tips and tricks for building secure mobile apps


Upload: techwellpresentations

Post on 28-Jul-2015

Category: Software

TRANSCRIPT

Page 1: Tips and Tricks for Building Secure Mobile Apps

© Copyright 2013 Coveros, Inc. All rights reserved.

Tips and Tricks for Building Secure Mobile Applications

Jeffery Payne

Chief Executive Officer, Coveros, Inc.

[email protected]

www.coveros.com

Twitter: @jefferyepayne

Page 2: Tips and Tricks for Building Secure Mobile Apps


Bio

Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.

Page 3: Tips and Tricks for Building Secure Mobile Apps


About Coveros

Coveros helps organizations accelerate the delivery of secure, reliable software.

Areas of Expertise

Our consulting services:
– Agile software development
– Application security
– Software quality assurance

Agile services:
– Agility assessments
– Process improvement
– Hands-on agile software development
– Agile project management
– Agile testing and automation
– Agile training by role

Page 4: Tips and Tricks for Building Secure Mobile Apps


Agenda

Mobile applications: the perfect security storm
– Typical architecture(s)
– A changing threat model

Mobile risks and development strategies
– Local storage
– Session management
– Untrusted clients
– Native code
– Mobile platforms
– Traditional risks

Getting more help

Page 5: Tips and Tricks for Building Secure Mobile Apps


Mobile Apps: The Perfect Security Storm

[Architecture diagram: smartphones, tablets, and laptops with mobile data modems connect over the cell network, through connectivity gateways and the Internet, to a web server, an app server, and a database holding the software apps and data. Annotations: fat-client concerns (on the devices); untrusted apps and untrusted users (at the network edge); traditional web security concerns (web server); traditional software security concerns (app server and database).]

Page 6: Tips and Tricks for Building Secure Mobile Apps


A Changing Threat Model

New Attack Profiles
– Increased access by malicious users
– Malicious 3rd party applications
– Increased information for attacking application back-ends

Fluid Trust Boundaries
– Level of trust necessary to use 3rd party applications
– Local access to sensitive data

Nuances of Mobile Platforms
– Differing security models
– Different vulnerabilities due to programming languages


Page 7: Tips and Tricks for Building Secure Mobile Apps


Mobile Risks

Local storage – Storage of data (implicitly or explicitly) on a device

Session management – Managing the on-going interactions between a mobile app user and the rest of a distributed environment

Untrusted clients – Client requests might not be legitimate

Native Code – Native code is still prevalent in mobile applications

Mobile Platforms – How the device (and OS) configures and controls apps

Traditional Risks – Other risks we already know about

Mobile App Security

Page 8: Tips and Tricks for Building Secure Mobile Apps


Do Not Allow Storage of Sensitive Data on Devices

Why?
– Devices use flash memory for local storage, so "deleted" data may remain recoverable on the chip
– External storage (e.g. SD cards) has global, world-readable data permissions
– Data encryption libraries and key management functions are often misused by developers
– UI screens are captured and stored in "temporary" storage (e.g. the screenshot the OS takes when an app is backgrounded)

What to do
– Store sensitive data on back-end servers behind a firewall
– Replace sensitive data that must be entered / displayed on the UI with replacement tokens or partial data (e.g. only the last four digits) when it doesn't need to be fully viewable
– If you must store some data locally, use vetted encryption routines and derive the key with a computationally expensive key derivation function (e.g. PBKDF2) rather than a plain hash of a password

Mobile App Security: Best Practices
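The last two points above (show the UI partial data instead of the real value, and derive local encryption keys with a proper KDF) in working Python, as an added example that is not part of the original deck and not Coveros code. It uses only the standard library, so it demonstrates the masking and key-derivation steps and leaves the actual AES encryption to a vetted library; the sample card number, the function names and the 100,000-iteration default are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample card number for this example (a test PAN, not a real card).
SAMPLE_PAN = "4111 1111 1111 1234"


def mask_pan(pan: str, visible: int = 4) -> str:
    """Partial data for the UI: only the last `visible` digits ever reach the device."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= visible:
        raise ValueError("PAN too short to mask")
    return "*" * (len(digits) - visible) + digits[-visible:]


def weak_key(passphrase: str) -> bytes:
    """Anti-pattern: an unsalted, single-round hash used directly as the key.
    Identical passphrases give identical keys, and whoever holds the ciphertext
    can test billions of guesses per second offline."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def derive_key(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: salted and deliberately slow; returns a 32-byte key
    sized for AES-256. Store the salt next to the ciphertext, never the passphrase."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    if iterations < 10_000:
        raise ValueError("iteration count too low to slow down guessing")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def new_salt() -> bytes:
    """Fresh per-record salt from the OS CSPRNG."""
    return os.urandom(16)


def keys_equal(a: bytes, b: bytes) -> bool:
    """Constant-time comparison so a key check does not leak timing."""
    return hmac.compare_digest(a, b)
```

On a real device, keep the derived key out of plain files (hand it to the iOS Keychain or Android Keystore) and do the encryption itself with an authenticated mode such as AES-GCM from a maintained library; the standard library has no AES, which is why this block deliberately stops at the key.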

Page 9: Tips and Tricks for Building Secure Mobile Apps


Make Sure Sessions are Managed Carefully

Why?
– Mobile application sessions tend to be left open longer to support mobile app use cases
– Malicious untrusted applications on the same device can compromise your application if session management isn't secure
– People often leave their phones lying around ...

What to do
– Automatically terminate idle sessions after no more than 5 minutes if the application is security-critical
– Do not use a device identifier (MEID, IMEI, UDID) as a session token
– Support token revocation, including the ability to revoke tokens remotely
– Use only temporary (short-lived, unpredictable) session tokens to thwart replay attacks

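A server-side session store that implements the four "what to do" points above (5-minute idle expiry, random tokens rather than device identifiers, remote revocation, short-lived tokens), as an added Python example rather than code from the deck or from Coveros. The `SessionStore` class, its explicit `now` parameters (so expiry can be checked without waiting) and the 300-second default are assumptions of the example.

```python
import secrets
import time
from typing import Optional

IDLE_TIMEOUT_S = 300  # security-critical app: end idle sessions within 5 minutes


class SessionStore:
    """Server-side session store with idle expiry and remote revocation.

    Tokens are fresh random values from the OS CSPRNG. They are never derived
    from a device identifier (MEID/IMEI/UDID): those are readable by other apps
    on the device, predictable, and cannot be rotated once leaked.
    """

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_S):
        self._sessions = {}  # token -> {"user": str, "last_seen": float, "revoked": bool}
        self._idle_timeout = idle_timeout

    def create(self, user: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
        self._sessions[token] = {
            "user": user,
            "last_seen": time.time() if now is None else now,
            "revoked": False,
        }
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token and refresh its idle timer; None otherwise."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None or s["revoked"]:
            return None
        if now - s["last_seen"] > self._idle_timeout:
            del self._sessions[token]  # expired: forget it, do not merely flag it
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke(self, token: str) -> bool:
        """Revoke one token (e.g. explicit logout)."""
        s = self._sessions.get(token)
        if s is None:
            return False
        s["revoked"] = True
        return True

    def revoke_user(self, user: str) -> int:
        """Remote revocation, e.g. from a 'lost phone' page: kill all of a user's sessions."""
        n = 0
        for s in self._sessions.values():
            if s["user"] == user and not s["revoked"]:
                s["revoked"] = True
                n += 1
        return n
```

Because every check goes through the server-side store, revoking a token takes effect on the next request regardless of what the phone still has cached, which is the property a "lost device" flow needs.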

Page 10: Tips and Tricks for Building Secure Mobile Apps


Assume No Client (or App) is Trustworthy

Why?
– The increased threat of mobile device compromise means no client / app requesting information can be trusted
– Trusted apps may have been misconfigured to allow easy compromise

What to do
– Make sure weak cipher suites (export grade and other legacy ciphers) are disabled on the back-end servers
– Validate the integrity of all data received from a client or other application (trust no one!)
– Sanitize all data received from a client or other input
– Return the minimum amount of information to the user when an error has occurred (details go to the server log, not the response)
– Move or remove default directories (sample apps, admin consoles) on all servers
– Do not allow software to be installed / configured with default passwords

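The "validate", "sanitize" and "minimum error information" points above combined in one back-end request handler, as an added Python example that is not code from the deck. The transfer request format, the account-number pattern, the amount limits and the `handle`/`parse_transfer` names are assumptions of this example; the request bodies in the usage are constructed, not real traffic.

```python
import json
import logging
import re
from decimal import Decimal, InvalidOperation

log = logging.getLogger("api")

# Whitelist validation rules (assumed for this example).
EXPECTED_FIELDS = {"from", "to", "amount"}
ACCOUNT_RE = re.compile(r"^[0-9]{8,12}$")
MAX_AMOUNT = Decimal("10000.00")
MAX_BODY = 4096


class RequestError(Exception):
    """Carries a detailed reason for the server log; the client never sees it."""

    def __init__(self, detail: str):
        super().__init__(detail)
        self.detail = detail


def parse_transfer(raw: bytes) -> dict:
    """Validate an untrusted transfer request field by field; reject anything unexpected."""
    if len(raw) > MAX_BODY:
        raise RequestError("body too large")
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as e:
        raise RequestError(f"malformed JSON: {e}")
    if not isinstance(body, dict):
        raise RequestError("body is not an object")
    if set(body) != EXPECTED_FIELDS:
        raise RequestError(f"unexpected fields: {sorted(set(body) ^ EXPECTED_FIELDS)}")
    for k in ("from", "to"):
        if not isinstance(body[k], str) or not ACCOUNT_RE.fullmatch(body[k]):
            raise RequestError(f"bad account id in {k!r}")
    try:
        amount = Decimal(str(body["amount"]))  # never float: 0.1 + 0.2 problems
    except InvalidOperation:
        raise RequestError("amount not numeric")
    if not amount.is_finite():
        raise RequestError("amount not finite")
    if amount <= 0 or amount > MAX_AMOUNT or amount != amount.quantize(Decimal("0.01")):
        raise RequestError(f"amount out of range or precision: {amount}")
    return {"from": body["from"], "to": body["to"], "amount": amount}


def handle(raw: bytes) -> tuple:
    """Return (HTTP status, JSON body). Details go to the log, not to the client."""
    try:
        req = parse_transfer(raw)
    except RequestError as e:
        log.warning("rejected request: %s", e.detail)
        return 400, {"error": "invalid request"}  # no field names, no stack trace
    return 200, {"status": "accepted", "amount": str(req["amount"])}
```

The whitelist approach (exact field set, anchored regex, bounded decimal) is what "sanitize" should mean here: anything the schema does not explicitly allow is rejected, and the client learns only that its request was invalid.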

Page 11: Tips and Tricks for Building Secure Mobile Apps


Test Native Code for Known Vulnerabilities

Why?
– Mobile platforms support native code, which is vulnerable to traditional memory-safety attacks (buffer overflows, format-string bugs)
– Software for Apple devices is written in Objective-C, and Java on Android can call native C/C++ code through JNI
– The runtime VMs themselves often include vulnerabilities!

What to do
– Use Address Space Layout Randomization (ASLR) to combat overflow attacks (on iOS this means building as a position-independent executable, PIE; otherwise the main binary is not randomized)
– Perform traditional secure code scanning on all native code as part of the software development process
– Avoid using native code if possible

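A minimal scanner for the two checks that "secure code scanning" of native code starts with, unbounded string functions and non-literal format strings, as an added Python example that is not from the deck: it is a pre-commit gate, not a replacement for a real static-analysis tool. The C snippet it runs over is constructed for this example, and the banned-function list and the `scan_source`/`gate` names are this example's own.

```python
import re

# Functions with no bounds information; each maps to the suggested replacement.
BANNED = {
    "gets": "unbounded read; use fgets with an explicit size",
    "strcpy": "no length check; use strlcpy/strncpy with the destination size",
    "strcat": "no length check; use strlcat",
    "sprintf": "no length check; use snprintf",
    "vsprintf": "no length check; use vsnprintf",
}
# \b keeps snprintf/strlcpy from matching sprintf/strcpy.
CALL_RE = re.compile(r"\b(" + "|".join(BANNED) + r")\s*\(")
# printf/NSLog whose first argument is not a string literal: format-string bug.
FMT_RE = re.compile(r'\b(printf|NSLog)\s*\(\s*(?!@?")([^,)]+?)\s*[,)]')

# Constructed C sample for this example (not from any real project).
SAMPLE_C = r'''#include <string.h>
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);            // overflow if src is longer than dst
}
void log_it(const char *msg) {
    printf(msg);                 // format string: msg is attacker-controlled
    printf("%s\n", msg);         // fine
}
void safe(char *dst, size_t n, const char *src) {
    snprintf(dst, n, "%s", src); // bounded
}
'''


def scan_source(text: str, filename: str = "<mem>") -> list:
    """Return (file, line, function, reason) for every suspicious call."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore trailing // comments
        for m in CALL_RE.finditer(code):
            findings.append((filename, lineno, m.group(1), BANNED[m.group(1)]))
        m = FMT_RE.search(code)
        if m:
            reason = f"non-literal format string {m.group(2).strip()!r}"
            findings.append((filename, lineno, m.group(1), reason))
    return findings


def gate(sources: dict) -> bool:
    """Build gate: True only when every file maps to zero findings."""
    return not any(scan_source(text, name) for name, text in sources.items())
```

A regex gate like this catches the obvious cases cheaply on every commit; the compiler's own warnings (`-Wformat-security`) and a proper analyzer still need to run on the same code before release.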

Page 12: Tips and Tricks for Building Secure Mobile Apps


Understand Your Mobile Platform

Why?
– Each platform uses a different security model
– Each platform manages applications differently

What to learn
– Learn how applications store data, protect it from access, and when data is physically deleted from the device
– Understand the default configurations for applications, browsers, and communication protocols
– Learn how and when information is cached, keystrokes are logged (e.g. the keyboard autocorrect cache), and screenshots are saved
– Understand how libraries are loaded and run (and in what order)


Page 13: Tips and Tricks for Building Secure Mobile Apps


Don’t Forget About Traditional Risks

Why?
– Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
– A local SQL database ships with the device (SQLite on both Android and iOS) and is susceptible to SQL injection when queries are built by string concatenation
– Web vulnerabilities exist in thin-client mobile apps (web views)

What to do
– Check for SQL injection, both on the back end and in on-device databases
– Check for web application security issues (XSS, CSRF, etc.)

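The SQL injection check above against an on-device SQLite database, as an added Python example (not code from the deck): the same lookup written with string concatenation and with parameter binding, run against a constructed in-memory notes table. The table, its two rows and the function names are assumptions of this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an app's on-device notes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice's grocery list"), ("bob", "bob's 2FA backup codes")],
    )
    return conn


def notes_for_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: the caller's input becomes part of the SQL grammar."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Fixed: the input is bound as a value and can never change the query."""
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


def breaks_on_quote(conn: sqlite3.Connection, owner: str) -> bool:
    """True when the concatenated query cannot even run: legitimate data with an
    apostrophe is the same bug seen from the other side."""
    try:
        notes_for_vulnerable(conn, owner)
        return False
    except sqlite3.Error:
        return True


# Classic tautology payload, constructed for the example.
INJECTION = "x' OR '1'='1"
```

The Android equivalent is `SQLiteDatabase.rawQuery(sql, selectionArgs)` with `?` placeholders (or the `query()` helpers) instead of building the string yourself; the same rule applies to `sqlite3_bind_*` in native code on iOS.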

Page 14: Tips and Tricks for Building Secure Mobile Apps


Getting Smarter

OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Coveros Labs – R&D in:
– Secure mobile development
– Malicious code analysis
– Cloud security
– http://www.coveros.com/content/coveros-labs


Page 15: Tips and Tricks for Building Secure Mobile Apps


Questions?

Thank You

Contact Information:

Jeffery Payne

[email protected]