Developing Secure Mobile Applications

neversinkhurried | Mobile – Wireless Technologies

12 Nov 2013 (3 years and 9 months ago)

Developing Secure Mobile Applications

Kelly Brown

Introduction

- Kelly Brown, CTO of About Web
- Mobile and Cybersecurity user group manager
- BS & MS Computer Science, MBA, MS in Cybersecurity Policy
- Developer for 20+ years, Web for 17 years
- MCSE+I, MCDBA, ACE, MCTS, ITIL, CISSP, CEH
- Mobile Development and Cybersecurity focus

Mobile Platforms

- Mobile phones are as powerful as desktops of ten years ago
- Treated more like appliances than a mobile computer
- Need the same security as PCs
  - Antivirus
  - Antimalware
  - Firewall
  - Application Security


Mobile Security

- Immature Platforms
- Client and Server Security
- Wild West Deployment
- Changing platforms
- New developers
- Rush to market
- Application Stores
- End user awareness

OWASP Mobile Top 10 Risks

1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decision Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure


Insecure Data Storage

- Sensitive data stored on phone
  - User name, passwords, account numbers
  - Not encrypted
- Cached data
  - User lists
  - Account lists



Insecure Data Storage

Best Practices

- Only store required information
- Don’t store sensitive data on SD card
- Encrypt data
- Don’t use world readable or writable permissions

Example: Passwords stored unencrypted in a SQLite database or text file. Bank of America was storing account and user information in a text file.
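The permissions point above is easy to check mechanically. The following is an added example, not code from the deck or from any project it mentions: it writes a local data file so that only the app's own user can read it, and audits a directory for files that other users on the device could read or write. The record contents and the directory layout are constructed for the example; on Android, app-private storage is likewise a per-app Linux user, so the same mode bits apply.

```python
import os
import stat
import tempfile

# Constructed sample record, the kind of thing an app might cache locally.
SAMPLE_RECORD = b'{"user": "alice", "account": "ACCOUNT-PLACEHOLDER"}\n'


def write_private_file(path: str, data: bytes) -> None:
    """Create (or truncate) a file that only the owning user can read or write.

    Passing the mode to os.open avoids a window in which the file exists with
    a permissive default mode; the fchmod afterwards also corrects an
    existing file that was created earlier with a loose umask.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
        os.write(fd, data)
    finally:
        os.close(fd)


def world_accessible(path: str) -> bool:
    """True if any other user on the device could read or write the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def audit_directory(root: str) -> list:
    """Return every file under root that is readable or writable by everyone."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if world_accessible(path):
                findings.append(path)
    return sorted(findings)


def demo() -> dict:
    """Create one private and one world-readable file, then audit the directory."""
    root = tempfile.mkdtemp(prefix="appdata-")
    private = os.path.join(root, "session.json")
    leaky = os.path.join(root, "cache.json")
    write_private_file(private, SAMPLE_RECORD)
    with open(leaky, "wb") as f:
        f.write(SAMPLE_RECORD)
    os.chmod(leaky, 0o644)  # the "world readable" mistake the slide warns about
    return {
        "private_ok": not world_accessible(private),
        "leaky_flagged": world_accessible(leaky),
        "findings": audit_directory(root),
    }


if __name__ == "__main__":
    print(demo())
```

Running the audit as part of a debug build is one way to catch cache files, databases and logs that were created with default permissions; encrypting their contents is still needed for data that must survive a rooted device or a backup.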


Weak Server Side Controls

- Authentication Mechanisms
- Data validation
- Server configuration


Weak Server Side Controls

Best Practices

- Many practices are well known as part of Web Server and Web Application best practices
- Account permissions
- Data permissions
- Range Checking

Example: A bank app for money transfers was not checking that the source account belonged to the user requesting the transfer, and also allowed negative values.
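The two controls missing in that example (ownership of the source account, and a sane range for the amount) are both server-side checks. The code below is an added example, not the deck's or any bank's code: a transfer handler that trusts nothing in the request, with constructed accounts, a hypothetical per-transfer limit and a walkthrough of the two failing cases.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Hypothetical policy limit for a single transfer (constructed for the example).
MAX_TRANSFER = Decimal("10000.00")


class TransferError(Exception):
    """Raised when a transfer fails a server-side control."""


@dataclass
class Account:
    account_id: str
    owner: str          # user id of the account holder
    balance: Decimal


@dataclass
class Bank:
    accounts: dict = field(default_factory=dict)

    def transfer(self, requesting_user: str, source_id: str, dest_id: str, amount) -> tuple:
        """Move `amount` from source to dest on behalf of the authenticated user.

        `requesting_user` comes from the server's own session, never from the
        request body; the client's claimed account id and amount are validated here.
        """
        # Range checking: reject non-numbers, NaN/inf, zero, negatives, oversize, odd precision.
        try:
            amount = Decimal(str(amount))
        except InvalidOperation:
            raise TransferError("amount is not a number")
        if not amount.is_finite() or amount <= 0:
            raise TransferError("amount must be a positive number")
        if amount > MAX_TRANSFER:
            raise TransferError("amount exceeds per-transfer limit")
        if amount != amount.quantize(Decimal("0.01")):
            raise TransferError("amount has more than two decimal places")

        src = self.accounts.get(source_id)
        dst = self.accounts.get(dest_id)
        if src is None or dst is None:
            raise TransferError("unknown account")
        if source_id == dest_id:
            raise TransferError("source and destination are the same account")

        # Authorization: the source account must belong to the requesting user.
        if src.owner != requesting_user:
            raise TransferError("requesting user does not own the source account")
        if src.balance < amount:
            raise TransferError("insufficient funds")

        src.balance -= amount
        dst.balance += amount
        return (src.balance, dst.balance)


def sample_bank() -> Bank:
    """Constructed sample data: two users, one account each."""
    bank = Bank()
    bank.accounts["ACC-1"] = Account("ACC-1", "alice", Decimal("500.00"))
    bank.accounts["ACC-2"] = Account("ACC-2", "bob", Decimal("100.00"))
    return bank


def demo() -> dict:
    """Exercise the legitimate path and the two checks the slide's example lacked."""
    bank = sample_bank()
    results = {}
    # Legitimate: alice moves 50 from her own account to bob's.
    results["legit"] = bank.transfer("alice", "ACC-1", "ACC-2", "50.00")
    # Ownership check: bob asks to move money out of alice's account.
    try:
        bank.transfer("bob", "ACC-1", "ACC-2", "10.00")
        results["wrong_owner"] = "allowed"
    except TransferError as e:
        results["wrong_owner"] = str(e)
    # Range check: a negative amount would silently reverse the direction of the transfer.
    try:
        bank.transfer("bob", "ACC-2", "ACC-1", "-1000.00")
        results["negative"] = "allowed"
    except TransferError as e:
        results["negative"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: cheap syntactic validation of the amount runs before any account lookup, so malformed requests are rejected without touching data, and the ownership check uses the identity the server established at login rather than anything the app sent.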


Insufficient Transport Layer Protection

- Sending data unencrypted
- Weakly encrypted data
- Ignoring certificate validation errors



Insufficient Transport Layer Protection

Best Practices

- Use SSL!
- Don’t ignore SSL server warnings

Examples: Google client login sends the token unencrypted when on Wi-Fi. Compromised root CAs issued fake Google and Microsoft certificates.
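"Don't ignore SSL server warnings" usually means a few lines of client code that disable certificate or hostname checks. The block below is an added example, not from the deck: it shows the weak client configuration next to the correct one using Python's standard `ssl` module, plus a small audit function that flags the weak settings so a build step can refuse them. It constructs contexts only and opens no connections.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """The mistake the slide warns about: certificate errors are silenced."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate, including one from a rogue CA
    return ctx


def secure_context() -> ssl.SSLContext:
    """Default client context: system trust store, CERT_REQUIRED and hostname check."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for a context; an empty list means it passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 are allowed")
    return problems


if __name__ == "__main__":
    print("secure:  ", audit_context(secure_context()))
    print("insecure:", audit_context(insecure_context()))
```

A context from `secure_context()` is used as `ctx.wrap_socket(sock, server_hostname=host)`; the `server_hostname` argument is what makes the hostname check possible, so omitting it is another way to end up with the weak configuration. The same three properties (chain validation on, hostname validation on, modern protocol floor) are what to look for when reviewing a mobile app's HTTP client setup on any platform.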

Client Side Injection

- Web based mobile apps or apps that use browser libraries
  - jQuery Mobile
  - PhoneGap
- Cross-site scripting
- SQL Injection
- Phone Dialer and SMS
- In-app payment systems


Client Side Injection

Best Practices

- Sanitize data before displaying or executing
- Use prepared statements for database calls
- Watch for native web hybrid functions
  - Opening html windows or pulling data from html

Example: Recent Yahoo hack was SQL Injection

Poor Authorization and Authentication

- Relying on values from device (device id)
  - IMEI (International Mobile Equipment Identity)
  - UUID (iDevices)
- Devices can be resold (eBay)
- Devices can be stolen
- Millions of phones are lost/stolen each year


Poor Authorization and Authentication

Best Practices

- Don’t rely on device ID or subscriber ID as the only authenticator
- Use multi-factor authentication
  - Device ID + password



Improper Session Handling

- Mobile sessions are usually much longer than Web sessions
- Mobile sessions can be handled several ways
  - HTTP cookies
  - OAuth tokens
  - SSO authentication services

Improper Session Handling

Best Practices

- Don’t use device identifier as session token
- Use session time out (apps can stay in memory for a long time)
- Ensure tokens can be revoked quickly if lost or stolen
- Ensure proper token generation

Example: Facebook mobile application, token stored unencrypted
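The authentication and session slides above fit together in one server-side component. The code below is an added example, not from the deck or any of the apps it names: a session store that issues random tokens from the OS CSPRNG only after the password check has passed, binds each session to the device id as a second factor rather than using that id as the token, expires idle sessions, and can revoke every session of a user when a device is reported lost. The clock is injected so the timeout can be exercised deterministically; the device id strings are placeholders.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

SESSION_IDLE_TIMEOUT = 15 * 60   # seconds; a constructed policy value for the example


@dataclass
class Session:
    user: str
    device_id: str
    last_seen: float


class SessionStore:
    """Server-side session table keyed by a random token (never by device id)."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so the timeout can be tested
        self._sessions = {}        # token -> Session

    def login(self, user: str, device_id: str, credential_ok: bool):
        """Issue a session once the password (verified elsewhere) has passed.

        The device id is bound to the session as a second factor; on its own
        it is never enough to get a session, since devices are resold and stolen.
        """
        if not credential_ok or not device_id:
            return None
        token = secrets.token_urlsafe(32)      # 256 bits of CSPRNG output
        self._sessions[token] = Session(user, device_id, self._clock())
        return token

    def validate(self, token: str, device_id: str):
        """Return the user for a live session presented from the bound device, else None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > SESSION_IDLE_TIMEOUT:
            del self._sessions[token]          # idle too long: the app sat in memory
            return None
        # Constant-time comparison so the binding check does not leak by timing.
        if not hmac.compare_digest(session.device_id.encode(), device_id.encode()):
            return None
        session.last_seen = now
        return session.user

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(token, None) is not None

    def revoke_user(self, user: str) -> int:
        """Kill every session of a user, e.g. after a lost or stolen device report."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


class FakeClock:
    """Constructed clock so the walkthrough can advance time deterministically."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.login("alice", "DEVICE-ID-PLACEHOLDER-1", credential_ok=True)
    out = {"issued": token is not None}
    out["device_only"] = store.login("alice", "DEVICE-ID-PLACEHOLDER-1", credential_ok=False)
    out["valid"] = store.validate(token, "DEVICE-ID-PLACEHOLDER-1")
    out["other_device"] = store.validate(token, "DEVICE-ID-PLACEHOLDER-2")
    clock.now += SESSION_IDLE_TIMEOUT + 1
    out["after_timeout"] = store.validate(token, "DEVICE-ID-PLACEHOLDER-1")
    token2 = store.login("alice", "DEVICE-ID-PLACEHOLDER-1", credential_ok=True)
    out["revoked"] = store.revoke_user("alice")
    out["after_revoke"] = store.validate(token2, "DEVICE-ID-PLACEHOLDER-1")
    return out


if __name__ == "__main__":
    print(demo())
```

Because the server keeps the table, revocation takes effect on the next request regardless of what the phone still holds; a token stored unencrypted on a lost device (the example above) is then only as dangerous as the time it takes the user to report the loss.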


Security Decision Via Untrusted Inputs

- Can be used to elevate privileges
- Can be platform specific
  - iOS
    - URL Schemes
  - Android
    - Intents
- Malicious apps
- Client side injection


Security Decision Via Untrusted Inputs

Best Practices

- Check permission at input boundaries
- Prompt user for authorization before allowing changes to sensitive data


Side Channel Data Leakage

- Caused by programming flaws and device features
- Sensitive data ends up in unintended places
  - Web caches
  - Keystroke logging
  - Screenshots (i.e. iOS backgrounding)
  - Logs (invalid login attempts)
  - Temp directories
- Understand what 3rd party libraries are doing with your data (ad networks, analytics)



Side Channel Data Leakage

Best Practices

- Don’t log sensitive data (PII, login credentials)
- Remove sensitive data before screenshots are taken, disable keystroke logging per field, and utilize anti-caching directives for web content
- Debug your apps before releasing them to observe files created, written to, or modified in any way
- Carefully review any third party libraries you introduce and the data they consume
- Test your applications across as many platform versions as possible


Broken Cryptography

- Two primary categories
  - Broken implementations using strong crypto libraries
  - Custom, easily defeated crypto implementations
- Encoding != encryption
- Obfuscation != encryption
- Serialization != encryption


Broken Cryptography

Best Practices

- Don’t store encryption keys with data
- Use tested/validated encryption libraries
- Don’t write your own encryption
- Use built-in encryption libraries of devices

Example: Base64 is not encryption

Sensitive Information Disclosure

- Hard coded values in application
  - Passwords
  - API keys
  - Business Logic
- Apps can be reverse engineered/decompiled
- Code obfuscation helps, but isn’t foolproof
- Anything in your mobile application is not safe!


Sensitive Information Disclosure

Best Practices

- Don’t store private API keys in the app
  - Credit card processing keys
- Store sensitive information/business logic on the server side
- Don’t hard code passwords into your app!

Questions and Comments