IM IN UR CODEZ: Securing Mobile Apps
Sunday, 2 October 11

Mobile Apps Security: OTA11


Description

Slides from the Mobile Apps Security presentation at Over The Air 2011 - apologies for the PDF, but I use Keynote and I figure you'll probably want to have them in a format you can open!

Page 1: Mobile Apps Security: OTA11

IM IN UR CODEZ
Securing Mobile Apps

Page 2

Hello!

My name’s Nick.

I work for Mobile Interactive Group

We’re going to talk about app security

...also cats

Page 3

What this session is about...
Mobile application security
Developing apps defensively

...and what it’s not about
User-based vulnerabilities (tap-jacking, etc)
Mobile web security

Page 4

Mobile Web

Mobile Apps

Page 5

SQL injection

Insecure Data Transmission

Hardcoded passwords

Storing user data

Buffer overflows

API impersonation

In-app XSS

Data leakage

Remote code execution

Page 6

Web & Apps have similar problems...

...they just appear in different places

Page 7

A fact (or two)

Your app will be reverse engineered

It’s only a matter of time

Obfuscation is not a be-all/end-all

Page 8

You might think (comparatively) that your mobile platform is not compromised...

...but how many rooted/jailbroken phones are out there?

Assume your platform is compromised, and your app will be reverse engineered

Page 9

You must therefore strongly protect your APIs and supporting application servers

Let’s look at three of the most common issues with apps

Two of these relate to API/server issues

Page 10

...but first...

Page 11

We’re all pretty smart developers
(...hopefully!)

Page 12

Your App    Your Goals    The chasm of misfortune

We are all cats - we have good intentions...
...and sometimes can’t foresee the consequences

Page 13

Your App        Your Goals
Banking App     Remembering Users    Storing credentials insecurely
Blogging App    Using an API         Not using SSL
UGC App         Uploading Content    Hardcoding your API keys?

Page 14

Keys and Secrets

Page 15

1 Keys and Secrets 2 leaking information 3 storing details

“API keys must be protected just like passwords. This means they should not be [...] baked into non-obfuscated applications that can be analysed relatively easily”
Cloud Security Alliance, April 18 2011

(...assume this means all mobile apps)

Page 16

Demo time

Major paid-for API

About 1,000,000 downloads

...let’s take a look!

Page 17

Demo time

User: iPhone
Password: PnkFdrYRh75N

Page 18

Consequences

The bad
Somebody pulls your S3 secret key and charges £££ to your account

The ugly
A competing app uses your API key to exceed your rate limits
Your users get frustrated and leave

Page 19

This API is now compromised

I can use it in my own apps without paying the license fee

Because it’s hard-coded in the app it can’t be revoked

Page 21

Prevention

Use an alternative method to authenticate
Facebook, Amazon, and other large providers provide these

Don’t trust key verification
If you have an API that uses a key, don’t assume you can trust the user

Think permissions
If you do have to use keys, limit the damage that can be done with them

Have a plan
...think about the inevitable. What happens if your API is outed?
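Slides 19 to 21 argue that a key baked into the binary can neither be trusted nor revoked. As an added example (not code from the talk), here is one server-side design that follows the Prevention points: a per-user, scoped, expiring token signed with a secret that stays on the server, with revocation and per-user rate limiting enforced by the API rather than by the app. The token format, function names and limits are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed design, not the talk's code: the server keeps the only long-lived
# secret and hands each user a short-lived, scoped, individually revocable
# token, so a token pulled from a jailbroken phone hurts one account only.
SERVER_SECRET = secrets.token_bytes(32)   # never leaves the server
REVOKED_IDS = set()                       # token ids revoked after a leak
CALLS = {}                                # (user, minute window) -> count
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, scopes, ttl_s, now=None):
    """Mint a signed token; the app stores this instead of a shared API key."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "scope": sorted(scopes),
                          "exp": now + ttl_s, "jti": secrets.token_hex(8)},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def revoke_token(token):
    """The plan for when a token is outed: kill just that token."""
    REVOKED_IDS.add(json.loads(_unb64(token.split(".")[0]))["jti"])

def check_request(token, required_scope, per_minute=60, now=None):
    """Server-side gate returning (allowed, reason); the client is never trusted."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"        # forged or tampered token
    claims = json.loads(payload)
    if claims["exp"] < now:
        return False, "expired"              # a stolen token goes stale quickly
    if claims["jti"] in REVOKED_IDS:
        return False, "revoked"
    if required_scope not in claims["scope"]:
        return False, "insufficient scope"   # limit what a leaked token can do
    window = (claims["sub"], int(now // 60))
    CALLS[window] = CALLS.get(window, 0) + 1
    if CALLS[window] > per_minute:
        return False, "rate limited"         # one abuser cannot starve everyone
    return True, "ok"
```

A token lifted from one device can be revoked and rate-limited per user, which is exactly what the hard-coded key in the demo could not be.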

Page 22

Leaking Information

Page 23

This shouldn’t need a slide

If you’re sending passwords in the clear, leave the room

...no, wait - come back! I forgive you!

People share passwords. All the time.
My Tumblr password might be my Facebook password

Page 24

Specific shaming:

...but not the app!

Page 25

“But Nick, everyone knows SSL/TLS is totally broken!”

“It’s the user’s fault for connecting to an insecure network”

“It’s too much effort / time-consuming to implement”

“My app isn’t important enough for this to be a problem”

Page 26

Not using TLS is like leaving your house unlocked

Nobody is saying locks are going to stop you from getting burgled...

...but not locking your door is stupid.

Page 27

Storing Details

Page 28

Very popular!

According to ViaForensics, June 2011

Username and password in plain text!

Page 29

Obvious information
Passwords, usernames
Account numbers, etc

Overlooked information
Location information
Personal information (date of birth, address,

Page 30

Consequences

The bad
You get some bad PR
People laugh at you as you walk down the street

The ugly
You store passwords or account information unencrypted
This compromises your app, and users’ information is leaked
You are fined by the ICO
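The ViaForensics finding above is easy to reproduce against your own app before release. As an added example, not the talk's or ViaForensics' code, this check walks an app's data directory the way a forensic pull from a rooted or jailbroken phone would and flags any file holding a known secret in the clear; the sample sandboxes, file names and secret values are constructed for the demonstration.

```python
import os, sqlite3, tempfile

# Added example. A pre-release check: given the secrets a test account is known
# to use, report every file in the app's sandbox that still contains them verbatim.

def find_plaintext_secrets(app_dir, known_secrets):
    """Return [(relative path, secret)] for each file containing a secret verbatim."""
    hits = []
    for dirpath, _, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                blob = fh.read()          # SQLite, plists and JSON all keep text inline
            for secret in known_secrets:
                if secret.encode() in blob:
                    hits.append((os.path.relpath(path, app_dir), secret))
    return sorted(hits)

def build_sample_sandboxes(root, password):
    """Constructed sample data: a 'remember me' feature done wrong and done right."""
    bad, good = os.path.join(root, "bad_app"), os.path.join(root, "good_app")
    os.makedirs(bad)
    os.makedirs(good)
    # Wrong: the app keeps the user's password in its SQLite store.
    con = sqlite3.connect(os.path.join(bad, "accounts.db"))
    con.execute("CREATE TABLE accounts(user TEXT, password TEXT)")
    con.execute("INSERT INTO accounts VALUES (?, ?)", ("alice@example.com", password))
    con.commit()
    con.close()
    # Right: only a server-issued session token is kept; it can be revoked
    # without the user having to change a password they reuse elsewhere.
    with open(os.path.join(good, "session.json"), "w") as fh:
        fh.write('{"user": "alice@example.com", "token": "REVOCABLE-SESSION-TOKEN"}')
    return bad, good

def audit_demo(password="correct horse battery"):
    """Run the check over both constructed sandboxes; returns {app name: hits}."""
    with tempfile.TemporaryDirectory() as root:
        bad, good = build_sample_sandboxes(root, password)
        return {"bad_app": find_plaintext_secrets(bad, [password]),
                "good_app": find_plaintext_secrets(good, [password])}
```

Run the same walk over a device backup or a sandbox copied from a test phone and treat any hit as a release blocker.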

Page 31

In Summary

...we’re all smart developers...
(remember this bit? from earlier on?)

Page 32

...but so are the...

Bank of America, Citibank, National Rail Enquiries, Tumblr, AOL, Bump, Flirtomatic, Foursquare, Groupon, LinkedIn, Mint, Skype, Wells Fargo, WordPress, Match.com, Yahoo! Messenger, and many many more...

...developers.

Nobody is perfect, no app is truly secure
(including me!)

Page 33

Remember the cat*

*unlike the cat, your app will not survive a fall from height

Page 34

Thanks :)

[email protected]
(I don’t tweet - booo!)

Slides will be available on the OTA site soon!