Assume a hostile environment
8/12/2019 Assume a hostile environment
1/39
Assume a hostile environment: securing mobile data in the app
Session ID: MBS-T09
Scott Alexander-Bown, Senior Mobile Developer, viaForensics
@scottyab
The Gap!
Goals
Mobile devices are a hostile environment
What are the common app vulnerabilities
How to protect your apps
With an Android bias
Questions to ask your app developers
Non Goals: There Is No 100% Security
Q) Which Is More Secure?
iOS vs Android OS Vulnerabilities
Source: http://www.cvedetails.com, Dec 2013
iOS: Safer for average hipster Joe
Android can be hardened (power users)
The Environment Is Hostile
Lost / Stolen
Open Wi-Fi networks
SMiShing
Untrusted ports/chargers
Devices Are Hostile Environments
System updates
OEM/Carrier bloatware (Android)
MDM
Secure Containers
System libraries, e.g. KeyChain (iOS)
Device Encryption
Side load (Android)
Vulnerable apps / malware
If devices are hostile environments?
We focus on the a
Common App Vulnerabilities
Common App Fails
Not encrypting stored data
Not using an SSL connection
Not protecting app components
Not validating client data
Leaking sensitive data to device log
Options For App Security
MDM security SDK?
App wrapping?
Built-in
Distribute via app stores
Better UX
Not relying on others
Build in App Security
SQL Injection
Compiled statements
Validate input
Sharing data (Android)
Protect components
Custom permissions
Consider read only
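The two points above (compiled statements with bound parameters, and validating input as a second layer) are shown together in this added example; it is not code from the slides or from the speaker, and it assumes an Android SQLiteDatabase with a hypothetical table notes(id, owner, body):

```java
// Added example: parameterized SQLite access on Android (not from the slides).
// Assumes a hypothetical table: notes(id INTEGER PRIMARY KEY, owner TEXT, body TEXT)
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteStatement;

public final class NotesDao {
    private final SQLiteDatabase db;

    public NotesDao(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: user-controlled text is concatenated into the SQL string, so a single
    // quote in `owner` changes the structure of the query rather than being treated as data.
    public Cursor findNotesUnsafe(String owner) {
        return db.rawQuery("SELECT id, body FROM notes WHERE owner = '" + owner + "'", null);
    }

    // SAFE: the value is bound as a selection argument; SQLite never parses it as SQL.
    public Cursor findNotes(String owner) {
        return db.query("notes", new String[] {"id", "body"},
                "owner = ?", new String[] {owner},
                null, null, "id DESC");
    }

    // Compiled (prepared) statement for writes: the SQL is parsed once, values are bound per call.
    public long insertNote(String owner, String body) {
        validateOwner(owner);
        SQLiteStatement stmt = db.compileStatement("INSERT INTO notes(owner, body) VALUES (?, ?)");
        try {
            stmt.bindString(1, owner);
            stmt.bindString(2, body);
            return stmt.executeInsert(); // row id, or -1 on failure
        } finally {
            stmt.close();
        }
    }

    // Input validation is a second layer, not a replacement for binding: an allow-list on the
    // identifier keeps junk out of the table and out of whatever later renders it.
    static void validateOwner(String owner) {
        if (owner == null || owner.length() > 64 || !owner.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("invalid owner identifier");
        }
    }
}
```

For the "protect components" bullets, the equivalent on the manifest side is to keep providers and services `android:exported="false"` unless another app genuinely needs them, and, where a ContentProvider must be shared, to declare a custom `<permission>` and grant only `android:readPermission` so other apps cannot write to it.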
Encryption
Assess risk of data stored
Bundle your own crypto libraries
SpongyCastle adds support:
AES-GCM
Elliptic Curve Cryptography (ECC)
Don't seed the SecureRandom class
Encryption: Not Storing The Key
Password Based Encryption (PBE)
Generate a key from user PIN/password
KDF: the more iterations the better
Add app time out to clear from memory
The KeyStore provider (Android 4.3+)
Hardware backed (on some devices)
Encryption: Android Quick Wins
SQLCipher
256-bit AES encrypted SQLite database
Secure-Preferences
Obscure your app's shared preferences
IOCipher
Virtual encrypted disk
Conceal
Easy to use APIs for fast encryption and authentication of data
Force Update
Timeout / Caching
Session timeout
App and server-side
Clear app data from memory
Prevent snapshot cache (iOS)
Exclude from recent tasks (Android)
Q) Are you using SSL?
Q) Is Using SSL Enough?
A) No
Stronger SSL
Use secure SSL/TLS protocols (e.g. SSL v3, TLS v1.1/1.2)
Use secure ciphers (128 bit or higher)
Validate the certificates
NetCipher
Whole chain validation
Orbot: Proxy with Tor
SSL Pinning
2 types
Certificate pinning
Public key pinning
Prevent compromised CAs from being trusted
More difficult for MITM
Watch For This!
Tamper Detection
Simulator/emulator check
System properties
Jailbreak/root check
Root apps (Cydia, SuperSU etc)
System properties
Validate signing key (Android)
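The three checks on this slide (emulator via system properties, root artifacts, and signing-key validation) as an added Android example; it is not code from the slides or the speaker. It assumes the release certificate's SHA-256 is known at build time (placeholder below), uses the pre-API-28 PackageManager.GET_SIGNATURES flag, and treats every check as a heuristic signal for the app's risk decision rather than proof:

```java
// Added example: Android tamper-detection heuristics (not code from the slides).
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.File;
import java.security.MessageDigest;

public final class TamperChecks {
    // PLACEHOLDER: hex SHA-256 of the release signing certificate (as printed by keytool).
    private static final String EXPECTED_CERT_SHA256 = "PLACEHOLDER_RELEASE_CERT_SHA256_HEX";

    // Validate signing key: a repackaged APK is signed by a different key, so the digest differs.
    public static boolean isSignedByReleaseKey(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
                if (toHex(digest).equalsIgnoreCase(EXPECTED_CERT_SHA256)) return true;
            }
        } catch (Exception e) {
            // fall through: any failure counts as "not verified"
        }
        return false;
    }

    // Emulator check from the system properties exposed through android.os.Build.
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")
                || Build.PRODUCT.contains("sdk")
                || Build.MODEL.contains("Emulator");
    }

    // Root check: test-keys build tag, a su binary in the usual places, or a root-manager app.
    public static boolean looksRooted(Context ctx) {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        for (String dir : new String[] {"/system/bin/", "/system/xbin/", "/sbin/", "/system/sd/xbin/"}) {
            if (new File(dir, "su").exists()) return true;
        }
        return isInstalled(ctx, "eu.chainfire.supersu"); // SuperSU, named on the slide
    }

    private static boolean isInstalled(Context ctx, String pkg) {
        try {
            ctx.getPackageManager().getPackageInfo(pkg, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // How an app would combine the signals: degrade (e.g. refuse to cache secrets) rather than
    // hard-fail, since any of these checks can be patched out on a device the attacker controls.
    public static boolean deviceLooksUntrusted(Context ctx) {
        return !isSignedByReleaseKey(ctx) || looksRooted(ctx) || looksLikeEmulator();
    }
}
```

The value of these checks is in raising the cost of tampering and in the telemetry they produce server-side, not in blocking a determined attacker; that is the "no 100% security" point made earlier in the deck.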
Anti Reversing
Code obfuscation
ProGuard (Android)
Restrict debugging
Restrict Logging
DexGuard (Android)
ProGuard's bad-ass brother
Same config as ProGuard
Not free, but 1 license == apps
Highlights
One line tamper check
$.smali, $.smali
API hiding with string encryption == tough
Further Resources
42+ Secure mobile development best practices: http://bit.ly/viafor42
OWASP Mobile security recommendations: http://bit.ly/owaspmobile
What to ask your app developers?
Who is building it and where?
Are they certified? bit.ly/mobilesecuritycert
Play/App store account access?
How is security assessed?
Code reviews (including 3rd-party libs)
Static analysis
Red team black box assessment
Summary
Mobile devices are a hostile environment
What are the common app vulnerabilities
How to protect your apps
Questions to ask your app developers
Q&A | Contact | Feedback
Thanks for listening
@scottyab / github.com/scottyab
Book signing tomorrow 3:30pm
Thanks to @thomas_cannon
Reference
SpongyCastle - http://github.com/rtyley/spongycastle
Encryption sample projects:
http://github.com/nelenkov/android-pbe
http://github.com/nelenkov/android-keystore
AndroidPinning - https://github.com/moxie0/AndroidPinning
NetCipher - https://github.com/guardianproject/NetCipher
DexGuard - http://www.saikoa.com/dexguard
SQLCipher - http://sqlcipher.net/sqlcipher-for-android
Secure-Preferences - http://github.com/scottyab/secure-preferences
IOCipher - http://guardianproject.info/code/iocipher
Conceal - http://facebook.github.io/conceal
Android security cookbook ISB - http://bit.ly/MscEFu