developing secure mobile apps by alexandru catariov endava
Post on 21-Oct-2014
Developing Secure Mobile Apps
Alexandru Catariov
IN YOUR ZONE 2
What is the Information Security?
How much is the mobile world exposed?
Connected to the Internet and other computer networks
Many apps store data locally…
• …to improve user experience
• …to save traffic
• …for temporary use
There is a lot of user data
Many sensitive data inputs
…and last but not least, mobile is physically more vulnerable
The good news is that mobile OSes take measures to increase security…
• Sandboxing
• User permissions
• Protected API
• Encrypted file system
• App signing
• Remote wipe
…but the bad news is that the army of bad guys grows as well
• Rooting or jailbreaking
• Malware
• Viruses
• Spoofing
• Tampering
The primary data type targeted by attackers in 2012, as in 2011, was customer records (cardholder data, personal information, email addresses).
96%
Source: 2013 Global Security Report
The number of mobile malware samples is rising very fast; the notable one is toll fraud.
[Chart: share (%) of Toll Fraud malware, Other malware and Spyware, Q3 2011 to Q2 2012]
What can you as a developer do?
Avoid storing or sending confidential/sensitive data…
…otherwise, do not use a plain format
• Use cryptography
• Use a hash function such as MD5, SHA-1, etc.
• Use the local KeyChain or KeyStore, but do not rely on them
Ensure secure storage
• Use the App Sandbox
• Use internal storage
• Clear temporary data after use
• Use cryptography
• Perform input validation
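As an added example (not from the slides), this is how the advice of the two slides above could be implemented on Android: the sensitive value is encrypted with an AES-GCM key that lives in AndroidKeyStore, written only to app-private internal storage inside the sandbox, and deleted after use. GCM's authentication tag also detects tampering with the file, which the MD5 and SHA-1 named above cannot be trusted to do any more, as neither is collision-resistant. The class, key alias and file name are hypothetical, and the code assumes API level 23 or higher.

```java
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.DataInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
/** Hypothetical helper written for this example (not from the slides); needs API 23+. */
public final class SecureTokenStore {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "session_token_key"; // assumed key alias
    private static final String FILE = "session_token.bin";  // assumed file name
    private static final int IV_LEN = 12;                    // AES-GCM nonce size
    // The AES key is generated inside AndroidKeyStore: the app never sees the raw key bytes, so no secret is hardcoded.
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256).build());
        return kg.generateKey();
    }
    /** Encrypts the token (fresh KeyStore-chosen IV) and writes IV || ciphertext to app-private internal storage. */
    public static void save(Context ctx, String token) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        byte[] iv = c.getIV(); // 12 bytes, generated by the KeyStore
        try (FileOutputStream out = ctx.openFileOutput(FILE, Context.MODE_PRIVATE)) { // MODE_PRIVATE: sandboxed
            out.write(iv);
            out.write(c.doFinal(token.getBytes(StandardCharsets.UTF_8)));
        }
    }
    /** Reads the file back; doFinal throws if the ciphertext or IV were modified (GCM tag check). */
    public static String load(Context ctx) throws Exception {
        byte[] blob = new byte[(int) ctx.getFileStreamPath(FILE).length()];
        try (DataInputStream in = new DataInputStream(ctx.openFileInput(FILE))) {
            in.readFully(blob);
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(128, blob, 0, IV_LEN));
        return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
    }
    /** "Clear temporary data after use": remove the stored token when the session ends. */
    public static boolean clear(Context ctx) { return ctx.deleteFile(FILE); }
}
```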
Apply the OWASP Top 10 to secure interaction with servers
• Strong authorization & authentication
• Ensure proper session handling
• Strong encryption
• Validate untrusted input
Interprocess communication can also be vulnerable
• Avoid using network sockets and shared files
• Use OS mechanisms instead
Apply anti-debug and anti-reversing measures
• Obfuscation
• Remove logging code
• Don’t use hardcoded sensitive data
• Don’t implement custom encryption
Perform security testing
• Test on a jailbroken or rooted device
• Use static code analysis tools – Fortify, Veracode
You cannot be 100% safe…
…but you can make it hard – Defense in Depth
[Illustration: Oak → Chest → Rabbit → Duck → Egg → Needle]
Resources
• Security Best Practices for Android developers: https://developer.android.com/guide/practices/security.html
• iOS Security Overview: https://developer.apple.com/library/ios/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html
• OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• Trustwave SpiderLabs blog: http://blog.spiderlabs.com
Alex Catariov | Development Discipline | [email protected] | +373 79400205 | Skype alex.catariov
Thank you