Slide 1

Privacy & Security in Apps
Ivo Jansch
Bedrijf Zoekt App / AppDevEvent, 13 November 2012
http://www.egeniq.com [email protected] @egeniq

Slide 2

About Me
‣ @ijansch
‣ Entreprenerd
‣ Mobile & Web Developer
‣ Author & Speaker

Slide 3

About Egeniq
‣ Mobile Development
‣ Knowledge
‣ Distributed

Slide 4

Can We Trust The Device?

Slide 5

Your phone knows things your friends don’t

Slide 6

What your phone knows:
‣ Where you are
‣ Time & Date
‣ Orientation & Position
‣ Who you are
‣ Who your wife is
‣ Your sister’s birthday
‣ Where your wife is
‣ Where you work
‣ Who you call
‣ Who emails you
‣ Who your friends are
‣ What you like
‣ Contact details

Slide 7

PlaceRaider
Source: http://www.technologyreview.com/view/429394/placeraider-the-military-smartphone-malware/

Slide 8

Smartphone as an eavesdropping device
Source: http://www.switched.com/2011/01/20/ralf-philipp-weinmann-turns-smartphone-hack-eavesdropping-device/

Slide 9

Banks use advanced privacy protection
Picture taken from: http://systemato.com/2012/08/my-6-favourite-android-apps/

Slide 10

... but is app protection sufficient?
Source: http://www.zdnet.com/mind-hackers-could-get-secrets-from-your-brainwaves-7000003267/

Slide 11

Actual Incidents

Slide 12

Incidents
‣ iPhone Location Tracking (2011)
  • http://www.nytimes.com/2011/04/28/technology/28apple.html?_r=2&
  • Accident
‣ Path Address Book Upload Controversy (2012)
  • http://www.theverge.com/2012/2/8/2785217/path-ios-address-book-upload-ceo-apology
  • Naivety, good intentions
‣ Google Play Malware ‘grand theft auto’ (2012)
  • http://www.informationweek.com/security/attacks/more-android-malware-pulled-from-google/240003514?itc=edit_in_body_cross
  • Bad intentions

Slide 13

Our responsibility as developers

Slide 14

IMHO, Developers Should:
‣ Respect user privacy
  • Collect only what you need
  • Be open about what you collect
  • Treat data responsibly
‣ Write secure code
  • Follow common security best practices
  • Protect data (server, device, transport)
  • Don’t invent your own wheels (standards!)

Slide 15

A small demo: TIQR
Learning about security using open source tools

Slide 16

Tiqr - Demo (screenshots 1 to 6)
http://www.tiqr.org

Slide 17

Why is Mobile Security Important?
‣ Apps run on our users’ hardware
  • Out of our control
‣ Our users deal with third party services
  • Even more out of our control

Slide 18

A Use Case
Diagram: Mobile App, Third Party Services, Server backend

Slide 19

OAuth
Diagram: OAuth Consumer, OAuth Provider

Slide 20

Why do you need to protect keys?
Diagram: OAuth Provider

Slide 21

Security Mechanisms
On the major platforms

Slide 22

Sandboxing
‣ Apps only have access to their own data
‣ Access is based on OS user ID
‣ Further protected by application signature

Slide 23

Permission Models
‣ Android uses permissions:
‣ Apple: GPS and push
  • Since iOS6: Contacts, Photos, etc.

Slide 24

Storage + Secure Storage
‣ Device Storage
  • Apps have their own location, within sandbox
‣ USB Storage (Android)
  • External storage, sharable between apps
‣ Hardware Encrypted Storage (iOS)
  • Hardware Encryption (passcode lock)
  • Sandboxed Keychain
‣ Software Encrypted Storage (Android)
  • Java KeyStores with strong encryption algorithms
  • Honeycomb/ICS also have ‘whole device encryption’

Slide 25

So we don’t have to worry, right?
‣ Can I securely store data?
  • Is sandboxing a solution? -> Not when the device is rooted
  • Is device storage a solution? -> Not when the device is rooted

Slide 26

It’s a common question
Stackoverflow search for ‘store secret iphone’:

Slide 27

With common answers

Slide 28

Know what? I’ll just use a library

Slide 29

Securing Data In Your Code
0. Obfuscation

Slide 30

Obfuscation

Slide 31

Securing Data In Your Code
1. Encryption

Slide 32

Encryption (iOS)

Slide 33

Decryption (iOS)

Slide 34

Encryption (Android)

Slide 35

Encryption (Android)

Slide 36

What’s the problem with encryption?
We need another key to protect the secret

Slide 37

Other Encryption gotchas
‣ AppStore is US based: Encryption export
  • Requires NSA approval, basically
  • Process is documented, but time consuming
  • Not needed if it’s only for “authentication purposes”
‣ Two flavours of US gov approval:
  • Self classification (if you use standard stuff for standard things)
  • Agency classification (non standard stuff and/or non standard things)

Slide 38

Securing Data In Your Code
2. Secure Storage

Slide 39

KeyChain (iOS)
‣ Hardware based encryption for secrets
‣ Good:
  • Not too much code
  • No extra key/password required (device passcode)
  • Works well with (encrypted) iTunes Backup
‣ Bad:
  • Not every user has a passcode set
  • Lower level functions, lots of C (complexity)
  • Doesn’t work across iCloud backup/restore

Slide 40

More KeyChain
So if I use the KeyChain and have a passcode, I’m safe, right? RIGHT?
‣ 4 digit passcode can be brute forced in 9 minutes
‣ 6 digit passcode takes 1.5 years
Source: Fraunhofer’s “iOS KeyChain Weakness FAQ” http://sit4.me/ios-keychain-faq

Slide 41

Using the KeyChain

Slide 42

Using the KeyStore (Android)

Slide 43

Using the KeyStore (Android)

Slide 44

Securing Data In Your Code
3. Server Side Solutions

Slide 45

Retrieve key from API
Diagram: iOS App, OAuth Provider, Your API ?

Slide 46

Transparent Proxy
Diagram: iOS App, OAuth Provider, Proxy
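The transparent-proxy design on this slide, worked through as an added Python example (not Tiqr's or Egeniq's code): the app authenticates to a proxy we run, and only the proxy holds the OAuth consumer secret and signs requests to the provider, so the secret never ships in the app binary. All keys, tokens and the session table are constructed values; the signature follows RFC 5849 HMAC-SHA1 for a request without query string or form body.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Constructed values. The consumer key is a public identifier and may ship in the app;
# the consumer secret lives only on the proxy and is never embedded in the app binary.
CONSUMER_KEY = "demo-consumer-key"
CONSUMER_SECRET = "demo-consumer-secret-kept-on-proxy"
# Proxy side: app sessions already authenticated against our own backend, with the user's
# OAuth token obtained earlier through the proxy. Provider side: its own token store.
APP_SESSIONS = {"session-abc": ("user-token", "user-token-secret")}
PROVIDER_TOKENS = {"user-token": "user-token-secret"}


def _enc(value) -> str:
    return urllib.parse.quote(str(value), safe="~")  # RFC 5849 percent-encoding


def oauth1_signature(method: str, url: str, params: dict, consumer_secret: str, token_secret: str) -> str:
    # HMAC-SHA1 over the signature base string (RFC 5849 section 3.4); the URL is assumed
    # to carry no query string and the request no form body, so params is everything.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in params.items()))
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def proxy_sign(session_id: str, method: str, url: str, params: dict) -> dict:
    # The proxy authenticates the app by its own session, then signs the outgoing request.
    if session_id not in APP_SESSIONS:
        raise PermissionError("unknown app session")
    token, token_secret = APP_SESSIONS[session_id]
    signed = dict(params, oauth_consumer_key=CONSUMER_KEY, oauth_token=token,
                  oauth_nonce=secrets.token_hex(8), oauth_timestamp=str(int(time.time())),
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0")
    signed["oauth_signature"] = oauth1_signature(method, url, signed, CONSUMER_SECRET, token_secret)
    return signed


def provider_verify(method: str, url: str, params: dict) -> bool:
    # What the OAuth provider does: recompute the signature over everything except oauth_signature.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    token_secret = PROVIDER_TOKENS.get(params.get("oauth_token", ""), "")
    expected = oauth1_signature(method, url, unsigned, CONSUMER_SECRET, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)
```

A compromised or reverse-engineered app can still make requests through the proxy for as long as its own session is valid, but that session can be revoked server-side, whereas an embedded consumer secret cannot be taken back.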

Slide 47

Securing Data In Your Code
4. “All of the above”

Slide 48

What are we doing in Tiqr?
‣ Tiqr secrets are encrypted
  • The encryption key is a pincode
  • There’s no plain text to compare against, so breaking it is hard
‣ Encrypted identities are stored in keychain
  • So also protected by passcode lock, if present
‣ Secret is not communicated
  • Challenge/response for ‘proof of possession’
‣ Requires server validation of decrypted secret
  • Server enforces temporary and permanent blocks to stop brute force
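The four design points above, worked through as an added Python example; it is not Tiqr's code and uses a stand-in cipher (a PBKDF2-derived keystream XORed into the secret) rather than whatever Tiqr itself uses. The iteration count, block threshold and sample secret are constructed values; the point to notice is that a wrong PIN never produces an error on the device, only a wrong answer at the server.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # constructed value: slows down any offline PIN guessing


def pin_encrypt(secret: bytes, pin: str, salt: bytes) -> bytes:
    # Keystream derived from the PIN with PBKDF2, XORed into the secret (used once, so no reuse).
    # Deliberately no MAC, padding or header: any PIN yields a secret-sized byte string,
    # so nothing on the device reveals whether a guess was right. Only the server can tell.
    keystream = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=len(secret))
    return bytes(a ^ b for a, b in zip(secret, keystream))


pin_decrypt = pin_encrypt  # XOR with the same keystream undoes the encryption


def challenge_response(secret: bytes, challenge: bytes) -> str:
    # Proof of possession: the secret itself never travels over the wire.
    return hmac.new(secret, challenge, "sha256").hexdigest()


class AuthServer:
    # Holds the plaintext secret and blocks the identity after repeated failures.
    MAX_FAILURES = 3

    def __init__(self, secret: bytes):
        self.secret, self.failures, self.blocked, self.challenge = secret, 0, False, None

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def verify(self, response: str) -> bool:
        if self.blocked or self.challenge is None:
            return False
        ok = hmac.compare_digest(response, challenge_response(self.secret, self.challenge))
        self.challenge = None  # one response per challenge
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= self.MAX_FAILURES:
            self.blocked = True  # permanent block; a temporary block would expire after a delay
        return ok


def login(server: AuthServer, blob: bytes, salt: bytes, pin: str) -> bool:
    # App side: decrypt with the entered PIN (wrong PIN gives a wrong secret, not an error)
    # and answer the server's challenge with it.
    guess = pin_decrypt(blob, pin, salt)
    return server.verify(challenge_response(guess, server.new_challenge()))
```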

Slide 49

Always Secure Your Code
(Because data is not the only thing at risk)

Slide 50

Buffers
‣ Especially when moving down to C level constructs, be wary...

Slide 51

Validate input!
‣ Don’t trust ANY input
  • Data entered by the user
  • Data entered by other apps
  • Data retrieved from an API
  • Data retrieved from ....
‣ Don’t think ‘SQL Injection’ is only a concern for web developers
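An added Python example (not from the slides) of the last point: the same injection that hits a web backend works against the SQLite database inside an app, and the fix is the same, a bound parameter plus a shape check on the input. The notes table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for an app's local SQLite database.
NOTES = [("alice", "dentist on monday"), ("alice", "pin reminder"), ("bob", "buy milk")]


def _open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    con.executemany("INSERT INTO notes VALUES (?, ?)", NOTES)
    return con


def notes_for_unsafe(owner: str) -> list:
    # Vulnerable: the value is pasted into the SQL text, so it can change what the query means.
    # On a phone that value may arrive from a URL scheme, another app's intent, or an API reply.
    con = _open_db()
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "' ORDER BY rowid"
    return [row[0] for row in con.execute(sql).fetchall()]


def notes_for_safe(owner: str) -> list:
    # Fixed: a bound parameter is always treated as data, never as SQL.
    con = _open_db()
    sql = "SELECT body FROM notes WHERE owner = ? ORDER BY rowid"
    return [row[0] for row in con.execute(sql, (owner,)).fetchall()]


def validate_owner(owner: str) -> str:
    # Defence in depth: reject anything that does not have the shape an owner name can have,
    # before it reaches storage, the UI or another app.
    if not (1 <= len(owner) <= 32 and owner.isalnum()):
        raise ValueError("invalid owner name")
    return owner
```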

Slide 52

Conclusion

Slide 53

Conclusion
It’s all about awareness

Slide 54

Recommended Reading
‣ ISBN: 2147483647
‣ Authors:
  • Himanshu Dwivedi
  • Chris Clark
  • David Thiel
‣ Covers:
  • Android
  • Apple
  • WinMo

Slide 55

Thank you! Questions?
http://www.egeniq.com [email protected] @egeniq
http://www.egeniq.com (about us)
http://tiqr.org (demo + code)
[email protected] @ijansch

Slide 56

Credits
‣ ‘Tege in Sandbox’ by Judi Cox - http://www.flickr.com/photos/madaise/3406217980/
‣ ‘Locker (KHS up close)’ by Travis Hymas - http://www.flickr.com/photos/travishasphotos/3481640534/
‣ ‘Mask’ by Ben Fredericson - http://www.flickr.com/photos/xjrlokix/3932488768/