Developing Secure Mobile Applications


12 Nov. 2013


Developing Secure Mobile Applications

Kelly Brown


Kelly Brown, CTO of About Web

Mobile and Cybersecurity user group manager

BS & MS Computer Science, MBA, MS in Cybersecurity Policy

Developer for 20+ years, Web for 17 years


Mobile Development and Cybersecurity focus

Mobile Platforms

Mobile phones are as powerful as desktops of ten years ago

Treated more like appliances than a mobile computer

Need the same security as PCs




Application Security

Mobile Security

Immature Platforms

Client and Server Security

Wild West Deployment

Changing platforms

New developers

Rush to market

Application Stores

End user awareness

OWASP Mobile Top 10 Risks

Insecure Data Storage

Weak Server Side Controls

Insufficient Transport Layer Protection

Client Side Injection

Poor Authorization and Authentication

Improper Session Handling

Security Decision Via Untrusted Inputs

Side Channel Data Leakage

Broken Cryptography

Sensitive Information Disclosure

Insecure Data Storage

Sensitive data stored on phone

User name, passwords, account numbers

Not encrypted

Cached data

User lists

Account lists

Insecure Data Storage

Best Practices

Only store required information

Don’t store sensitive data on SD card

Encrypt data

Don’t use world readable or writable permissions

Example: Passwords stored unencrypted in
SQLite database or text file. Bank of America
was storing account and user information in text
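The "don't use world readable or writable permissions" point above is easy to check mechanically. The following is an added example, not code from the slides: it writes a file with owner-only permissions, shows the careless alternative beside it, and audits a directory for anything other users can read. It uses POSIX file modes (the same model Android inherits from Linux; on Android you would reach for `Context.MODE_PRIVATE` instead), and the file names and contents are constructed for the demo.

```python
import os
import stat
import tempfile


def write_private_file(path: str, data: bytes) -> None:
    """Create (or truncate) a file that only its owner can read or write.

    The mode is applied at creation time via os.open so there is no window
    where the file exists with the process's default umask permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    # os.open does not change the mode of a file that already existed; enforce it.
    os.chmod(path, 0o600)


def is_world_accessible(path: str) -> bool:
    """True if any 'other' permission bit (read, write or execute) is set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))


def find_world_accessible(directory: str) -> list:
    """Audit helper: list files under directory that other users can access."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if is_world_accessible(full):
                found.append(full)
    return sorted(found)


def demo() -> dict:
    """Write one careless and one careful file into a temp dir, then audit it."""
    workdir = tempfile.mkdtemp(prefix="appdata-")
    careless = os.path.join(workdir, "session.txt")
    careful = os.path.join(workdir, "session.private")

    # Careless: plain open() followed by a world-readable mode (constructed example).
    with open(careless, "wb") as fh:
        fh.write(b"token=constructed-example-value\n")
    os.chmod(careless, 0o644)

    # Careful: owner-only from the moment the file exists.
    write_private_file(careful, b"token=constructed-example-value\n")

    return {
        "careless_exposed": is_world_accessible(careless),
        "careful_exposed": is_world_accessible(careful),
        "audit": [os.path.basename(p) for p in find_world_accessible(workdir)],
    }


if __name__ == "__main__":
    print(demo())
```

Running `find_world_accessible` over an app's data directory during testing is a cheap way to catch the "files created, written to, or modified" problems the deck mentions later under side channel leakage.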

Weak Server Side Controls

Authentication Mechanisms

Data validation

Server configuration

Weak Server Side Controls

Best Practices

Many practices are well known as part of
Web Server and Web Application best

Account permissions

Data permissions

Range Checking

Example: Bank app for money transfers
was not checking owner of account to
ensure it belonged to user requesting
transfer, also allowed negative values
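The money-transfer example above fails two server-side checks at once: ownership of the source account and range checking of the amount. The code below is an added illustration, not the bank app or anything from the slides; it models the server half of such a transfer with constructed accounts and performs every check on the server, treating whatever the client sent as untrusted.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation


class TransferError(Exception):
    """Raised when a transfer request fails a server-side check."""


@dataclass
class Account:
    account_id: str
    owner: str
    balance: Decimal


@dataclass
class Bank:
    accounts: dict = field(default_factory=dict)

    def transfer(self, requesting_user: str, src_id: str, dst_id: str, amount) -> Decimal:
        """Move funds from src to dst on behalf of requesting_user.

        requesting_user comes from the authenticated session, never from the
        request body. All validation happens here; client-side checks are
        treated as a convenience for the user, not as a control.
        """
        # Range checking: reject non-numeric, NaN/inf, zero and negative amounts.
        try:
            amount = Decimal(str(amount))
        except InvalidOperation:
            raise TransferError("amount is not a number")
        if not amount.is_finite() or amount <= 0:
            raise TransferError("amount must be a positive number")

        src = self.accounts.get(src_id)
        dst = self.accounts.get(dst_id)
        if src is None or dst is None:
            raise TransferError("unknown account")

        # Ownership check: the caller may only debit an account they own.
        if src.owner != requesting_user:
            raise TransferError("requesting user does not own the source account")

        if src.balance < amount:
            raise TransferError("insufficient funds")

        src.balance -= amount
        dst.balance += amount
        return src.balance


def demo_bank() -> Bank:
    """Constructed accounts for the example: alice owns A-1, bob owns B-1."""
    bank = Bank()
    bank.accounts["A-1"] = Account("A-1", "alice", Decimal("100.00"))
    bank.accounts["B-1"] = Account("B-1", "bob", Decimal("20.00"))
    return bank


if __name__ == "__main__":
    bank = demo_bank()
    print(bank.transfer("alice", "A-1", "B-1", "30.50"))  # alice's new balance
```

The order of the checks is deliberate: amount validation happens before any account lookup so that a malformed request cannot be used to probe which account ids exist.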

Insufficient Transport Layer Protection

Sending data unencrypted

Weakly encrypted data

Ignoring certificate validation errors

Insufficient Transport Layer Protection

Best Practices

Use SSL!

Don’t ignore SSL server warnings

Examples: Google client login sends its
token unencrypted when on Wi-Fi.
Compromised root CAs issued fake
Google and Microsoft certificates
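"Don't ignore SSL server warnings" usually shows up in code as a client that disables certificate or hostname verification. As an added example (not from the slides), here is what the hardened and the careless configurations look like with Python's standard `ssl` module, plus a small audit function that flags the weak settings; the findings strings are constructed for this example.

```python
import ssl


def hardened_tls_context() -> ssl.SSLContext:
    """Context that verifies the server certificate chain AND the hostname."""
    ctx = ssl.create_default_context()  # loads the system CA store, CERT_REQUIRED
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1
    return ctx


def careless_tls_context() -> ssl.SSLContext:
    """What 'ignoring SSL warnings' looks like in code: every certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise for this context (empty = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_tls_context()))
    print("careless:", audit_context(careless_tls_context()))
```

The careless context is the same thing as `verify=False` in a `requests` call, or a trust manager that accepts every chain on Android: with it, the compromised-CA problem from the slide is not even needed, because any certificate at all will be accepted.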

Client Side Injection

Web based mobile apps or apps that use
browser libraries

jQuery Mobile


Cross-site scripting

SQL Injection

Phone Dialer and SMS

app payment systems

Client Side Injection

Best Practices

Sanitize data before displaying or

Use prepared statements for database

Watch for native web hybrid functions

Opening HTML windows or pulling data from

Example: Recent Yahoo hack was SQL

Poor Authorization and Authentication

Relying on values from device (device id)

IMEI (International Mobile Equipment Identity)

UUID (iDevices)

Devices can be resold (eBay)

Devices can be stolen

Millions of phones are lost/stolen each year

Poor Authorization and Authentication

Best Practices

Don’t rely on device ID or subscriber ID as
only authenticator

Use multi-factor authentication

Device ID + password

Improper Session Handling

Mobile sessions are usually much longer
than Web sessions

Mobile sessions can be handled several

HTTP cookies

OAuth tokens

SSO authentication services

Improper Session Handling

Best Practices

Don’t use device identifier as session

Use session time out (apps can stay in
memory for a long time)

Ensure tokens can be revoked quickly if
lost or stolen

Ensure proper token generation

Example: Facebook mobile application,
token stored unencrypted
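The authentication best practices (device ID + password rather than device ID alone) and the session best practices (proper token generation, time-outs, quick revocation) fit naturally into one server-side component. The class below is an added example, not from the slides or from any of the apps named; it uses only the Python standard library, with PBKDF2 for password storage, the OS CSPRNG for tokens, and a deliberately short constructed time-to-live. The `now` parameter exists so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time


class AuthServer:
    """Constructed example of server-side login and session handling."""

    SESSION_TTL = 15 * 60          # seconds; short because the app may sit in memory for days
    PBKDF2_ITERATIONS = 100_000    # constructed for the example; tune for your hardware

    def __init__(self):
        self._users = {}      # username -> (salt, pbkdf2 digest)
        self._devices = {}    # username -> set of enrolled device ids
        self._sessions = {}   # token -> (username, expires_at)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ITERATIONS)

    def register(self, username: str, password: str, device_id: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))
        self._devices.setdefault(username, set()).add(device_id)

    def login(self, username: str, password: str, device_id: str, now=None):
        """Device ID + password: the device id is a second factor, never the only one."""
        now = time.time() if now is None else now
        record = self._users.get(username)
        if record is None:
            return None
        salt, expected = record
        if not hmac.compare_digest(self._hash(password, salt), expected):
            return None
        if device_id not in self._devices.get(username, ()):
            return None
        # Proper token generation: 256 random bits from the OS, unrelated to
        # the device id, the user name or the time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + self.SESSION_TTL)
        return token

    def validate(self, token: str, now=None):
        """Return the user for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]   # expired tokens are dropped, like revoked ones
            return None
        return username

    def revoke(self, token: str) -> bool:
        """Log out one session; True if the token was live."""
        return self._sessions.pop(token, None) is not None

    def revoke_all_for(self, username: str) -> int:
        """Lost or stolen phone: kill every session of that user at once."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == username]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "correct horse", "device-constructed-1")
    token = server.login("alice", "correct horse", "device-constructed-1")
    print(server.validate(token))  # alice
```

Because the session table is keyed by the random token and not by the device id, a resold or stolen phone carries nothing that can be replayed once `revoke_all_for` has run.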

Security Decision Via Untrusted Inputs

Can be used to elevate privileges

Can be platform specific


URL Schemes



Malicious apps

Client side injection

Security Decision Via Untrusted Inputs

Best Practices

Check permission at input boundaries

Prompt user for authorization before
allowing changes to sensitive data

Side Channel Data Leakage

Caused by programming flaws and device

Sensitive data ends up in untended places

Web caches

Keystore logging

Screenshots (i.e. iOS backgrounding)

Logs (invalid login attempts)

Temp directories

Understand what 3rd party libraries are doing with
your data (ad networks, analytics)

Side Channel Data Leakage

Best Practices

Don’t log sensitive data (PII, login credentials)

Remove sensitive data before screenshots are
taken, disable keystroke logging per field, and
utilize anti-caching directives for web content

Debug your apps before releasing them to
observe files created, written to, or modified in
any way

Carefully review any third party libraries you
introduce and the data they consume

Test your applications across as many platform
versions as possible
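"Don't log sensitive data" is easiest to enforce centrally rather than at every call site. The following added example (not from the slides) is a `logging.Filter` for Python's standard library that rewrites each record before any handler writes it, masking credential-style fields, card-number-like digit runs and e-mail addresses. The field names and patterns are constructed for the example and would be tuned to a real app's data.

```python
import logging
import re


# Patterns for values that must never reach a log (constructed for this example).
_PATTERNS = [
    # key=value or "key": "value" pairs whose key looks credential-like
    (re.compile(r'(?i)\b(password|passwd|pwd|token|secret|session)'
                r'(["\']?\s*[:=]\s*["\']?)([^\s"\'&,]+)'),
     r"\1\2[REDACTED]"),
    # 13-19 digit runs that look like payment card numbers
    (re.compile(r"\b\d{13,19}\b"), "[PAN-REDACTED]"),
    # e-mail addresses (PII)
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL-REDACTED]"),
]


def redact(text: str) -> str:
    """Apply every redaction pattern to one already-formatted message."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Formats the record's message, redacts it, and clears the args so no
    handler can re-render the original values."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True   # never drops records, only rewrites them


def build_logger(name: str = "app") -> logging.Logger:
    """Logger with the redacting filter attached at the logger level, so it
    applies to every handler added later."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    return logger


if __name__ == "__main__":
    logging.basicConfig(format="%(levelname)s %(message)s")
    log = build_logger()
    # Constructed "invalid login attempt" line of the kind the slide warns about.
    log.info("login failed for %s password=%s from %s", "bob", "hunter2", "bob@example.com")
```

The 13-19 digit rule will also hit millisecond timestamps and similar long numbers; that trade-off (over-redaction) is usually acceptable for application logs, where the alternative is leaking a card number.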

Broken Cryptography

Two primary categories

Broken implementations using strong crypto

Custom, easily defeated crypto

Encoding != encryption

Obfuscation != encryption

Serialization != encryption

Broken Cryptography

Best Practices

Don’t store encryption keys with data

Use tested/validated encryption libraries

Don’t write your own encryption

Use built in encryption libraries of devices

Example: Base64 is not encryption

Sensitive Information Disclosure

Hard-coded values in application


API keys

Business Logic

Apps can be reverse

Code obfuscation helps, but isn’t foolproof

Anything in your mobile application is not

Sensitive Information Disclosure

Best Practices

Don’t store private API keys on app

Credit card processing keys

Store sensitive information/business logic
on the server side

Don’t hard code passwords into your app!

Questions and Comments