Assume a hostile environment

8/12/2019 Assume a hostile environment

1/39

SESSION ID:

Assume a hostile environment: securingmobile data in the app

MBS-T09

Scott Alexander-BownSenior Mobile Developer

viaForensics@scottyab


2/39

2


3/39

The Gap!

3


4/39

Goals

Mobile devices are a hostile environment

What are the common app vulnerabilities

How to protect your apps

With an Android bias

Questions to ask your app developers

4


5/39

Non Goals: There Is No 100% Security

5


6/39

6

Q) Which Is More Secure?


7/39

iOS vs Android OS Vulnerabilities

Source: http://www.cvedetails.comDec 2013

7
http://www.cvedetails.com/http://www.cvedetails.com/


8/39

8

iOS: Safer for average hipster Joe


9/39

9

Android can be hardened (power users)


10/39

The Environment Is Hostile

Lost / Stolen

Open Wi-Fi networks

SMiShing

Untrusted ports/chargers

10


11/39

Devices Are Hostile Environments

System updates

OEM/Carrier bloatware (Android)

MDM

Secure Containers

System library's i.e KeyChain (iOS)

Device Encryption

Side load (Android)

Vulnerable apps / malware

11


12/39

If devices are hostile environments?

We focus on the a

12


13/39

Common A

Vulnerabili


14/39

Common App Fails

Not encrypting stored data

Not using SSL connection Not protecting App components

Not validating client data

Leaking sensitive data to device log

14


15/39

15


16/39

16


17/39

Options For App Security

MDM security SDK?

App Wrapping? Built-in

Distribute via app stores

Better UX

Not relying on others

17


18/39

Build in Ap

Security


19/39

SQL Injection

Compiled statements

Validate input Sharing data (Android)

Protect components

Custom permissions

Consider read only

19


20/39

Encryption

Assess risk of data stored

Bundle your own crypto libraries SpongyCastle adds support:

AES-GCM

Elliptic Curve Cryptography (ECC)

Dont seed SecureRandom class

20


21/39

Encryption: Not Storing The Key

Password Based Encryption (PBE)

Generate a key from user pin/password KDF - more iterations the better

Add app time out to clear from memory

The KeyStore provider (Android 4.3+)

Hardware backed (on some devices)

21


22/39

Encryption: Android Quick Wins

SQLCipher

256-bit AES Encrypt SQLite database

Secure-Preferences

obscure your apps shared preferences

IOCipher

Virtual encrypted disk

Conceal

Easy to use APIs for fast encryption and authentication of data

22


23/39

Force Update

23


24/39

Timeout / Caching

Session timeout

App and Server-side Clear app data from memory

Prevent snapshot cache (iOS)

Exclude from recent tasks (Android)

24


25/39

Q) Are you using SSL?

Q) Are you using SSL

25


26/39

Q) Is Using SSL Enough?

A) No

26


27/39

Stronger SSL

Use secure SSL/TLS protocols (i.e. SSL v3, TLS v1.1/1.2)

Use secure ciphers (128 bit or higher) Validate the certificates

NetCipher

Whole chain validation

Orbot: Proxy with Tor

27


28/39

SSL Pinning

2 types

Certificate pining Public key pinning

Prevent compromised CAs from being trusted

More difficult for MITM

28


29/39

Watch For This!

29


30/39

Tamper Detection

Simulator/emulator check

System properties Jail break/Root check

Root apps (Cydia, SuperSU etc)

System properties

Validate signing key (Android)

30


31/39

Anti Reversing

Obfuscation code

Proguard (Android) Restrict Debugging

Restrict Logging

31

G ( )


32/39

DexGuard (Android)

ProGuards bad ass brother

Same config as ProGuard Not free but 1 license == apps

Highlights

One line tamper check

$.smali, $.smali API hiding with String encryption == tough

32

F th R


33/39

Further Resources

42+ Secure mobile development best practices

http://bit.ly/viafor42 OWASP Mobile security recommendations

http://bit.ly/owaspmobile

33


34/39

What To As

Wh t t k d l ?


35/39

What to ask your app developers?

Who is building it and where?

Are they certified? bit.ly/mobilesecuritycert

Play/App store account access?

How is security assessed?

Code reviews (including 3rdparty libs) Static analysis

Red team black box assessment

35

S


36/39

Summary

Mobile devices are a hostile environment

What are the common app vulnerabilities How to protect your apps

Questions to ask your app developers

36

Q&A | C t t | F db k


37/39

Q&A | Contact | Feedback

Thanks for listening

@scottyabgithub/scottyab

[email protected]

Book signing tomorrow 3:30pm

37

Thanks to @thomas_cannon


38/39

Build in app secur

38

Reference


39/39

Reference

http://github.com/rtyley/spongycastle

Encryption sample projects

http://github.com/nelenkov/android-pbe

http://github.com/nelenkov/android-

keystore

https://github.com/moxie0/AndroidPinning

NetCipher -

https://github.com/guardianproject/NetCiphe

r

DexGuard - www.saikoa.com/dexguard

SQLCipher - http://sqlcipher.ne

android

Secure-Preferences -

http://github.com/scottyab/secu

IOCipher -

http://guardianproject.info/code

Conceal - http://facebook.githu

Android security cookbook ISB

http://bit.ly/MscEFu

39
http://github.com/rtyley/spongycastlehttp://github.com/nelenkov/android-pbehttp://github.com/nelenkov/android-keystorehttp://github.com/nelenkov/android-keystorehttps://github.com/moxie0/AndroidPinninghttps://github.com/guardianproject/NetCipherhttps://github.com/guardianproject/NetCipherhttp://www.saikoa.com/dexguardhttp://sqlcipher.net/sqlcipher-for-androidhttp://sqlcipher.net/sqlcipher-for-androidhttp://github.com/scottyab/secure-preferenceshttp://guardianproject.info/code/iocipherhttp://facebook.github.io/concealhttp://bit.ly/MscEFuhttp://bit.ly/MscEFuhttp://facebook.github.io/concealhttp://guardianproject.info/code/iocipherhttp://github.com/scottyab/secure-preferenceshttp://sqlcipher.net/sqlcipher-for-androidhttp://sqlcipher.net/sqlcipher-for-androidhttp://www.saikoa.com/dexguardhttps://github.com/guardianproject/NetCipherhttps://github.com/guardianproject/NetCipherhttps://github.com/moxie0/AndroidPinninghttp://github.com/nelenkov/android-keystorehttp://github.com/nelenkov/android-keystorehttp://github.com/nelenkov/android-pbehttp://github.com/rtyley/spongycastle

Documents

Assume a hostile environment