The fundamentals of Android and iOS app security

Uploaded by nowsecure on 24-Jan-2017 (category: Technology)

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

The fundamentals of Android and iOS app security


Andrew Hoog, CEO | NowSecure, @[email protected]

● Computer scientist, mobile security and forensics researcher

● Author, expert witness, and patent-holder

● Regularly briefs senior government officials and top banking institutions about mobile security


Contents

● Too many apps are vulnerable

● Security needs to be part of the development workflow

● Secure mobile development best practices

● Automated security testing and continuous integration (CI) in practice


Too many mobile apps are vulnerable


Real-world examples of mobile app security failures

● Starbucks: Thieves siphoned money out of users’ accounts using the mobile app (via USA Today)

● Ola: India’s largest startup, with $1.1B in funding, was hacked to allow unlimited free rides (via The Next Web)

● Hulu and Tinder: App vulnerabilities offered access to free premium accounts (via CNBC)


A quarter of mobile apps are vulnerable: 25% of mobile apps have at least one high-risk security or privacy flaw.

2016 NowSecure Mobile Security Report


More popular apps are more likely to include a security flaw (share of apps with a security flaw, by download count):

100K-500K downloads: 37%

1M-5M downloads: 46%

5M-10M downloads: 50%

2016 NowSecure Mobile Security Report


[Chart: issues within apps downloaded more than 1 million times, comparing apps exposing sensitive data with apps with security flaws]

2016 NowSecure Mobile Security Report


The roots of the mobile app security problem

● Developers aren’t trained in developing secure mobile apps

● Tools that identify mobile security flaws aren’t kept up-to-date

● Mobile app security is assumed (if it’s considered at all)

● Time and budget are not committed to mobile app security


Why make security a part of the mobile app development workflow?


Almost half of orgs deploy weekly or more often

https://blog.newrelic.com/2016/02/04/data-culture-survey-results-faster-deployment/


Developing with security in mind saves you time

[Figure: relative cost of fixing a defect by development phase: Requirements / Architecture; Coding; Integration / Component Testing; System / Acceptance Testing; Production / Post-Release. Source: National Institute of Standards and Technology]

The cost (time, money, etc.) of fixing defects is 30x higher after an app has been deployed.


[Figure: continuous delivery pipeline across the Development / Integration, Staging and Production environments. The dev team checks in to version control, which triggers Build & Unit Tests, then Automated Acceptance Tests, then User Acceptance Tests and Release; stages are connected by triggers and approvals, and each stage feeds back to the Engineer, QA and DevOps roles.]

Shift security & performance testing to the left


Secure mobile development best practices


Source material for mobile app security fundamentals

● OWASP Top 10 Mobile Risks (draft 2016 update)

● 42+ tips for building secure mobile apps


1. Improper Platform Usage

OWASP MOBILE TOP 10 2016 DRAFT


Misuse of a platform feature or lack of platform security controls for the Android or iOS operating systems. Issues may include incorrect use of the keychain on iOS or Android intents.


Best practice(s):

Android - Implement Intents Carefully: Intents are used for inter-component signaling. Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated.

https://books.nowsecure.com/secure-mobile-development/en/android/implement-intents-carefully.html

iOS - Use the Keychain Carefully: iOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted.

https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html


2. Insecure Data Storage

OWASP MOBILE TOP 10 2016 DRAFT


Vulnerabilities that leak personal information and provide access to hackers.


1 in 10 apps leak private, sensitive data like email, username, or password

NowSecure: 2016 NowSecure Mobile Security Report

Data from testing 400,000 mobile apps


Best practice(s):

Implement secure data storage: Transmit and display but do not persist to memory. Ensure that an analog leak does not present itself where screenshots of the data are written to disk. Store only in RAM (clear at application close).

https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/implement-secure-data-storage.html

Securely store data in RAM: Do not keep sensitive data (e.g., encryption keys) in RAM longer than required. Nullify any variables that hold keys after use.

https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html


3. Insecure Communication

OWASP MOBILE TOP 10 2016 DRAFT


Insecure communication refers to communications being sent in cleartext as well as other insecure methods.


Example: SwiftKey vulnerabilities (CVE-2015-4640 & CVE-2015-4641)

Best practice(s):

Fully validate SSL/TLS: An application not properly validating its connection to the server is susceptible to a man-in-the-middle attack by a privileged network attacker.

https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/fully-validate-ssl-tls.html
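The "not properly validating" failure usually means a trust manager or delegate that accepts any certificate. The added example below (not NowSecure's code) shows the weak client configuration beside the corrected one, using Python's ssl module as a stand-in for the platform TLS stack, and adds a certificate pin check on top of chain validation. The certificate bytes, host name and pin values are constructed placeholders; a real app would pin against the server's actual certificate or public key and keep a backup pin for rotation.

```python
"""Client TLS: the 'trust everything' configuration beside full validation plus pinning.

Added example (not NowSecure's code). Certificate bytes below are constructed.
"""
import hashlib
import hmac
import ssl


def weak_context():
    """Accepts any certificate for any host: a privileged network attacker
    can interpose a proxy and read or alter every request unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validated_context():
    """Full validation: chain checked against the trust store, hostname matched,
    and legacy protocol versions refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_peer(ctx):
    """True only when both the chain and the hostname are verified."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_pin(der_bytes):
    """SHA-256 over the DER certificate the app expects to see."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(presented_der, pinned_hashes):
    """Constant-time comparison of the presented certificate against the pin set.
    Run this after validated_context() has accepted the connection, never instead of it."""
    presented = cert_pin(presented_der)
    return any(hmac.compare_digest(presented, p) for p in pinned_hashes)


# Constructed stand-ins; a real client would take the peer certificate from
# SSLSocket.getpeercert(binary_form=True) on the established connection.
GOOD_CERT = b"-- constructed DER bytes for api.example.com --"
BACKUP_CERT = b"-- constructed DER bytes for the next key rotation --"
ROGUE_CERT = b"-- constructed DER bytes from an interposed proxy --"
PINS = [cert_pin(GOOD_CERT), cert_pin(BACKUP_CERT)]

if __name__ == "__main__":
    print("weak context verifies peer:     ", verifies_peer(weak_context()))
    print("validated context verifies peer:", verifies_peer(validated_context()))
    print("expected certificate pinned:    ", pin_matches(GOOD_CERT, PINS))
    print("interposed certificate pinned:  ", pin_matches(ROGUE_CERT, PINS))
```

The order of the two assignments in weak_context() is the tell-tale pattern to grep for in a code review: disabling hostname checking and then dropping verify_mode to CERT_NONE is exactly the "accept anything" setting the best practice warns against.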


4. Insecure Authentication

OWASP MOBILE TOP 10 2016 DRAFT


Mobile apps need to securely identify a user and maintain that user’s identity, especially when users are calling and sending sensitive data such as financial information.


Best practice(s):

Hide Account Numbers and Use Tokens: Given the widespread use of mobile apps in public places, displaying partial numbers (e.g. *9881) can help ensure maximum privacy for this information. Unless there is a need to store the complete number on the device, store the partially hidden numbers.

https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/hide-account-numbers-and-use-tokens.html


5. Insufficient Cryptography

OWASP MOBILE TOP 10 2016 DRAFT


The process behind encryption and decryption may allow a hacker to decrypt sensitive data.

The algorithm behind encryption and decryption may be weak in nature.


Best practice(s):

Implement secure data storage: If storing sensitive data on the device is a requirement, add an additional layer of verified, third-party encryption. By adding another layer of encryption, you have more control over the implementation and mitigate attacks focused on the main OS encryption classes.

https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/implement-secure-data-storage.html


6. Insecure Authorization

OWASP MOBILE TOP 10 2016 DRAFT


Insecure authorization refers to the failure of a server to properly enforce identity and permissions as stated by the mobile app.


Best practice(s):

Implement Proper Web Server Configuration: Certain settings on a web server can increase security. One commonly overlooked vulnerability on a web server is information disclosure. Information disclosure can lead to serious problems because every piece of information attackers can gain from a server makes staging an attack easier.

https://books.nowsecure.com/secure-mobile-development/en/servers/web-server-configuration.html
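Information disclosure by the backend is easy to test for automatically: capture the response headers from the staging server and fail the build when they reveal software versions or omit basic hardening headers. The script below is an added example (not NowSecure's code); the response, server software and version strings it inspects are a constructed sample.

```python
"""CI check: audit HTTP response headers for information disclosure and missing hardening.

Added example (not NowSecure's code). The response below is constructed.
"""
import re

# Headers that tell anyone who asks which software (and often which version) runs the server.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Headers a mobile API backend should always send.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: clients may be downgraded to plain HTTP",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
}
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted version number inside a header value

# Constructed sample response from a hypothetical staging server.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""


def parse_headers(raw):
    """Parse a raw response head into a lowercase-keyed dict (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Return findings as (severity, message); an empty list means the check passed."""
    headers = parse_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        # A bare product name is a low finding; a version string lets an attacker
        # look up known issues for exactly that release.
        severity = "high" if VERSION_RE.search(value) else "low"
        findings.append((severity, "%s header discloses '%s'" % (name, value)))
    for name, message in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append(("medium", message))
    return findings


if __name__ == "__main__":
    for severity, message in audit_headers(SAMPLE_RESPONSE):
        print("[%s] %s" % (severity, message))
```

The fix for the high findings is server-side configuration (for example, suppressing the version in the Server header and removing X-Powered-By), which is exactly the kind of setting the best practice says is commonly overlooked.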


7. Client Code Quality

OWASP MOBILE TOP 10 2016 DRAFT


Risks that come from vulnerabilities like buffer overflows, format-string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.


Example: Vulnerabilities in the Vitamio SDK (NowSecure Blog: World Writable Code Is Bad, MMMMKAY)

Best practice(s):

Test third-party libraries: Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested; however, issues can and do exist in their code.

https://books.nowsecure.com/secure-mobile-development/en/coding-practices/test-third-party-libraries.html


8. Code Tampering

OWASP MOBILE TOP 10 2016 DRAFT


Code tampering occurs when attackers tamper with or install a backdoor on an app, re-sign it, and publish the malicious version to third-party app marketplaces.


Example: Pokemon GO

● 50M downloads in 19 days on Android alone

● Within 3 days of initial release, malicious DroidJack software found on third-party app stores

● Remote Access Tool (RAT) can open a silent backdoor for hackers

Source: The Hacker News


Best practice(s):

Implement Anti-Tampering Techniques: Employ anti-tamper and tamper-detection techniques to prevent illegitimate applications from executing. Use checksums, digital signatures, and other validation mechanisms to help detect file tampering.

https://books.nowsecure.com/secure-mobile-development/en/coding-practices/anti-tamper-techniques.html
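The checksum-and-signature idea in the best practice can be made concrete as an integrity manifest: at build time record the SHA-256 of every bundled asset and authenticate the list; at start-up recompute the hashes and refuse to run if anything was modified, added or removed. The block below is an added example, not NowSecure's code. The files and the build key are constructed, and the HMAC stands in for the digital signature a real release build would apply with a private key (the app would then carry only the public key).

```python
"""Integrity manifest: detect modified, added or removed files in an app bundle.

Added example (not NowSecure's code). Files and key are constructed; the HMAC is a
stand-in for a real digital signature.
"""
import hashlib
import hmac
import json

# Constructed stand-ins for files shipped inside the app bundle.
RELEASE_FILES = {
    "assets/config.json": b'{"api": "https://api.example.com"}',
    "lib/libnative.so": b"\x7fELF constructed native library bytes",
    "assets/pricing.js": b"function price(n){return n*1.0;}",
}
# Constructed build-time key. A real build signs with a private key kept off the
# device; the app verifies with the embedded public key.
BUILD_KEY = b"constructed-build-time-key"


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, key):
    """Return (manifest_json, tag): per-file SHA-256 plus an authentication tag over the list."""
    digests = {name: _digest(data) for name, data in sorted(files.items())}
    manifest_json = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, manifest_json.encode(), hashlib.sha256).hexdigest()
    return manifest_json, tag


def verify_bundle(files, manifest_json, tag, key):
    """Return (ok, problems). Editing a file changes its hash; editing the manifest
    to match breaks the tag, which cannot be recomputed without the key."""
    expected = hmac.new(key, manifest_json.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, ["manifest authentication failed"]
    digests = json.loads(manifest_json)
    problems = []
    for name in sorted(set(digests) | set(files)):
        if name not in files:
            problems.append("missing: " + name)
        elif name not in digests:
            problems.append("unexpected: " + name)
        elif _digest(files[name]) != digests[name]:
            problems.append("modified: " + name)
    return not problems, problems


if __name__ == "__main__":
    manifest, tag = build_manifest(RELEASE_FILES, BUILD_KEY)
    print("pristine bundle:  ", verify_bundle(RELEASE_FILES, manifest, tag, BUILD_KEY))
    # A repackaged copy with the pricing logic patched.
    repackaged = dict(RELEASE_FILES, **{"assets/pricing.js": b"function price(n){return 0;}"})
    print("repackaged bundle:", verify_bundle(repackaged, manifest, tag, BUILD_KEY))
```

Tamper detection raises the cost of repackaging rather than eliminating it: whoever can patch an asset can also try to patch the check itself, so the verification routine belongs alongside the platform's own signature checks and server-side attestation rather than as the only control.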


9. Reverse Engineering

OWASP MOBILE TOP 10 2016 DRAFT


Reverse engineering refers to the analysis of a final binary to determine its source code, libraries, algorithms, and more.


Best practice(s):

Increase Code Complexity and Use Obfuscation: Reverse engineering apps can provide valuable insight into how your app works. Making your app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors.

https://books.nowsecure.com/secure-mobile-development/en/coding-practices/code-complexity-and-obfuscation.html


10. Extraneous Functionality

OWASP MOBILE TOP 10 2016 DRAFT


Developers frequently include hidden backdoors or security controls they do not plan on releasing into production.

This error creates risk when a feature is released to the wild that was never intended to be shared.


Example: MediaTek

● Manufacturer of hardware chips and processors for mobile devices

● A debug tool, intended for carriers to test network connections, was left open on shipped devices

Source: The Hacker News


Best practice(s):

Carefully Manage Debug Logs

Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack.

https://books.nowsecure.com/secure-mobile-development/en/caching-logging/carefully-manage-debug-logs.html
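Leaky debug logging is another check that fits the automated CI testing the deck closes with. The scanner below is an added example (not NowSecure's code): it walks source lines, finds Android Log.* / NSLog / print-style calls, and reports those whose arguments mention credentials, tokens, account numbers or similar sensitive names. The Java and Swift lines it scans are constructed.

```python
"""CI check: find debug-log calls whose arguments carry sensitive values.

Added example (not NowSecure's code). Source lines below are constructed.
"""
import re

# Logging calls on Android (Log.*), iOS (NSLog) and generic print statements.
LOG_CALL_RE = re.compile(
    r"\b(Log\.(?:v|d|i|w|e|wtf)|NSLog|System\.out\.println|println|print)\s*\(")
# Identifiers that should never reach a log, matched case-insensitively.
SENSITIVE_RE = re.compile(
    r"\b(password|passwd|pwd|token|secret|session|cookie|ssn|account(?:number|_number)?|pin|cvv)\b",
    re.IGNORECASE)

# Constructed sample: lines from two hypothetical source files.
SAMPLE_SOURCES = {
    "LoginActivity.java": [
        'Log.d(TAG, "login attempt for " + username + " / " + password);',
        'Log.i(TAG, "login screen shown");',
        'Log.v(TAG, "auth token=" + token);',
        'if (BuildConfig.DEBUG) Log.d(TAG, "debug build");',
    ],
    "AccountViewController.swift": [
        'NSLog("account number: \\(accountNumber)")',
        'NSLog("refreshing balance view")',
    ],
}


def scan_source(sources):
    """Return (file, line_no, line) for every log call that mentions sensitive data."""
    findings = []
    for path, lines in sources.items():
        for line_no, line in enumerate(lines, start=1):
            call = LOG_CALL_RE.search(line)
            if not call:
                continue
            arguments = line[call.end():]        # only inspect what is being logged
            if SENSITIVE_RE.search(arguments):
                findings.append((path, line_no, line.strip()))
    return findings


if __name__ == "__main__":
    for path, line_no, line in scan_source(SAMPLE_SOURCES):
        print("%s:%d: %s" % (path, line_no, line))
```

Findings should be fixed at the source rather than by guarding them with a debug flag: a guard keeps the string out of release logs only as long as nobody flips the build configuration, while a log line that never contains the secret cannot leak it.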


Contribute to the Secure Mobile Development Best Practices

You can view the GitHub repository here:

https://github.com/nowsecure/secure-mobile-development


In practice: continuous integration and automated mobile app security testing


Don’t Panic

Connect any time: @NowSecureMobile | www.nowsecure.com

Learn more about developing secure Android and iOS apps with the NowSecure Secure Mobile Development Best Practices:

books.nowsecure.com/secure-mobile-development/