
Upgrading approaches to the secure mobile architectures

vixentael
April 25, 2016


If you can't tap on the link inside slides, please open as pdf (button on the right).

-------------------
-------------------

My talk at #appbuilders16 conference (https://appbuilders.ch/)

Mobile platforms present both new threats and new opportunities for system security. This presentation deals with modern approaches: how to protect data, which trust relationships emerge with mobile phones, how they affect traditional security layouts, and how mobile phones dictate important client-server relationships.

But, what’s more important, we talk about making these things a consistent system: how to think in order to pick the right tools, and which architectural patterns enforce security and minimize risks by design. We learn about the ideas of echelonized defence, compartmentation and risk control. We finish with an understanding of where we stand right now: in a security landscape that is rapidly changing, where mobile’s role is both dangerous and very important.

----------------------------------------

post

https://medium.com/@vixentael/upgrading-approaches-to-the-secure-mobile-architectures-7a8fcb10d28a



Transcript

  1. OR

  2. [Picture: virgin sight] network, backend logic, the app, server environment #appbuilders16 @vixentael
  3. [Picture: mobile focus] UI/UX, deliver fast!, GTD!, swift, boring crap, waste of life, maaaagic!, magic.., MVP!
  4. [Picture: security vision] source of trust, risk we control, sandbox, dragons, lots of risk even if app is good, easy to f*ck up
  5. The problem
     – bad cryptography
     – insecure APIs
     – plaintext traffic
     – data leakage
     – denial of service
     – remote jailbreak over bluetooth
     – stolen credentials
     – man-in-the-middle
  6. How bad is it? Like this:
     – Control Nissan LEAF via vulnerable APIs: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
     – Hacking cars using OnStar app to locate, unlock and remote start vehicles: http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/ and http://samy.pl/defcon2015/
     – what could possibly go wrong?
  7. iMessage
     – Recovery of Plaintext iMessage Data using Javascript: http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
     – Grab all your iMess attachments via key enumeration: http://blog.cryptographyengineering.com/2016/03/attack-of-week-apple-imessage.html
  8. This is how bad it is! iOS vulnerabilities by years (raw data from cvedetails.com): 2007: 1, 2008: 9, 2009: 27, 2010: 32, 2011: 37, 2012: 112, 2013: 90, 2014: 120, 2015: 384
  9. This is how bad it is!
     – >1500 vulnerable apps via flawed AFNetworking: http://blog.mindedsecurity.com/2015/03/ssl-mitm-attack-in-afnetworking-251-do.html
     – <10% popular apps use SSL pinning
  10. Our mindset is wrong a bit
     – “It works” != “It’s secure”
     – Mobile’s limited abilities require specific server behavior
     – Mobile is not traditional client-server
     – Design-driven development is frequently a security disaster
  11. Mobile is an odd thin client. Mobile considers itself in a proper client-server relationship, but:
     – Can server really address you by IP address?
     – Can server expect RFC behavior of your IP stack?
     – Can server and client share code and components with proper trust?
     – Is IPC / RPC behavior reciprocal between client and server?
     – Is client and server equal in their capacity for technical decisions?
  12. Mobile is an odd thin client (same questions as slide 11): NOPE ;)
  13. Mobile security is hard and yet undeveloped
     – Sophisticated problems security-wise
     – No well established techniques
     – Very blurred risk models
  14. Understand the strong sides
     – limited ecosystem
     – low collateral risk
     – things user has and you can trust
     – authentication/trust is quite good
     – data safety
     – almost network passive
     – narrowed threat scope
  15. Compartmentalization: limit the access to information to those who need to know it in order to perform certain tasks (store, secure, transmit, display)
  16. Do all classic things (read my previous slides: https://speakerdeck.com/vixentael/avoiding-damage-shame-and-regrets-data-protection-for-mobile-client-server-architectures)
     – Protect transport well, authenticate server, pin certificates
     – Authenticate everything
     – Encrypt everything in motion and at rest
     – Protect keys well
     – Then escalate with novel techniques
  17. End-to-end encryption 101
     – users own all keys
     – server can’t see anything important
     – transport keys are ephemeral
     – app state does not rely on server state
  18. Multi-factor authentication
     – things you have: phone device, sim card, ID docs, private/public key
     – things you know: password, address, answer to question
     – things you are: biometrics of all kinds
  19. Multi-factor authentication (same factors as slide 18): 2+ = MFA (have && know && are)
  20. Combining things: secure app v.1: SSL, storage encryption (both ends). Risks: data leakage, MiTM, weak SSL
  21. Combining things: secure app v.2: end-to-end encryption, storage encryption (both ends), ephemeral keys, protected transport. Risks: weak auth, blind trust
  22. Combining things: secure app v.3: end-to-end encryption, storage encryption (both ends), ephemeral keys, protected transport, MFA, ZKP
  23. Key points
     1. read these slides again, tapping on links
     2. read ‘Additional reading’
     3. read my previous presentations
     4. analyze your current system
     5. implement the techniques
     6. ???
     7. profit!
     …feel free to contact me
  24. Additional reading
     – Data Protection For Mobile Client-Server Architectures: https://medium.com/stanfy-engineering-practices/data-protection-for-mobile-client-server-architectures-6e6dcabd871a
     – How Apple Security works: http://mashable.com/2016/04/16/apple-security-explained/
     – Why you should avoid ssl for your next application: https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
     – Crypto in iOS: choose your destiny: https://cossacklabs.com/choose-your-ios-crypto.html
     – OWASP: iOS application security testing cheat sheet: https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet