
Beginning Mobile Security #appsecapac2014

OWASP Japan
March 20, 2014


Transcript

  1. About Me
     •  Jerry Hoff
        – OWASP Volunteer
        – Appsec Tutorial Series
  2. Native Applications
     •  Android – Java
     •  iOS – Objective-C
     •  Windows Phone – C#
     •  Blackberry – C/C++, Java
     •  Firefox OS – HTML, CSS, JavaScript
  3. Client / Server
     Client:
        iOS                   Objective-C
        Android               Java, C++
        Windows Mobile        C#
        Blackberry            Java
        Mobile Website        HTML5, JS, CSS
        Cordova / Phonegap    HTML5, JS*, CSS   (*JS interacts with the phone's native API)
     Server:
        Java EE (CXF, Spring, Jersey), ASP.NET, PHP, Python, Ruby,
        Node.JS, Erlang, Google Cloud Platform, Perl, etc.
     Not listed: JS libraries (jQuery Mobile, Sencha Touch, etc.)
     Other ways to build apps: Xamarin, Flash Builder, etc.
  4. App Store Security
     •  Google App Store: limited security checks
        – There are multiple storefronts (Kindle, etc.)
        – Makes security more challenging
     •  iTunes App Store: search for banned functionality
        – Jailbroken app stores
        – Pirated iOS apps
     •  Both have been bypassed repeatedly
  5. Mobile vs Web Security
     •  Web
        – Most code, by necessity, is server side
        – Presentation: HTML/JS/CSS
     •  Mobile
        – Significant compiled code is sent to the client
        – Powerful mobile APIs: camera, mic, SMS, pictures, etc.
        – Expect to be always logged in
        – "App phishing" is a thing
        – 1/3 of all people experience a lost or stolen phone
          http://www.symantec.com/about/news/release/article.jsp?prid=20110208_01
  6. Focus…
     •  Securing Data in Transit
     •  Securing Data at Rest
     •  Logic in the App
  7. Sensitive Data on the Client
     •  "Can I embed credentials in my app so only customers can access server-side services?"
        – NO
     •  "Remember Me" on the client?
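The point behind slides 5 and 7 (the compiled app ships to the client, so anything embedded in it is recoverable, and a "remember me" should be a server-owned, revocable token rather than a stored credential) shown as an added Python example. This is not code from the deck or from OWASP; the fake binary, the key value, the user and device names and the RememberMeServer class are all constructed here for illustration.

```python
"""Added example, not from the slides: (1) a secret compiled into an app is
recoverable by anyone holding the binary, (2) a server-issued, revocable
"remember me" token as the alternative.  The fake binary, key, user and
device names and the RememberMeServer class are all constructed here."""
import hashlib
import re
import secrets
import time

# ---- 1. "Can I embed credentials in my app?"  No: the client gets the bytes.

# Constructed stand-in for a compiled app: opaque bytes with a string
# constant embedded, just as a hard-coded API key sits in a .so/.dylib/.dex.
FAKE_APP_BINARY = (
    b"\x7fELF\x02\x01\x01" + secrets.token_bytes(64)
    + b"api_key=sk_live_c0ffee1234567890\x00" + secrets.token_bytes(64)
    + b"https://api.example.com/v1/orders\x00" + b"\x00" * 32
)


def extract_strings(blob, min_len=8):
    """What the `strings` tool does: runs of printable ASCII of >= min_len."""
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_embedded_credentials(blob):
    """Return the values of anything that looks like key=value credential material."""
    pat = re.compile(r"(api_key|secret|password|token)=([^\s\x00]+)", re.I)
    found = []
    for s in extract_strings(blob):
        m = pat.search(s)
        if m:
            found.append(m.group(2))
    return found


# ---- 2. "Remember me" on the client?  Keep an opaque token, not the password,
#         and let the server own its lifetime.

class RememberMeServer:
    """Issues one opaque token per (user, device) after a real login.
    Only a hash of the token is stored, so a leaked table gives no usable
    tokens; each token expires and can be revoked per device, which is what
    the user needs after the phone from slide 5 is lost or stolen."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._tokens = {}  # sha256(token) -> {"user", "device", "expires"}

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, device_id, now=None):
        """Called only after the user authenticated with the real credential."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._h(token)] = {
            "user": user, "device": device_id, "expires": now + self.ttl}
        return token  # client keeps this in the OS keystore/keychain, never in code

    def authenticate(self, token, device_id, now=None):
        """Return the user name for a valid token, else None."""
        now = time.time() if now is None else now
        rec = self._tokens.get(self._h(token))
        if rec is None or now >= rec["expires"]:
            return None
        # The device id is client-supplied, so this check is a replay speed
        # bump, not a security boundary; expiry and revocation are.
        if rec["device"] != device_id:
            return None
        return rec["user"]

    def revoke_device(self, user, device_id):
        """'Sign out this phone': drop every token for that user/device."""
        doomed = [h for h, r in self._tokens.items()
                  if r["user"] == user and r["device"] == device_id]
        for h in doomed:
            del self._tokens[h]
        return len(doomed)


if __name__ == "__main__":
    print("recovered from binary:", find_embedded_credentials(FAKE_APP_BINARY))
    srv = RememberMeServer(ttl_seconds=60)
    tok = srv.issue("alice", "phone-1", now=1000)
    print("valid on same device:", srv.authenticate(tok, "phone-1", now=1010))
    print("after revoke:", srv.revoke_device("alice", "phone-1"),
          srv.authenticate(tok, "phone-1", now=1010))
```

The first half is the whole argument against embedding a shared secret: no reverse engineering is needed, a printable-string scan over the binary returns the key. The second half is the shape of a safe "remember me": the client only ever holds a random token that the server can expire or revoke, so a stolen phone costs one token, not the account password or a secret shared by every customer.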
  8. (Repeat of the Client / Server technology table from slide 3; the server column here lists "Java EE" without the CXF, Spring and Jersey frameworks.)