Secure Mobile Application #OWASP Day

Transcript

1. Secure Coding Practices for Mobile Applications Yannarak Wannasai, GWAPT November

   29th, 2014

2. Yannarak Wannasai • OWASP Volunteer – Co-Leader of OWASP Thailand

   Chapter • Rakuten Inc. – Security Engineer • Secure-coding & Web Pen-testing Instructor – 10 years of web-based, database-driven software development and analysis experience • GIAC Web Application Penetration Tester

3. Today’s Agenda • Mobile Application Secure coding – Secure Server-side

   APIs – Secure Client Applications – Secure Data in Transits – Secure Data at Rest

4. Secure Server-side APIs

5. Secure the Server-side APIs. • Traditional Web Application Security –

   Validate all untrusted inputs – Properly encode/sanitize outputs – Properly handle error to avoid Information leakage – Harden your servers • Perform all sensitive operations on the server side, rather than on the client side. – Enforce re-authentication if possible

6. Mobile App. Authentication • Always generate your own identifiers •

   Use Authentication & Authorization Protocols – OAuth or SAML can be used. • Authorization and authentication controls must be enforced on the server-side whenever possible. • Where possible, use multi-factor authentication • Avoid implementing “Remember Me” feature for critical applications. – If remember me functionality is required consider only using it to remember the user’s user id.

7. Secure Client Applications

8. Secure the Client App • Validate all inputs from untrusted

   sources. – Intents and Custom URI schemes are considered untrusted. • Be careful when using WebView and JavaScript bridge. – Only use JavaScript bridge only if the application truly loads trusted content into the WebView. – On Android, target your app API Level 17 or above. • Discard and clear all the user data and sensitive information associated with session both in memory and file-system after timeout or logout. – Local Session Timeout might be implemented.

9. Secure the Client App (cont.) • Strictly follow Secure Coding

   Guidelines: – iOS • The CERT C Secure Coding Standard • Apple’s Secure Coding Guide – Android • The CERT Oracle Secure Coding Standard for Java • Android’s Best Practices for Security & Privacy • Binary Protection – Android Code Obfuscation – ProGuard – Restricting debuggers – Jailbreak/Root Detection Controls • Enable Address Space Layout Randomization (ASLR) for application developed with native code languages (C/C++/Objective-C)

10. Secure Data in Transit

11. SSL¥TLS concerns in Mobile App • If using SSL/TLS, try

    to do it right – Server need strong SSL implementation • TLSv1.1 or above • Strong cipher suites with Perfect Forward Secretcy – ECDHE_RSA_WITH_AES_256 GCM_SHA256 • https://www.ssllabs.com/ -- free online testing tool. – Mobile application must verify and validate server’s SSL/TLS Certificate • Warn the user or Block the user if the certificate is invalid. • Certificate Pinning • https://owasp.org/index.php/Transport_Layer_Protection_C heat_Sheet

12. Certificate Pinning • SSL Pinning is making sure the client

    checks the server’s certificate against a known copy of that certificate. – Simply bundle your server’s SSL certificate inside your application, and make sure any SSL request first validates that the server’s certificate exactly matches the bundle’s certificate. – Increase Security & Reduce Cost • For certificate pinning sample code for Android and iOS, please visit: – https://www.owasp.org/index.php/Pinning_Cheat_Sheet

13. Secure Data at Rest

14. Secure at Data Rest • Whenever possible, DO NOT store/cache

    Sensitive Data locally. – Including SQLite, File Systems, HTML5 Storage • The following features must be disabled to prevent information leakage: – Disable debug log – Disable Auto-correction/Word Prediction for sensitive data fields. – Disable copy/paste operations on sensitive data fields. – For iOS, disable caching of application screenshots.

15. How to store data securely • If storing sensitive data

    on the device is a requirement, use existing secure storage facilities; don’t roll your own. – On iOS, use the Keychain API to store small short but sensitive data. – On Android, use the Android KeyStore to store cryptographic keys and encrypt a file stored in internal storage. – Encrypt the sensitive data with platform’s standard crypto API • iOS – Common Crypto • Android – javax.crypto package • Android: implement file permissions carefully – Avoid creating files with permissions of: • MODE_WORLD_READABLE • MODE_WORLD_WRITABLE Even though it may be stored in the app’s private data directory.

16. More Resources • OWASP Top 10 Project • OWASP Mobile

    Security Project – Top 10 Mobile Risks – Top 10 Mobile Controls – Mobile Security Testing • OWASP Proactive Controls Project • Secure Mobile Development Best Practices – https://viaforensics.com/resources/reports/best- practices-ios-android-secure-mobile-development/

17. Question & Answers • E-mail: [email protected] • LinkedIn: http://www.linkedin.com/ in/yannarak

    Thank You