Skip to content

Latest commit

 

History

History
227 lines (170 loc) · 15.1 KB

mitigations.md

File metadata and controls

227 lines (170 loc) · 15.1 KB

Mitigation Strategies Analysis for nextcloud/android

Mitigation Strategy: Application-Level Encryption (Android Keystore Integration)

  • Mitigation Strategy: Application-Level Encryption (Android Keystore Integration)

    • Description:

      1. Key Generation: Derive a strong encryption key from the user's Nextcloud password and a device-specific identifier (e.g., Android ID, a securely generated UUID stored in the Keystore). Use a robust KDF like PBKDF2 with a high iteration count and a random salt.
      2. Key Storage: Store the derived key exclusively in the Android Keystore System using the AndroidKeyStore provider. Configure the Keystore entry to require user authentication (fingerprint, PIN) for key access, if desired. Never store the raw key in SharedPreferences, files, or application memory.
      3. Encryption/Decryption: Before writing any file to the Android file system, encrypt it using the key from the Keystore with a strong, authenticated encryption algorithm (e.g., AES-GCM). Decrypt when reading.
      4. Key Rotation: Implement a mechanism to rotate the encryption key periodically (triggered by password changes, time interval, or remote command).
      5. Secure Wipe: On failed login attempts or remote wipe, securely erase all local data and the encryption key from the Keystore. Overwrite data multiple times using SecureRandom.
      6. Key Attestation: Use Key Attestation (if supported) to verify Keystore integrity.

    • Threats Mitigated:

      • Physical Device Theft/Loss (Severity: High): Prevents data access even if device encryption is bypassed.
      • Malware with Root Access (Severity: High): Protects data from root-level malware.
      • Data Remnants (Severity: Medium): Ensures secure deletion.
      • Unauthorized Access via Backup (Severity: Medium): Protects data if backups are compromised (if combined with backup exclusion).

    • Impact:

      • Physical Device Theft/Loss: Risk reduced from High to Low.
      • Malware with Root Access: Risk reduced from High to Low.
      • Data Remnants: Risk reduced from Medium to Low.
      • Unauthorized Access via Backup: Risk reduced from Medium to Low.

    • Currently Implemented:

      • Likely partial implementation; full Keystore integration and device-specific key strengthening might be missing.

    • Missing Implementation:

      • Full end-to-end encryption before data leaves the device.
      • Robust key rotation.
      • Secure wipe with Keystore key deletion.
      • Device-specific key strengthening.
      • Zero-knowledge mode.
      • Key Attestation.

Mitigation Strategy: Secure IPC - Intents (Android-Specific Handling)

  • Mitigation Strategy: Secure IPC - Intents (Android-Specific Handling)

    • Description:

      1. Explicit Intents: Use explicit Intents for all internal communication between app components (Activities, Services, BroadcastReceivers). Specify the target component's class name directly.
      2. Intent Filters: For components exposed to other apps, use Intent Filters, but set android:exported="false" in the manifest by default. Only set android:exported="true" if absolutely necessary.
      3. Permission Checks: For exported components, implement strict permission checks using android:permission in the manifest. Define custom Android permissions if needed.
      4. Input Validation: Rigorously validate all data in Intent extras (both explicit and implicit). Sanitize input used in file paths, database queries, or UI display. Assume all Intent data is untrusted.
      5. PendingIntents: Use the FLAG_IMMUTABLE flag when creating PendingIntent objects to prevent modification by other apps.

    • Threats Mitigated:

      • Intent Spoofing (Severity: Medium): Prevents malicious apps from sending fake Intents.
      • Intent Interception (Severity: Medium): Reduces the risk of data interception.
      • Unauthorized Access to Components (Severity: High): Prevents access to internal components.

    • Impact:

      • Intent Spoofing: Risk reduced from Medium to Low.
      • Intent Interception: Risk reduced from Medium to Low.
      • Unauthorized Access to Components: Risk reduced from High to Low.

    • Currently Implemented:

      • Likely uses explicit Intents for internal communication; Intent Filters for external interactions. Some input validation is probable.

    • Missing Implementation:

      • Comprehensive input validation for all Intent extras.
      • Consistent use of custom permissions.
      • Consistent use of FLAG_IMMUTABLE for PendingIntent objects.

