Secure your mobile apps
Posted on 14-Jun-2015
Secure your mobile apps
Noé Beuret, Marc-Henri Primault
WHY DOES YOUR APP NEED SECURITY?
Source: IBM Software
Apple reveals government data request (6 Nov. 2013)
iOS Banking Apps Riddled with Holes (17 Jan. 2014)
Apple security flaw allows to beat encryption (22 Feb. 2014)
Through 2015, more than 75% of mobile Apps will fail basic security tests
75% OF SECURITY BREACHES COME FROM MOBILE APP MISCONFIGURATION (GARTNER)
WHY ARE APPS NOT SECURE ENOUGH?
New technologies
• Heterogeneous OS platforms
• New version every year
Developers
• Focus on features, not security
• Unaware of underlying flaws
Mobile security
• Hard to build knowledge
• Only for a few products
• Penetration testing costs
MOBILE SECURITY CHALLENGES
SENSITIVE DATA
INSECURE CONNECTION
INSECURE DEVICE
INSECURE CLOUD STORAGE
INSECURE APPS
THREATS
Threats: Access to local data
• Physical access
• Malware
• Code
• Jailbreak
DATA COMM
iOS - iExplorer
Best practices
• Do I need to store the data?
• Store in RAM when it is possible
• Use the basic protection provided by the OS
• Encrypt all sensitive information
• Clean keys from the memory
• Never save the keys or password without protection
Jailbreak detection
Best practices
• Never use the password directly
Password → Derivation + Hash
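The "Password → Derivation + Hash" rule above, and the earlier "never save the keys or password without protection", as an added example that is not part of the deck: the password is only ever fed through a key-derivation function, and what the app keeps is the salt, the iteration count and the derived hash. PBKDF2-HMAC-SHA256 and the record layout are this example's own choices, not something the slides prescribe.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; keep the iteration count as high
# as the device's login latency tolerates, and raise it over time.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2-sha256"


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Turn a user password into a fixed-size key with PBKDF2-HMAC-SHA256.

    The derived key, never the raw password, is what the app stores or
    hands to an encryption routine as key material.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def make_record(password: str) -> str:
    """Build the only value that may be persisted: scheme, iterations, salt, hash."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = derive_key(password, salt)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record, never treat as a match
    if scheme != SCHEME:
        return False
    candidate = derive_key(password, salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = make_record("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Two records for the same password differ because each carries its own salt, so a leaked database gives no cross-user or precomputed-table shortcut.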
Threats: Communication
Man in the Middle Attack
1. Intercept traffic with different attacks
• ARP Poisoning
• Rogue access points
• Evil Twin Attack
2. Eavesdrop clear packets
3. Eavesdrop SSL packets
• SSL Stripping
• Malicious SSL certificate
SSL Stripping
GET http://mybank.com
302: https://mybank.com
200 OK http://mybank.com (HTTPS links replaced by HTTP)
CONNECT https://mybank.com

Malicious SSL Certificate
GET http://mybank.com
302: https://mybank.com
SSL Handshake
200 OK https://mybank.com
CONNECT https://mybank.com
Demo
Protection Measures: Use SSL / TLS over HTTP
• Integrity
• Confidentiality
Protection Measures: HTTPS best practices
• Always use a full HTTPS URL
• Whenever possible, self-signed certificates should be forbidden
• If not possible, DO NOT trust everything!
• Trust only your certificate by doing SSL Pinning
Proxy
• Integrity
• Confidentiality
• Anonymity
VPN
• Integrity
• Confidentiality
• Authentication
• Anonymity
• Internal network access
QUICK WINS
Storage
• SQLCipher for Android: Encrypted SQLite databases (sqlcipher/android-database-sqlcipher)
• IOCipher: Virtual Encrypted Disks (guardianproject/IOCipher)
Code analysis
• RootTools: Basic root detection (stericson/RootTools)
• ProGuard: Obfuscation & shrinker tool (http://proguard.sourceforge.net)
QUICK WINS
Storage
• SQLCipher for iOS: Encrypted SQLite databases (sqlcipher/sqlcipher)
• iOS-Crypto-API: Wrapper over the Security framework (cstaylor/iOS-Crypto-API)
Network communication
• ADVCertificator: SSL certification (http://www.advtools.com/Products/ADVcertificator.html)
Code analysis
• ADVDetector: Jailbreak detection (http://www.advtools.com/Products/ADVdetector.html)
QUICK WINS
TECHNOLOGY
Framework
YOUR APP + Framework = SECURE APP
SENSE
• Encrypted storage
• Encrypted communication
• Proxy HTTP
• Keys manager
• Identity manager
• Jailbreak detection
• Data leakage prevention
• Do not underestimate security of your app
• Think about which security level you really need
• Implement best practices
• Review, test and audit your code
CONCLUSION
THANK YOU FOR YOUR ATTENTION
Contact
Sysmosoft SA, Rue Galilée 6, 1400 Yverdon-les-Bains, Switzerland
info@sysmosoft.com, +41 24 524 10 36
General: https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/
Android
iOS: http://www.raywenderlich.com/45645/ios-app-security-analysis-part-1
iOS: http://resources.infosecinstitute.com/ios-application-security-part-1-setting-up-a-mobile-pentesting-platform/
LINKS