Enviar búsqueda
Cargar
Securing User Data with SQLCipher
•
6 recomendaciones
•
8,103 vistas
C
CommonsWare
Seguir
from AnDevCon IV conference
Leer menos
Leer más
Tecnología
Denunciar
Compartir
Denunciar
Compartir
1 de 62
Descargar ahora
Descargar para leer sin conexión
Recomendados
Backwards Compatibility: Strategies and Tactics
Backwards Compatibility: Strategies and Tactics
CommonsWare
Securing Android
Securing Android
Marakana Inc.
What & How to Customize Android?
What & How to Customize Android?
Industrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
Debugging embedded devices using GDB
Debugging embedded devices using GDB
Chris Simmonds
Introduction to android
Introduction to android
krishnastudent88
Introduction to NodeJS
Introduction to NodeJS
Claudio Cicali
Introduction to android sessions new
Introduction to android sessions new
Joe Jacob
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen Lombardo
Xamarin
Recomendados
Backwards Compatibility: Strategies and Tactics
Backwards Compatibility: Strategies and Tactics
CommonsWare
Securing Android
Securing Android
Marakana Inc.
What & How to Customize Android?
What & How to Customize Android?
Industrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
Debugging embedded devices using GDB
Debugging embedded devices using GDB
Chris Simmonds
Introduction to android
Introduction to android
krishnastudent88
Introduction to NodeJS
Introduction to NodeJS
Claudio Cicali
Introduction to android sessions new
Introduction to android sessions new
Joe Jacob
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen Lombardo
Xamarin
Android Security: Defending Your Users
Android Security: Defending Your Users
CommonsWare
App Integration (Revised and Updated)
App Integration (Revised and Updated)
CommonsWare
iOS application (in)security
iOS application (in)security
iphonepentest
What's New in Jelly Bean
What's New in Jelly Bean
CommonsWare
App integration: Strategies and Tactics
App integration: Strategies and Tactics
CommonsWare
X Means Y
X Means Y
CommonsWare
Android Attacks
Android Attacks
Michael Scovetta
Evaluating iOS Applications
Evaluating iOS Applications
iphonepentest
Android Security Humla Part 1
Android Security Humla Part 1
Nikhil Kulkarni
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Sebastián Guerrero Selma
Mobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
Smart Phones Dumb Apps
Smart Phones Dumb Apps
Denim Group
ABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting Walkthrough
Benjamin Zores
SmartTV Security
SmartTV Security
Ulisses Albuquerque
JVM Multitenancy (JavaOne 2012)
JVM Multitenancy (JavaOne 2012)
Graeme_IBM
Is Android the New King of Embedded OSes at Embedded World 2014
Is Android the New King of Embedded OSes at Embedded World 2014
Opersys inc.
Android Development Tutorial V3
Android Development Tutorial V3
Diego Torres Milano
Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01
Santosh Sh
Hybrid Cloud Approach for Secure Authorized Deduplication
Hybrid Cloud Approach for Secure Authorized Deduplication
Prem Rao
Gradle and Your Android Wearable Projects
Gradle and Your Android Wearable Projects
CommonsWare
Getting Android Developers for Your Wearables
Getting Android Developers for Your Wearables
CommonsWare
Más contenido relacionado
Similar a Securing User Data with SQLCipher
Android Security: Defending Your Users
Android Security: Defending Your Users
CommonsWare
App Integration (Revised and Updated)
App Integration (Revised and Updated)
CommonsWare
iOS application (in)security
iOS application (in)security
iphonepentest
What's New in Jelly Bean
What's New in Jelly Bean
CommonsWare
App integration: Strategies and Tactics
App integration: Strategies and Tactics
CommonsWare
X Means Y
X Means Y
CommonsWare
Android Attacks
Android Attacks
Michael Scovetta
Evaluating iOS Applications
Evaluating iOS Applications
iphonepentest
Android Security Humla Part 1
Android Security Humla Part 1
Nikhil Kulkarni
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Sebastián Guerrero Selma
Mobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
Smart Phones Dumb Apps
Smart Phones Dumb Apps
Denim Group
ABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting Walkthrough
Benjamin Zores
SmartTV Security
SmartTV Security
Ulisses Albuquerque
JVM Multitenancy (JavaOne 2012)
JVM Multitenancy (JavaOne 2012)
Graeme_IBM
Is Android the New King of Embedded OSes at Embedded World 2014
Is Android the New King of Embedded OSes at Embedded World 2014
Opersys inc.
