New Privacy in Android 11 and OWASP Mobile Security

Albert Hsieh

OWASP現有大約200個開源免費專案

OWASP Flagship Projects

Tool ProjectsOWASP AmassOWASP CSRFGuardOWASP DefectdojoOWASP Dependency-CheckOWASP Dependency-TrackOWASP Juice ShopOWASP OWTFOWASP Security ShepherdOWASP ZAP

Code ProjectsOWASP ModSecurity Core Rule Set

Documentation ProjectsOWASP Application Security Verification StandardOWASP Cheat Sheet SeriesOWASP Mobile Security Testing GuideOWASP SAMMOWASP Top TenOWASP Web Security Testing Guide

OWASP.Mobile

What’s new on Android 11

1. Scoped storage enforcement

2. One-time permissions

3. Permissions auto-reset

4. Background location access

5. Package visibility

6. Foreground service typeshttps://developer.android.com/preview/privacy

Is That Security Or Privacy?

保護可辨識個人之非公開資訊

Privacy保護所有資訊and more!

Security

Permissions

How Powerful is Your Flashlight?

https://www.zdnet.com/article/most-android-flashlight-

apps-request-an-absurd-number-of-permissions/

Permissions, Permissions Everywhere!

One-time Permissions

Only this time!

Only this time!

Only this time!

Background Location Access

Foreground access (App is visible or running a Foreground Service with

Location type)

● ACCESS_COARSE_LOCATION

● ACCESS_FINE_LOCATION (accurate location)

Background access (i.e Geofence or WorkManager/AlarmManager in BG)

● ACCESS_BACKGROUND_LOCATION

Location Permission is specialit’s split in Foreground and Background access

Foreground location accessACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION

●On all versions, this requests foreground access.

●On pre-Android 10, background access is implied.

ActivityCompat.requestPermissions(

/* Activity */ this,

/* Request BG alone */ arrayOf(ACCESS_COARSE_LOCATION),

/* RequestCode */ 100

)

RequestACCESS_BACKGROUND_LOCATION

At some pointACCESS_COARSE_LOCATION

My App

Target API level

'R'If show rational is true:

IN-CONTEXT UI (you define it)

Background location accessrequest incrementally only after Foreground has been granted

Permissions Auto-reset

Target API level

'R'Auto-reset permissions

Target API level

'R'Auto-reset permissions

Provide family safety

Sync data

Smart device connectivity app

Paired to companion devices

Settings.ACTION_APPLICATION_DETAILS_SETTINGS

Foreground Service Types

Companion device

Media Projection

Location

Foreground Service TypesAndroid 10

●Introduced the concept of types

Sync

Media Player

Phone Call

c

Enforced to ensure accountability for access

Foreground Service TypesAndroid 11

Target API level

'R'

<manifest>

...

<service ... android:foregroundServiceType="camera" />

</manifest>

Foreground Service TypesAndroid 11

Target API level

'R'

<manifest>

...

<service ... android:foregroundServiceType="camera|microphone" />

</manifest>

Package Visibility

Seeing all installed apps

packageManager.getInstalledPackages(0)

On Android 10 and older….

Default behavior

getPackageInfo("another.app", 0)

NameNotFoundException

'R'

Target API level

Query and interact with specific apps

Declare package names in <queries> element of manifest to ‘see’ specific apps.

<manifest><queries>

<package android:name="com.example.store" />

<package android:name="com.example.service" />

...</queries>...

</manifest>

Query and interact with apps based on intent filters

Declare intents in <queries> element to ‘see’ apps that handle certain intents.

<manifest>

<queries>

<intent>

<action android:name="android.intent.action.SEND" />

<data android:mimeType="image/jpeg" />

</intent>

</queries>

...

</manifest>

Interacting with all apps

●Shouldn’t be necessary for most apps.

●Available “Normal” permission that allows querying and interacting with all installed apps.

<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES">

Look for Google Play to provide upcoming guidelines for apps that need this permission.

"Let us know your use cases” by Google….

Scoped Storage

Exactly the data that user wants to share and no more

New in Android 11

OWASP.Mobile

OWASP.Mobile

https://owasp.org/www-project-mobile-security/

Secure Software Development Life Cycle (SSDLC)

M Top 10 MASVS MSTG Response

M Security ChklstHacking Playground

Mobile Application Security Verification Standard (MASVS)

• Forked from OWASP ASVS

• Best practices for security requirements

• Mobile-specific

• high-level

• OS-agnostic

Security Requirements

•V1: Architecture, Design and Threat Modeling•V2: Data Storage and Privacy•V3: Cryptography•V4: Authentication and Session Management•V5: Network Communication•V6: Platform Interaction•V7: Code Quality and Build Setting•V8: Resilience

Levels

MASVS-L1: all mobile apps.

MASVS-L2: apps handling sensitive data

and/or functionality.

MASVS-R: apps handling highly

sensitive data and may serve as a means

of protecting intellectual

property or tamper-proofing an app.

▪ L1 Alarm App

▪ L2 Health App

▪ L1+R Game App

▪ L2+R Banking App

V2: Data Storage and Privacy (part)

V3: Cryptography (part)

V5: Network Communication (part)

V5: Network Communication (part)

V6: Platform Interaction (part)

Yes, resilience!

RESILIENCE?

V8: Resilience (part)

HOW TO USE THE MASVS?

Bring Security to system requirement phase!

▸ As secure coding checklist▸ As security testing methodologies▸ For secure development training

To Conclude….

Why do we need security?

How much does that cost

Find the bugs earlier

Create fewer bugs

https://blog.parasoft.com/what-is-the-shift-left-approach-to-software-testing

OWASP.Mobile

https://owasp.org/www-project-mobile-security/

SHIFT LEFT!

M Top 10 MASVS MSTG Response

M Security ChklstHacking Playground

Shift Left for Security!

Thank you!