Developing Secure Mobile Apps by Alexandru Catariov (Endava)
Post on 21-Oct-2014
TRANSCRIPT
Developing Secure Mobile Apps
Alexandru Catariov
IN YOUR ZONE 2
What is Information Security?
How much is the mobile world exposed?
[Diagram: arrows labelled "Attack" converging on the mobile device from several directions]
Connected to internet and other computer networks
Many apps store data locally…
…to improve user experience, to save traffic, or for temporary use
There is a lot of user data
Many sensitive data inputs
…and last but not least, mobile is physically more vulnerable
The good news is that mobile OSes take measures to increase security…
• Sandboxing
• User permissions
• Protected APIs
• Encrypted file system
• App signing
• Remote wipe
…but the bad news is that the army of bad guys grows as well
• Rooting or jailbreaking
• Malware
• Viruses
• Spoofing
• Tampering
"The primary data type targeted by attackers in 2012, as in 2011, was customer records (cardholder data, personal information, email addresses)."
96%
Source: 2013 Global Security Report
The number of mobile malware samples is rising very fast. The notable one: Toll Fraud.
[Chart: share of mobile malware by type (Toll Fraud malware, Other malware, Spyware), in %, Q3 2011 to Q2 2012]
What can you as a developer do?
• Use cryptography
• Use a hash function such as MD5, SHA-1, etc.
• Use the local KeyChain or KeyStore, but do not rely on them alone
Avoid storing or sending confidential/sensitive data…
…and where you must, do not use a plain (unencrypted) format
Ensure secure storage
• Use the app sandbox
• Use internal storage
• Clear temporary data after use
• Use cryptography
• Perform input validation
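Slides 14 and 15 together describe one pattern: never write sensitive data to disk in plain format, keep the key in the platform KeyStore, stay inside the app sandbox, and clear temporary data after use. The Android helper below is an added example written for this page, not code from the talk; it assumes API 23 or later (KeyGenParameterSpec), and the key alias and file name are hypothetical.

```java
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.*;
import java.security.KeyStore;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

/** Keeps a secret on disk only in encrypted form; the AES key never leaves AndroidKeyStore. */
public final class SealedStore {
    private static final String ALIAS = "sealed_store_key"; // hypothetical key alias
    private static final String FILE = "sealed.bin";        // hypothetical app-private file name

    private static SecretKey key() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore"); ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey(); // non-exportable: the sealed file alone is useless without the device
    }

    /** Encrypts and writes IV || ciphertext into the app sandbox (MODE_PRIVATE). */
    public static void save(Context ctx, byte[] secret) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key());   // Keystore supplies a fresh random IV per call
        byte[] iv = c.getIV(), ct = c.doFinal(secret);
        try (OutputStream out = ctx.openFileOutput(FILE, Context.MODE_PRIVATE)) {
            out.write(iv.length); out.write(iv); out.write(ct);
        }
    }

    public static byte[] load(Context ctx) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = ctx.openFileInput(FILE)) {
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
        }
        byte[] blob = buf.toByteArray();
        int ivLen = blob[0] & 0xff;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(128, blob, 1, ivLen));
        return c.doFinal(blob, 1 + ivLen, blob.length - 1 - ivLen); // AEADBadTagException if tampered
    }

    /** "Clear temporary data after use": delete the sealed file when the session ends. */
    public static boolean wipe(Context ctx) { return ctx.deleteFile(FILE); }
}
```

Because the key is generated inside the hardware-backed keystore and marked non-exportable, copying the app's private directory from a rooted or jailbroken device yields only ciphertext, and any modification of the file is caught by the GCM tag check on load.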
Apply the OWASP Top 10 to secure interaction with servers
• Strong authorization & authentication
• Ensure proper session handling
• Strong encryption
• Validate untrusted input
Interprocess communication can also be vulnerable
• Avoid using network sockets and shared files
• Use OS mechanisms instead
Apply anti-debug and anti-reversing measures
• Obfuscation
• Remove logging code
• Don't use hardcoded sensitive data
• Don't implement custom encryption
Perform security testing
• Test on a jailbroken or rooted device
• Use static code analysis tools (Fortify, Veracode)
You cannot be 100% safe…
…but you can make it hard – Defense in Depth
[Illustration of nested layers: Oak > Chest > Rabbit > Duck > Egg > Needle]
Resources
• Security Best Practices for Android developers: https://developer.android.com/guide/practices/security.html
• iOS Security Overview: https://developer.apple.com/library/ios/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html
• OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• Trustwave SpiderLabs blog: http://blog.spiderlabs.com
Alex Catariov | Development Discipline [email protected] +373 79400205|Skype alex.catariov
Thank you