Android Development Tutorial V3
Android Development Tutorial V3
Diego Torres Milano
Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01
Santosh Sh
Hybrid Cloud Approach for Secure Authorized Deduplication
Hybrid Cloud Approach for Secure Authorized Deduplication
Prem Rao
Similar a Securing User Data with SQLCipher
(20)
Android Security: Defending Your Users
Android Security: Defending Your Users
App Integration (Revised and Updated)
App Integration (Revised and Updated)
iOS application (in)security
iOS application (in)security
What's New in Jelly Bean
What's New in Jelly Bean
App integration: Strategies and Tactics
App integration: Strategies and Tactics
X Means Y
X Means Y
Android Attacks
Android Attacks
Evaluating iOS Applications
Evaluating iOS Applications
Android Security Humla Part 1
Android Security Humla Part 1
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
Mobile Application Security Code Reviews
Mobile Application Security Code Reviews
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
Smart Phones Dumb Apps
Smart Phones Dumb Apps
ABS 2012 - Android Device Porting Walkthrough
ABS 2012 - Android Device Porting Walkthrough
SmartTV Security
SmartTV Security
JVM Multitenancy (JavaOne 2012)
JVM Multitenancy (JavaOne 2012)
Is Android the New King of Embedded OSes at Embedded World 2014
Is Android the New King of Embedded OSes at Embedded World 2014
Android Development Tutorial V3
Android Development Tutorial V3
Androidoverview 100405150711-phpapp01
Androidoverview 100405150711-phpapp01
Hybrid Cloud Approach for Secure Authorized Deduplication
Hybrid Cloud Approach for Secure Authorized Deduplication
Más de CommonsWare
Gradle and Your Android Wearable Projects
Gradle and Your Android Wearable Projects
CommonsWare
Getting Android Developers for Your Wearables
Getting Android Developers for Your Wearables
CommonsWare
When Microwatts Are Precious: Battery Tips for Wearable Apps
When Microwatts Are Precious: Battery Tips for Wearable Apps
CommonsWare
The Action Bar: Front to Back
The Action Bar: Front to Back
CommonsWare
Secondary Screen Support Using DisplayManager
Secondary Screen Support Using DisplayManager
CommonsWare
Mastering the Master Detail Pattern
Mastering the Master Detail Pattern
CommonsWare
Not Quite As Painful Threading
Not Quite As Painful Threading
CommonsWare
Android Development: The 20,000-Foot View
Android Development: The 20,000-Foot View
CommonsWare
Maps V2... And You!
Maps V2... And You!
CommonsWare
A Deep Dive Into ViewPager
A Deep Dive Into ViewPager
CommonsWare
Second-Screen Support in Android 4.2
Second-Screen Support in Android 4.2
CommonsWare
Integrate Android Apps and Web Apps
Integrate Android Apps and Web Apps
CommonsWare
From Android to the Mobile Web
From Android to the Mobile Web
CommonsWare
The Wonderful World of Wearables
The Wonderful World of Wearables
CommonsWare
Beaming Data to Devices with NFC
Beaming Data to Devices with NFC
CommonsWare
Making Money at Mobile: 60 Business Models
Making Money at Mobile: 60 Business Models
CommonsWare
AppsWorld Keynote
AppsWorld Keynote
CommonsWare
Rich Text Editing and Beyond
Rich Text Editing and Beyond
CommonsWare
Android Hardware That's A Little Bit... Odd
Android Hardware That's A Little Bit... Odd
CommonsWare
Google TV For Fun
Google TV For Fun
CommonsWare
Más de CommonsWare
(20)
Gradle and Your Android Wearable Projects
Gradle and Your Android Wearable Projects
Getting Android Developers for Your Wearables
Getting Android Developers for Your Wearables
When Microwatts Are Precious: Battery Tips for Wearable Apps
When Microwatts Are Precious: Battery Tips for Wearable Apps
The Action Bar: Front to Back
The Action Bar: Front to Back
Secondary Screen Support Using DisplayManager
Secondary Screen Support Using DisplayManager
Mastering the Master Detail Pattern
Mastering the Master Detail Pattern
Not Quite As Painful Threading
Not Quite As Painful Threading
Android Development: The 20,000-Foot View
Android Development: The 20,000-Foot View
Maps V2... And You!
