
Mobile App Security


This presentation is an introduction to mobile application security. It gives an overview of common application security threats and goes into the measures that can be taken to improve security.


Nicolas Prallet (Marfurt)

February 23, 2022


Transcript

  1. Secure Software Development Lifecycle (SSDLC)

     Phases: Requirements, Design, Development, Testing, Deployment
     Activities: Risk assessment, Threat modeling, Static analysis and secure code review, Security testing, Security assessment
  2. Secure Software Development Lifecycle, in simpler words

     − Define the security concept
     − Design and implement security controls
     − Verify security controls
  3. Security Concept Definition: Risk assessment

     Identify how likely the software is to be attacked and how big the damage would be.
     − Define business, regulatory and contractual requirements
     − Define and classify valuable assets and sensitive data
     − Identify risks and vulnerabilities
     − Evaluate the probability and impact of identified risks
  4. Security Concept Definition: Threat modeling

     Identify potential security threats and prioritize techniques to mitigate attacks.
     − Describe the solution components and their interactions
     − Identify potential threats to the solution
     − Define security controls to prevent or mitigate each threat
     − Focus on finding the right balance between desired security and user friendliness
  5. What to Protect

     Sensitive data:
     − Personally identifiable information (PII): names and addresses, health data, financial data, credentials, …
     − Technical data: logs, keys, …
     − Regulated data: PCI DSS (payment), GDPR (EU personal data), HIPAA (health data), …
  6. Impact of Weak Security

     − Stolen user or customer information
     − Financial damage (revenue loss)
     − Bad reputation, loss of brand confidence
     − Intellectual property (IP) theft
     − Compliance and regulatory issues (legal)
  7. OWASP Mobile Top 10 Risks (https://owasp.org/www-project-mobile-top-10/)

     − M1: Improper Platform Usage
     − M2: Insecure Data Storage
     − M3: Insecure Communication
     − M4: Insecure Authentication
     − M5: Insufficient Cryptography
     − M6: Insecure Authorization
     − M7: Client Code Quality
     − M8: Code Tampering
     − M9: Reverse Engineering
     − M10: Extraneous Functionality
  8. OWASP Mobile Application Security Verification Standard (MASVS): Security Levels (https://github.com/OWASP/owasp-masvs)

     − Good practice for all apps
     − Additional requirements for apps that handle sensitive data
     − Additional security measures
  9. Data at Rest

     Encrypt data stored on the device: files, preferences, databases, backups.
     − Use the file protection the platform provides
     − Use strong encryption with integrity checks (e.g. AES-GCM)
     − Follow NIST recommendations (https://pages.nist.gov/800-63-3/sp800-63b.html)
     − Do not store sensitive data (minimize the data you collect)
     − Do not re-use a key with the same parameters (salt, IV)
     − Watch for misuse of encryption libraries (e.g. wrong parameters)
  10. Key Management

     Keys are data → they must be correctly managed and protected.
     − Store keys encrypted or in a hardware-protected module (Secure Element/Enclave)
     − Protect access to keys via biometric authentication
     − Derive keys from user input (e.g. with a KDF)
     − Define a key lifecycle to limit the quantity of data encrypted with one key (key rotation)
     − Make sure that compromised or outdated keys no longer work (key revocation)
     − Do not store hardcoded keys
     − Do not keep keys in memory
     − Do not store keys with the data they protect
  11. Data in Transit

     Use TLS to encrypt data in transit; encrypt data on top of TLS if necessary.
     − Use well-configured TLS
     − Use ephemeral keys
     − Use a key agreement protocol
     − Do not disable the platform's default security (e.g. ATS on iOS)
     − Do not use self-signed certificates
     − Do not allow invalid certificates
  12. Certificate Pinning

     Validate the host's certificate against a known copy trusted by the app.
     − Pin the leaf certificate or an intermediate certificate
     − Pin the whole certificate or its public key (or their hash)
     − Embed the pinned certificate into your app
     − Update your app regularly to support new server certificates
     − https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
     − https://developer.apple.com/documentation/security/preventing_insecure_network_connections
     − https://developer.android.com/training/articles/security-config.html
  13. Authentication and Authorization

     Authentication = verifying who someone is. Authorization = verifying what specific data a user has access to.
     − Enforce a password policy
     − Use the password autofill feature
     − Use passwordless authentication
     − Use multi-factor authentication for accessing sensitive data
     − Use biometric authentication bound to key operations
     − Minimize the lifetime of session identifiers and tokens
     − Temporarily lock the user out after multiple incorrect authentication attempts
     − Rely on multiple communication channels for critical operations
  14. Platform Interaction

     − Restrict access to device capabilities
     − Request only the minimal set of permissions that are necessary
     − Validate and sanitize all user and external input
     − Restrict WebView access to required resources and clear its cache
     − Hide sensitive data before app transition (snapshot)
  15. Build Settings

     − Sign and provision the app with a valid certificate
     − Build production binaries in release mode
     − Remove debugging code and symbols from generated binaries
  16. App Hardening

     Increase the app's resilience against reverse engineering and specific client-side attacks.
     − Prevent the app from running on rooted or jailbroken devices
     − Detect and respond to the presence of a debugger
     − Prevent the app from running on an emulator or simulator
     − Make it difficult to tamper with and modify a legitimate app (data, memory)
     − Obfuscate data using encryption or tokenization
     − Obfuscate source code to make it difficult to understand and analyze
  17. Various Recommendations

     − Organize security awareness trainings for team members
     − Follow secure coding guidelines
     − Use security checklists in code reviews
     − Use industry standards and tools
     − Consult the OWASP Top 10 Proactive Controls
     − Do not implement your own security controls where solutions are available
     − Do not copy-paste from the Web without understanding
     − Do not log sensitive data
     − Do not commit secrets
  18. Analysis Tools

     Static app security testing (SAST):
     − White-box testing evaluating static inputs: documentation, source code, 3rd-party dependencies
     − Integrated into CI/CD pipelines
     − SonarQube, Fortify, Veracode, MobSF, …
     Dynamic app security testing (DAST):
     − Black-box approach (no knowledge of the software)
     − Input/output analysis on the running app
     − Frida, Charles, mitmproxy, …