[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction

Marc Obrador
November 14, 2019


Transcript

  1. Mobile App Security: A Developer's Introduction. Marc Obrador, Head of Product Architecture @ Build38
  2. Who am I? Marc Obrador, Head of Product Architecture @ Build38, Barcelona. marc@build38.com, @marcobrador, /in/marc-obrador. Build38 | Intro to Mobile App Security, November 2019
  3. The basics
  4. Mobile-first world. Why do I need to care about Mobile App Security?
    - Smartphone = untrusted device
    - Regulation (depending on market)
    [Chart: Desktop vs. Mobile, 2009–2020, y-axis 0–100. Source: www.gs.statcounter.com]
  5. What do I need to protect?
  6. What do I need to protect? It depends.
  7. What do I need to protect? User Data / Your Business / DRM
  8. How can I protect my app? Let’s first switch our perspective.
  9. The hacker’s perspective
    [Chart: Investment, Income and Cumulated Profit over months M1–M12]
  10. How can I protect my app?
  11. How can I protect my app? Make it unattractive for the hacker.
  12. How can I protect my app?
    [Chart: Investment, Income and Cumulated Profit over months M1–M12]
  13. How can I protect my app?
    [Chart: Investment, Income and Cumulated Profit over months M1–M12]
    1. Increase required investment: Obfuscation + Anti-reversing
    2. Reduce income: Diversification
    3. Force periodic investment: Renewability
  14. Some Common Threats (and their countermeasures)
  15. MITM (Man-in-the-Middle)
    - Risk for both user data and backend
    - It’s 2019 – use HTTPS!
    - But… might not be enough:
      § Certificate Pinning
      § Mutual Authentication
  16. App Repackaging (1/2)
    - Modifying an app and redistributing it for malicious purposes, in order to:
      § Modify original behavior
        o Getting paid features for free
        o Cheating on a game (Pokémon GO)
        o …
      § Steal user data
    - How?
      § Android: modify smali code
      § iOS: dynamic library injection
  17. App Repackaging (2/2)
    - Obfuscation
    - Detect repackaging
  18. Rooted / Jailbroken devices (1/2)
    - Sandbox model: basis of the security model in Android and iOS
      § Each app runs and stores data in isolation from other apps
    - Root / Jailbreak means “escaping” this isolation
  19. Root == GOD
  20. Rooted / Jailbroken devices (2/2)
    - User may have legitimately rooted their device
    - Remote root exploits are a thing
    - No clear action…
      § Restrict some sensitive functionality
      § Design your security model assuming that root can (will) happen
    Sources:
    - https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/
    - https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
  21. Recap
  22. Recap
    - Know what you need to protect
    - 100% protection does not exist – aim for “good enough”
    - Secure networking is a must
    - Apps can be reverse engineered and repackaged
      § Move security-relevant logic to the backend or write it in native C
    - Root can be really bad – come up with a plan
  23. Thank you! Questions after Jean-Luc’s show :)
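Slide 15 names certificate pinning and mutual authentication as the countermeasures to apply when plain HTTPS is not enough against a man-in-the-middle. The class below is an added example of both, written for this page; it is not code from the talk or from Build38. It assumes the app uses OkHttp as its HTTP client; the hostname, the pin strings, the endpoint path and the PKCS#12 client credential are placeholders to be replaced with the app's own values.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Hypothetical helper: HTTPS with certificate pinning, optionally with a client certificate. */
public final class PinnedHttp {

    // Placeholders. A real pin is the base64 SHA-256 of the server certificate's
    // SubjectPublicKeyInfo. Ship at least one backup pin (e.g. for the next key or the
    // issuing intermediate) so a routine server key rotation does not brick every install.
    static final String API_HOST = "api.example.com";
    static final String[] PINS = {
        "sha256/PLACEHOLDER_PRIMARY_PIN_BASE64=",
        "sha256/PLACEHOLDER_BACKUP_PIN_BASE64="
    };

    private static CertificatePinner pinner() {
        CertificatePinner.Builder builder = new CertificatePinner.Builder();
        for (String pin : PINS) {
            builder.add(API_HOST, pin);
        }
        return builder.build();
    }

    /** Client that refuses any TLS session whose certificate chain contains no pinned key. */
    public static OkHttpClient pinnedClient() {
        return new OkHttpClient.Builder()
                .certificatePinner(pinner())
                .build();
    }

    /**
     * Mutual authentication: the app also presents a client certificate, so the backend can
     * reject traffic that does not originate from a provisioned app instance. The PKCS#12
     * stream and password are assumed to come from protected storage, not from a resource.
     */
    public static OkHttpClient mutualAuthClient(InputStream clientPkcs12, char[] password)
            throws Exception {
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        clientStore.load(clientPkcs12, password);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, password);

        // Keep the platform trust store for server verification; pinning narrows it further.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager trustManager = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                trustManager = (X509TrustManager) tm;
                break;
            }
        }
        if (trustManager == null) {
            throw new IllegalStateException("platform provides no X509TrustManager");
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { trustManager }, null);

        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), trustManager)
                .certificatePinner(pinner())
                .build();
    }

    /** Example request. A pin mismatch surfaces as SSLPeerUnverifiedException: fail closed. */
    public static String fetchProfile(OkHttpClient client) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/v1/profile")   // placeholder endpoint
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // Never retry over an unpinned client; report the event and give up.
            throw new IOException("certificate pin mismatch, possible MITM", e);
        }
    }
}
```

OkHttp's `CertificatePinner` compares the SHA-256 of each certificate's public key in the presented chain against the configured pins, so pins survive certificate renewal as long as the key pair is kept. Pin against a copy of the certificate obtained out of band, not against whatever a proxy on the test network presents; when a pin fails, the exception message lists the chain actually seen, which is useful while diagnosing misconfigured pins.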