Security in Mobile Apps

A short presentation about security topics for app developers. Using the learnings from the http://tiqr.org project, we look at the security features that Android and iOS offer.

Delivered on April 19, 2012 as part of the #appril initiative.

Ivo Jansch

April 25, 2012
Transcript

  1. Why is Mobile Security Important?
     ‣ We deal with data
     ‣ Websites run on our servers, apps run on our users’ hardware
       • Out of our control
     ‣ Our users deal with third party services
       • Even more out of our control
  2. Sandboxing
     ‣ Apps only have access to their own data
     ‣ Access is based on OS user ID
     ‣ Further protected by application signature
  3. Permission Models
     ‣ Android uses permissions
     ‣ Apple: only for GPS and push, but “We’re working to make this even better for our customers”
  4. Storage + Secure Storage (iOS)
     ‣ Device Storage
       • Apps have their own location, within sandbox
     ‣ Secure Storage
       • Hardware Encryption (passcode lock)
       • Sandboxed Keychain
  5. Storage + Secure Storage (Android)
     ‣ USB Storage
       • External storage, sharable between apps
     ‣ Device Storage
       • Apps have their own location, within sandbox
     ‣ Secure Storage
       • Java KeyStores with strong encryption algorithms
       • Unfortunately no hardware encrypted storage like iPhone
       • Note: Honeycomb/ICS do have ‘whole device encryption’
  6. So we don’t have to worry, right?
     ‣ Can I now securely store data?
       • Is sandboxing a solution? -> Not when device is rooted
       • Is device storage a solution? -> Not when device is rooted
  7. With common answers
     - Huh?
     - Don’t store secrets!
     - Don’t use OAuth!
     - Obfuscate
     - Encrypt
  8. Validate input!
     ‣ Don’t trust ANY input
       • Data entered by the user
       • Data entered by other apps
       • Data retrieved from an API
       • Data retrieved from ....
     ‣ Don’t think ‘SQL Injection’ is only a concern for web developers
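The point of the “Validate input!” slide, as an added example that is not from the talk or the tiqr project: an app’s local SQLite store queried with an untrusted value (a constructed “owner” string such as another app, a deep link or an API response might supply), first by string concatenation and then with an allow-list check plus a bound parameter. Python’s sqlite3 module stands in for the platform database APIs; the table and its rows are constructed sample data.

```python
import re
import sqlite3

# Allow-list for an account name: the first line of defence the slide asks for (assumed format).
OWNER_RE = re.compile(r"^[a-z0-9_]{1,32}$")

# Constructed input, as another app, a deep link or an API response might hand it to us.
UNTRUSTED_OWNER = "alice' OR '1'='1"


def make_db():
    """Build a small in-memory stand-in for an app's sandboxed SQLite store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice's note"), ("bob", "bob's private note")],
    )
    conn.commit()
    return conn


def notes_for_unsafe(conn, owner):
    """Vulnerable form: the untrusted value is pasted straight into the SQL text."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def is_valid_owner(owner):
    """Validate before use: reject anything outside the allow-list."""
    return bool(OWNER_RE.match(owner))


def notes_for_safe(conn, owner):
    """Hardened form: validate, then pass the value as a bound parameter, never as SQL."""
    if not is_valid_owner(owner):
        return []  # refuse to query; a real app would surface an input error instead
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", notes_for_unsafe(db, UNTRUSTED_OWNER))  # returns every row, not just alice's
    print("safe:  ", notes_for_safe(db, UNTRUSTED_OWNER))    # rejected by the allow-list
```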
  9. Recommended Reading
     ‣ ISBN: 2147483647
     ‣ Authors:
       • Himanshu Dwivedi
       • Chris Clark
       • David Thiel
     ‣ Covers:
       • Android
       • Apple
       • WinMo
  10. Credits
     ‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/
     ‣ ‘Locker (KHS up close)’ by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/
     ‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/