CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.


1 CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University

2 Why Cryptography Programming?
- Mobile devices store a tremendous amount of personal and financial data
- Mobile apps access the data over the Internet
- Mobile devices are more easily lost or stolen
- Websites vs. mobile apps
  - E.g., on a desktop, use amazon.com (website) to shop; on mobile devices, use the Amazon app to shop

3 Android’s Storage Options
- Internal storage vs. external storage
  - Internal storage is accessible only by the app
    - Not safe if the device is rooted
    - Bugs
  - External storage (SD card) is world-readable
- Full Disk Encryption (FDE)
  - Provides protection when the device is lost or rooted
  - Has performance issues and is not turned on by default
- Use encryption for sensitive data!

4 Android’s Crypto Library
- Android’s SDK includes JCE (Java Cryptography Extension)
  - Symmetric-key and public-key ciphers
  - PBE (Password Based Encryption)
  - Hash functions
  - MAC and digital signatures
  - Random number generation
- Android’s SDK includes an additional Java library that supports SSL
  - X.509 certificates

5 Common Mistakes in Cipher Programming - PBE
- What is PBE?
  - Password Based Encryption
  - Uses a password as the key for symmetric-key ciphers
- Problems with PBE
  - Passwords are usually not strong
    - They are not random enough
    - They are not long enough and need padding
- Other problems
  - Using a constant IV
  - Using ECB mode instead of the stronger CBC mode
  - Storing the password in the source code

6 An example of secure implementation of PBE
- Use password-based key derivation functions (PBKDF)
  - Use the password and a salt as input
    - The salt protects against rainbow tables
  - A hash function or MAC outputs the encryption key
  - Run the above function 1000+ times
    - Makes password cracking very, very slow
    - Weak passwords are still vulnerable
- Use strong ciphers
- Use a random IV
- Use a strong mode: CBC

7 Common Mistakes in Cipher Programming - SSL
- What is SSL (Secure Sockets Layer)?
  - Secure transport-layer communication between client and server.
  - Based on public-key ciphers.
  - The server sends its digital certificate to the client for authentication and key exchange.
- MITM (Man-In-The-Middle) attacks are the biggest threat to SSL
  - More vulnerable on public Wi-Fi or public Ethernet.
  - The MITM intercepts the digital certificate and replaces it with another one.
  - If the client fails to detect this fake certificate, the attacker can obtain all traffic.

8 Common Mistakes in Cipher Programming - SSL
- Must authenticate digital certificates
- Web browsers authenticate the certificate
  - Check if it is signed by a trusted certificate authority (CA)
  - Check if the subject of the certificate is the same as the hostname
  - Check if it has expired
- Mobile apps have to verify the digital certificate
  - Some mobile apps simply skip verification

9 Common Mistakes in Cipher Programming - SSL
- Two ways Android uses SSL
  - HttpsURLConnection
    - Applicable to web traffic
    - Digital certificate verification is done by the library.
    - Also does hostname verification
    - Good for certificates signed by trusted CAs
  - SSLSocket
    - Applicable to non-web or web traffic
    - Verification is not done by this library

10 Self-Signed Digital Certificates
- A lot of mobile apps use self-signed digital certificates
  - Digital certificates signed by a trusted CA are expensive
  - Self-signed certificates are easy to create using OpenSSL
  - Free
- Not a big problem for mobile apps compared to websites that use self-signed certificates
  - Why?
- Studies show that
  - A lot of apps on the Google Play store do not verify certificates
  - Bad verification that simply accepts all certificates
- A self-signed digital certificate can be secure if programmed correctly

11 An example of secure implementation of verification
- Let HttpsURLConnection trust the self-signed CA
- Steps (from Android):
  1. Load the CA’s digital certificate into the app
  2. Create a KeyStore that contains the self-signed CA
  3. Create a TrustManager and initialize it with the KeyStore
  4. Create an SSLContext that uses the TrustManager
  5. Let HttpsURLConnection use the SSLContext
- https://developer.android.com/training/articles/security-ssl.html

12 Hostname Verification
- If the hostname of a URL is different from the subject name in the digital certificate, hostname verification will fail
- Mobile apps need to override HostnameVerifier to accept the mismatching certificate
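
The five steps from slide 11 together with the HostnameVerifier override from slide 12, as an added example (not code from the presentation). The class name, the `open` method and the host name `addressbook.example` are hypothetical; the caller is assumed to pass the CA certificate bundled with the app as a stream.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class SelfSignedCaClient {
    // Hypothetical value: the one name the server's certificate was issued for.
    static final String CERT_SUBJECT_HOST = "addressbook.example";

    public static HttpsURLConnection open(URL url, InputStream caCert) throws Exception {
        // Step 1: load the CA's digital certificate into the app
        Certificate ca;
        try (InputStream in = caCert) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Step 2: KeyStore that contains only the self-signed CA
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("ca", ca);
        // Step 3: TrustManager initialized with that KeyStore
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        // Step 4: SSLContext that uses the TrustManager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        // Step 5: this connection only; the process-wide default is left untouched
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname override: the URL host may differ from the certificate's name, so the
        // built-in verifier is asked whether the presented certificate matches the expected
        // name. Any other certificate still fails, unlike a verifier that returns true.
        HostnameVerifier builtin = HttpsURLConnection.getDefaultHostnameVerifier();
        conn.setHostnameVerifier((host, session) -> builtin.verify(CERT_SUBJECT_HOST, session));
        return conn;
    }
}
```

A verifier that returns `true` for every session, or a TrustManager that accepts every chain, is the "accepts all certificates" case from slide 10 and leaves the app open to the certificate substitution described on slide 7.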

13 SecureAddressBook: Hands-on Lab
- Based on Derek Banas's YouTube tutorial
- Changes made to the original program
  - Address book is saved to an Internet server instead of a local SQLite database
  - Address book is accessed with web service API calls
  - Server accepts both clear-text requests and SSL requests
  - Server’s digital certificate is provided
  - Login activity is added
    - Username and password are sent to the server for authentication
    - Has option to ‘save password’
    - Password is saved in the SQLite database in clear text

14 SecureAddressBook: Hands-on Lab
- Goals
  - Secure the client-server communication with SSL
  - Encrypt the passwords before saving them to the SQLite database

