
https://developer.android.com/preview/privacy
Is that security or privacy? Public information, protecting all information, and more!
Permissions
How Powerful is Your Flashlight?
Permissions, Permissions missions/
One-time Permissions
Only this time!
Background Location Access
Location permission is special: it is split into foreground and background access.
Foreground access (the app is visible, or is running a foreground service with the location type): ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION (accurate location)
Background access (e.g. a geofence, or WorkManager/AlarmManager work in the background): ACCESS_BACKGROUND_LOCATION
Foreground location access: ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION

    ActivityCompat.requestPermissions(
        /* Activity */ this,
        /* Request foreground (coarse) access alone */ arrayOf(Manifest.permission.ACCESS_COARSE_LOCATION),
        /* RequestCode */ 100
    )

On all versions, this requests foreground access. On pre-Android 10, background access is implied.
Background location access (target API level 'R'): request it incrementally, only after foreground access has been granted.
1. At some point, request ACCESS_COARSE_LOCATION (foreground).
2. If "show rationale" is true, show an in-context UI (you define it) explaining why background access is needed.
3. Request ACCESS_BACKGROUND_LOCATION.
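The incremental flow above, as an added example in Kotlin that is not part of the slides. The class name LocationPermissionFlow, the request codes and the dialog text are assumptions made for this example; the AndroidX calls (ContextCompat.checkSelfPermission, ActivityCompat.requestPermissions, ActivityCompat.shouldShowRequestPermissionRationale) are the real APIs.

```kotlin
import android.Manifest
import android.content.pm.PackageManager
import android.os.Build
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

// Added example, not from the slides: incremental location requests for an app targeting Android 11.
// LocationPermissionFlow and the request codes are hypothetical names chosen for this example.
class LocationPermissionFlow(private val activity: AppCompatActivity) {

    private fun granted(permission: String): Boolean =
        ContextCompat.checkSelfPermission(activity, permission) == PackageManager.PERMISSION_GRANTED

    // Step 1: ask for foreground access on its own. On Android 11 a request that bundles
    // ACCESS_BACKGROUND_LOCATION with another permission is ignored and nothing is granted.
    fun requestForeground() {
        if (granted(Manifest.permission.ACCESS_COARSE_LOCATION)) return
        ActivityCompat.requestPermissions(
            activity,
            arrayOf(Manifest.permission.ACCESS_COARSE_LOCATION),
            REQUEST_FOREGROUND
        )
    }

    // Step 2: only after foreground access is granted, and only when a background feature
    // (geofence, periodic sync) actually needs it.
    fun requestBackgroundIfNeeded() {
        // Before Android 10 there is no separate background permission; foreground implies it.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) return
        if (!granted(Manifest.permission.ACCESS_COARSE_LOCATION)) {
            requestForeground() // never skip the foreground step
            return
        }
        if (granted(Manifest.permission.ACCESS_BACKGROUND_LOCATION)) return

        if (ActivityCompat.shouldShowRequestPermissionRationale(
                activity, Manifest.permission.ACCESS_BACKGROUND_LOCATION)
        ) {
            showInContextRationale()
        } else {
            requestBackground()
        }
    }

    // The in-context UI the slides leave to the app. On Android 11 the system dialog no longer
    // offers "Allow all the time"; the user is taken to Settings, so the rationale must say so.
    private fun showInContextRationale() {
        AlertDialog.Builder(activity)
            .setTitle("Background location")
            .setMessage(
                "To alert you when you leave the area, this app needs location access all the time. " +
                "On the next screen, choose \"Allow all the time\"."
            )
            .setPositiveButton("Continue") { _, _ -> requestBackground() }
            .setNegativeButton("Not now", null)
            .show()
    }

    private fun requestBackground() {
        ActivityCompat.requestPermissions(
            activity,
            arrayOf(Manifest.permission.ACCESS_BACKGROUND_LOCATION),
            REQUEST_BACKGROUND
        )
    }

    companion object {
        const val REQUEST_FOREGROUND = 100
        const val REQUEST_BACKGROUND = 101
    }
}
```

Call requestForeground() when the user first touches a location feature and requestBackgroundIfNeeded() only from the screen that enables the background feature; the activity's onRequestPermissionsResult then distinguishes the two request codes.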
Permissions Auto-reset
Auto-reset permissions (target API level 'R')
Auto-reset permissions (target API level 'R'): use cases that may need the user to keep permissions, e.g. providing family safety, a smart device connectivity app, being paired to companion devices, syncing data. Settings intent: Settings.ACTION_APPLICATION_DETAILS_SETTINGS
Foreground Service Types
Foreground Service Types: Android 10 introduced the concept of types: Sync, Companion device, Media player, Media projection, Phone call, Location. Enforced to ensure accountability for access.
Foreground Service Types, Android 11 (target API level 'R'):

    <manifest ...>
      <service ... android:foregroundServiceType="camera" />
    </manifest>
Foreground Service Types, Android 11 (target API level 'R'), combining types with "|":

    <manifest ...>
      <service ... android:foregroundServiceType="camera|microphone" />
    </manifest>
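The runtime half of the manifest declaration above, as an added Kotlin example that is not from the slides. CaptureService, the notification channel id and the notification id are hypothetical names; Service.startForeground(int, Notification, int) and the ServiceInfo.FOREGROUND_SERVICE_TYPE_* constants are the real platform APIs.

```kotlin
import android.app.Notification
import android.app.NotificationChannel
import android.app.NotificationManager
import android.app.Service
import android.content.Intent
import android.content.pm.ServiceInfo
import android.os.Build
import android.os.IBinder

// Added example, not from the slides. The service must be declared in the manifest with
// android:foregroundServiceType="camera|microphone", and the app must already hold the CAMERA and
// RECORD_AUDIO runtime permissions; otherwise startForeground() below throws SecurityException.
class CaptureService : Service() {

    override fun onBind(intent: Intent?): IBinder? = null

    override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
        val notification = buildNotification()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // Declare exactly the types this service uses, so the system can attribute camera and
            // microphone access to it. Android 11 denies camera/mic access to a foreground service
            // that was started while the app was in the background, so start it from the foreground.
            startForeground(
                NOTIFICATION_ID, notification,
                ServiceInfo.FOREGROUND_SERVICE_TYPE_CAMERA or ServiceInfo.FOREGROUND_SERVICE_TYPE_MICROPHONE
            )
        } else {
            // Older platforms have no runtime type parameter; the manifest attribute alone applies.
            startForeground(NOTIFICATION_ID, notification)
        }
        return START_NOT_STICKY
    }

    private fun buildNotification(): Notification {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            val channel = NotificationChannel(
                CHANNEL_ID, "Recording", NotificationManager.IMPORTANCE_LOW
            )
            getSystemService(NotificationManager::class.java).createNotificationChannel(channel)
        }
        val builder = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            Notification.Builder(this, CHANNEL_ID)
        } else {
            @Suppress("DEPRECATION")
            Notification.Builder(this)
        }
        return builder
            .setContentTitle("Recording in progress")
            .setSmallIcon(android.R.drawable.ic_menu_camera)
            .setOngoing(true)
            .build()
    }

    companion object {
        const val CHANNEL_ID = "capture"   // hypothetical channel id
        const val NOTIFICATION_ID = 42     // hypothetical notification id
    }
}
```

Passing only the types actually in use (camera alone when no audio is recorded) keeps the attribution honest and avoids holding a microphone grant the feature does not need.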
Package Visibility
Seeing all installed apps on Android 10 and older: packageManager.getInstalledPackages(0)
Default behavior (target API level 'R'): getPackageInfo("another.app", 0) throws NameNotFoundException
Query and interact with specific apps: declare package names in the <queries> element of the manifest to 'see' specific apps.

    <manifest ...>
      <queries>
        <package android:name="com.example.store" />
        <package android:name="com.example.service" />
      </queries>
    </manifest>
Query and interact with apps based on intent filters: declare intents in the <queries> element to 'see' apps that handle certain intents.

    <manifest ...>
      <queries>
        <intent>
          <action android:name="android.intent.action.SEND" />
          <data android:mimeType="image/jpeg" />
        </intent>
      </queries>
    </manifest>
Interacting with all apps: shouldn't be necessary for most apps. A "normal" permission is available that allows querying and interacting with all installed apps:

    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />

Look for Google Play to provide upcoming guidelines for apps that need this permission. "Let us know your use cases", says Google.
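How the two <queries> declarations above are consumed from code, as an added Kotlin example that is not from the slides. PackageVisibility is a hypothetical object name; PackageManager.getPackageInfo, PackageManager.queryIntentActivities and NameNotFoundException are the real platform APIs, and the package and MIME values match the manifest snippets above.

```kotlin
import android.content.Context
import android.content.Intent
import android.content.pm.PackageManager

// Added example, not from the slides: package lookups that behave correctly under Android 11
// package visibility, without falling back to QUERY_ALL_PACKAGES.
object PackageVisibility {

    // True only if the package is installed AND visible to this app. On API 30+ a package missing
    // from <queries> raises NameNotFoundException even when it is installed, so the caller must
    // treat "not found" as "not usable" rather than as proof the app is absent.
    fun isUsable(context: Context, packageName: String): Boolean =
        try {
            context.packageManager.getPackageInfo(packageName, 0)
            true
        } catch (e: PackageManager.NameNotFoundException) {
            false
        }

    // Package names of apps that can receive a JPEG via ACTION_SEND. On API 30+ only apps matching
    // the <queries><intent> filter declared in the manifest are returned; on older platforms all
    // matching handlers are returned, so the caller must not assume the list is complete.
    fun imageShareTargets(context: Context): List<String> {
        val intent = Intent(Intent.ACTION_SEND).setType("image/jpeg")
        return context.packageManager
            .queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY)
            .map { it.activityInfo.packageName }
            .distinct()
    }

    // Launches a declared companion app only when it is visible; returns false otherwise so the UI
    // can hide the feature instead of crashing on a null launch intent.
    fun launchIfVisible(context: Context, packageName: String): Boolean {
        if (!isUsable(context, packageName)) return false
        val launch = context.packageManager.getLaunchIntentForPackage(packageName) ?: return false
        context.startActivity(launch)
        return true
    }
}
```

Keeping the declared set in <queries> minimal is the privacy point of the feature: each entry is a package the app admits it needs to know about, and reviewers can audit that list in the manifest.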
Scoped Storage
Exactly the data that user wants to share and no more
New in Android 11
OWASP.Mobile
OWASP Mobile Security Project: Secure Software Development Life Cycle (SSDLC), M Top 10, MASVS, Hacking Playground, MSTG, M Security Chklst, Response
Mobile Application Security Verification Standard (MASVS): forked from OWASP ASVS; best practices for security requirements; mobile-specific, high-level, OS-agnostic.
Security Requirements
V1: Architecture, Design and Threat Modeling
V2: Data Storage and Privacy
V3: Cryptography
V4: Authentication and Session Management
V5: Network Communication
V6: Platform Interaction
V7: Code Quality and Build Setting
V8: Resilience
Levels
MASVS-L1: all mobile apps.
MASVS-L2: apps handling sensitive data and/or functionality.
MASVS-R: apps handling highly sensitive data; may serve as a means of protecting intellectual property or tamper-proofing an app.
Examples: L1 (Alarm app), L2 (Health app), L1+R (Game app), L2+R (Banking app)
V2: Data Storage and Privacy (part)
V3: Cryptography (part)
V5: Network Communication (part)
V5: Network Communication (part)
V6: Platform Interaction (part)
RESILIENCE?Yes, resilience!
V8: Resilience (part)
HOW TO USE THE MASVS? Bring security to the system requirement phase!
As a secure coding checklist
As a security testing methodology
For secure development training
To Conclude
Why do we need security?
How much does that cost
Find the bugs earlier
Create fewer ft-approach-to-software-testing
SHIFT LEFT! Shift Left for Security! (M Top 10, MASVS, Hacking Playground, MSTG, M Security Chklst, Response)
Thank you!