DEVELOPING SECURE MOBILE APPLICATIONS
Julien Probst, Co-founder, Sysmosoft SA
Application Security Forum - Western Switzerland - 2011, 27 October 2011 - HEIG-VD, Yverdon-les-Bains, http://appsec-forum.ch

ASFWS 2011 - Secure software development for mobile devices

Application Security Forum 2011 27.10.2011 - Yverdon-les-Bains (Switzerland) Speaker: Julien Probst

Page 1: ASFWS 2011 - Secure software development for mobile devices

Page 2: ASFWS 2011 - Secure software development for mobile devices

Swiss based company

Specialized in Mobile Security

Spinoff of the University of Applied Sciences in Yverdon-les-Bains (HEIG-VD)

Mobility

Working since 2008 with private banks to create an adapted solution

In production since 2010

Security

Threat and vulnerability analysis linked to mobility

Agile & Security Development Lifecycle

Page 3: ASFWS 2011 - Secure software development for mobile devices

[Diagram, labels only: Theft/Lost; Property of the enterprise; User’s personal phone; Company Network; Outside; Virus/Malwares; Unauthorized access]

Page 4: ASFWS 2011 - Secure software development for mobile devices

Page 5: ASFWS 2011 - Secure software development for mobile devices

Purpose

‒ Install Free Apps from “Alternative Stores”

‒ Unlock some new device features

Source : jailbreakme.com

Security Issues

‒ All OS Security mechanisms are disabled…

‒ … So all data can potentially be accessed

‒ “Alternative stores” do not verify Apps

JailbreakMe

‒ Jailbreak your iPhone/iPad from a web page

‒ Uses a third party App Security Flaw

‒ Versions : v1 2007, v2 2010, v3 2011

Page 6: ASFWS 2011 - Secure software development for mobile devices

Purpose

‒ To improve user’s experience, some data are shared between Apps

‒ “Official” APIs are usually provided by the OS

Security Issues

‒ Easy for Developers to access your shared data…

‒ …and do what they want with it

Wall Street Journal Analysis

‒ Over 100 analyzed legal applications

‒ 5 of them transmitted address book to outsiders

Source : Wall Street Journal, Your Apps Are Watching You, 17 Dec. 2010

Page 7: ASFWS 2011 - Secure software development for mobile devices

PoC

How It Works

1. Get access to an iPhone

2. Execute a Jailbreak

3. Install and run Fraunhofer’s script

4. Wait for the OS to decrypt the Keychain

— The PIN Code is not required

— Not all secrets are decrypted

5. Access user’s secrets in 6 minutes

Source : http://www.fraunhofer.de/

Page 8: ASFWS 2011 - Secure software development for mobile devices

Grant Access to iOS 4.x

Purpose

‒ Commercial and Free/Open Source solutions

‒ Access “all” data stored on a Smartphone

Source : www.viaforensic.com & www.elcomsoft.com

Physical imaging

Logical imaging

Passcode recovery

Keychain decryption

Disk decryption

Page 9: ASFWS 2011 - Secure software development for mobile devices

[Table, headings only. Columns: Attack; Affected users; Compromised data (Shared Data, Keychain Data, Application Data, Data Transport); Device Specific. Rows: Malicious legal App.; JailBreak (with malicious App.); Fraunhofer’s PoC; Forensic Solution]

Page 10: ASFWS 2011 - Secure software development for mobile devices

Page 11: ASFWS 2011 - Secure software development for mobile devices

[Diagram, labels only: Professional Configuration; Operating System; Resources; Applications; Device Security features; Device Configuration]

Page 12: ASFWS 2011 - Secure software development for mobile devices

[Diagram, labels only: User Config.; Prof. Config.; Operating System; Resources; Applications; Secure Application; Security; Business; Device Security features; Device Configuration]

Page 13: ASFWS 2011 - Secure software development for mobile devices

Page 14: ASFWS 2011 - Secure software development for mobile devices

[Diagram, labels only: Device OS; Display Output; Memory Manag.; Keychain; Application; Memory’s Data; User’s secrets; Interface; “Screenshots”; Data Transport; Keyboard Input; OS App. Manager; Storage; Backup; Dictionary cache; Application’s State; Application Data; Device’s Data; Shared Data]

Page 15: ASFWS 2011 - Secure software development for mobile devices

Application : Secure Document Reader

[Diagram, labels only: Protection; Prevention; Security; Business; OS Features; Keyboard Input; OS App. Manager; Memory Manag.; Data Transport; Keychain; Storage; Auth & Encrypt; Encrypt; Clean mem. on standby; Clean state on standby; Clean keyboard on exit]

Page 16: ASFWS 2011 - Secure software development for mobile devices

Cryptographic algorithms

Implements all cryptographic algorithms at the application level

Usually the strongest part of the application

Key Management

Manages all cryptographic keys at the application level

Usually a weak point of the application

Page 17: ASFWS 2011 - Secure software development for mobile devices

View Mode – Best security

Do not store data on the device

Only use the established ephemeral session key to exchange the data

Offline Mode – Less Secure

Encrypt data on the device

Store and protect the key on the device

Cache Mode – Best compromise

Encrypt data on the device

Store and protect the key on the server only

Page 18: ASFWS 2011 - Secure software development for mobile devices

Offline authentication limitation

‒ Device ID cannot be verified by the device itself

‒ Hardware token IDs are verified by a trusted server

‒ Only the user’s ID can be verified by the device

Potential attacks against offline authentication

‒ Social engineering to obtain user’s credentials

‒ Brute force attack against data encryption’s key

• Even if crypto algorithms (PBKDF2) are used
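
The brute-force point above, as an added example that is not part of the presentation: assuming the Offline Mode data key is derived on the device from the user's secret with PBKDF2-HMAC-SHA256, PBKDF2 only multiplies the cost of each guess, so the size of the secret decides how long an offline search takes. The code measures that cost and sizes the secret accordingly; the policies in POLICIES and the attacker_speedup factor are assumptions.

```python
import hashlib
import os
import time

# Constructed secret policies: name -> (alphabet size, length). Assumptions.
POLICIES = {"4-digit PIN": (10, 4), "6-digit PIN": (10, 6), "8-char a-z0-9": (36, 8)}


def derive_key(secret: str, salt: bytes, iterations: int) -> bytes:
    """Data-encryption key derived on the device from the user's secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def measure_guess_rate(iterations: int, samples: int = 3) -> float:
    """Derivations per second on one core of this machine at this cost."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def exhaust_seconds(alphabet: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every secret of exactly this length."""
    return alphabet ** length / guesses_per_sec


def min_length(alphabet: int, guesses_per_sec: float, target_seconds: float) -> int:
    """Shortest length whose full search takes at least target_seconds."""
    length = 1
    while alphabet ** length < target_seconds * guesses_per_sec:
        length += 1
    return length


def report(iterations: int, attacker_speedup: float = 1000.0) -> dict:
    """Exhaustion time per policy; attacker_speedup is an assumed factor
    by which dedicated hardware outpaces this machine."""
    rate = measure_guess_rate(iterations) * attacker_speedup
    return {name: exhaust_seconds(a, n, rate) for name, (a, n) in POLICIES.items()}


if __name__ == "__main__":
    for name, seconds in report(10_000).items():
        print(f"{name:14s} searched in at most {seconds / 3600:14.3f} h")
    year = 365 * 24 * 3600
    rate = measure_guess_rate(10_000) * 1000.0
    print("digits needed for a one-year search:", min_length(10, rate, year))
```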

Page 19: ASFWS 2011 - Secure software development for mobile devices

Check the operating system

Verify the version of the OS

Control the integrity of the OS (jailbreak, etc.)

Check for insecure system caches and features

Avoid/Clean caches (keyboard, pasteboard, screenshots, etc.)

Detect undesired features (multitasking management, backup, etc.)

Apply device-specific best practices

Security recommendations

Memory management, …

Page 20: ASFWS 2011 - Secure software development for mobile devices

Page 21: ASFWS 2011 - Secure software development for mobile devices

Comply with company security policies

Countermeasures are implemented according to the security needs

Use high-level standard cryptographic algorithms

Crypto algorithms can be used without limitation or restrictions

Apply the same security mechanisms to each platform

Same mechanisms can be implemented and managed for each platform

Page 22: ASFWS 2011 - Secure software development for mobile devices

The Application still relies on the operating system

A critical flaw in the OS can potentially lead to a data breach

Implementing security inside Apps. requires experience and time

Integrating a Security Development Lifecycle (SDLC) is recommended

Some mechanisms remain out of the control of the application

OS Prevention/Control mechanisms must be developed (cache cleaning, etc.)

Offline Mode remains a potential issue

Trusted specific hardware can potentially be used

Page 23: ASFWS 2011 - Secure software development for mobile devices

Mobile Devices are new threat vectors for companies’ data

Misconfigured devices are vulnerable to a multitude of new types of attacks

Isolate sensitive or corporate data from private data

End users keep their habits while companies apply specific rules to sensitive data

Integrate security inside Apps and not rely only on OS or infrastructure

Sensitive data is protected by additional applicative security mechanisms

Conventional security solutions are not really adapted for mobility

Applying company security policies to personal mobile devices is not possible

Page 24: ASFWS 2011 - Secure software development for mobile devices

Contact

Sysmosoft SA
Rue Galilée 9
1400 Yverdon-les-Bains

Julien Probst
+41 (0) 24 524 10 36