Scanning the Internet for External Cloud Exposures via SSL Certs
Mysterious Crypto in Android Biometrics
1. Mysterious Crypto in Android
Biometrics
Responsible: Mr. Pongsakorn Sommalai
Version (Date): 1.0 (2019-10-02)
Confidentiality class: Public
บจก.สยามถนัดแฮก
2. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Mr. Pongsakorn (Bongtrop) Sommalai
Penetration Tester
Siam Thanat Hack Company Limited
Whoami
It’s me.
3. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Overview
3
- Introduction
- Android Biometrics (Authentication) Security
- Android Keystore
- Cryptographic Library in Android
- Biometric Prompt
- Example Applications
- AndroidKeyStore
- The better way (let's discuss)
5. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
What is Biometrics (Authentication)?
5
http://fintechnews.sg/18096/mobile-payment/singaporeans-interested-in-biometrics-authentication-and-payments/
10. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Today’s Scenario
10
Scenario: The sophisticated threat actors or APT malware with access to the
victim’s device.
Not these:
12. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
What is Keystore ?
12
A safe box which can store cryptographic keys.
13. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
FriendZone Technology and the Trusted Execution Environment (TEE)
13
14. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
TrustZone Technology and the Trusted Execution Environment (TEE)
14
16. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Key Material in AndroidKeyStore
16
- Generate in secure world
- Encrypt in secure world
- Decrypt in secure world
- XXX in secure world
Can you gimme a key? Can you decrypt for me?
17. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Cryptographic Library in Android
17
https://developer.android.com/guide/topics/security/cryptography
18. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Biometric Prompt
18
https://android-developers.googleblog.com/2018/06/better-biometrics-in-android-p.html
19. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Example Application #1
19
// For the "insecure" method, the app relies on onAuthenticationSucceeded function being called
btInsecureActivity.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View view) {
new BiometricPrompt(MainActivity.this, executor, new BiometricPrompt.AuthenticationCallback() {
@Override
public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {
super.onAuthenticationSucceeded(result);
i = new Intent(MainActivity.this, InsecureActivity.class);
startActivity(i);
}
}).authenticate(promptInfo);
}
});
Let’s play !!
21. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Example Application #2
21
KeyStore + Cryptographic + BiometricPrompt
22. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Example Application #2
22
Generate Key
Init Phrase
Encrypt a Secret Store it Somewhere
Fetch Key
Access Phrase
Authenticate Decrypt a Secret
Secure
World
Secure
World
Secure
World
Only
Object
23. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Example Application #2
23
Take a Look at the Source Code !!
24. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Interesting Property of a Key
24
- isInsideSecureHardware
- isInvalidatedByBiometricEnrollment
- isUserAuthenticationRequired
- isUserAuthenticationRequirementEnforcedBySecureHardware
- isUserAuthenticationValidWhileOnBody
- userAuthenticationValidityDurationSeconds
25. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Example Application #SDHMobile
25
Let’s play with this scenario !!
26. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
Store encrypted PIN or TOKEN for authentication.
Is it secure ?
26
28. บจก.สยามถนัดแฮก
Responsible / Version: Mr. Pongsakorn Sommalai / 1.0 (2019-10-02)
Confidentiality class: Public
AndroidKeyStore Recap
28
- Generate in secure world
- Encrypt in secure world
- Decrypt in secure world
- XXX in secure world
Can you gimme a key? Can you decrypt it for me?
However, the key must be stored in somewhere right?