Secure your mobile apps

Posted on 14-Jun-2015

Category:

Mobile


DESCRIPTION

Why and how to secure a mobile application.

TRANSCRIPT

Secure your mobile apps

Noé Beuret

Marc-Henri Primault

WHY DOES YOUR APP NEED SECURITY?

Source: IBM Software

Apple reveals government data requests (6 Nov. 2013)

iOS banking apps riddled with holes (17 Jan. 2014)

Apple security flaw allows attackers to beat encryption (22 Feb. 2014)

Through 2015, more than 75% of mobile apps will fail basic security tests (Gartner)

75% of mobile security breaches come from mobile app misconfiguration (Gartner)

WHY ARE APPS NOT SECURE ENOUGH?

New technologies
• Heterogeneous OS platforms
• New version every year

Developers
• Focus on features, not security
• Unaware of underlying flaws

Mobile security
• Hard to build knowledge
• Only for a few products
• Penetration testing costs

MOBILE SECURITY CHALLENGES

SENSITIVE DATA

INSECURE CONNECTION

INSECURE DEVICE

INSECURE CLOUD STORAGE

INSECURE APPS

THREATS

Threats - Access to local data

• Physical access
• Malware
• Code
• Jailbreak

DATA COMM

iOS - iExplorer


Best practices

Do I need to store the data?

Store in RAM when it is possible

Use the basic protection provided by the OS

Encrypt all sensitive information

Clean keys from the memory

Never store keys or passwords without protection


Jailbreak detection

Best practices

Never use the password directly:

Password -> Derivation + Hash
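The two slides above (store nothing you do not need, never store a key or password unprotected, clean keys from memory, and never use the password directly) combined into one runnable pattern. This is an added example, not code from the talk: the password is run through PBKDF2 (the derivation step) to obtain the key that would protect local data, and only a hash of that key is persisted (the hash step), so neither the password nor the key ever reaches storage. The iteration count, salt length and the dictionary standing in for the on-device store are assumptions.

```python
# Added example (not code from the talk): password -> derivation -> hash,
# plus the storage rules from the previous slide (never persist the password
# or the key, wipe key material when done). ITERATIONS, SALT_BYTES and the
# dict used as the "on-device store" are assumptions.
import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 600_000   # assumption: raise until derivation costs ~0.5 s on the slowest target device
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytearray:
    """Derivation step: PBKDF2-HMAC-SHA256 turns the password into a key.
    Returned as a bytearray so the caller can wipe it in place afterwards."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return bytearray(key)


def wipe(buf: bytearray) -> None:
    """'Clean keys from the memory': overwrite the buffer in place.
    Best effort in Python; immutable copies (bytes) cannot be cleared."""
    for i in range(len(buf)):
        buf[i] = 0


def make_verifier(password: str, iterations: int = ITERATIONS) -> Dict[str, bytes]:
    """Hash step: the only thing the app may persist. The derived key is
    what protects local data; a hash of it lets the app check the password
    later without keeping either the password or the key on disk."""
    salt = os.urandom(SALT_BYTES)
    key = derive_key(password, salt, iterations)
    try:
        digest = hashlib.sha256(key).digest()   # hashlib accepts a bytearray directly
    finally:
        wipe(key)
    return {"salt": salt, "iterations": iterations.to_bytes(4, "big"), "hash": digest}


def unlock(password: str, verifier: Dict[str, bytes]) -> bytearray:
    """Re-derive from the stored salt, compare the hash in constant time and
    hand back the data key only on success. The caller must wipe() it."""
    iterations = int.from_bytes(verifier["iterations"], "big")
    key = derive_key(password, verifier["salt"], iterations)
    if not hmac.compare_digest(hashlib.sha256(key).digest(), verifier["hash"]):
        wipe(key)
        raise ValueError("wrong password")
    return key


def check_password(password: str, verifier: Dict[str, bytes]) -> bool:
    """Convenience check that never leaves the key lying around."""
    try:
        key = unlock(password, verifier)
    except ValueError:
        return False
    wipe(key)
    return True
```

The salt and iteration count are stored next to the hash on purpose: they are not secret, and keeping the count with the record lets you raise ITERATIONS for new users without invalidating existing ones.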


Threats - Communication

Man in the Middle attack

1. Intercept traffic with different attacks
• ARP poisoning
• Rogue access points
• Evil twin attack

2. Eavesdrop on clear-text packets

3. Eavesdrop on SSL packets
• SSL stripping
• Malicious SSL certificate


SSL Stripping (attacker between the victim and mybank.com)

Victim -> Attacker : GET http://mybank.com
Attacker -> Server : GET http://mybank.com
Server -> Attacker : 302 : https://mybank.com
Attacker <-> Server : SSL Handshake
Server -> Attacker : 200 OK https://mybank.com
Attacker -> Victim : 200 OK http://mybank.com (HTTPS links replaced by HTTP)

The victim never sees the redirect to HTTPS: the attacker speaks TLS to the bank and plain HTTP to the victim, and every link in the page is rewritten so the next requests also arrive in clear.

Malicious SSL Certificate

Victim -> Attacker : CONNECT https://mybank.com
Attacker -> Server : CONNECT https://mybank.com

Here the attacker terminates TLS towards the victim with a certificate it controls and opens its own TLS session to the server. If the app accepts that certificate, the attacker reads and modifies the decrypted traffic.
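The stripping exchange above as a transform over HTTP messages, plus the client-side checks that defeat it. This is an added example written for this talk, not code from the slides: the two server responses are constructed samples, mybank.com is the placeholder host from the diagram, and the Strict-Transport-Security header (not on the slide) is included because a real stripping proxy also has to remove it.

```python
# Added example, not code from the talk: SSL stripping as a rewrite of the
# server's responses, and the app-side checks ("always use a full HTTPS URL",
# treat a downgrade as an attack, not as content). Sample traffic is constructed.
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed samples: what the real server sends back to the attacker.
SERVER_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://mybank.com/\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)
SERVER_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form action="https://mybank.com/login" method="post">'
    '<a href="https://mybank.com/help">Help</a></form>'
)


def split_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP response into status line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def strip_ssl(raw: str) -> str:
    """Attacker side: the attacker keeps the HTTPS session to the bank and
    hands the victim a plaintext copy in which every https:// became http://
    and the HSTS header is gone, so the victim's next requests are in clear."""
    status, headers, body = split_response(raw)
    headers.pop("strict-transport-security", None)
    if "location" in headers:
        headers["location"] = re.sub(r"^https://", "http://", headers["location"])
    body = body.replace("https://", "http://")
    head = "\r\n".join([status] + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body


def plaintext_links(body: str, host: str) -> List[str]:
    """Links back to our own host that use http:// instead of https://."""
    found = re.findall(r"http://[^\s\"'<>]+", body)
    return [u for u in found if urlsplit(u).hostname == host]


def client_accepts(requested_url: str, response: str) -> bool:
    """App side: only ever request full https:// URLs, and reject a redirect
    or a same-host link that lands on http:// as a downgrade."""
    parts = urlsplit(requested_url)
    if parts.scheme != "https":
        return False                      # never start in clear
    _, headers, body = split_response(response)
    location = headers.get("location")
    if location and urlsplit(location).scheme != "https":
        return False                      # downgraded redirect
    return not plaintext_links(body, parts.hostname)
```

The check is deliberately strict about the app's own host: third-party http:// links are a separate question, but a login form or API endpoint on your own domain that suddenly appears over http:// is exactly what the attacker in the diagram produces.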


Demo


Protection measures

Use SSL / TLS over HTTP (HTTPS):
• Integrity
• Confidentiality


Protection measures

HTTPS: best practices

• Always use a full HTTPS URL
• Whenever possible, self-signed certificates should be forbidden
• If not possible, DO NOT trust everything!
• Trust only your certificate by doing SSL pinning
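What "do not trust everything" and "trust only your certificate" look like side by side, using only the Python standard library. This is an added example, not code from the talk or from a real app: PINNED_HOST and the two hex pins are placeholders (you would compute the real ones from your own certificate and your backup certificate), and the pin is taken over the whole DER certificate because parsing out the SubjectPublicKeyInfo needs an ASN.1 parser the standard library does not provide.

```python
# Added example (not code from the talk): certificate pinning on top of
# normal chain validation, beside the "trust everything" anti-pattern.
# PINNED_HOST and PINNED_SHA256 are placeholders, not real values.
import hashlib
import socket
import ssl
from typing import Iterable

PINNED_HOST = "api.example.com"          # assumption: the app's own backend
PINNED_SHA256 = {                        # assumption: current cert + backup cert
    "0000000000000000000000000000000000000000000000000000000000000000",
    "1111111111111111111111111111111111111111111111111111111111111111",
}


def cert_pin(der: bytes) -> str:
    """Pin = lowercase hex SHA-256 over the leaf certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins: Iterable[str]) -> bool:
    return cert_pin(der) in {p.lower() for p in pins}


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern the slide warns against: no name check, no chain
    check, so the attacker's malicious certificate is accepted silently."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_context() -> ssl.SSLContext:
    """Hardened: system trust store, hostname check, TLS 1.2 minimum.
    Pinning is added on top of this after the handshake, never instead of it."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(host: str = PINNED_HOST, port: int = 443,
                   pins: Iterable[str] = PINNED_SHA256, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate the
    server actually presented is one of ours. A MITM with a certificate
    that passes chain validation still fails here."""
    ctx = pinned_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}: {cert_pin(der)}")
    return tls
```

Pinning the full certificate means every renewal needs an app update that knows the new pin, which is why a backup pin is in the set from day one. In a shipped app this logic belongs in the platform TLS stack rather than in a Python client, but the check itself is the same: validate the chain first, then compare the presented leaf against your own pins.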


Proxy
• Integrity
• Confidentiality
• Anonymity

VPN
• Integrity
• Confidentiality
• Authentication
• Anonymity
• Internal network access


QUICK WINS (Android)

Storage
• SQLCipher for Android: encrypted SQLite databases (sqlcipher/android-database-sqlcipher)
• IOCipher: virtual encrypted disks (guardianproject/IOCipher)

Code analysis
• RootTools: basic root detection (stericson/RootTools)
• ProGuard: obfuscation and shrinker tool (http://proguard.sourceforge.net)

QUICK WINS (iOS)

Storage
• SQLCipher for iOS: encrypted SQLite databases (sqlcipher/sqlcipher)
• iOS-Crypto-API: wrapper over the Security framework (cstaylor/iOS-Crypto-API)

Network communication
• ADVcertificator: SSL certificate validation (http://www.advtools.com/Products/ADVcertificator.html)

Code analysis
• ADVdetector: jailbreak detection (http://www.advtools.com/Products/ADVdetector.html)

QUICK WINS

SENSE framework

YOUR APP + FRAMEWORK (TECHNOLOGY) = SECURE APP

SENSE provides: encrypted storage, encrypted communication, HTTP proxy, key manager, identity manager, jailbreak detection, data leakage prevention.

CONCLUSION

• Do not underestimate the security of your app
• Think about which security level you really need
• Implement best practices
• Review, test and audit your code

THANK YOU FOR YOUR ATTENTION

Contact

Sysmosoft SA
Rue Galilée 6 - 1400 Yverdon-les-Bains, Switzerland
info@sysmosoft.com
+41 24 524 10 36
