Chapter
• Rakuten Inc.
  – Security Engineer
  – Secure-coding & Web Pen-testing Instructor
  – 10 years of web-based, database-driven software development and analysis experience
• GIAC Web Application Penetration Tester
Validate all untrusted inputs
  – Properly encode/sanitize outputs
  – Properly handle errors to avoid information leakage
  – Harden your servers
• Perform all sensitive operations on the server side, rather than on the client side.
  – Enforce re-authentication if possible
Use Authentication & Authorization Protocols
  – OAuth or SAML can be used.
• Authorization and authentication controls must be enforced on the server side whenever possible.
• Where possible, use multi-factor authentication.
• Avoid implementing a “Remember Me” feature for critical applications.
  – If remember-me functionality is required, consider using it only to remember the user’s user id.
sources.
  – Intents and custom URI schemes are considered untrusted.
• Be careful when using WebView and the JavaScript bridge.
  – Only use the JavaScript bridge if the application truly loads trusted content into the WebView.
  – On Android, target API Level 17 or above.
• Discard and clear all user data and sensitive information associated with the session, both in memory and on the file system, after timeout or logout.
  – A local session timeout might be implemented.
Guidelines:
  – iOS
    • The CERT C Secure Coding Standard
    • Apple’s Secure Coding Guide
  – Android
    • The CERT Oracle Secure Coding Standard for Java
    • Android’s Best Practices for Security & Privacy
• Binary Protection
  – Android code obfuscation
  – ProGuard
  – Restricting debuggers
  – Jailbreak/Root detection controls
• Enable Address Space Layout Randomization (ASLR) for applications developed in native-code languages (C/C++/Objective-C).
to do it right
  – The server needs a strong SSL implementation
    • TLSv1.1 or above
    • Strong cipher suites with Perfect Forward Secrecy
      – ECDHE_RSA_WITH_AES_256_GCM_SHA256
    • https://www.ssllabs.com/ -- free online testing tool.
  – The mobile application must verify and validate the server’s SSL/TLS certificate
    • Warn the user or block the user if the certificate is invalid.
    • Certificate Pinning
    • https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
checks the server’s certificate against a known copy of that certificate.
  – Simply bundle your server’s SSL certificate inside your application, and make sure any SSL request first validates that the server’s certificate exactly matches the bundled certificate.
  – Increase Security & Reduce Cost
• For certificate pinning sample code for Android and iOS, please visit:
  – https://www.owasp.org/index.php/Pinning_Cheat_Sheet
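As an added illustration (not code from the slides or from the OWASP cheat sheet), the bundle-and-compare approach on Android using only the standard java.security and javax.net.ssl APIs: the app's trust store contains nothing but the certificate shipped inside the APK, so a connection presenting any other certificate, even one signed by a public CA, fails the TLS handshake. `PinnedClient` and the `bundledCertPem` stream (for example opened from the app's assets) are assumed names.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class name): pin HTTPS connections to the
// certificate bundled with the application.
public final class PinnedClient {

    // Build an SSLContext whose only trust anchor is the bundled certificate.
    // bundledCertPem: PEM/DER stream of the server certificate shipped in the app (assumed input).
    public static SSLContext pinnedContext(InputStream bundledCertPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate pinned = cf.generateCertificate(bundledCertPem);

        // Empty in-memory trust store: the device's system CAs are deliberately NOT loaded.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-server", pinned);

        // The default (PKIX) trust manager now accepts a chain only if it ends
        // at the bundled certificate; anything else throws during the handshake.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Open a connection that uses the pinned context. HttpsURLConnection keeps its
    // default hostname verification, so the CN/SAN check still applies on top of the pin.
    public static HttpsURLConnection open(String url, InputStream bundledCertPem) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(pinnedContext(bundledCertPem).getSocketFactory());
        return conn;
    }
}
```

Because the pin is the server's own leaf certificate, every certificate renewal requires shipping an app update; if that is not acceptable, pin a longer-lived intermediate certificate or ship a backup pin alongside the current one.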
Sensitive Data locally.
  – Including SQLite, file systems, HTML5 storage
• The following features must be disabled to prevent information leakage:
  – Disable debug logging
  – Disable auto-correction/word prediction for sensitive data fields.
  – Disable copy/paste operations on sensitive data fields.
  – For iOS, disable caching of application screenshots.
on the device is a requirement, use existing secure storage facilities; don’t roll your own.
  – On iOS, use the Keychain API to store small but sensitive data.
  – On Android, use the Android KeyStore to store cryptographic keys and encrypt a file stored in internal storage.
  – Encrypt the sensitive data with the platform’s standard crypto API
    • iOS – Common Crypto
    • Android – javax.crypto package
• Android: implement file permissions carefully
  – Avoid creating files with permissions of:
    • MODE_WORLD_READABLE
    • MODE_WORLD_WRITEABLE
    even though the file may be stored in the app’s private data directory.
Security Project
  – Top 10 Mobile Risks
  – Top 10 Mobile Controls
  – Mobile Security Testing
• OWASP Proactive Controls Project
• Secure Mobile Development Best Practices
  – https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/