Secure App Development on iOS and Android

Secure App Development on Mobile Platforms

Mohit Mathur, Senior Software Engineer, Symantec

September 10th, 2011


Goal of the Session

1. Myths about Data Security on Smartphones

2. How to Develop a Secure Application?


Agenda

1. Popular Smartphone Platforms - iOS & Android

2. Data Storage Options available on iOS and Android

3. Myths about Data Security on Smartphones

4. How to really Safeguard your Data?

5. Conclusion


Popular Smartphone Platforms


Data Storage Options Available

• iOS Keychain:

– Storage area available on iOS devices.

– Gets preserved across app re-installation.

– Data lives in the keychain for eternity once saved.

• Android Internal Storage:

– Store private data on the device memory.

– Files saved to the internal storage are private to your application.

– When the user uninstalls the application, the associated files are removed.


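Data Storage Options Available

• iOS Keychain:

    // Create the keychain item query
    NSMutableDictionary *addQuery = [[NSMutableDictionary alloc] init];
    // SecItemAdd needs an item class; a generic password item is used here
    [addQuery setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
    // Add data to the keychain
    [addQuery setObject:data forKey:(id)kSecValueData]; // data is an NSData *
    OSStatus status = SecItemAdd((CFDictionaryRef)addQuery, NULL);

• Android Internal Storage:

    // Create the file (filesDir is the app's private files directory)
    File file = new File(filesDir, "myData");
    // Add data to the file
    DataOutputStream dos = new DataOutputStream(new FileOutputStream(file));
    dos.write(data); // byte[]
    dos.close();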


Myths about Data Security on Smartphones

• Security features provided by iOS & Android:

– Passcode

– Hardware Encryption

– Encrypted Keychain

– “Just” Delete your Data

– Relying on User IDs and File Access


Myths about Data Security on iOS

• Passcode:

– Anyone with the right know-how can delete a file and your passcode goes away.

– All it takes is “ONE MINUTE” to do it.

Courtesy: Dark Myles. Source: YouTube


Myths about Data Security on iOS

• Hardware Encryption:

– Russian security outfit ElcomSoft has discovered a method that allows them to copy and decrypt the memory of iOS devices that have built-in hardware encryption.

– Using a special RAMDisk driver, they could boot the iOS device in DFU (Device Firmware Upgrade) mode.

– This exposes the data stored in the memory.

– Various keys to decrypt the data are extracted from the device by running special tools.

– ElcomSoft maintains that it will restrict its discovery only to law enforcement, forensic and intelligence organizations.

– But thousands of similar tools are already freely available on the internet for anyone to use.


Myths about Data Security on iOS

• Encrypted Keychain Backup:

– There are simple tools available on the internet which void the password set for taking an encrypted keychain backup.

– In no time, a hacker can access any file of your encrypted backup.

• Just “Delete” the Data:

– People who are already familiar with OS X raw disks know how to access deleted information, like email, images, voicemail and application data.

– The raw disk gives [hackers] access to the iPhone's entire file system, not just user data, including stuff that's not normally synchronized.

– Even if you delete data on any iOS device, it's not actually deleted.

– One should use Apple’s disk utility service to wipe an entire device clean.


Myths about Data Security on Android

• Relying on User IDs and File Access:

– Filesystem is still accessible to hackers.

– App data can easily be cloned.

Ever given this a thought?

Courtesy: Mohit


Myths about Data Security on Smartphones

• Let's revisit the security features provided by iOS & Android:

– Passcode

– Hardware Encryption

– Encrypted Keychain

– “Just” Delete your Data

– Relying on User IDs and File Access

• Relying on platform security features alone is not sufficient.


How to Really Safeguard your Data

• What does a typical mobile app need?

– Secure Local Device Storage.

– Secure Communication with Cloud.

– Share Data among Same Family of Apps.


How to Really Safeguard your Data

• Secure Data Storage:

– Use 3 levels of security:

o Encipher your Data with Stronger Encryption: Protection from Hacker.

o Tie Data to the Device: Strong Protection from Hacker.

o Sign your app: Protection from Malicious App.


How to Really Safeguard your Data

– Encrypt Data:

iOS - CCCrypt API of Security.h package

o Uses strong Encryption – AES with a 256-bit key.

o Supports CBC.


How to Really Safeguard your Data

– Encrypt Data:

Android - Bouncy Castle Crypto APIs

o Uses strong Encryption – AES with a 256-bit key.

o Supports CBC.

Steps of the encryption flow:

o Consume the key, salt and iteration count to initialize the generator.

o Generate the key and IV of the given size.

o Initialize the cipher engine; type – AES, padding – PKCS7.

o Indicate that it is an encryption flow.

o Allocate the byte array that will hold the cipher text.

o Encrypt the plaintext.

o Finalize the cipher text.


How to Really Safeguard your Data

– Tie Data to the Device:

Use Device Specific Unique Data as a part of your Encryption Key.

o iOS – MAC address or UDID

o Android – IMEI for GSM and the MEID or ESN for CDMA phones.
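
The Bouncy Castle encryption flow from the previous slide, combined with the device-binding idea above, as an added example (not the presenter's code). It assumes the Bouncy Castle lightweight API is on the classpath and that the caller supplies the device identifier; the class name, salt length, iteration count and sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.crypto.CipherParameters;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PKCS7Padding;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;

public class DeviceBoundStore {
    static final int SALT_LEN = 16, ITERATIONS = 10000; // assumed values, not from the slides
    // Passphrase + device ID feed the KDF: a record copied to another device derives another key.
    static CipherParameters derive(String pass, String deviceId, byte[] salt) {
        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator();
        byte[] secret = (pass + '\0' + deviceId).getBytes(StandardCharsets.UTF_8);
        gen.init(secret, salt, ITERATIONS);             // key, salt and iteration count
        return gen.generateDerivedParameters(256, 128); // 256-bit AES key, 128-bit IV
    }
    static byte[] run(boolean enc, CipherParameters p, byte[] in, int off, int len) throws Exception {
        PaddedBufferedBlockCipher c = new PaddedBufferedBlockCipher(
                new CBCBlockCipher(new AESEngine()), new PKCS7Padding());
        c.init(enc, p);                                 // true = encryption flow
        byte[] out = new byte[c.getOutputSize(len)];    // holds the cipher text (or plaintext)
        int n = c.processBytes(in, off, len, out, 0);
        return Arrays.copyOf(out, n + c.doFinal(out, n)); // doFinal handles the padded last block
    }
    static byte[] seal(String pass, String deviceId, byte[] plain) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);             // fresh salt per record: fresh key and IV
        byte[] ct = run(true, derive(pass, deviceId, salt), plain, 0, plain.length);
        byte[] rec = Arrays.copyOf(salt, SALT_LEN + ct.length); // record = salt || ciphertext
        System.arraycopy(ct, 0, rec, SALT_LEN, ct.length);
        return rec;
    }
    static byte[] open(String pass, String deviceId, byte[] rec) throws Exception {
        byte[] salt = Arrays.copyOf(rec, SALT_LEN);
        return run(false, derive(pass, deviceId, salt), rec, SALT_LEN, rec.length - SALT_LEN);
    }
    public static void main(String[] a) throws Exception {
        byte[] plain = "token=abc".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] rec = seal("passphrase", "DEVICE-ID-A", plain);
        System.out.println(Arrays.equals(plain, open("passphrase", "DEVICE-ID-A", rec)));
        try { // other device ID: padding error or garbage, never the plaintext
            System.out.println(Arrays.equals(plain, open("passphrase", "DEVICE-ID-B", rec)));
        } catch (InvalidCipherTextException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

CBC with PKCS7 padding gives confidentiality only, so a wrong key or a modified record is not always reported as an error; callers should not treat a successful `open` as proof of integrity.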


How to Really Safeguard your Data

– Sign your App:

iOS:

o Use Apple issued Signing Certs & Provisioning Profiles.

o In Xcode, under Project > Edit Project Settings > Build > Code Signing Identity, select your Cert to sign your app file.

Android:

o Use Signing Certs issued by any CA (like Symantec).

o Symantec issues Signing Cert @ $499/year Subscription Charge (https://www.verisign.com/code-signing/sun-java/index.html?sl=productdetails).

o Use <signjar> ant task in build.xml to sign your apk file.

– Platform enforces data sand-boxing for your app.

– Malicious app cannot access your app data as it's not signed by the same certificate.


How to Really Safeguard your Data

• Secure Communication with Cloud:

– Use HTTPS protocol.

o iOS – NSURLConnection + HTTPS Protocol

o Android – javax.net.ssl.HttpsURLConnection

– Identify list of supported cipher suites and enable only strong ciphers. Example – TLS_RSA_WITH_AES_256_CBC_SHA

o iOS – CFNetwork Framework.

o Android – SSLEngine.h [getSupportedCipherSuites(), setEnabledCipherSuites()]

– Use MAC (Message Authentication Code) to identify that the request is coming from a legitimate client.
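
The cipher-suite restriction and the request MAC from this slide, as an added example using only standard JDK classes (not the presenter's code). The class and method names, the per-client key, the request fields and the 300-second freshness window are assumptions; the allow-list is the caller's policy, and the sample reuses the suite named on the slide.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLEngine;

public class HardenedChannel {
    // Enable only suites that are on the allow-list AND supported by this platform.
    static String[] strongSuites(String[] supported, List<String> allow) {
        List<String> keep = new ArrayList<>(allow);
        keep.retainAll(Arrays.asList(supported));
        if (keep.isEmpty()) throw new IllegalStateException("no allow-listed suite supported");
        return keep.toArray(new String[0]);
    }

    static void restrict(SSLEngine engine, List<String> allow) {
        engine.setEnabledCipherSuites(strongSuites(engine.getSupportedCipherSuites(), allow));
    }

    // Request MAC: HMAC-SHA256 over method, path, timestamp and body with a per-client key.
    static byte[] tag(byte[] key, String method, String path, long ts, byte[] body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update((method + "\n" + path + "\n" + ts + "\n").getBytes(StandardCharsets.UTF_8));
        return mac.doFinal(body);
    }

    // Server side: reject stale timestamps, then compare tags in constant time.
    static boolean verify(byte[] key, String method, String path, long ts, byte[] body,
                          byte[] got, long now, long maxSkewSec) throws Exception {
        if (Math.abs(now - ts) > maxSkewSec) return false;
        return MessageDigest.isEqual(tag(key, method, path, ts, body), got);
    }

    public static void main(String[] a) throws Exception {
        String[] supported = {"TLS_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5"}; // constructed
        System.out.println(Arrays.toString(
                strongSuites(supported, Arrays.asList("TLS_RSA_WITH_AES_256_CBC_SHA"))));
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] body = "{\"amount\":10}".getBytes(StandardCharsets.UTF_8);
        byte[] t = tag(key, "POST", "/v1/pay", 1000L, body);
        System.out.println(verify(key, "POST", "/v1/pay", 1000L, body, t, 1010L, 300L));
        System.out.println(verify(key, "POST", "/v1/refund", 1000L, body, t, 1010L, 300L));
    }
}
```

`strongSuites` fails closed: if none of the allow-listed suites is supported, the connection is refused instead of falling back to the platform defaults.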


How to Really Safeguard your Data

• Share Data among Same Family of Apps:

– iOS:

o App ID = <Bundle Seed ID>.<Bundle Identifier>. The Bundle Seed ID must be the same for all the apps of your family.

o App IDs should be added to Entitlement.plist file in Xcode.

o Add kSecAttrAccessGroup attribute to your keychain.

o All the apps MUST be signed with the same certificate.


How to Really Safeguard your Data

• Share Data among Same Family of Apps:

– Android:

o Add “sharedUserId” attribute value in the AndroidManifest.xml.

o Sign all the apps with the same certificate.


Conclusion

• Do not completely rely on security features provided by the platform.

• Enforce Stronger Security:

– Encipher your data with stronger encryption.

– Tie data to the device.

– App Signing.

– Eliminate weak SSL cipher suites for your platform.

– Securely share data among family of applications.


VIP Access

• VIP = Validation & ID Protection.

• Provides OATH Compliant Second Factor Authentication.

• Protects your online accounts by requiring a security code -- in addition to your user name and password -- for safe and secure account access.

• App available both for Consumer and Enterprise users.

• Supports around 800+ Mobile Devices across the globe.

• To get your own VIP Credential for FREE, log-on to the following URL from your mobile browser: m.verisign.com

• For more information, visit: idprotect.verisign.com


Q&A


Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Mohit [email protected]