Introduction to Mobile App Security

Marc Obrador
sec4dev Conference (Vienna)
February 27, 2020

Transcript

  1. Mobile App Security: an introduction. Marc Obrador

  2. Who am I? Marc Obrador, Co-founder & Head of Product Architecture @ Build38, Barcelona. marc@build38.com, @marcobrador, /in/marc-obrador. February 2020, Build38 | Intro to Mobile App Security
  3. Agenda: 1. Introduction; 2. Some Common Threats (2.1 Man-In-The-Middle, 2.2 App Tampering & Repackaging, 2.3 Root / Jailbreak); 3. Recap
  4. Agenda (same as slide 3)
  5. Why Mobile App Security? Mobile-first world. Smartphone = untrusted device. Regulation (depending on market). [Chart: Desktop vs. Mobile usage share, 2009 to 2020. Source: www.gs.statcounter.com]
  6. Mobile AppSec vs "traditional" Cyber Security
  7. Let's first switch our perspective. Is there anything I can do?
  8. The hacker's perspective. [Chart: Investment, Income and Cumulated Profit per month, M1 to M12]
  9. Is there anything I can do?
  10. Is there anything I can do? Make it unattractive for the hacker.
  11. Is there anything I can do? [Chart: Investment, Income and Cumulated Profit per month, M1 to M12]
  12. Is there anything I can do? [Chart: Investment, Income and Cumulated Profit per month, M1 to M12] 1. Increase required investment: Obfuscation + Anti-reversing. 2. Reduce income: Diversification. 3. Force periodic investment: Renewability.
  13. Things to protect: User Data; Business Data / IP; DRM
  14. Agenda (same as slide 3)
  15. Agenda (same as slide 3)
  16. MITM. HTTPS is assumed!
  17. MITM with HTTPS? Android: depends on OEM. iOS: requires social engineering. No, if Certificate Pinning is used.
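Certificate pinning as the slide recommends it, shown for Android with OkHttp. This is an added example, not code from the talk or from Build38; the host name `api.example.com` and the two `sha256/...` pins are placeholders (a real deployment computes the pins from its own server certificates as described in the comment).

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/**
 * Builds an HTTP client that refuses a TLS connection unless the server's
 * certificate chain contains a public key whose SPKI SHA-256 matches one of
 * the configured pins. A user-installed CA (the usual MITM proxy setup)
 * can then no longer produce a certificate the app accepts.
 */
public final class PinnedClient {

    // Placeholder host and pins (assumptions for this example).
    // Compute a real pin from a PEM certificate with:
    //   openssl x509 -in server.pem -pubkey -noout \
    //     | openssl pkey -pubin -outform DER \
    //     | openssl dgst -sha256 -binary | base64
    static final String API_HOST    = "api.example.com";
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Pin the key in use AND a backup key kept offline: when the
                // server certificate is rotated to the backup key, installed
                // apps keep working instead of being locked out.
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    /** Performs a GET; throws SSLPeerUnverifiedException if no pin matches. */
    public static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body().string();
        }
    }
}
```

On Android 7.0 and later the same pins can also be declared without code in `network_security_config.xml` (a `<pin-set>` under the domain). Either way, pinning only defeats a network-level interception with an untrusted certificate: on a rooted or jailbroken device the pinning code itself can be hooked or patched, which is why the deck treats root as a separate threat.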
  18. Agenda (same as slide 3)
  19. What is it? 1. Download; 2. Unpack; 3. Modify; 4. Repack; 5. Distribute
  20. But, why? Cheating on games; Getting paid features for free; Stealing user data
  21. Android: apktool + smali code
  22. iOS: dynamic library injection
  23. Protecting against app repackaging: Obfuscation; Detect it
  24. Agenda (same as slide 3)
  25. The "sandbox" model
  26. Root / Jailbreak Detection. GitHub: /scottyab/rootbeer, /KimChangYoun/rootbeerFresh, /Stericson/RootTools, /avltree9798/isJailbroken, /thii/DTTJailbreakDetection
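The kind of heuristics the libraries on this slide implement for Android, written out as an added example (not the talk's code and not the code of any of the listed projects): presence of a `su` binary in well-known locations, a build signed with AOSP test keys, known root-management packages, and `su` resolvable through `PATH`. The path and package lists are the common ones used by such checks; they are not exhaustive.

```java
import android.content.pm.PackageManager;
import android.os.Build;

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

/**
 * Collects indicators that the device is rooted. No single indicator is
 * conclusive, so every one found is returned and the caller decides what
 * to do with the list (nothing, restrict features, or deny service).
 */
public final class RootIndicators {

    static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su",
        "/data/local/su", "/system/bin/failsafe/su"
    };

    static final String[] ROOT_PACKAGES = {
        "com.topjohnwu.magisk", "eu.chainfire.supersu",
        "com.koushikdutta.superuser", "com.noshufou.android.su"
    };

    public static List<String> collect(PackageManager pm) {
        List<String> found = new ArrayList<>();

        // 1. Build signed with AOSP test keys (custom ROMs, many emulators).
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            found.add("build.tags=" + Build.TAGS);
        }

        // 2. A su binary at a well-known location.
        for (String p : SU_PATHS) {
            if (new File(p).exists()) found.add("file:" + p);
        }

        // 3. Root-management apps installed.
        for (String pkg : ROOT_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0);
                found.add("package:" + pkg);
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed
            }
        }

        // 4. su resolvable through PATH (catches locations not listed above).
        String resolved = whichSu();
        if (resolved != null) found.add("which:" + resolved);

        return found;
    }

    /** Runs `which su`; returns the path printed, or null if none/unavailable. */
    static String whichSu() {
        Process proc = null;
        try {
            proc = new ProcessBuilder("which", "su").start();
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(proc.getInputStream()))) {
                String line = in.readLine();
                return (line == null || line.trim().isEmpty()) ? null : line.trim();
            }
        } catch (IOException e) {
            return null; // `which` missing on old devices: treat as no finding
        } finally {
            if (proc != null) proc.destroy();
        }
    }
}
```

Two caveats a practitioner should expect: on Android 11 and later the package lookup in step 3 only sees packages declared in the app's `<queries>` manifest element, and root-hiding tools exist precisely to defeat file and package checks like these. The next slides make the same point from the other side: decide in advance what the app does when an indicator is found, and design as if root will happen anyway.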
  27. What to do if Root / Jailbreak is found?
  28. What to do if Root is found? Sources: https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/ ; https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
  29. What to do if Root is found? Nothing; Restrict some sensitive functionality; Deny service. Design your security model assuming that root can (and will) happen.
  30. Agenda (same as slide 3)
  31. Recap. - 100% protection does not exist; aim for "good enough". - Certificate Pinning is a good idea. - Apps can be reverse engineered and repackaged: move security-relevant logic to the backend or write it in native C. - Root can be really bad; come up with a plan.
  32. Thank you! Any questions?