How to make Android apps secure: Dos and don’ts

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.

Uploaded by nowsecure on 24-Jan-2017 (19 slides)

TRANSCRIPT

Page 1: How to make Android apps secure: Dos and don’ts

Page 2

Connect with us

Follow us on Twitter @NowSecureMobile

NowSecure’s Secure Mobile Development Best Practices

www.nowsecure.com/resources/secure-mobile-development/

Visit our website https://www.nowsecure.com

Page 3

Jake Van Dyke, Mobile security researcher

Sam Bakken, Content marketing manager

Page 4

Pokemon GO

Read the NowSecure blog post about security risks and Pokemon GO:

https://www.nowsecure.com/blog/2016/07/12/pokemon-go-security-risks-what-cisos-and-security-pros-need-to-know/

Page 5

Contents

● Overview

● Android app security fails

● Dos and don’ts

● Questions

Page 6

Overview

Page 7

25% of apps include a high-risk flaw (Mary Meeker, Internet Trends 2016)

x

33 apps installed on the average device

=

>8 vulnerable apps on a device

444,213 vulnerable apps in the average global enterprise (see Page 8)

Source: 2016 NowSecure Mobile Security Report

Page 8

53,844 devices in the average global enterprise

444,213 vulnerable apps residing on dual-use devices in the average global enterprise

Ponemon Institute, The Economic Risk of Confidential Data on Mobile Devices in the Workplace

Page 9

Recent Android security developments

● Static analysis on apps submitted to Google Play

● Detecting links to third-party libraries

● Android Nougat

○ File system permission changes

○ Sharing files between apps

○ NDK apps linking to platform libraries

○ Android for Work apps

○ The Crypto security provider (and its SHA1PRNG) is deprecated

○ Changes to trusted certificate authorities (CA)

https://developer.android.com/preview/behavior-changes.html

General tightening of security in the OS and SDK to provide a “safety net”
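The two Nougat changes in the list above that most often break an existing app, shown as an added example (this is not code from the deck or from NowSecure). The package name, the FileProvider authority "com.example.app.fileprovider" and the assumption that its <paths> entry covers getFilesDir() are all made up for the example:

```java
// Added example (not from the NowSecure deck): adapting to two of the Android
// 7.0 behavior changes listed above. Assumed: the app's package is
// "com.example.app", a FileProvider is declared in the manifest with authority
// "com.example.app.fileprovider", and its <paths> covers getFilesDir().
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;

import java.io.File;
import java.security.SecureRandom;

public final class NougatCompat {
    private static final String AUTHORITY = "com.example.app.fileprovider"; // assumed

    // File system permission changes / sharing files between apps.
    // Apps targeting API 24 get a 0700 private directory, and handing a
    // file:// URI to another app throws FileUriExposedException. That kind of
    // sharing only ever worked because the file was world-readable. A
    // content:// URI from FileProvider grants the receiver temporary read
    // access to this one file, enforced by the framework, with nothing else
    // loosened.
    public static Intent shareReport(Context ctx, File report) {
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, report);
        return new Intent(Intent.ACTION_SEND)
                .setType("application/pdf")
                .putExtra(Intent.EXTRA_STREAM, uri)
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
    }

    // Crypto provider / SHA1PRNG deprecated. Code that called
    // SecureRandom.getInstance("SHA1PRNG", "Crypto") and then setSeed(password)
    // to "derive" a key stops working on API 24+, and it was never a sound KDF:
    // the output was fully determined by the seed. Take keys from the platform
    // default SecureRandom (seeded by the kernel) and never call setSeed() on it.
    public static byte[] randomKey(int lengthBytes) {
        byte[] key = new byte[lengthBytes];
        new SecureRandom().nextBytes(key);
        return key;
    }
}
```

If a key really has to come from a password, use a key-derivation function (SecretKeyFactory with "PBKDF2WithHmacSHA1" is available on every API level) rather than a seeded PRNG; the SHA1PRNG trick was the most common reason apps depended on the Crypto provider.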

Page 10

Android app security fails

Page 11

Vulnerabilities in the Vitamio SDK

“World Writable Code Is Bad, MMMMKAY” (NowSecure Blog)

Relevant best practice

Test third party libraries

“Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code.”
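What "world writable code" looks like in practice, and how to test a third-party library for it, as an added example that is not code from the deck, from NowSecure or from the Vitamio SDK. The file names and the "code" directory are assumptions:

```java
// Added example, not from the deck or the Vitamio SDK: the pattern behind the
// "world writable code" post is an SDK extracting native code or dex into a
// location other apps can write to, then loading it. File and directory
// names are assumed.
import android.content.Context;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.ArrayList;
import java.util.List;

public final class CodeStorage {
    // DON'T: MODE_WORLD_WRITEABLE (throws SecurityException for apps targeting
    // API 24+) or external storage. Any app on the device can replace
    // plugin.dex between extraction and load, and its code then runs with this
    // app's uid and permissions.
    @SuppressWarnings("deprecation")
    public static File extractUnsafe(Context ctx, InputStream dexFromAssets) throws IOException {
        try (OutputStream out = ctx.openFileOutput("plugin.dex", Context.MODE_WORLD_WRITEABLE)) {
            copy(dexFromAssets, out);
        }
        return new File(ctx.getFilesDir(), "plugin.dex");
    }

    // DO: extract into an app-private directory, mark the file read-only, and
    // refuse to load it if either the file or its directory is world-writable.
    public static File extractSafe(Context ctx, InputStream dexFromAssets) throws IOException {
        File dir = ctx.getDir("code", Context.MODE_PRIVATE); // owner-only directory
        File dex = new File(dir, "plugin.dex");
        try (OutputStream out = new FileOutputStream(dex)) {
            copy(dexFromAssets, out);
        }
        dex.setReadOnly();
        if (isWorldWritable(dex) || isWorldWritable(dir)) {
            throw new IOException("refusing to load code from world-writable path " + dex);
        }
        return dex; // safe to hand to DexClassLoader
    }

    // Check the actual mode bits rather than trusting how the file was created;
    // an SDK may have chmod'ed it after the fact.
    public static boolean isWorldWritable(File f) {
        try {
            StructStat st = Os.stat(f.getAbsolutePath());
            return (st.st_mode & OsConstants.S_IWOTH) != 0;
        } catch (ErrnoException e) {
            return true; // cannot prove it is safe, so treat it as unsafe
        }
    }

    // Audit helper for testing third-party libraries: list every world-writable
    // entry under a directory, e.g. the app's data dir after an SDK initializes.
    public static List<File> findWorldWritable(File root) {
        List<File> hits = new ArrayList<>();
        File[] children = root.listFiles();
        if (children == null) return hits;
        for (File c : children) {
            if (isWorldWritable(c)) hits.add(c);
            if (c.isDirectory()) hits.addAll(findWorldWritable(c));
        }
        return hits;
    }

    private static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
    }
}
```

Run findWorldWritable over the app's data directory in an instrumentation test after every bundled SDK has initialized, and fail the build on a non-empty result; the same check from a shell is `ls -l` on the app's data directory via adb on a rooted or debuggable device. Loading code from external storage fails the same test by construction, since that storage is shared.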

Page 12

SwiftKey vulnerabilities (CVE-2015-4640 & CVE-2015-4641)

“Remote Code Execution as System User on Samsung Phones” (NowSecure Blog)

Relevant best practices

Fully validate SSL/TLS

“An application not properly validating its connection to the server is susceptible to a man-in-the-middle attack by a privileged network attacker.”

Embrace least permissions

Page 13

Developing secure apps for Android: Dos and don’ts

Page 14

Secure Mobile Development Best Practices (SMDBP)

Review the NowSecure Secure Mobile Development Best Practices in their entirety: https://www.nowsecure.com/resources/secure-mobile-development/

Page 15

Android

● Implement File Permissions Carefully

● Implement Intents Carefully

● Check Activities

● Use Broadcasts Carefully

● Implement Pending Intents Carefully

● Protect Application Services

● Avoid Intent Sniffing

● Implement Content Providers Carefully

● Follow WebView Best Practices

● Avoid Storing Cached Camera Images

● Avoid GUI Objects Caching

● Sign Android APKs
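The intent-related items in the list above (intents, broadcasts, pending intents, services, intent sniffing, activities) in one added example; this is not code from the deck or from NowSecure. The package, permission and component names are assumptions, and the permission is assumed to be declared in the manifest at signature protection level:

```java
// Added example (not from the NowSecure deck): intent-handling patterns
// behind several of the bullets above. Package, class and permission names
// are assumed.
import android.app.Activity;
import android.app.PendingIntent;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Build;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

public final class IntentHygiene {
    // Assumed: declared in this app's manifest with
    // android:protectionLevel="signature", so only apps signed with our key hold it.
    static final String PERM_INTERNAL = "com.example.app.permission.INTERNAL";
    static final String ACTION_EVENT = "com.example.app.EVENT";

    // Implement intents carefully / avoid intent sniffing: an implicit intent
    // (action only) is delivered to whichever app registers a matching filter,
    // so its extras can be read by a malicious app. Name the target component.
    public static Intent toOwnService(Context ctx, String payload) {
        return new Intent(ctx, SyncService.class).putExtra("payload", payload);
    }

    // Use broadcasts carefully: limit delivery to our own package and require
    // the receiver to hold PERM_INTERNAL. Without both, every app with a
    // receiver for ACTION_EVENT sees the extras.
    public static void sendInternalBroadcast(Context ctx, String event) {
        Intent i = new Intent(ACTION_EVENT).setPackage(ctx.getPackageName()).putExtra("event", event);
        ctx.sendBroadcast(i, PERM_INTERNAL);
    }

    // Implement PendingIntents carefully: a PendingIntent runs with our identity.
    // If it wraps a blank or implicit Intent and is mutable, the app we hand it
    // to can fill in a component and start any of our non-exported activities
    // as us. Use an explicit target and FLAG_IMMUTABLE (API 23+).
    public static PendingIntent openDetail(Context ctx, long recordId) {
        Intent target = new Intent(ctx, DetailActivity.class).putExtra("id", recordId);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) flags |= PendingIntent.FLAG_IMMUTABLE;
        return PendingIntent.getActivity(ctx, 0, target, flags);
    }

    // Protect application services: for a started service put android:permission
    // on the <service> in the manifest, because onStartCommand runs outside the
    // caller's Binder transaction and checkCallingPermission cannot see who
    // called. For a bound service, check inside the transaction, where the
    // calling uid is known. (With AIDL, do the same check at the top of each
    // generated method implementation.)
    public static final class SyncService extends Service {
        private final IBinder binder = new Binder() {
            @Override
            protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                    throws RemoteException {
                if (checkCallingPermission(PERM_INTERNAL) != PackageManager.PERMISSION_GRANTED) {
                    throw new SecurityException("uid " + Binder.getCallingUid() + " lacks " + PERM_INTERNAL);
                }
                return super.onTransact(code, data, reply, flags);
            }
        };

        @Override public IBinder onBind(Intent intent) { return binder; }
    }

    // Check activities: an exported activity can be started with arbitrary
    // extras by any app, so validate what the launching intent carries before
    // acting on it.
    public static final class DetailActivity extends Activity {
        @Override protected void onResume() {
            super.onResume();
            long id = getIntent().getLongExtra("id", -1);
            if (id < 0) finish();
        }
    }
}
```

Components that are only used inside the app should additionally carry android:exported="false" in the manifest; the permission checks above are for the ones that must be reachable from other apps.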

Page 16

Coding practices

● Increase Code Complexity and Use Obfuscation

● Avoid Simple Logic

● Test Third-Party libraries

● Implement Anti-tamper Techniques

● Securely Store Sensitive Data in RAM

● Understand Secure Deletion of Data

● Avoid Query String for Sensitive Data


Caching and logging

● Avoid Caching App Data

● Avoid Crash Logs

● Limit Caching of Username

● Carefully Manage Debug Logs

● Be Aware of the Keyboard Cache

● Be Aware of Copy and Paste
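"Securely Store Sensitive Data in RAM" and "Carefully Manage Debug Logs" from the lists above, as one added example (not code from the deck or from NowSecure). The login function, the tag and the DEBUG constant are assumptions; in a real build DEBUG would be BuildConfig.DEBUG:

```java
// Added example (not from the NowSecure deck): handling a credential in
// memory and keeping it out of logs. The authenticate() stub, the log tag and
// the DEBUG constant are assumptions for the example.
import android.util.Log;

import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public final class SecretHandling {
    private static final String TAG = "Auth";
    // Stand-in for BuildConfig.DEBUG so the example compiles on its own.
    static final boolean DEBUG = false;

    // DON'T: a String password stays in the heap until the collector gets to
    // it, shows up in heap dumps, and cannot be wiped. Logging it sends it to
    // logcat, readable by anyone with adb (and, on Android 4.0 and earlier, by
    // any app holding READ_LOGS).
    public static boolean loginUnsafe(String user, String password) {
        Log.d(TAG, "login user=" + user + " pw=" + password);
        return authenticate(user, password.getBytes(StandardCharsets.UTF_8));
    }

    // DO: keep the secret in arrays you can zero, hand it to the consumer, and
    // wipe every copy in finally. Log only what you would accept in a bug
    // report from a stranger, and only in debug builds.
    public static boolean loginSafe(String user, char[] password) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] raw = new byte[encoded.remaining()];
        encoded.get(raw);
        try {
            return authenticate(user, raw);
        } finally {
            Arrays.fill(raw, (byte) 0);
            Arrays.fill(password, '\0');
            if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0); // the encoder's copy
            if (DEBUG) Log.d(TAG, "login attempted for " + redact(user));
        }
    }

    // Enough to correlate log lines, not enough to identify the account.
    static String redact(String s) {
        if (s == null || s.length() < 4) return "***";
        return s.substring(0, 2) + "***" + s.substring(s.length() - 1);
    }

    // Hypothetical stand-in for the real check, which would go to the server
    // over validated TLS; it is here only so the example is complete.
    private static boolean authenticate(String user, byte[] password) {
        return user != null && password.length >= 8;
    }
}
```

The char[] only helps if nothing upstream turned the password into a String first: read it from the EditText with getText() into a CharSequence and copy characters out, and mark the field with inputType textPassword so the keyboard does not add it to its dictionary (the "keyboard cache" item above).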

Page 17

Handling sensitive data

● Implement Secure Data Storage

● Use SECURE Setting For Cookies

● Fully validate SSL/TLS

● Protect Against SSL Downgrade attacks

● Limit Use of UUID

● Treat Geolocation Data Carefully

● Institute Local Session Timeout

● Implement Enhanced / Two-Factor Authentication

● Protect Application Settings

● Hide Account Numbers and Use Tokens

● Implement Secure Network Transmission of Sensitive Data

● Validate Input From Client
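"Fully validate SSL/TLS" appears both here and under the SwiftKey case on Page 12; one added example covers both (it is not code from the deck, from NowSecure or from the SwiftKey write-up). It shows the trust-everything setup that produces the man-in-the-middle condition the quote describes, beside a connection that keeps default validation and adds certificate pinning. The host name and the pin value are placeholders:

```java
// Added example, not from the deck or the SwiftKey write-up: the
// "accept anything" TLS setup found in many apps, beside a validating one
// with certificate pinning. HOST and PIN_SHA256 are assumed placeholders.
import android.util.Base64;

import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsValidation {
    static final String HOST = "api.example.com"; // assumed
    // Assumed value: base64(SHA-256(DER SubjectPublicKeyInfo of the server key)).
    static final String PIN_SHA256 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

    // DON'T. This is the usual "fix" for an SSLHandshakeException. A
    // TrustManager that never throws plus a HostnameVerifier that always
    // returns true means any certificate for any name is accepted, so an
    // attacker on the network path presents a self-signed certificate and
    // reads and rewrites every request.
    public static HttpsURLConnection openUnsafe(String url) throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(sc.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // DO. Leave the default trust manager and hostname verifier in place (they
    // check the chain against the system CA store and match the host name) and
    // pin on top: after the handshake, compare the leaf certificate's SPKI hash
    // with the expected value and abort on mismatch, before sending or reading
    // anything sensitive.
    public static HttpsURLConnection openPinned(String path) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://" + HOST + path).openConnection();
        conn.connect(); // handshake with default chain and hostname validation
        Certificate[] chain = conn.getServerCertificates(); // leaf first
        if (chain.length == 0 || !PIN_SHA256.equals(spkiSha256(chain[0]))) {
            conn.disconnect();
            throw new IOException("certificate pin mismatch for " + HOST);
        }
        return conn;
    }

    // Pin the public key, not the whole certificate, so a routine renewal with
    // the same key does not break the app.
    static String spkiSha256(Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.encodeToString(digest, Base64.NO_WRAP);
    }
}
```

Ship a backup pin for the next key and an expiry date for the pin set, or a key rotation becomes an outage. On API 24+ the same pinning (with backup pins and expiry) can be declared in the Network Security Config instead of code, which also covers the Nougat CA change on Page 9: apps targeting 24 no longer trust user-installed CAs by default, so a proxy added by the user no longer passes validation while a compromised or rogue public CA still would, which is what the pin is for.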

Page 18

Webviews

● Prevent Framing and Clickjacking

● Protect against CSRF with form tokens

Servers

● Implement Proper Web Server Configuration

● Properly Configure Server-side SSL

● Use Proper Session Management

● Protect and Pen Test Web services

● Protect Internal Resources

Page 19

Let’s talk - submit questions using the chat function in the GoToWebinar interface

+1 [email protected]

Learn more about developing secure Android and iOS apps with the NowSecure Secure Mobile Development Best Practices -

www.nowsecure.com/resources/secure-mobile-development/