Maps V2... And You!
A Deep Dive Into ViewPager
A Deep Dive Into ViewPager
Second-Screen Support in Android 4.2
Second-Screen Support in Android 4.2
Integrate Android Apps and Web Apps
Integrate Android Apps and Web Apps
From Android to the Mobile Web
From Android to the Mobile Web
The Wonderful World of Wearables
The Wonderful World of Wearables
Beaming Data to Devices with NFC
Beaming Data to Devices with NFC
Making Money at Mobile: 60 Business Models
Making Money at Mobile: 60 Business Models
AppsWorld Keynote
AppsWorld Keynote
Rich Text Editing and Beyond
Rich Text Editing and Beyond
Android Hardware That's A Little Bit... Odd
Android Hardware That's A Little Bit... Odd
Google TV For Fun
Google TV For Fun
Último
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
BookNet Canada
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
LoriGlavin3
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
ScyllaDB
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Alex Barbosa Coqueiro
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
Rizwan Syed
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
LoriGlavin3
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
Raghuram Pandurangan
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
Curtis Poe
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
Mattias Andersson
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Precisely
How to write a Business Continuity Plan
How to write a Business Continuity Plan
Databarracks
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
LoriGlavin3
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
UiPathCommunity
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
2toLead Limited
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
Stephanie Beckett
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Dubai Multi Commodity Centre
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
BookNet Canada
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
Lars Bell
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
Sergiu Bodiu
Último
(20)
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
How to write a Business Continuity Plan
How to write a Business Continuity Plan
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
Securing User Data with SQLCipher
1.
AnDevCon IV Securing User
Data with SQLCipher Copyright © 2012 CommonsWare, LLC
2.
Workshop Overview ●
Who Is At Risk? ● Offense and Defense ● SQLCipher Integration ● SQLCipher: Hands On! ● Encrypting SharedPreferences & Files ● Passphrases ● Encrypted Communications Copyright © 2012 CommonsWare, LLC
3.
Who Is At
Risk? ● The Clumsy – Leaving phones lie around – Some percentage get personal data lifted ● The Traveler – Spear-fishing attack on a specific business – Corporate espionage or just garden-variety theft Copyright © 2012 CommonsWare, LLC
4.
Who Is At
Risk? ● The Freedom Fighter – Devices used for communication, coordination – Devices confiscated upon arrest ● The Terrorist – Devices used for communication, coordination – Devices confiscated upon arrest Copyright © 2012 CommonsWare, LLC
5.
Who Is At
Risk? ● The Citizen (of Repressive Regimes) – Arrests ranging from freedom of expression (protest rallies) to “just because” (race, religion, etc.) ● The User – May fall into any of the above categories – Even for apps not normally thought of as requiring such security Copyright © 2012 CommonsWare, LLC
6.
Who Is At
Risk? ● The Developer – Press reports of “plaintext” stuff on internal storage – Negative publicity leads to negative reputation Copyright © 2012 CommonsWare, LLC
7.
Offense and Defense ●
Defense: Lock Screen Security – Swipe: um, not really – Face: well, better than nothing – PIN: we're getting somewhere – Password: secure! ● Right? Copyright © 2012 CommonsWare, LLC
8.