Mitigation Strategy: Secure IPC - Content Providers (Android-Specific Controls)

  • Mitigation Strategy: Secure IPC - Content Providers (Android-Specific Controls)

    • Description:

      1. Export Control: Set android:exported="false" in the manifest for the Content Provider unless absolutely necessary for external access.
      2. Permissions: If exported, use android:permission, android:readPermission, and android:writePermission to enforce strict access control. Define custom Android permissions.
      3. URI Permissions: Use grantUriPermissions() sparingly, granting only temporary access to specific URIs. Revoke permissions immediately after use.
      4. Input Validation: Thoroughly validate all input received through the Content Provider (query parameters, selection arguments, data). Use parameterized queries to prevent SQL injection. Sanitize data displayed to the user.
      5. Path Traversal Prevention: Ensure file paths cannot be manipulated to access files outside the intended directory.

    • Threats Mitigated:

      • Unauthorized Data Access (Severity: High): Prevents unauthorized access via the Content Provider.
      • SQL Injection (Severity: High): Prevents SQL injection through the Content Provider.
      • Path Traversal (Severity: High): Prevents access to arbitrary files.

    • Impact:

      • Unauthorized Data Access: Risk reduced from High to Low.
      • SQL Injection: Risk reduced from High to Low.
      • Path Traversal: Risk reduced from High to Low.

    • Currently Implemented:

      • Likely has some permission checks; input validation probable, but comprehensiveness needs verification.

    • Missing Implementation:

      • android:exported="false" might not be the default.
      • Comprehensive input validation and sanitization.
      • Strict URI permission management.

Mitigation Strategy: WebView Security (Android WebView Controls)

  • Mitigation Strategy: WebView Security (Android WebView Controls)

    • Description:

      1. Disable JavaScript: If not essential, disable it: webView.getSettings().setJavaScriptEnabled(false).
      2. Enable JavaScript (Cautiously): If required, enable it only after careful consideration. (Server-side sanitization is crucial, but not Android-specific).
      3. Restrict File Access: webView.getSettings().setAllowFileAccess(false). If needed, use setAllowFileAccessFromFileURLs(false) and setAllowUniversalAccessFromFileURLs(false).
      4. Trusted Sources Only: Load content only from the trusted Nextcloud server.
      5. Content Security Policy (CSP): Implement CSP using WebViewClient.shouldInterceptRequest().
      6. WebViewAssetLoader: Use WebViewAssetLoader for local assets.
      7. Update WebView: Ensure regular WebView updates (system-handled).

    • Threats Mitigated:

      • Cross-Site Scripting (XSS) (Severity: High): Prevents malicious JavaScript injection.
      • Local File Access (Severity: High): Prevents WebView access to sensitive files.
      • Loading Malicious Content (Severity: High): Prevents loading from untrusted sources.

    • Impact:

      • Cross-Site Scripting (XSS): Risk reduced from High to Low (with server-side controls).
      • Local File Access: Risk reduced from High to Low.
      • Loading Malicious Content: Risk reduced from High to Low.

    • Currently Implemented:

      • Likely restricts file access and loads from the server; some XSS protection probable.

    • Missing Implementation:

      • JavaScript might be enabled without sufficient client-side mitigation.
      • Comprehensive CSP might be missing.
      • WebViewAssetLoader might not be used for all local assets.

Mitigation Strategy: Certificate Pinning (Android Network Security)

  • Mitigation Strategy: Certificate Pinning (Android Network Security)

    • Description:

      1. Obtain Certificate/Public Key: Get the Nextcloud server's certificate or public key.
      2. Implement Pinning: Use NetworkSecurityConfig (recommended) or a custom TrustManager. With NetworkSecurityConfig, create network_security_config.xml and specify the pin. Reference this in the manifest with android:networkSecurityConfig.
      3. Handle Pinning Failures: Implement error handling for pinning failures. Do not allow the connection.
      4. Update Pins: Plan for pin updates. Consider dynamic updates (with extreme caution).

    • Threats Mitigated:

      • Man-in-the-Middle (MITM) Attacks (Severity: High): Prevents interception with forged certificates.
      • Certificate Authority Compromise (Severity: High): Protects against compromised CAs.

