Android Explorations

The last two posts introduced app encryption , the new system key store and a few other security related features introduced in Jelly Bean. Browsing the ASOP code reveals another new feature which sits higher in the security stack than the previously discussed ones -- certificate blacklisting. In this article we will present some details about its implementation and introduce a sample app that allows us to test how blacklisting works in practice. Why blacklist certificates? In a perfect world, a working  Public Key Infrastructure (PKI) takes care of issuing, distributing and revoking certificates as necessary. All that a system needs to verify the identities of previously unknown machines and users are a few trust anchor certificates. In practice, though, there are number of issues . Those have been known for some time, but the recent breaches in top-level CAs have shown that the problems and their consequences are far from theoretical. Probably the biggest PKI issue is...

Along with all the user facing new features everyone is talking about, the latest Android release has quite a bit of security improvements under the hood. Of those only app encryption has been properly announced, while the rest remain mostly covered up by upper level APIs. This, of course, is not fair, so let's call them up (the list is probably not exhaustive): RSA and DSA key generation and signatures are now implemented in native code for better performance TLS v1.2 support improved system key store new OpenSSL interface (engine) to the system key store new key management HAL component -- keymaster hardware-backed keymaster implementation on Galaxy Nexus and Nexus 7 The first two features are mostly self-explanatory, but the rest merit some exploration. Let's look into each one in turn. System key store improvements As we have already discussed , the system key store in Android is provided by a native daemon that encrypts secrets using a key derived from the devi...

The latest Android version, 4.1 (Jelly Bean) was announced last week at Google I/O  with a bunch of new features and improvements . One of the more interesting features is app encryption, but there haven't been any details besides the short announcement: 'From Jelly Bean and forward, paid apps in Google Play are encrypted with a device-specific key before they are delivered and stored on the device.'. The lack of details is of course giving rise to guesses and speculations, some people even fear that they will have to repurchase their paid apps when they get a new device. In this article we will look at how app encryption is implemented in the OS,  show how you can install encrypted apps without going through Google Play, and take a peak at how Google Play delivers encrypted apps. OS support for encrypted apps The previous version of this article was based on Eclipse framework source packages and binary system images, and was missing a few pieces. As Jelly Bean sour...