Offense and Defense ●
Offense: Exploits – Example: USB Debugging ● Create app that dismisses keyguard ● Run via USB cable and adb shell am ● Net: bypass lock screen regardless of security settings ● (according to Google: not a bug) Copyright © 2012 CommonsWare, LLC
9.
Offense and Defense ●
Defense: Internal Storage – Read-write for app, deny-all for everyone else – User has no direct access via USB cable – Net: only way to get at the data is via the app! ● Right? Copyright © 2012 CommonsWare, LLC
10.
Offense and Defense ●
Offense: Rooting – Most devices can be rooted – Can run apps as root, with access to all parts of internal storage – Run a file manager, copy off whatever is desired ● Or write an app that bulk-copies entire internal storage for later analysis Copyright © 2012 CommonsWare, LLC
11.
Offense and Defense ●
Defense: Full-Disk Encryption – Entire internal storage bulk encrypted – Reboot locks down device, requiring manual entry of password – Many root attacks require a reboot – Net: only way to get at data is via encryption password! ● Right? Copyright © 2012 CommonsWare, LLC
12.
Offense and Defense ●
Offense: Exploits – Ineffective against many temporary root attacks – Weak full-disk encryption passwords ● Same as lock screen for most devices ● Can be brute-forced – Assumes users know of, apply full-disk encryption ● Not offered during initial setup Copyright © 2012 CommonsWare, LLC
13.
Offense and Defense ●
Defense: Cloud – Keep data off the device – Many Web sites and apps have decent defenses against brute-forcing attacks – So long as user is willing to enter password every time, the data is secure! ● Right? Copyright © 2012 CommonsWare, LLC
14.
Offense and Defense
xkcd comics reproduced under CC license from Randall Munroe, despite Hat Guy's best efforts. Copyright © 2012 CommonsWare, LLC
15.
General Strategy ●
Use Base Defenses – Lockscreen – Internal Storage – Full-Disk Encryption Copyright © 2012 CommonsWare, LLC
16.
General Strategy ●
Per-App Crypto – More flexible authentication models ● Help to mitigate “always entering password” problem – Containers with better brute-force resistance – Storage Models ● Database ● SharedPreferences ● General files Copyright © 2012 CommonsWare, LLC
17.
Introducing SQLCipher ●
SQLCipher – Modified version of SQLite – AES-256 encryption by default, of all data – Relatively low overhead – Cross-platform – BSD license Copyright © 2012 CommonsWare, LLC
18.
Introducing SQLCipher ●
SQLCipher Security – Customizable encryption algorithm ● Based on OpenSSL libcrypto – Individual pages encrypted, with own initialization vector – Message authentication code (MAC) per page, to detect tampering – Hashed passphrase (PBKDF2) for key Xkcd comics reproduced under CC license from Randall Munroe. Hat guy is not impressed. Copyright © 2012 CommonsWare, LLC
19.
Introducing SQLCipher ●
SQLCipher for Android – NDK-compiled binaries – Drop-in replacement classes for Android's SQLite classes ● SQLiteDatabase ● SQLiteOpenHelper ● Etc. Copyright © 2012 CommonsWare, LLC
20.
Introducing SQLCipher ●
SQLCipher for Android Limitations – Adds ~3MB to APK size per CPU architecture – x86 binaries not available for public download right now ● Must build them yourself, versus downloading ARM binaries ● Available for this workshop! Copyright © 2012 CommonsWare, LLC
21.
Introducing SQLCipher ●
SQLCipher and Third Party Code – Typically should work for open source via fork ● Replace their references to SQLite classes the same way you would replace your references ● Find way to pass in passphrase ● Either package as separate JAR or blend their source into your project as needed ● Examples: ORMLite, SQLiteAssetHelper Copyright © 2012 CommonsWare, LLC
22.
Integrating SQLCipher ●
Step #1: Add to Project – Download ZIP file from: https://github.com/sqlcipher/android-database-sqlcipher – Copy ZIP's assets/ into project's assets/ – Copy ZIP's libs/ into project's libs/ Copyright © 2012 CommonsWare, LLC
23.