    • Impact:

      • Man-in-the-Middle (MITM) Attacks: Risk reduced from High to Low.
      • Certificate Authority Compromise: Risk reduced from High to Low.

    • Currently Implemented:

      • Requires explicit implementation; not a default Android behavior. Possible, but not certain.

    • Missing Implementation:

      • Likely missing if not explicitly implemented.

Mitigation Strategy: Code Obfuscation and Anti-Tampering (Android-Specific Tools)

  • Mitigation Strategy: Code Obfuscation and Anti-Tampering (Android-Specific Tools)

    • Description:

      1. Code Obfuscation: Use ProGuard or R8 (enabled by default in release builds) to obfuscate code.
      2. Root Detection: Implement root detection (check for su binary, build tags). Warn the user or disable features on rooted devices.
      3. Integrity Checks: Calculate checksums (SHA-256) of critical files (APK, native libraries) and compare to known good values at runtime.
      4. SafetyNet Attestation: Use the SafetyNet Attestation API to verify device integrity and compatibility.

    • Threats Mitigated:

      • Reverse Engineering (Severity: Medium): Increases the difficulty of understanding the code.
      • Code Modification/Tampering (Severity: High): Detects code modification.
      • Running on Compromised Devices (Severity: Medium): Detects rooted/compromised devices.

    • Impact:

      • Reverse Engineering: Risk reduced from Medium to Low.
      • Code Modification/Tampering: Risk reduced from High to Low.
      • Running on Compromised Devices: Risk reduced from Medium to Low.

    • Currently Implemented:

      • Code obfuscation likely enabled for release builds. Root detection and integrity checks less common. SafetyNet Attestation is more advanced.

    • Missing Implementation:

      • Robust integrity checks and SafetyNet Attestation often missing.
      • Root detection might be easily bypassed.

Mitigation Strategy: Biometric Authentication (Android BiometricPrompt API)

  • Mitigation Strategy: Biometric Authentication (Android BiometricPrompt API)

    • Description:

      1. BiometricPrompt API: Use the BiometricPrompt API for all biometric authentication.
      2. Fallback Mechanism: Always provide a fallback (PIN, password).
      3. User Education: Inform users about biometric security implications.
      4. Strong Authentication for Sensitive Operations: Require a second factor (password) for sensitive actions.
      5. Cryptography best practices: Use setUserAuthenticationRequired(true) to ensure that cryptographic keys are only accessible after the user has authenticated.

    • Threats Mitigated:

      • Biometric Spoofing (Severity: Medium): Reduces the risk of bypass.
      • Unauthorized Access (Severity: Medium): Adds a layer of security.

    • Impact:

      • Biometric Spoofing: Risk reduced from Medium to Low.
      • Unauthorized Access: Risk reduced from Medium to Low.

    • Currently Implemented:

      • Likely uses BiometricPrompt if biometric authentication is supported; fallback probably in place.

    • Missing Implementation:

      • Two-factor authentication for sensitive operations might be inconsistent.
      • User education might be insufficient.

Mitigation Strategy: Secure Backup and Restore (Android Backup Controls)

  • Mitigation Strategy: Secure Backup and Restore (Android Backup Controls)

    • Description:

      1. Backup Control: Use android:allowBackup="false" to disable backups entirely, or use android:allowBackup="true" and android:fullBackupContent="@xml/backup_rules" to specify what to back up.
      2. Exclude Sensitive Data: Use the <exclude> tag in backup_rules.xml to exclude sensitive files/directories.
      3. Encrypt Backup Data: If sensitive data must be backed up, encrypt it first.
      4. Disable Auto Backup: Consider disabling auto backup (android:allowBackup="false") and providing an in-app manual, encrypted backup option.

    • Threats Mitigated:

      • Unauthorized Access to Backup Data (Severity: Medium): Prevents data exposure if the backup is compromised.

    • Impact:

      • Unauthorized Access to Backup Data: Risk reduced from Medium to Low.

    • Currently Implemented:

      • Should be excluding sensitive data, but needs verification.

    • Missing Implementation:

      • Sensitive data might not be fully excluded.
      • Encryption of backup data might be missing.
      • In-app manual backup option might be missing.