Session ID: MBS-T09
Assume a hostile environment: securing mobile data in the app
Scott Alexander-Bown, Senior Mobile Developer, viaForensics (@scottyab)
#RSAC
Image credit: ©2012-2013 Oliver Geary
The Gap!
Goals
Mobile devices are a hostile environment
What are the common app vulnerabilities
How to protect your apps (with an Android bias)
Questions to ask your app developers
Non Goals: There Is No 100% Security
Image credit: Flickr @BigDumpTruck
Q) Which Is More Secure?
iOS vs Android OS vulnerabilities (chart; source: http://www.cvedetails.com, Dec 2013)
iOS: Safer for average hipster Joe
Android can be hardened (power users)
The Environment Is Hostile
Lost / Stolen
Open Wi-Fi networks
SMiShing
Untrusted ports/chargers
Devices Are Hostile Environments
System updates
OEM/Carrier bloatware (Android)
MDM
Secure Containers
System libraries, e.g. Keychain (iOS)
Device Encryption
Side load (Android)
Vulnerable apps / malware
If devices are hostile environments, we focus on the app!
Common App Vulnerabilities
Common App Fails
Not encrypting stored data
Not using SSL/TLS connections
Not protecting app components
Not validating client data
Leaking sensitive data to the device log
Options For App Security
MDM security SDK?
App wrapping?
Built-in: distribute via app stores, better UX, not relying on others
Build in App Security
SQL injection: use compiled (parameterised) statements; validate input
Sharing data (Android): protect components; custom permissions; consider read-only access
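The two points above in code, as an added example (not code from the talk): the same SQLite lookup written the injectable way and the compiled-statement way, plus the manifest entries that lock down the component exposing the table. The table `notes(_id, owner, body)`, the package name `com.example.notes` and the permission names are assumptions for the example.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteStatement;

// Added example, not code from the talk. Assumes a hypothetical table
// notes(_id INTEGER PRIMARY KEY, owner TEXT, body TEXT).
public final class NotesDao {
    private final SQLiteDatabase db;

    public NotesDao(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: user input is pasted into the SQL text. owner = "x' OR '1'='1"
    // turns the WHERE clause into  owner = 'x' OR '1'='1'  and returns every row;
    // "x' --" comments out the closing quote and anything after it.
    public Cursor notesForOwnerUnsafe(String owner) {
        String sql = "SELECT _id, body FROM notes WHERE owner = '" + owner + "'";
        return db.rawQuery(sql, null);
    }

    // SAFE: the statement is compiled with a placeholder and the value is bound
    // separately, so SQLite treats it as data whatever characters it contains.
    public Cursor notesForOwner(String owner) {
        return db.rawQuery("SELECT _id, body FROM notes WHERE owner = ?",
                new String[] { owner });
    }

    // The query() helper assembles the statement and binds selectionArgs the same way.
    public Cursor notesForOwnerViaQuery(String owner) {
        return db.query("notes", new String[] { "_id", "body" },
                "owner = ?", new String[] { owner }, null, null, "_id DESC");
    }

    // Writes use a compiled statement too. Binding stops injection; the explicit
    // validation enforces what the app considers a sane value.
    public long insert(String owner, String body) {
        if (owner == null || owner.isEmpty() || owner.length() > 64) {
            throw new IllegalArgumentException("bad owner");
        }
        if (body == null || body.length() > 4000) {
            throw new IllegalArgumentException("bad body");
        }
        SQLiteStatement stmt = db.compileStatement(
                "INSERT INTO notes(owner, body) VALUES (?, ?)");
        try {
            stmt.bindString(1, owner);
            stmt.bindString(2, body);
            return stmt.executeInsert();   // new row id, or -1 on failure
        } finally {
            stmt.close();
        }
    }
}

/* Protecting the component that exposes this table to other apps
   (AndroidManifest.xml, assumed package name com.example.notes):

   <permission android:name="com.example.notes.READ_NOTES"
               android:protectionLevel="signature" />
   <permission android:name="com.example.notes.WRITE_NOTES"
               android:protectionLevel="signature" />
   <provider android:name=".NotesProvider"
             android:authorities="com.example.notes"
             android:exported="true"
             android:readPermission="com.example.notes.READ_NOTES"
             android:writePermission="com.example.notes.WRITE_NOTES" />

   protectionLevel="signature" grants the permission only to apps signed with
   the same key. If no other app needs the provider, android:exported="false"
   is simpler; if others only need to read, keep writePermission set so the
   provider is read-only to them. */
```

A ContentProvider that forwards a caller-supplied `selection` string straight into `query()` is a second injection surface even when the app's own queries are parameterised; build such queries with `SQLiteQueryBuilder` and `setStrict(true)` (API 14+), or whitelist the columns callers may filter on.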
Encryption
Assess the risk of the data stored
Bundle your own crypto libraries; SpongyCastle adds support for AES-GCM and Elliptic Curve Cryptography (ECC)
Don't seed the SecureRandom class
Encryption: Not Storing The Key
Password Based Encryption (PBE): generate a key from the user's PIN/password
KDF: the more iterations the better
Add an app timeout to clear the key from memory
The KeyStore provider (Android 4.3+): hardware-backed on some devices
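The PBE scheme from the last two slides as an added example (not code from the talk or from the referenced sample projects): the data key is derived from the passphrase with PBKDF2 and a random salt, used with AES-GCM, never written to storage, and wiped on the app timeout. The iteration count, sizes and class name are the example's own choices.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the talk. Only the salt, IV and ciphertext ever
// touch disk; the key exists in memory between unlock() and wipe().
public final class PassphraseCrypto {
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;        // 96-bit GCM nonce
    private static final int TAG_BITS = 128;
    private static final int KEY_BITS = 256;
    // Tune so that unlock() takes roughly half a second on the slowest device you support.
    private static final int ITERATIONS = 64000;

    private static final SecureRandom RNG = new SecureRandom();   // never seeded by the app

    private byte[] keyBytes;   // null while locked

    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;              // store next to the ciphertext; it is not secret
    }

    // Derive the key from the passphrase (login). The passphrase is cleared afterwards.
    public void unlock(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            keyBytes = f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
            Arrays.fill(passphrase, '\0');
        }
    }

    // Returns iv || ciphertext || tag.
    public byte[] encrypt(byte[] plaintext) throws Exception {
        requireUnlocked();
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);        // fresh IV per message; IV reuse under one key breaks GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key(), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    // Throws (AEADBadTagException) if the blob was modified or the key is wrong.
    public byte[] decrypt(byte[] blob) throws Exception {
        requireUnlocked();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    // Called from the app timeout, logout or screen lock.
    public void wipe() {
        if (keyBytes != null) {
            Arrays.fill(keyBytes, (byte) 0);
            keyBytes = null;
        }
    }

    private SecretKey key() {
        return new SecretKeySpec(keyBytes, "AES");
    }

    private void requireUnlocked() {
        if (keyBytes == null) throw new IllegalStateException("locked: no key in memory");
    }
}
```

Two caveats a practitioner will hit. `SecretKeySpec` copies the key bytes, so `wipe()` clears the app's own copy but cannot guarantee the JVM holds no other; the timeout still limits the window. `AES/GCM/NoPadding` comes from the JDK on the desktop but not from every Android release's bundled provider; where it is missing, register SpongyCastle first (`Security.insertProviderAt(new org.spongycastle.jce.provider.BouncyCastleProvider(), 1)`). Android 4.4 also changed how non-ASCII passphrase characters are encoded for `PBKDF2WithHmacSHA1`; data written on earlier versions with such passphrases needs the `PBKDF2WithHmacSHA1And8BIT` algorithm name to decrypt. Where the user should not have to type anything, the AndroidKeyStore provider (4.3+) can generate a key that never leaves the device instead.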
Encryption: Android Quick Wins
SQLCipher: 256-bit AES encryption of the SQLite database
Secure-Preferences: 'obscure' your app's shared preferences
IOCipher: virtual encrypted disk
Conceal: easy-to-use APIs for fast encryption and authentication of data
Force Update
Timeout / Caching
Session timeout, app and server-side
Clear app data from memory
Prevent snapshot cache (iOS)
Exclude from recent tasks (Android)
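The Android half of that slide as an added example (not code from the talk): an Activity base class that locks after a period of no user interaction, and keeps its window out of screenshots and the recents thumbnail. The timeout value and the `onInactivityTimeout()` hook are the example's own; what it clears is app-specific.

```java
import android.app.Activity;
import android.os.Bundle;
import android.os.Handler;
import android.view.WindowManager;

// Added example, not code from the talk. Manifest side (assumed package), which
// keeps the task out of the recent-apps list entirely:
//   <activity android:name=".SecureActivity" android:excludeFromRecents="true" />
public abstract class SecureActivity extends Activity {
    private static final long TIMEOUT_MS = 5 * 60 * 1000L;   // 5 minutes without user interaction

    private final Handler handler = new Handler();
    private final Runnable lockTask = new Runnable() {
        @Override
        public void run() {
            onInactivityTimeout();
        }
    };

    // Subclasses wipe keys, session tokens and displayed data here and return to the login screen.
    // The server session must expire on its own schedule too; the client timer is not a substitute.
    protected abstract void onInactivityTimeout();

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE: no screenshots, no thumbnail in the recents switcher, not mirrored to insecure displays.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
    }

    @Override
    public void onUserInteraction() {
        super.onUserInteraction();
        resetTimer();          // any touch or key event restarts the countdown
    }

    @Override
    protected void onResume() {
        super.onResume();
        resetTimer();
    }

    @Override
    protected void onPause() {
        super.onPause();
        handler.removeCallbacks(lockTask);
        // Stricter policies lock here as well, so nothing sensitive survives backgrounding.
    }

    private void resetTimer() {
        handler.removeCallbacks(lockTask);
        handler.postDelayed(lockTask, TIMEOUT_MS);
    }
}
```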
Q) Are you using SSL?
Q) Is Using SSL Enough?
A) No
Stronger SSL
Use secure protocol versions (TLS 1.1/1.2; not SSL v3 or earlier)
Use secure ciphers (128 bit or higher)
Validate the certificates: whole-chain validation
Tools: NetCipher (certificate validation); Orbot (proxy over Tor)
SSL Pinning
Two types: certificate pinning and public key pinning
Prevents compromised CAs from being trusted
Makes MITM more difficult
Watch For This!
Tamper Detection
Simulator/emulator check: system properties
Jailbreak/root check: root apps (Cydia, SuperSU etc.), system properties
Validate signing key (Android)
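The three Android checks as an added example (not code from the talk): signing-certificate validation against a known hash, root indicators, emulator indicators, and a debuggable-build check that belongs with the "restrict debugging" point on the next slide. `EXPECTED_SIGNER_SHA256` is a placeholder; the su paths, package names and property values are the usual heuristics and will not catch every device.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.File;
import java.security.MessageDigest;

// Added example, not code from the talk. None of these checks is tamper-proof:
// a rooted device or a repackaged app can patch them out, so feed the result
// into a server-side risk decision rather than a single local if-statement.
public final class TamperChecks {
    // SHA-256 of the release signing certificate (DER), hex. PLACEHOLDER: take the real
    // value from  keytool -printcert -jarfile app-release.apk
    private static final String EXPECTED_SIGNER_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Is this APK signed with our release key? Catches repackaged or re-signed builds.
    public static boolean signedByUs(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : pi.signatures) {
                byte[] der = sig.toByteArray();   // the signer's X.509 certificate
                byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
                if (hex(d).equalsIgnoreCase(EXPECTED_SIGNER_SHA256)) return true;
            }
        } catch (Exception e) {
            // fall through: failing to read our own signature is treated as tampering
        }
        return false;
    }

    // Root indicators: su binaries, root-manager apps, and builds signed with test keys.
    public static boolean looksRooted(Context ctx) {
        String[] suPaths = { "/system/bin/su", "/system/xbin/su", "/sbin/su",
                             "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su" };
        for (String p : suPaths) {
            if (new File(p).exists()) return true;
        }
        String[] rootApps = { "eu.chainfire.supersu", "com.noshufou.android.su",
                              "com.koushikdutta.superuser" };
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : rootApps) {
            try {
                pm.getPackageInfo(pkg, 0);
                return true;
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed
            }
        }
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    // Emulator indicators: system properties of the stock SDK images.
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
            || Build.MODEL.contains("google_sdk")
            || Build.MODEL.contains("Emulator")
            || Build.MODEL.contains("Android SDK built for x86")
            || "goldfish".equals(Build.HARDWARE)
            || "ranchu".equals(Build.HARDWARE);
    }

    // A debuggable build in the wild lets anyone attach a debugger and read app memory.
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

`signedByUs()` is the same comparison DexGuard's one-line tamper check performs; the difference is that DexGuard also hides the expected hash and the call site from a decompiler, which is what makes the check worth more than the few seconds it takes to find in plain ProGuard output. `GET_SIGNATURES` is the API of the platform this talk targets; it was later deprecated in favour of `GET_SIGNING_CERTIFICATES`.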
Anti Reversing
Code obfuscation: ProGuard (Android)
Restrict debugging
Restrict logging
DexGuard (Android)
ProGuard's bad-ass brother
Same config as ProGuard
Not free, but 1 license == ∞ apps
Highlights: one-line tamper check; obfuscated class names such as 囃$鷭.smali, Œ$鷭.smali; API hiding with string encryption == tough to reverse
Further Resources
42+ secure mobile development best practices: http://bit.ly/viafor42
OWASP mobile security recommendations: http://bit.ly/owaspmobile
What To Ask?
What to ask your app developers?
Who is building it and where?
Are they certified? bit.ly/mobilesecuritycert
Who has Play/App Store account access?
How is security assessed? Code reviews (including 3rd-party libs), static analysis, red-team black-box assessment
Summary
Mobile devices are a hostile environment
What are the common app vulnerabilities
How to protect your apps
Questions to ask your app developers
Q&A | Contact | Feedback
Thanks for listening…
@scottyab
github/scottyab
Book signing tomorrow 3:30pm
Thanks to @thomas_cannon
Build in app security.
References
SpongyCastle - http://github.com/rtyley/spongycastle
Encryption sample projects:
http://github.com/nelenkov/android-pbe
http://github.com/nelenkov/android-keystore
AndroidPinning - https://github.com/moxie0/AndroidPinning
NetCipher - https://github.com/guardianproject/NetCipher
DexGuard - www.saikoa.com/dexguard
SQLCipher - http://sqlcipher.net/sqlcipher-for-android
Secure-Preferences - http://github.com/scottyab/secure-preferences
IOCipher - http://guardianproject.info/code/iocipher
Conceal - http://facebook.github.io/conceal
Android Security Cookbook, ISBN 1782167161 - http://bit.ly/MscEFu