Integrating SQLCipher ●
Step #2: Replace Import Statements – Eclipse ● Delete all android.database.* and android.database.sqlite.* imports ● Use Ctrl-Shift-O and choose the net.sqlcipher equivalents Copyright © 2012 CommonsWare, LLC
24.
Integrating SQLCipher ●
Step #2: Replace Import Statements – Outside of Eclipse ● Replace all occurrences of android.database with net.sqlcipher, revert back as needed ● Replace all occurrences of android.database.sqlite with net.sqlcipher.database Copyright © 2012 CommonsWare, LLC
25.
Integrating SQLCipher ●
Step #3: Supply Passphrases – SQLiteDatabase openOrCreateDatabase(), etc. – SQLiteOpenHelper getReadableDatabase() and getWritableDatabase() – Collect passphrase from user via your own UI Copyright © 2012 CommonsWare, LLC
26.
Integrating SQLCipher ●
Step #4: Testing – Tests should work when starting with a clean install ● No existing unencrypted database ● Step #5: Beer! – Hooray, beer! Copyright © 2012 CommonsWare, LLC
27.
Integrating SQLCipher ●
Upgrading to Encryption – Open unencrypted original – Create and ATTACH new encrypted database – sqlcipher_export() – Save schema version from old database – DETACH and close databases – Open encrypted database and set schema version Copyright © 2012 CommonsWare, LLC
28.
SQLCipher: Hands On! ●
Option #1: Tutorial – Materials on USB thumb drive – Step-by-step instructions (PDF) – Live walkthrough of all steps ● Designed to supplement instructions – Goal: add SQLCipher to an existing Android app, including handling the database upgrade Copyright © 2012 CommonsWare, LLC
29.
SQLCipher: Hands On! ●
Option #2: Upgrade Your Own App – Use instructions, walkthrough as guide for applying similar changes to your own code ● Warning: tutorial probably smaller than your app! ● Support – Ask questions of presenter, who will be up front or wandering around aimlessly between walkthrough sections Copyright © 2012 CommonsWare, LLC
30.
SQLCipher: Hands On! ●
Option #3: Return at 11:25am for more exciting slides! – ...though we will all miss you... Copyright © 2012 CommonsWare, LLC
31.
SQLCipher: Hands On! ●
Step #1: Getting Your Starting Point ● Step #2: Adding SQLCipher for Android ● Step #3: Adding a New Launcher Activity ● Step #4: Collect Passphrase For New Encryption ● Step #5: Create or Encrypt the Database ● Step #6: Collect Passphrase For Decryption Copyright © 2012 CommonsWare, LLC
32.
SQLCipher: Hands On! ●
Step #1: Getting Your Starting Point ● Step #2: Adding SQLCipher for Android ● Step #3: Adding a New Launcher Activity ● Step #4: Collect Passphrase For New Encryption ● Step #5: Create or Encrypt the Database ● Step #6: Collect Passphrase For Decryption Copyright © 2012 CommonsWare, LLC
33.
SQLCipher: Hands On! ●
Step #1: Getting Your Starting Point ● Step #2: Adding SQLCipher for Android ● Step #3: Adding a New Launcher Activity ● Step #4: Collect Passphrase For New Encryption ● Step #5: Create or Encrypt the Database ● Step #6: Collect Passphrase For Decryption Copyright © 2012 CommonsWare, LLC
34.
SQLCipher: Hands On! ●
Step #1: Getting Your Starting Point ● Step #2: Adding SQLCipher for Android ● Step #3: Adding a New Launcher Activity ● Step #4: Collect Passphrase For New Encryption ● Step #5: Create or Encrypt the Database ● Step #6: Collect Passphrase For Decryption Copyright © 2012 CommonsWare, LLC
35.
SQLCipher: Hands On! ●
Step #1: Getting Your Starting Point ● Step #2: Adding SQLCipher for Android ● Step #3: Adding a New Launcher Activity ● Step #4: Collect Passphrase For New Encryption ● Step #5: Create or Encrypt the Database ● Step #6: Collect Passphrase For Decryption Copyright © 2012 CommonsWare, LLC
36.
