Upload
nowsecure
View
268
Download
2
Embed Size (px)
Citation preview
Jon PorterSolutions architect
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Jordan ZotosProduct manager
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Contents
● Background on NowSecure
● OWASP overview
● 10 mobile pitfalls
● Questions
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
NowSecure: Forged in mobile from day one
Top engineers and researchers
OSS authors of Radare, Frida,
Santoku Linux, and Android VTS
Disclosed Samsung keyboard vulnerability
Impacting 650M+ devices
worldwide
Regular speaking appearances
Black Hat USA, RSA Conference,
OWASP AppSec USA & more
Leading enterprise customers
From banking, healthcare, tech,
government & more
Founded in Oak Park, IL
With a strong background in
forensics & enterprise security
2009
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Our approach to security for mobile development teams:
1 Consistency in both process and testing environment
2 Speed: Provide results quickly you can easily understand
3 Automate and integrate
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Share best practices for secure mobile development
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Insecure mobile apps create business risk for enterprises
StarbucksThieves siphoned money out of users’
accounts using the mobile app
via USA Today
OlaIndia’s largest startup with $1.1B in funding
was hacked to allow unlimited free rides
via The Next Web
Hulu and TinderApp vulnerabilities offered access
to free premium accounts
via CNBC
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Teams are tasked with deploying apps more frequently
https://blog.newrelic.com/2016/02/04/data-culture-survey-results-faster-deployment/
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
OWASP backgroundAn international leader in application security
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
An open community
dedicated to enabling
organizations to conceive,
develop, acquire, operate,
and maintain applications
that can be trusted.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
10MobilePitfalls toAvoid
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
1 ImproperPlatform Usage
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Misuse of a platform feature or lack of platform security controls for the Android or iOS operating systems. Issues may include incorrect use of the keychain on iOS or Android intents.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Best practice:
Use the Keychain Carefully
iOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted. Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
2 InsecureDataStorage
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Vulnerabilities that leak personal information and provide access to hackers.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
10.7% of mobile apps leak private, sensitive data like email, username, or password
NowSecure: 2016 NowSecure Mobile Security Report
Data from testing 400,000 mobile apps
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Best practices to securely store mobile data
Implement Secure Data Storage: Read Now
Transmit and display but do not persist to memory. This requires special attention as well, to ensure that an
analog leak does not present itself where screenshots of the data are written to disk. Store only in RAM (clear at
application close).
Securely Store Sensitive Data in Ram: Read Now
Do not keep sensitive data (e.g., encryption keys) in RAM longer than required.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
3 InsecureCommunication
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Insecure communication refers to communications being sent in cleartext as well as other insecure methods.
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information.
SwiftKey vulnerabilities(CVE-2015-4640 & CVE-2015-4641)
Best practice:
Fully validate SSL/TLS
An application not properly validating its
connection to the server is susceptible to a
man-in-the-middle attack by a privileged
network attacker.
Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
4 InsecureAuthentication
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Mobile apps need to securely identify a user and maintain that user’s identify, especially when users are calling and sending sensitive data such as financial information.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Best practice:
Hide Account Numbers and Use Tokens
Given the widespread use of mobile apps in public places, displaying partial numbers (e.g. *9881) can help ensure maximum privacy for this information. Unless there is a need to store the complete number on the device, store the partially hidden numbers.
Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
5 InsufficientCryptography
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
The process behind encryption and decryption may allow a hacker to decrypt sensitive data.
The algorithm behind encryption and decryption may be weak in nature.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
6 InsecureAuthorization
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Insecure authorization refers to the failure of a server to properly enforce identity and permissions as stated by the mobile app.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Best practice:
Implement Proper Web Server Configuration
Certain settings on a web server can increase security. One commonly overlooked vulnerability on a web server is information disclosure. Information disclosure can lead to serious problems, because every piece of information attackers can gain from a server makes staging an attack easier.
Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
7ClientCodeQuality
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Risks that come from vulnerabilities like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Vulnerabilities in the Vitamio SDK
NowSecure: World Writable Code Is Bad, MMMMKAY
Test third party libraries
Third-party libraries can contain vulnerabilities
and weaknesses. Many developers assume
third-party libraries are well-developed and
tested, however, issues can and do exist in their
code.
Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
8CodeTampering
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
When attackers tamper with or install a backdoor on an app, re-sign it and publish the malicious version to third-party app marketplaces.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
● 50M downloads in 19 days on Android alone
● Within 3 days of initial release, malicious DroidJack software found on third-party app stores
● Remote Access Tool (RAT) can open a silent, backdoor for hackers
Source: The Hacker News
Let’s talk about PokemonGO
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Best practice:
Implement Anti-Tampering Techniques
Employ anti-tamper and tamper-detection techniques to prevent illegitimate applications from executing. Use checksums, digital signatures and other validation mechanisms to help detect file tampering.
Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
9ReverseEngineering
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Reverse engineering refers to the analysis of a final binary to determine its source code, libraries, algorithms, and more.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Best practice:
Increase Code Complexity and Use Obfuscation
Reverse engineering apps can provide valuable insight into how your app works. Making your app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors.
Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
10ExtraneousFunctionality
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Developers frequently include hidden backdoors or security controls they do not plan on releasing into production. This error creates risk when a feature is released to the wild that was never intended to be shared.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
● Manufacturer of hardware chips and processors for mobile devices
● A debug tool, left open for carriers to test network connections, was left open on shipped devices
Source: The Hacker News
MediaTek example
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Best practice:
Carefully Manage Debug Logs
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack.
Read Now
Review the NowSecure Secure Mobile Development Best Practices in their entirety:
Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
● You can view the repo on Github here:
https://github.com/nowsecure/secure-mobile-development
● Our team welcomes additions to benefit the mobile community
Contribute to our Github repo
Questions?
Connect any time:@NowSecureMobilewww.nowsecure.com
Learn more about developing secure Android and iOS apps with the NowSecure Secure Mobile Development Best Practices:
books.nowsecure.com/secure-mobile-development/