Security in Mobile Apps

Transcript

1. http://www.egeniq.com [email protected] @egeniq Appril Meetup, 19 April 2012 Ivo Jansch

   - @ijansch Security in Mobile Apps Android and iOS

2. About Me @ijansch Developer Author Entreprenerd iOS/Android/PHP 2

3. About Egeniq Mobile Tech Knowledge Geeks Development 3

4. Tiqr - Learning about Mobile Security 4 1 2 3

   4 5 6 http://www.tiqr.org

5. A Use Case 5 Mobile App Third Party Services Server

   backend

6. Why is Mobile Security Important? ‣We deal with data ‣Websites

   run on our servers, apps run on our user’s hardware • Out of our control ‣Our users deal with third party services • Even more out of our control 6

7. Security in the major platforms 7

8. Sandboxing ‣Apps only have access to their own data ‣Access

   is based on OS user ID ‣Further protected by application signature 8

9. Permission Models ‣ Android uses permissions: ‣ Apple: only for

   GPS and push, but “We’re working to make this even better for our customers” 9

10. Storage + Secure Storage iOS ‣Device Storage • Apps have

    their own location, within sandbox ‣Secure Storage ‣ Hardware Encryption (passcode lock) ‣ Sandboxed Keychain 10

11. Storage + Secure Storage Android ‣USB Storage • External storage,

    sharable between apps ‣Device Storage • Apps have their own location, within sandbox ‣Secure Storage • Java KeyStores with strong encryption algorithms • Unfortunately no hardware encrypted storage like iPhone ‣ Note: Honeycomb/ICS do have ‘whole device encryption’ 11

12. So we don’t have to worry, right? ‣Can I now

    securely store data? • Is sandboxing a solution? -> Not when device is rooted • Is device storage a solution? -> Not when device is rooted 12

13. It’s a common question Stackoverflow search for ‘store secrets android’:

    13

14. With common answers - Huh? - Don’t store secrets! -

    Don’t use OAuth! - Obfuscate - Encrypt 14

15. Know what? I’ll just use a library 15

16. Securing Data In Your Code 1. Encryption 16

17. Encryption (Android) 17

18. Encryption (Android) 18

19. Encryption (Android) 19

20. Encryption (iOS) 20

21. Encryption (iOS) 21

22. Securing Data In Your Code 2. KeyStores & KeyChains 22

23. Using the KeyStore (Android) 23

24. Using the KeyStore (Android) 24

25. Using the KeyChain (iOS) 25

26. Secure Your Code 26

27. Validate input! ‣Don’t trust ANY input • Data entered by

    the user • Data entered by other apps • Data retrieved from an API • Data retrieved from .... ‣Don’t think ‘SQL Injection’ is only a concern for web developers 27

28. Buffers 28 ‣Especially when moving down to C level constructs,

    be wary...

29. Conclusion It’s all about awareness 29

30. Recommended Reading ‣ ISBN: 2147483647 ‣ Authors: • Himanshu Dwivedi

    • Chris Clark • David Thiel ‣ Covers: • Android • Apple • WinMo 30

31. Thank you! Questions? http://www.egeniq.com [email protected] @egeniq http://www.egeniq.com [email protected] @ijansch

32. Credits ‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/

    ‣ ‘Locker (KHS up close) by Travis Hymas - http://www.flickr.com/photos/ travishasphotos/3481640534/ ‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/