
SESSION ID: MBS-T09

Assume a hostile environment: securing mobile data in the app

Scott Alexander-Bown
Senior Mobile Developer, viaForensics
@scottyab
#RSAC

(Image: 2012-2013 Oliver Geary)

The Gap!
Goals

- Mobile devices are a hostile environment
- What are the common app vulnerabilities?
- How to protect your apps (with an Android bias)
- Questions to ask your app developers
Non Goals: There Is No 100% Security

(Image: Flickr @BigDumpTruck)
Q) Which Is More Secure?

iOS vs Android OS Vulnerabilities
Source: http://www.cvedetails.com (Dec 2013)

iOS: safer for the average hipster Joe

Android: can be hardened (power users)
The Environment Is Hostile

- Lost / stolen devices
- Open Wi-Fi networks
- SMiShing
- Untrusted ports/chargers

Devices Are Hostile Environments

- System updates
- OEM/Carrier bloatware (Android)
- MDM
- Secure containers
- System libraries, e.g. Keychain (iOS)
- Device encryption
- Side loading (Android)
- Vulnerable apps / malware

If devices are hostile environments, we focus on the app!
Common App Vulnerabilities

Common App Fails

- Not encrypting stored data
- Not using an SSL connection
- Not protecting app components
- Not validating client data
- Leaking sensitive data to the device log
Options For App Security

- MDM security SDK?
- App wrapping?
- Built-in:
  - Distribute via app stores
  - Better UX
  - Not relying on others

Build in App Security
SQL Injection

- Use compiled statements (bound parameters), never string concatenation
- Validate input

Sharing data (Android)

- Protect components
- Custom permissions
- Consider read only
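The two SQL Injection points above (bind parameters, validate input) in Android's SQLite API, as an added example written for this page and not code from the talk: the first query splices user input into SQL text and is the classic injection; the others bind the value with `?` placeholders via `rawQuery`, `query` and a compiled `SQLiteStatement`. The `notes` table, its columns and the `NotesDao` class are assumptions for illustration.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteStatement;

/** Added example: parameter binding vs. string concatenation in Android SQLite. */
public final class NotesDao {
    private final SQLiteDatabase db;

    public NotesDao(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: the user-controlled title becomes part of the SQL text.
    // title = "x' OR '1'='1" returns every row; a stray quote breaks the query.
    public Cursor findByTitleUnsafe(String title) {
        return db.rawQuery("SELECT _id, body FROM notes WHERE title = '" + title + "'", null);
    }

    // SAFE: the value travels as a bound parameter, never as SQL text,
    // so "x' OR '1'='1" is simply a title that matches nothing.
    public Cursor findByTitle(String title) {
        return db.rawQuery("SELECT _id, body FROM notes WHERE title = ?", new String[] { title });
    }

    // SAFE: query() assembles the statement from parts and binds selectionArgs.
    public Cursor findByOwner(long ownerId) {
        return db.query("notes", new String[] { "_id", "title" },
                "owner_id = ?", new String[] { String.valueOf(ownerId) },
                null, null, "title ASC");
    }

    // SAFE: a compiled statement for writes; bindString() takes care of quoting.
    public long insert(String title, String body) {
        validateTitle(title);
        SQLiteStatement stmt = db.compileStatement("INSERT INTO notes (title, body) VALUES (?, ?)");
        try {
            stmt.bindString(1, title);
            stmt.bindString(2, body);
            return stmt.executeInsert();
        } finally {
            stmt.close();
        }
    }

    // Input validation is defence in depth, not a substitute for binding:
    // reject what the app never expects (length, character class). Note that
    // an apostrophe ("O'Brien") is allowed and still safe because it is bound.
    static void validateTitle(String title) {
        if (title == null || title.isEmpty() || title.length() > 120) {
            throw new IllegalArgumentException("bad title length");
        }
        if (!title.matches("[\\p{L}\\p{N} .,'!?-]+")) {
            throw new IllegalArgumentException("bad title characters");
        }
    }
}
```

The same rule applies to a `ContentProvider` that other apps can query: build the `selection` from `?` placeholders and pass the caller's values in `selectionArgs`, and mark the provider `android:exported="false"` or guard it with a custom permission (the "Sharing data" points above) so the attack surface is not reachable by every app on the device.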
Encryption

- Assess the risk of the data you store
- Bundle your own crypto libraries
- SpongyCastle adds support for:
  - AES-GCM
  - Elliptic Curve Cryptography (ECC)
- Don't seed SecureRandom (the platform seeds it; calling setSeed() can weaken it)
Encryption: Not Storing The Key

- Password Based Encryption (PBE)
  - Generate the key from the user's PIN/password
  - KDF: the more iterations the better
  - Add an app time out to clear the key from memory
- The KeyStore provider (Android 4.3+)
  - Hardware backed (on some devices)
Encryption: Android Quick Wins

- SQLCipher: 256-bit AES encrypted SQLite database
- Secure-Preferences: obscure your app's shared preferences
- IOCipher: virtual encrypted disk
- Conceal: easy to use APIs for fast encryption and authentication of data
Force Update
Timeout / Caching

- Session timeout (app and server-side)
- Clear app data from memory
- Prevent snapshot cache (iOS)
- Exclude from recent tasks (Android)
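The Android side of the Timeout / Caching list as an added example (written for this page, not the talk's code): a base `Activity` that locks after a period of no touches, hands the wipe of in-memory secrets to the subclass, and sets `FLAG_SECURE` so the window is not captured for screenshots or the recent-tasks thumbnail. The two-minute timeout and the `SecureActivity` / `clearSecrets` names are assumptions.

```java
import android.app.Activity;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.view.MotionEvent;
import android.view.WindowManager;

/**
 * Added example: base Activity that locks after inactivity and keeps its
 * content out of screenshots and the recent-tasks thumbnail.
 */
public abstract class SecureActivity extends Activity {
    private static final long TIMEOUT_MS = 2 * 60 * 1000L;  // assumption: 2 minutes
    private final Handler handler = new Handler(Looper.getMainLooper());
    private final Runnable onTimeout = new Runnable() {
        @Override public void run() { lock(); }
    };

    /** Subclass hook: zero cached key bytes, drop tokens, tell the server to end the session. */
    protected abstract void clearSecrets();

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE: the window is excluded from screenshots and from the
        // recent-tasks thumbnail. Pair it with android:excludeFromRecents="true"
        // on the <activity> in the manifest so the task itself is not listed.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    @Override
    protected void onResume() {
        super.onResume();
        resetTimer();
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        resetTimer();  // any touch counts as activity
        return super.dispatchTouchEvent(ev);
    }

    // The timer is deliberately left running across onPause(): if the user
    // backgrounds the app and never comes back, secrets are still cleared
    // TIMEOUT_MS later instead of living in the process until it is killed.
    private void resetTimer() {
        handler.removeCallbacks(onTimeout);
        handler.postDelayed(onTimeout, TIMEOUT_MS);
    }

    /** Called on time-out: wipe in-memory data and leave the screen. */
    protected void lock() {
        handler.removeCallbacks(onTimeout);
        clearSecrets();
        finish();  // a real app would route to its PIN screen here
    }
}
```

The server-side half of "session timeout" still matters: a token the app has forgotten but the server still honours is exactly what a stolen device's backup or memory dump yields, so `clearSecrets()` should also call the server's logout endpoint.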
Q) Are you using SSL?

Q) Is Using SSL Enough?
A) No
Stronger SSL

- Use secure TLS protocol versions (TLS 1.2, or TLS 1.1 at minimum); SSL v3 is broken (POODLE) and should be disabled, not relied on
- Use secure ciphers (128-bit or stronger)
- Validate the certificates
- NetCipher: whole chain validation; Orbot: proxy via Tor
SSL Pinning

- Two types: certificate pinning and public key pinning
- Prevents compromised CAs from being trusted
- Makes MITM more difficult
Watch For This!
Tamper Detection

- Simulator/emulator check (system properties)
- Jailbreak/root check
  - Root apps (Cydia, SuperSU etc.)
  - System properties
- Validate the signing key (Android)
Anti Reversing

- Obfuscate code: ProGuard (Android)
- Restrict debugging
- Restrict logging

DexGuard (Android)

- ProGuard's bad ass brother
- Same config as ProGuard
- Not free but 1 license == apps
- Highlights:
  - One line tamper check
  - $.smali, $.smali
  - API hiding with string encryption == tough
Further Resources

- 42+ Secure mobile development best practices: http://bit.ly/viafor42
- OWASP Mobile security recommendations: http://bit.ly/owaspmobile
What To Ask?

What to ask your app developers?

- Who is building it and where?
- Are they certified? bit.ly/mobilesecuritycert
- Who has Play/App Store account access?
- How is security assessed?
  - Code reviews (including 3rd party libs)
  - Static analysis
  - Red team black box assessment
Summary

- Mobile devices are a hostile environment
- What are the common app vulnerabilities?
- How to protect your apps
- Questions to ask your app developers
Q&A | Contact | Feedback

Thanks for listening
@scottyab
github/scottyab
[email protected]
Book signing tomorrow 3:30pm

Thanks to @thomas_cannon

Build in app security.
Reference

- SpongyCastle: http://github.com/rtyley/spongycastle
- Encryption sample projects:
  - http://github.com/nelenkov/android-pbe
  - http://github.com/nelenkov/android-keystore
- AndroidPinning: https://github.com/moxie0/AndroidPinning
- NetCipher: https://github.com/guardianproject/NetCipher
- DexGuard: www.saikoa.com/dexguard
- SQLCipher: http://sqlcipher.net/sqlcipher-for-android
- Secure-Preferences: http://github.com/scottyab/secure-preferences
- IOCipher: http://guardianproject.info/code/iocipher
- Conceal: http://facebook.github.io/conceal
- Android Security Cookbook (ISBN 1782167161): http://bit.ly/MscEFu