
Secure Mobile Application #OWASP Day

OWASP Japan
November 29, 2014

Transcript

  1. Yannarak Wannasai
     • OWASP Volunteer
       – Co-Leader of OWASP Thailand Chapter
     • Rakuten Inc.
       – Security Engineer
     • Secure-coding & Web Pen-testing Instructor
       – 10 years of web-based, database-driven software development and analysis experience
     • GIAC Web Application Penetration Tester
  2. Today’s Agenda
     • Mobile Application Secure Coding
       – Secure Server-side APIs
       – Secure Client Applications
       – Secure Data in Transit
       – Secure Data at Rest
  3. Secure the Server-side APIs
     • Traditional Web Application Security
       – Validate all untrusted inputs
       – Properly encode/sanitize outputs
       – Properly handle errors to avoid information leakage
       – Harden your servers
     • Perform all sensitive operations on the server side, rather than on the client side.
       – Enforce re-authentication if possible
  4. Mobile App. Authentication
     • Always generate your own identifiers
     • Use Authentication & Authorization Protocols
       – OAuth or SAML can be used.
     • Authorization and authentication controls must be enforced on the server side whenever possible.
     • Where possible, use multi-factor authentication
     • Avoid implementing a “Remember Me” feature for critical applications.
       – If remember-me functionality is required, consider only using it to remember the user’s user id.
  5. Secure the Client App
     • Validate all inputs from untrusted sources.
       – Intents and Custom URI schemes are considered untrusted.
     • Be careful when using WebView and the JavaScript bridge.
       – Only use the JavaScript bridge if the application truly loads trusted content into the WebView.
       – On Android, target your app at API Level 17 or above.
     • Discard and clear all user data and sensitive information associated with the session, both in memory and on the file system, after timeout or logout.
       – A local session timeout might be implemented.
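As an added example (not from the OWASP Japan deck), the Android Activity below treats its launching Intent and custom URI as untrusted input: it validates scheme, host and the single query parameter against an allow-list before using anything, and it exposes a JavaScript bridge only to a WebView that is kept on the app's own origin. The scheme `myapp`, host `open`, parameter `item`, origin `https://app.example.com` and the `NativeBridge` class are placeholders chosen for this example.

```java
// Added example: Intent / custom URI treated as untrusted input, JavaScript bridge limited to a trusted origin.
// Placeholders for this example: scheme "myapp", host "open", parameter "item", origin https://app.example.com.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.regex.Pattern;

public class DeepLinkActivity extends Activity {

    private static final String EXPECTED_SCHEME = "myapp";                  // placeholder
    private static final String EXPECTED_HOST = "open";                     // placeholder
    private static final String TRUSTED_ORIGIN = "https://app.example.com"; // placeholder
    // Only a short alphanumeric item id is accepted; everything else is rejected outright
    private static final Pattern ITEM_ID = Pattern.compile("^[A-Za-z0-9]{1,32}$");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        String itemId = extractItemId(getIntent());
        if (itemId == null) {
            // Untrusted input failed validation: do nothing with it
            finish();
            return;
        }

        WebView webView = new WebView(this);
        setContentView(webView);
        configureWebView(webView);
        // Build the URL from the validated value only; the raw Intent data is never passed through
        webView.loadUrl(TRUSTED_ORIGIN + "/items/" + Uri.encode(itemId));
    }

    /** Returns the validated item id carried by the Intent, or null if anything is off. */
    static String extractItemId(Intent intent) {
        if (intent == null) return null;
        Uri data = intent.getData();
        if (data == null) return null;
        if (!EXPECTED_SCHEME.equals(data.getScheme())) return null;
        if (!EXPECTED_HOST.equals(data.getHost())) return null;
        String itemId = data.getQueryParameter("item");
        if (itemId == null || !ITEM_ID.matcher(itemId).matches()) return null;
        return itemId;
    }

    private void configureWebView(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        // With targetSdkVersion 17+, only @JavascriptInterface methods are reachable from page JavaScript
        webView.addJavascriptInterface(new NativeBridge(), "Native");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Keep the WebView (and therefore the bridge) on the trusted origin only;
                // the trailing slash stops https://app.example.com.evil.example from matching
                return !url.startsWith(TRUSTED_ORIGIN + "/");
            }
        });
    }

    /** Bridge exposed to page JavaScript; only annotated methods are callable (API 17+). */
    static class NativeBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // placeholder
        }
    }
}
```

The two controls work together: the bridge is harmless only while the WebView cannot be steered to content the app does not control, so navigation is confined to the trusted origin and the Intent data is reduced to one validated token before it touches the URL.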
  6. Secure the Client App (cont.)
     • Strictly follow Secure Coding Guidelines:
       – iOS
         • The CERT C Secure Coding Standard
         • Apple’s Secure Coding Guide
       – Android
         • The CERT Oracle Secure Coding Standard for Java
         • Android’s Best Practices for Security & Privacy
     • Binary Protection
       – Android Code Obfuscation – ProGuard
       – Restricting debuggers
       – Jailbreak/Root Detection Controls
     • Enable Address Space Layout Randomization (ASLR) for applications developed with native code languages (C/C++/Objective-C)
  7. SSL/TLS concerns in Mobile App
     • If using SSL/TLS, try to do it right
       – Server needs a strong SSL/TLS implementation
         • TLSv1.1 or above
         • Strong cipher suites with Perfect Forward Secrecy
           – ECDHE_RSA_WITH_AES_256_GCM_SHA384
         • https://www.ssllabs.com/ -- free online testing tool.
       – Mobile application must verify and validate the server’s SSL/TLS certificate
         • Warn the user or block the user if the certificate is invalid.
         • Certificate Pinning
         • https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
  8. Certificate Pinning
     • SSL Pinning is making sure the client checks the server’s certificate against a known copy of that certificate.
       – Simply bundle your server’s SSL certificate inside your application, and make sure any SSL request first validates that the server’s certificate exactly matches the bundled certificate.
       – Increase Security & Reduce Cost
     • For certificate pinning sample code for Android and iOS, please visit:
       – https://www.owasp.org/index.php/Pinning_Cheat_Sheet
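As an added example covering slides 7 and 8 (not from the deck and not the OWASP Pinning Cheat Sheet's own code), the Android helper below builds an `SSLContext` whose only trust anchor is a certificate bundled with the app, so the handshake fails for any server that does not present exactly that certificate, regardless of what the device trust store contains; it also requires TLSv1.2 and refuses plain-HTTP URLs. The raw resource `R.raw.server_cert` and the alias `pinned-server` are placeholders chosen for this example.

```java
// Added example: HTTPS pinned to one bundled server certificate, TLSv1.2 required.
// Placeholder for this example: the certificate (DER or PEM) ships as res/raw/server_cert.
import android.content.Context;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedHttps {

    private PinnedHttps() {}

    /**
     * Builds an SSLContext that trusts only the bundled certificate. The platform's
     * TrustManager does the chain validation; because the bundled certificate is the
     * sole anchor, a chain ending anywhere else is rejected during the handshake.
     */
    public static SSLContext buildPinnedContext(Context context)
            throws IOException, GeneralSecurityException {
        Certificate pinned;
        try (InputStream in = context.getResources().openRawResource(R.raw.server_cert)) {
            pinned = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Empty in-memory key store holding just the pinned certificate
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-server", pinned); // alias is a placeholder

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // TLSv1.2 context; the slide's floor is TLSv1.1, so this is one step stricter
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext;
    }

    /** Opens a connection whose handshake fails unless the server presents the pinned certificate. */
    public static HttpsURLConnection open(Context context, String urlString)
            throws IOException, GeneralSecurityException {
        URL url = new URL(urlString);
        if (!"https".equals(url.getProtocol())) {
            // Never silently downgrade: a non-HTTPS URL is a bug, not a fallback
            throw new IOException("Refusing non-HTTPS URL: " + urlString);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(buildPinnedContext(context).getSocketFactory());
        // The default HostnameVerifier stays in place: the pinned certificate must also match the host name
        return conn;
    }
}
```

Because the pin is the exact bundled certificate, the app has to ship an update before that certificate expires or is rotated, or every connection starts failing; bundling the issuing CA's certificate instead (same code, different file) loosens that coupling at the cost of trusting everything that CA issues.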
  9. Secure Data at Rest
     • Whenever possible, DO NOT store/cache sensitive data locally.
       – Including SQLite, file systems, HTML5 storage
     • The following features must be disabled to prevent information leakage:
       – Disable debug log
       – Disable auto-correction/word prediction for sensitive data fields.
       – Disable copy/paste operations on sensitive data fields.
       – For iOS, disable caching of application screenshots.
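As an added example (not from the deck), the Android Activity below applies the slide's four leakage controls to one sensitive field: no keyboard suggestions or auto-correction, no copy/paste, debug logging compiled out of release builds, and, as the Android counterpart to the iOS screenshot item, `FLAG_SECURE` so the window is excluded from screenshots and the task-switcher thumbnail. The layout `R.layout.activity_sensitive_form`, the field id `R.id.secret_answer` and the log tag are placeholders for this example; `BuildConfig.DEBUG` is the constant the Android Gradle plugin generates.

```java
// Added example: leakage controls on a sensitive Android input field.
// Placeholders for this example: R.layout.activity_sensitive_form, R.id.secret_answer, tag "SensitiveForm".
import android.app.Activity;
import android.os.Bundle;
import android.text.InputType;
import android.util.Log;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.view.WindowManager;
import android.widget.EditText;

public class SensitiveFormActivity extends Activity {

    private static final String TAG = "SensitiveForm"; // placeholder

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Android counterpart to disabling iOS screenshot caching: this window is excluded from
        // screenshots, screen recording and the recent-apps thumbnail
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_sensitive_form);

        EditText secretAnswer = (EditText) findViewById(R.id.secret_answer);
        hardenSensitiveField(secretAnswer);
        debugLog("sensitive form shown"); // never log the field's value, even in debug builds
    }

    /** Disables word prediction and copy/paste on a field that holds sensitive data. */
    static void hardenSensitiveField(EditText field) {
        // No suggestions / auto-correction: the keyboard's personal dictionary must not learn the value
        field.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS);

        // No long-press selection and no selection action mode, so cut/copy are unreachable
        field.setLongClickable(false);
        field.setCustomSelectionActionModeCallback(new ActionMode.Callback() {
            @Override public boolean onCreateActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onPrepareActionMode(ActionMode mode, Menu menu) { return false; }
            @Override public boolean onActionItemClicked(ActionMode mode, MenuItem item) { return false; }
            @Override public void onDestroyActionMode(ActionMode mode) {}
        });
    }

    /** Debug logging that only runs in debug builds, so nothing reaches logcat in production. */
    static void debugLog(String message) {
        if (BuildConfig.DEBUG) {
            Log.d(TAG, message);
        }
    }
}
```

The `BuildConfig.DEBUG` guard is the runtime half of "disable debug log"; the ProGuard rules the deck mentions on slide 6 can additionally strip the `Log.d` calls from release bytecode so the strings are not even present in the APK.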
  10. How to store data securely
     • If storing sensitive data on the device is a requirement, use existing secure storage facilities; don’t roll your own.
       – On iOS, use the Keychain API to store small but sensitive data.
       – On Android, use the Android KeyStore to store cryptographic keys and encrypt a file stored in internal storage.
       – Encrypt the sensitive data with the platform’s standard crypto API
         • iOS – Common Crypto
         • Android – javax.crypto package
     • Android: implement file permissions carefully
       – Avoid creating files with permissions of:
         • MODE_WORLD_READABLE
         • MODE_WORLD_WRITEABLE
         even though the file may be stored in the app’s private data directory.
  11. More Resources
     • OWASP Top 10 Project
     • OWASP Mobile Security Project
       – Top 10 Mobile Risks
       – Top 10 Mobile Controls
       – Mobile Security Testing
     • OWASP Proactive Controls Project
     • Secure Mobile Development Best Practices
       – https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/