SECURITY AS A TOP OF MIND ISSUE FOR MOBILE APPLICATION DEVELOPMENT
NOVEMBER 2017
AGENDA
▪ INTRODUCTION
▪ MOST COMMON MOBILE APPS SECURITY VULNERABILITIES
▪ TIPS FOR IMPROVING SECURITY IN MOBILE APPS
▪ Q&A
SMARTPHONES EVERYWHERE
THERE'S AN APP FOR EVERYTHING
SMARTPHONE ≈ YOUR PC
WORKING WITH CHARTS
THE OVERVIEW
https://www.statista.com/statistics/224131/number-of-new-mobile-vulnerabilities/
CYBERSECURITY PROBLEMS ARE EVERYWHERE
HOW BAD IS IT?
Nissan LEAF
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
HOW BAD IS IT?
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
HOW BAD IS IT?
The Intel Management Engine (ME)
https://arstechnica.com/information-technology/2017/11/intel-warns-of-widespread-vulnerability-in-pc-server-device-firmware/
ME’s connection architecture showing communication between network and host OS
HOW BAD IS IT?
https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
“Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely.”
“If builders built houses the way programmers build programs, the first woodpecker to come along would destroy civilization.”
— Weinberg's Second Law
EVERY PROGRAM IS A POTENTIAL TARGET
▪ LEGAL RESPONSIBILITY
▪ FINANCIAL DAMAGE
▪ REPUTATION RISKS
LEGAL RESPONSIBILITY
GDPR
(General Data Protection Regulation, Regulation (EU) 2016/679)
“Data protection by Design and by Default”
“Article 25. Data protection by Design and by Default requires that data protection is designed into the development of business processes for products and services.”
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
LEGAL RESPONSIBILITY
Law No. 133 of 08.07.2011 on the protection of personal data
“Article 30. Security of personal data processing”
"When processing personal data, the controller is obliged to take the organisational and technical measures necessary to protect personal data against destruction, alteration, blocking, copying and dissemination, as well as against other unlawful actions, measures intended to ensure a level of security appropriate to the risks presented by the processing and the nature of the data processed."
http://lex.justice.md/viewdoc.php?action=view&view=doc&id=340495&lang=1
IT WORKS != IT’S SECURE
WHERE ARE THE ANSWERS?
“The answers you seek are within you.”
LITERALLY
BIOMIMICRY
THE IMMUNE SYSTEM
THE LESSONS OF NATURE
#1 SECURITY IS NOT AN OPTION, IT'S A NECESSITY
THE LESSONS OF NATURE
#2 SECURITY IS A SYSTEM, NOT A SET OF METHODS
THE IMMUNE SYSTEM
THE LESSONS OF NATURE
#3 WE LIVE IN A CONSTANTLY CHANGING WORLD, WE NEED TO REACT FAST AND ADAPT TO CHANGE
https://imgur.com/gallery/Hutlc
THE LESSONS OF NATURE
#4 SECURITY ≈ RISK MANAGEMENT
MOST COMMON MOBILE APPS SECURITY VULNERABILITIES
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality
Top 10 Mobile Risks - Final List 2016
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Improper Platform Usage
misuse of a platform feature or failure to use platform security controls (Android intents, platform permissions, misuse of TouchID, the Keychain, or any other security control that is part of the mobile operating system)
• SharedPreferences + MODE_PRIVATE
• Explicit intents
• Manifest android:exported="false"
• file.getCanonicalPath() - YES; file.getAbsolutePath() - NO (a planted symlink, ln -s filename maliciousfilename, is only resolved by the canonical path)
• webView.getSettings().setAllowFileAccess(false)
• store session tokens, passwords, cryptography secrets in Keychain
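The canonical-path tip above, as an added example that is not code from the slides: a caller-supplied file name is resolved inside the app's private directory and rejected if, once symlinks and ".." are followed, it points elsewhere. `privateDir` is assumed to be the app's files directory (Android's getFilesDir()); the sample paths are constructed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Added example, not from the slides: confine file access to the app's private
// directory using the canonical path rather than the absolute path.
public final class SafePath {

    private SafePath() {}

    public static File resolveInside(File privateDir, String name) throws IOException {
        // getCanonicalPath() follows symlinks and collapses "..";
        // getAbsolutePath() does neither, so a planted link
        // (ln -s /some/other/file notes.txt) would pass an absolute-path prefix
        // check and still open the link target.
        String root = privateDir.getCanonicalPath();
        String resolved = new File(privateDir, name).getCanonicalPath();

        // Compare with a trailing separator so "/data/app-files2" is not
        // mistaken for something under "/data/app-files".
        if (!resolved.equals(root) && !resolved.startsWith(root + File.separator)) {
            throw new IOException("path escapes private directory: " + name);
        }
        return new File(resolved);
    }

    // Self-check on a desktop JVM; a temp directory stands in for getFilesDir().
    public static void main(String[] args) throws IOException {
        File root = Files.createTempDirectory("app-files").toFile();
        System.out.println("inside root: " + resolveInside(root, "notes.txt"));
        try {
            resolveInside(root, "../other-app/secret.txt");   // climbs out of the root
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```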
There comes a time in most men’s lives where they feel the need to raise the Black Flag.
Markdown editor (PlayStore Top 20)
Insecure Data Storage
insecure data storage and unintended data leakage
• Secure-preferences
• Secure cache
• Secure DB (SQLCipher, Encrypted Core Data, Realm+encryptionKey)
• ! URL caching (both request and response)
• ! Logging
• ! Analytics data sent to 3rd parties
Insecure Communication
(poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.)
• SSL Pinning (TrustKit, OkHttp+CertificatePinner, and alert users through the UI if the mobile app detects an invalid certificate)
• DNS Cache Poisoning Attacks
• Use strong, industry standard cipher suites with appropriate key lengths.
• Use certificates signed by a trusted CA provider.
OkHttp: https://github.com/square/okhttp/wiki/HTTPS
Alamofire: https://github.com/Alamofire/Alamofire#security
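The OkHttp+CertificatePinner tip with the "alert the user" part wired in, as an added example (not code from the slides or from OkHttp's own documentation). The hostname, the two pin values and the `PinFailureListener` interface are placeholders to be replaced by the app's real values and UI hook.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Added example, not from the slides: an OkHttp client that pins the backend's
// public key and reports a pin failure to the UI instead of silently retrying.
public final class PinnedClient {
    static final String HOST = "api.example.com";   // assumed backend host

    // Placeholder pins: use "sha256/" + base64(SHA-256 of the server's
    // SubjectPublicKeyInfo). Pin a backup key as well, otherwise a key rotation
    // on the server locks out every installed copy of the app.
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /** Assumed callback the app implements to warn the user. */
    public interface PinFailureListener {
        void onPinFailure(String host, SSLPeerUnverifiedException cause);
    }

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_CURRENT, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Returns the response body, or null when the pin check failed. */
    public static String fetch(OkHttpClient client, String url, PinFailureListener ui)
            throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() == null ? "" : response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // OkHttp throws this when no certificate in the chain matches a pin:
            // the chain may be accepted by the system trust store (for example a
            // CA added to the device) but it is not the key we expect. Do not
            // fall back to an unpinned client; warn the user and abort.
            ui.onPinFailure(HOST, e);
            return null;
        }
    }
}
```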
Insecure Authentication
authenticating the end user or bad session management
• Failing to identify the user at all when that should be required
• Failure to maintain the user's identity when it is required
• Weaknesses in session management
• If client-side storage of data is required, the data will need to be encrypted using an encryption key that is securely derived from the user’s login credentials.
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user’s password on the device.
• Mobile applications should utilize a device-specific authentication token that can be revoked within the mobile application by the user.
• Authenticating a user locally can lead to client-side bypass vulnerabilities.
Insufficient Cryptography
where cryptography was attempted, but it wasn't done correctly
• Poor Key Management Processes
• Creation and Use of Custom Encryption Protocols
• Use of Insecure and/or Deprecated Algorithms
Insecure Authorization
(authorization decisions in the client side, forced browsing, etc.).
Distinct from authentication issues (e.g., device enrolment, user identification, etc.)
• Hidden Endpoints
• User Role or Permission Transmissions (the mobile app transmits the user's roles or permissions to a backend)
Client Code Quality
security decisions via untrusted inputs
(catch-all for code-level implementation problems in the mobile client, things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device)
Code Tampering
(binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification)
• Android Root Detection (rootbeer)
• iOS Jailbreak Detection
TRIADA
Reverse Engineering
(analysis of the final core binary to determine its source code, libraries, algorithms, and other assets)
A good obfuscator will have the following abilities:
• Narrow down what methods / code segments to obfuscate;
• Tune the degree of obfuscation to balance performance impact;
• Withstand de-obfuscation from tools like IDA Pro and Hopper;
• Obfuscate string tables as well as methods
JADX
HOPPER
Extraneous Functionality
hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment
(accidentally included password as a comment in a hybrid app, disabling of 2-factor authentication during testing)
• Debug flag in configuration file
• Administrative endpoint exposed
• The backend description is written to the logs
ADDITIONAL READING
Ephemeral keys
https://github.com/cossacklabs/mobile-websocket-example
Zero Knowledge Protocols
https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff
End-to-end Encryption
https://medium.com/@cossacklabs/eli5-end-to-end-encryption-ae46821db74f
Q & A