March 18, 2025 12 mins
Episode Notes: In this episode, we delve into the crucial topic of mobile app security, focusing on hardware-backed key attestation and its role in verifying device integrity. We explore what key attestation is: a feature of the Android Keystore system that lets an app obtain evidence, signed from inside the device's secure hardware, about whether the operating system, bootloader and overall boot environment have been tampered with. In practice the app generates a key in the Keystore with an attestation challenge, retrieves the resulting certificate chain, and the verifier checks that the chain leads to a trusted hardware attestation root and then inspects the attestation extension in the leaf certificate (security level, the challenge it was bound to, and the root-of-trust fields such as bootloader lock state and verified boot state).

We discuss the potential benefits of key attestation, particularly for applications handling sensitive data in industries like finance, point-of-sale (POS) systems, gaming and entertainment, retail and e-commerce, and healthcare. For instance, key attestation can help ensure that payment environments are uncompromised, aligning with security standards like PCI DSS. It can also be valuable for security-focused SDKs, such as those used for identity verification, by establishing a device's integrity before providing assurances. DexGuard's OS Integrity feature is mentioned as an example of a product building upon key attestation.

However, the episode also critically examines the limitations and challenges of relying solely on hardware-backed key attestation. We address concerns that determined attackers can manipulate the device or the app so that the check reports a healthy device, rendering a purely on-device attestation decision unreliable. The static nature of on-device attestation, which makes it a fixed target that can be studied and bypassed once, is also highlighted. Additionally, device compatibility issues, particularly with older devices or those lacking trusted attestation certificates, and the risk of rejecting legitimate users who run custom ROMs or have unlocked bootloaders, are important considerations.
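To make the verification step described above concrete, the following is an added example (written for this page, not code from the episode, DexGuard or Approov) of the server-side half of a key attestation check: parsing the Android attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) from the leaf certificate and applying a policy to it. It assumes the X.509 chain has already been validated up to Google's hardware attestation root and checked against Google's published revocation list with a normal X.509 library; that part is omitted. The ASN.1 layout of KeyDescription and RootOfTrust follows the AOSP key attestation schema, and the sample extension is constructed inline with made-up hashes so the example runs offline.

```python
"""Server-side policy check of an Android Key Attestation extension (added example)."""

# Values from the AOSP KeyDescription schema (assumed correct here, not taken from the page).
ATTESTATION_EXT_OID = "1.3.6.1.4.1.11129.2.1.17"
SEC_LEVEL = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}
BOOT_STATE = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}
TAG_ROOT_OF_TRUST = 704  # AuthorizationList tag [704] EXPLICIT RootOfTrust


# --- minimal DER encode/decode, enough for the structures used here ----------
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(ident, body):
    """Encode one TLV; ident is the raw identifier octet(s)."""
    return ident + _len(len(body)) + body


def integer(n):
    return der(b"\x02", n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def ctx(num, body):
    """Context-specific EXPLICIT tag [num], using high-tag-number form when num >= 31."""
    if num < 31:
        return der(bytes([0xA0 | num]), body)
    groups = []
    while num:
        groups.append(num & 0x7F)
        num >>= 7
    ident = bytes([0xBF]) + bytes(g | 0x80 for g in reversed(groups[1:])) + bytes([groups[0]])
    return der(ident, body)


def parse_tlv(buf, pos=0):
    """Decode one TLV at pos -> (class, tag_number, constructed, value, next_pos)."""
    first = buf[pos]
    pos += 1
    cls, constructed, num = first & 0xC0, bool(first & 0x20), first & 0x1F
    if num == 0x1F:  # high-tag-number form, base-128 with continuation bit
        num = 0
        while True:
            b = buf[pos]
            pos += 1
            num = (num << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return cls, num, constructed, buf[pos:pos + length], pos + length


def children(buf):
    out, pos = [], 0
    while pos < len(buf):
        cls, num, constructed, value, pos = parse_tlv(buf, pos)
        out.append((cls, num, constructed, value))
    return out


# --- KeyDescription parsing ---------------------------------------------------
def parse_key_description(ext):
    """Parse the extension value (a DER SEQUENCE) into a dict of the fields a verifier needs."""
    _, num, _, body, _ = parse_tlv(ext)
    if num != 0x10:
        raise ValueError("KeyDescription must be a SEQUENCE")
    f = children(body)
    kd = {
        "attestationVersion": int.from_bytes(f[0][3], "big", signed=True),
        "attestationSecurityLevel": f[1][3][0],
        "keymasterVersion": int.from_bytes(f[2][3], "big", signed=True),
        "keymasterSecurityLevel": f[3][3][0],
        "attestationChallenge": f[4][3],
        "uniqueId": f[5][3],
        "softwareEnforced": {n: v for _, n, _, v in children(f[6][3])},
        "teeEnforced": {n: v for _, n, _, v in children(f[7][3])},
    }
    rot = kd["teeEnforced"].get(TAG_ROOT_OF_TRUST)
    if rot is not None:
        r = children(children(rot)[0][3])  # EXPLICIT tag wraps the RootOfTrust SEQUENCE
        kd["rootOfTrust"] = {
            "verifiedBootKey": r[0][3],
            "deviceLocked": r[1][3] != b"\x00",
            "verifiedBootState": r[2][3][0],
            "verifiedBootHash": r[3][3],
        }
    return kd


def evaluate(ext, expected_challenge, require_strongbox=False):
    """Policy decision -> (accepted, reasons). Chain validation must already have passed."""
    kd = parse_key_description(ext)
    reasons = []
    if kd["attestationChallenge"] != expected_challenge:
        reasons.append("challenge mismatch (replayed or foreign attestation)")
    min_level = 2 if require_strongbox else 1
    if min(kd["attestationSecurityLevel"], kd["keymasterSecurityLevel"]) < min_level:
        reasons.append("not hardware-backed: " + SEC_LEVEL.get(kd["attestationSecurityLevel"], "?"))
    rot = kd.get("rootOfTrust")
    if rot is None:
        reasons.append("no rootOfTrust in teeEnforced list")
    else:
        if not rot["deviceLocked"]:
            reasons.append("bootloader unlocked")
        if rot["verifiedBootState"] != 0:
            reasons.append("verifiedBootState=" + BOOT_STATE.get(rot["verifiedBootState"], "?"))
    return (not reasons, reasons)


def build_sample(challenge, locked=True, boot_state=0, level=1):
    """Construct a KeyDescription as a device would emit it (sample data, made up here)."""
    root_of_trust = der(b"\x30", (
        der(b"\x04", b"\x11" * 32) +                      # verifiedBootKey (fake hash)
        der(b"\x01", b"\xff" if locked else b"\x00") +    # deviceLocked
        der(b"\x0a", bytes([boot_state])) +               # verifiedBootState
        der(b"\x04", b"\x22" * 32)))                      # verifiedBootHash (fake hash)
    tee = der(b"\x30", ctx(TAG_ROOT_OF_TRUST, root_of_trust))
    return der(b"\x30", (
        integer(200) + der(b"\x0a", bytes([level])) +     # attestationVersion / level
        integer(200) + der(b"\x0a", bytes([level])) +     # keymasterVersion / level
        der(b"\x04", challenge) + der(b"\x04", b"") +     # challenge, uniqueId
        der(b"\x30", b"") + tee))                         # softwareEnforced, teeEnforced


if __name__ == "__main__":
    nonce = b"server-nonce-123"  # constructed; a real server issues a fresh random nonce per session
    print(evaluate(build_sample(nonce), nonce))
    print(evaluate(build_sample(nonce, locked=False, boot_state=2), nonce))
```

The challenge check is what makes the decision server-side and non-static: the server issues a fresh nonce, the device binds it into the attestation inside the secure hardware, and a recorded "good" attestation from another device or session fails on replay. An unlocked bootloader or a non-Verified boot state is reported as a reason rather than silently rejected, so a deployment can decide how to treat users on custom ROMs.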
The discussion contrasts on-device attestation with cloud-based attestation solutions, such as Approov, which make the attestation decision remotely, allowing security policies to be updated dynamically and protecting both the mobile app and the APIs it calls. The importance of runtime protection against threats that do not involve defeating bootloader verification at all is also touched upon. Furthermore, the episode considers the role of Secure Elements (SE) and Secure Enclaves in protecting sensitive information. While these hardware-backed components offer strong protection for keys, the software layers above them can be attacked through hooking and emulation, especially on rooted Android devices and jailbroken iOS devices. Tools like Frida and the Xposed Framework, which can hook the app's function calls and alter the values it sees, are mentioned. The importance of a holistic approach to mobile security, combining hardware integrity checks with software hardening and runtime protections, is emphasised. Solutions like Cryptomathic's Mobile Application Security Core (MASC), which aims to protect against hooking, emulation and tampering, are noted. Links to Relevant Sites:

© 2025 iHeartMedia, Inc.