SQLCipher: Hands On! ●
Step #1: Getting Your Starting Point ● Step #2: Adding SQLCipher for Android ● Step #3: Adding a New Launcher Activity ● Step #4: Collect Passphrase For New Encryption ● Step #5: Create or Encrypt the Database ● Step #6: Collect Passphrase For Decryption Copyright © 2012 CommonsWare, LLC
37.
SQLCipher: Hands On! ●
Step #1: Getting Your Starting Point ● Step #2: Adding SQLCipher for Android ● Step #3: Adding a New Launcher Activity ● Step #4: Collect Passphrase For New Encryption ● Step #5: Create or Encrypt the Database ● Step #6: Collect Passphrase For Decryption Copyright © 2012 CommonsWare, LLC
38.
Encrypted SharedPreferences ●
How They Are Normally Stored – Unencrypted XML files – Internal storage in shared_prefs/ directory ● Peer to your databases/, files/ directories ● Precise root path may vary, especially on Android 4.2 with multiple accounts Copyright © 2012 CommonsWare, LLC
39.
Encrypted SharedPreferences ●
Introducing CWSharedPreferences – Strategy-based pluggable storage model ● SQLite ● SQLCipher ● Others as you wish via interfaces – Implements SharedPreferences ● Manual preference-using code requires no changes once you have your SharedPreferences object Copyright © 2012 CommonsWare, LLC
40.
Encrypted SharedPreferences ●
Creating a SQLCipherStrategy – Supply name of preferences, passphrase, LoadPolicy ● LoadPolicy.SYNC: loads on main application thread ● LoadPolicy.ASYNC_BLOCK: loads in background thread, blocks if you try using them before loaded ● LoadPolicy.ASYNC_EXCEPTION: loads in background thread, raises exception if you try using them before loaded ● Test Case Walkthrough Copyright © 2012 CommonsWare, LLC
41.
Encrypted SharedPreferences ●
Limitation: No PreferenceActivity – Hard-wired to use stock SharedPreferences ● Alternative: Encrypt at GUI Level – Custom Preference classes with encryption, decryption logic, also available for use outside of preference UI – Requires more manual fussing with encryption – Encrypts values, perhaps not keys Copyright © 2012 CommonsWare, LLC
42.
Encrypted Files ●
Option #1: javax.crypto – Standard solution for Java for years – Plenty of online recipes – Search StackOverflow for Android-specific idiosyncrasies Copyright © 2012 CommonsWare, LLC
43.
Encrypted Files ●
Option #2: SpongyCastle – Refactored version of BouncyCastle, to avoid VM collisions ● Android's javax.crypto based on BouncyCastle, but with somewhat hacked version – Fairly popular, probably less likely to run into Android-specific headaches Copyright © 2012 CommonsWare, LLC
44.
Encrypted Files ●
Future Option: IOCipher – Uses SQLCipher as a backing store for virtual filesystem ● You work with drop-in replacement File class that stores, reads “files” as BLOBs from database – Benefits: less work, benefits of SQLCipher container – Pre-alpha Copyright © 2012 CommonsWare, LLC
45.
Passphrases ●
Passphrase Entry Pain – Users do not like typing long passwords – Result = weaker quality – Option: “diceware” ● Choose ~5 words from stock list ● Can offer scrolling lists, auto-complete to help speed data entry ● Downside: more annoying for accessibility Copyright © 2012 CommonsWare, LLC
46.
Passphrases xkcd comics reproduced
under CC license from Randall Munroe, even though Hat Guy owns a $5 wrench Copyright © 2012 CommonsWare, LLC
47.
Passphrases xkcd comics reproduced
under CC license from Randall Munroe, but BYO talking horse Copyright © 2012 CommonsWare, LLC
48.
Passphrases ●
Multi-Factor Authentication – Passphrase generated in code from user- supplied pieces – Organization options ● Simple concatenation ● Concatenation with factor prefix, un-typeable divider characters Copyright © 2012 CommonsWare, LLC
49.
