Secure VoIP - DroidCon 2015
Transcript of Secure VoIP - DroidCon 2015
Secure VoIP
Mobile Secure Communication Solutions for Enterprises
April 2015
Marco Pozzato - CTO
Emanuele Gambaro – Android Engineer
Agenda
● Introduction
● Network challenges
● SW engineering challenges
● Multiplatform challenges
● Security challenges
Introduction
Privacy & business threats
● Industrial espionage
● Mass surveillance
Secure Voice & Text Communications
Mobile Communications
● GSM is insecure
● Data Over Voice codec
● CSD is phased out
● → SVOIP
Network challenges
Mobile Communications
Mobile data networks are evil
● Packet loss
● Bursty traffic
● Highly congested
● TCP exponential backoff
● VoIP blocking (censorship or contractual)
Network transparency myth!
Network challenges
Mobile Platforms for VIP
VIP smartphones in enterprises
● BlackBerry OS 5/6/7: push email
● iPhone: cool device
● Android: power users and geeks
● BlackBerry 10: strong security & EMM
Tech guys are climbing the organizational hierarchy
Multiplatform challenges
Porting from Blackberry 5
BlackBerry vs Android
● Differences between the platforms
● Our first try
● Our final solution
Multiplatform challenges
Porting to BlackBerry 10
Blackberry 10 and Android runtime
● Easy to port an application from Android to BlackBerry 10.3
● ...but many important features are missing
● Our solution: a native app
Multiplatform challenges
Zorg
Zorg – a cross-platform ZRTP library
● What are ZRTP and ZORG?
● Diffie-Hellman is slow in software
● Embedding the standard Bouncy Castle (for ECDH) clashes with the cut-down copy Android already ships under the same org.bouncycastle package name
Software engineering challenges
Multi-product codebase
One codebase, different products
● Manage UI resources
● Manage different languages and product name
● Manage different products from the same source code
Software engineering challenges
Data In Transit
How to protect communications between device and server
● Using secure connections and PKI
● Use only the right cipher suites, e.g. "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
● Trust only one Certificate Authority (pin it in the app instead of trusting the system CA store)
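The two bullets above translate into a small amount of client code: an explicit allow-list of cipher suites and a trust store holding exactly one CA. The following is an added example written for this transcript, not the presenters' Android code; it uses the Python ssl module (the app itself was Java), so the slide's IANA suite name appears in OpenSSL spelling as ECDHE-RSA-AES256-SHA. The classify_suite/review_suite helpers and the ca_file parameter are names chosen here. Pass the PEM file of your one CA as ca_file; nothing else is trusted because load_default_certs() is never called.

```python
"""Client TLS for the device-to-server link: one pinned CA, an explicit
cipher-suite allow-list, TLS 1.2 or newer, hostname verification."""
import ssl

SUITE_IANA = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"   # suite named on the slide
SUITE_OPENSSL = "ECDHE-RSA-AES256-SHA"             # same suite, OpenSSL spelling


def classify_suite(iana_name):
    """Split an IANA suite name into key exchange, authentication, cipher and MAC."""
    body = iana_name[4:] if iana_name.startswith("TLS_") else iana_name
    kx_auth, cipher_mac = body.split("_WITH_", 1)
    kx, _, auth = kx_auth.partition("_")      # "ECDHE_RSA" -> ECDHE, RSA
    if not auth:                              # "RSA" alone: RSA does key exchange and auth
        auth = kx
    cipher, _, mac = cipher_mac.rpartition("_")   # "AES_256_CBC_SHA" -> AES_256_CBC, SHA
    return {
        "key_exchange": kx,
        "auth": auth,
        "cipher": cipher,
        "mac": mac,
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "aead": cipher.endswith(("GCM", "CCM", "POLY1305")),
    }


def review_suite(iana_name):
    """Warnings a reviewer would raise about a suite on an allow-list."""
    info = classify_suite(iana_name)
    warnings = []
    if not info["forward_secrecy"]:
        warnings.append("no forward secrecy")
    if not info["aead"]:
        warnings.append("non-AEAD cipher (CBC + HMAC)")
    if info["mac"] == "SHA":
        warnings.append("HMAC-SHA1 MAC")
    return warnings


def build_client_context(ca_file=None):
    """Context that trusts only the CA in ca_file (PEM), negotiates TLS 1.2+ and
    offers exactly one TLS 1.2 suite. PROTOCOL_TLS_CLIENT already sets
    CERT_REQUIRED and check_hostname; the system CA store is never loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(SUITE_OPENSSL)            # allow-list, not a blacklist
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)   # the one pinned CA
    return ctx


def tls12_suites(ctx):
    """Suites the context offers for TLS <= 1.2 (set_ciphers does not govern TLS 1.3)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def trusted_ca_count(ctx):
    """How many CA certificates the context trusts; 0 until the pinned CA is loaded."""
    return ctx.cert_store_stats()["x509_ca"]


def is_strict(ctx):
    """Certificate required and hostname checked: both must hold for pinning to mean anything."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```

review_suite shows the caveat a 2015 slide cannot: the named suite has forward secrecy but pairs CBC with HMAC-SHA1, so a current allow-list would carry an AEAD suite instead. The discipline of listing exactly what you accept is unchanged.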
Security challenges
Data At Rest / 1
How to protect key and password on device
● Android keystore support
● Keystore bug: https://code.google.com/p/android/issues/detail?id=61989
● API changes from 4.x to Lollipop
Security challenges
Data At Rest / 2
How to protect user data on device
● Protect SQLite databases with SQLCipher for Android
● Secure logging
Security challenges
Randomness and entropy
Java SecureRandom bug
Our test on a Samsung S3 running Android 4.3
***** BUG FEED DATABASE *****
Run # 3987
Duplicates #15
Pid | seed | count
6945|96c8cf6b3c3f0786|2
6958|ade560b0c3d272f6|2
[...]
9378|0b9b08fe52b6003d|2
Our solution: add entropy from the device microphone
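The experiment above and the fix both reduce to small pieces of code: group the first output of many fresh PRNG instances by value and flag any that repeat, and, when the platform generator cannot be trusted, fold an independent source into its output before using it. The block below is an added example for this transcript in Python, not the presenters' Java; the feed lines are constructed (they reuse three seeds and pids from the slide plus one invented row), the microphone buffers are constructed byte strings standing in for PCM capture, and the helper names are ours. HMAC-SHA256 is used as the mixer; the slide does not say how the microphone data was combined.

```python
"""Collision check for a PRNG's first outputs, and entropy mixing for when it fails."""
import hashlib
import hmac
import os

# Constructed sample modelled on the slide's dump: "pid|seed" per fresh process.
FEED = """\
pid|seed
6945|96c8cf6b3c3f0786
6958|ade560b0c3d272f6
6971|0b9b08fe52b6003d
9378|0b9b08fe52b6003d
"""

# Constructed stand-ins for 1024 bytes of microphone PCM: one varied, one muted.
MIC_LIVE = bytes(range(256)) * 4
MIC_MUTED = bytes(1024)


def find_collisions(rows):
    """Return {seed: [pids]} for every seed emitted by more than one process.
    Any hit is fatal: processes that start from the same PRNG state produce the
    same keys, which is exactly what the Android 4.3 SecureRandom bug caused."""
    seen = {}
    for line in rows:
        line = line.strip()
        if not line or line.startswith("pid"):
            continue
        pid, seed = line.split("|")[:2]
        seen.setdefault(seed, []).append(int(pid))
    return {seed: pids for seed, pids in seen.items() if len(pids) > 1}


def sample_platform_rng(n, width=8):
    """Run the slide's experiment in-process against this platform's OS RNG:
    n independent draws formatted as feed rows, ready for find_collisions."""
    return ["%d|%s" % (i, os.urandom(width).hex()) for i in range(n)]


def has_enough_variation(mic_pcm, min_distinct=32):
    """Liveness check, not an entropy estimate: a muted or stuck microphone yields
    near-constant samples and must not be allowed to count as entropy."""
    return len(set(mic_pcm)) >= min_distinct


def mix_seed(platform_seed, mic_pcm):
    """Combine platform RNG output with microphone samples via HMAC-SHA256.
    If either input is unpredictable the result is; a repeated platform seed
    paired with different audio gives different seeds. Rejects muted capture."""
    if not has_enough_variation(mic_pcm):
        raise ValueError("microphone capture too uniform to use as entropy")
    return hmac.new(platform_seed, mic_pcm, hashlib.sha256).digest()
```

Run find_collisions(sample_platform_rng(4000)) on a device before shipping; the slide's table is what a failing run looks like. mix_seed never makes the platform output worse, since the platform bytes stay in the computation as the HMAC key, but it only helps if the audio actually varies, hence the liveness check.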
Security challenges
Generate key from password
Use PBKDF2 as the key derivation function
● Derive a strong encryption key from a PIN or password
● Iteration tuning
● Android charset bug (before 4.4, PBKDF2WithHmacSHA1 kept only the low 8 bits of each password character instead of UTF-8 encoding it)
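Both slide points can be made concrete in a few lines. The following is an added Python example for this transcript, not the presenters' Android code: derive_key is the correct UTF-8 derivation, derive_key_android_8bit emulates the pre-4.4 behaviour (the same thing Android 4.4 kept available under the name PBKDF2WithHmacSHA1And8BIT), and tune_iterations picks a count for a time budget. SALT, KEY_LEN, the helper names and the sample passwords are ours; the 8-bit truncation is Android's documented behaviour.

```python
"""PBKDF2 from a PIN/password: iteration tuning and the Android charset bug."""
import hashlib
import os
import time

KEY_LEN = 32  # 256-bit key, e.g. for SQLCipher
# Constructed fixed salt for the demonstration only; real code stores a random per-user salt.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_key(password, salt, iterations):
    """Correct derivation: UTF-8 encode the password (Android 4.4+ and the JDK do this)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, KEY_LEN)


def derive_key_android_8bit(password, salt, iterations):
    """Emulates pre-KitKat Android: each UTF-16 code unit truncated to its low byte.
    Identical to derive_key for ASCII; for anything else the key differs, and
    distinct passwords whose characters share a low byte collide."""
    truncated = password.encode("utf-16-le")[0::2]
    return hashlib.pbkdf2_hmac("sha1", truncated, salt, iterations, KEY_LEN)


def charset_bug_report(iterations=1000):
    """Three checks that show what the bug does to real keys."""
    ascii_pw, unicode_pw = "Pa55w0rd", "p\u00e4ssword"
    return {
        "ascii_identical": derive_key(ascii_pw, SALT, iterations)
        == derive_key_android_8bit(ascii_pw, SALT, iterations),
        "unicode_identical": derive_key(unicode_pw, SALT, iterations)
        == derive_key_android_8bit(unicode_pw, SALT, iterations),
        # U+00E9 (e acute) and U+01E9 (k caron) share low byte 0xE9: one key, two passwords.
        "truncation_collision": derive_key_android_8bit("caf\u00e9", SALT, iterations)
        == derive_key_android_8bit("caf\u01e9", SALT, iterations),
    }


def tune_iterations(target_seconds=0.25, floor=10_000, probe=2_000):
    """Choose an iteration count so one derivation costs about target_seconds on
    this device, never below floor. Persist the count next to the salt: the same
    value is needed to re-derive the key later, possibly on faster hardware."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha1", b"probe", os.urandom(16), probe, KEY_LEN)
    elapsed = time.perf_counter() - t0
    if elapsed <= 0:
        return floor
    return max(floor, int(probe * target_seconds / elapsed))
```

Two practical consequences follow from the report: data encrypted under a key derived on a 4.3 device cannot be opened by the UTF-8 derivation on 4.4, so the 8-bit variant is kept only to decrypt and re-wrap old data, never for new keys; and a 4-digit PIN has only 10,000 candidates, so iteration tuning multiplies the attacker's cost by a constant and does not replace binding the key to hardware-backed storage.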
Security challenges
Vulnerability assessment
● Made by a third-party company
● Different methodologies
● Some examples
Security challenges
Static analysis
Static analysis of Android applications
● Goal of a static analysis
● What can be found with static analysis?
● Common false positives
Security challenges