Passphrases ●
Multi-Factor Authentication Objectives – Longer passphrase without as much user input – Help defeat casual attacks ● Need all factors to access via your UI ● Otherwise, need to brute-force Copyright © 2012 CommonsWare, LLC
50.
Passphrases xkcd comics reproduced
under CC license from Randall Munroe. Hat Guy is not amused. Copyright © 2012 CommonsWare, LLC
51.
Passphrases ●
Multi-Factor Authentication Sources – NFC tag – QR code – Paired Bluetooth device – Wearable app – Gesture (e.g., pattern lock) – Biometrics (e.g., fingerprint scanner) Copyright © 2012 CommonsWare, LLC
52.
Passphrases ●
Password Managers – Some offer APIs (e.g., OI Password Safe) – Benefit ● Easier: user does not have to remember as many passphrases – Downside ● Reliant upon third-party app and its security Copyright © 2012 CommonsWare, LLC
53.
Passphrases ●
Changing SQLCipher Password – PRAGMA rekey = 'new passphrase'; – Requires access to database with existing key – Execution time proportional to database size ● Background thread, please! Copyright © 2012 CommonsWare, LLC
54.
Encrypted Communications ●
BackupManager – No control over exactly where this data is sent ● Could be replaced by device manufacturers, carriers – Ideally, all data backed up should be encrypted with user passphrase ● Either because that data is always encrypted, or encrypt especially for backup/restore ● No sense in using static passphrase, as can be reverse-engineered Copyright © 2012 CommonsWare, LLC
55.
Encrypted Communications ●
GCM and C2DM – Data is encrypted during transmission – Data is not encrypted at Google's servers – Options ● Encrypt the message payloads ● Message payloads are pointers to encrypted data held elsewhere Copyright © 2012 CommonsWare, LLC
56.
Encrypted Communications ●
SSL: Basics – Use https:// URLs with URL or HttpClient – Use normally – Pray that your certificates are installed ● Self-signed certs ● Unusual certificate authorities ● Varying certificate authorities – http://goo.gl/8anF9 Copyright © 2012 CommonsWare, LLC
57.
Encrypted Communications ●
SSL Attack: Hack the CA – Comodo, DigiNotar, etc. – Forged certificates claiming to be Google, Mozilla, Microsoft, etc. – “When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.” Copyright © 2012 CommonsWare, LLC
58.
Encrypted Communications ●
SSL Defense #1: Avoid CAs – CAs are needed for general-purpose clients (e.g., Web browsers) – If you control front end (app) and back end (Web service), use private SSL certificates that can be verified by the app itself – Moxie Marlinspike Implementation ● http://goo.gl/DYTrb ● See Option 1 Copyright © 2012 CommonsWare, LLC
59.
Encrypted Communications ●
SSL Defense #2: Pinning – Assumes that you need to use a CA for some reason (e.g., Web site + Web service) – Validates issuing CA ● Rather than the certificate itself ● Limits attacks to ones where your CA gets hacked – Moxie Marlinspike Implementation ● http://goo.gl/DYTrb ● See Option 2 Copyright © 2012 CommonsWare, LLC
60.
Encrypted Communications ●
SSL Defense #3: User Validation – Assume that attacks are infrequent – Alert user when you see a different certificate than used before ● May indicate a MITM attack – https://github.com/ge0rg/MemorizingTrustManager/wiki ● Implementation of trust store and UI Copyright © 2012 CommonsWare, LLC
61.
Encrypted Communications ●
OnionKit – StrongTrustManager ● Customized set of CAs based on Debian cacerts file ● Full chain verification ● Limited pinning – Proxying through Orbot ● Tor implementation for Android – https://github.com/guardianproject/OnionKit Copyright © 2012 CommonsWare, LLC
62.
Summary ●
Consider Encryption – ...even if you don't think you need it ● SQLCipher: Easiest Option for Encrypted Database – ...if you can live with the APK footprint ● Think About Encrypting Other Data Stores, Means of Collecting Passphrases ● Q&A Copyright © 2012 CommonsWare, LLC
Descargar ahora