Slide 1

Mobile App Security: An Introduction
Mobile Romandie Meetup, February 2022
Nicolas Prallet, adnovum.com

Slide 2

Speaker: About Me
Nicolas Prallet (Marfurt), Senior Software Engineer at Adnovum
[email protected] @nmarfurt

Slide 3

Prelude
The year is 2022. Everybody has a smartphone. Smartphones cannot be trusted.

Slide 4

Design Process for a Secure Mobile Application

Slide 5

Software Development Lifecycle (SDLC)
1 Requirements
2 Design
3 Development
4 Testing
5 Deployment

Slide 6

Secure Software Development Lifecycle (SSDLC)
Each SDLC phase gets a matching security activity:
− Requirements: risk assessment
− Design: threat modeling
− Development: static analysis and secure code review
− Testing: security testing
− Deployment: security assessment

Slide 7

DevSecOps: a shift-left culture

Slide 8

Secure Software Development Lifecycle, in simpler words
1. Define the security concept
2. Design and implement security controls
3. Verify the security controls

Slide 9

Security Concept Definition

Slide 10

Security Concept Definition: Risk Assessment
Identify how likely the software is to be attacked and how large the damage would be.
− Define business, regulatory and contractual requirements
− Define and classify valuable assets and sensitive data
− Identify risks and vulnerabilities
− Evaluate the probability and impact of each identified risk

Slide 11

Security Concept Definition: Threat Modeling
Identify potential security threats and prioritize the techniques that mitigate them.
− Describe the solution's components and their interactions
− Identify potential threats to the solution
− Define security controls that prevent or mitigate each threat
− Look for the right balance between the desired security and user friendliness

Slide 12

What to Protect: Sensitive Data
− Personally identifiable information (PII): names and addresses, health data, financial data, credentials, …
− Technical data: logs, keys, …
− Regulated data: PCI DSS (payment), GDPR (EU personal data), HIPAA (health data), …

Slide 13

Impact of Weak Security
− Stolen user or customer information
− Financial damage (revenue loss)
− Bad reputation, loss of brand confidence
− Intellectual property (IP) theft
− Compliance and regulatory issues (legal)

Slide 14

OWASP Mobile Top 10 Risks (https://owasp.org/www-project-mobile-top-10/)
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality

Slide 15

Security Controls

Slide 16

OWASP Mobile Application Security Verification Standard (MASVS)
https://github.com/OWASP/owasp-masvs

Slide 17

OWASP Mobile Application Security Verification Standard: Security Levels
https://github.com/OWASP/owasp-masvs
− MASVS-L1: good practice for all apps
− MASVS-L2: additional requirements for apps that handle sensitive data
− MASVS-R: additional security measures (resilience against reverse engineering and tampering)

Slide 18

Data at Rest
Encrypt data stored on the device: files, preferences, databases, backups.
Do:
− Use the platform's built-in file protection
− Use strong encryption with integrity checks (authenticated encryption, e.g. AES-GCM)
− Follow the NIST recommendations (https://pages.nist.gov/800-63-3/sp800-63b.html)
− Minimize the data you collect; do not store sensitive data you do not need
Don't:
− Reuse a key with the same parameters (salt, IV/nonce); with AES-GCM a repeated (key, nonce) pair breaks both confidentiality and integrity
Common pitfall:
− Misuse of encryption libraries (e.g. wrong parameters)

Slide 19

Key Management
Keys are data too: they must be correctly managed and protected.
Do:
− Store keys encrypted, or in a hardware-protected module (Secure Element / Secure Enclave)
− Protect access to keys with biometric authentication
− Derive keys from user input with a key derivation function (KDF)
− Define a key lifecycle that limits the amount of data encrypted with one key (key rotation)
− Make sure compromised or outdated keys no longer work (key revocation)
Don't:
− Hardcode keys in the app
− Keep keys in memory longer than necessary
− Store keys together with the data they protect

Slide 20

Data in Transit
Use TLS to encrypt data in transit. Encrypt data on top of TLS if necessary (for example when the TLS endpoint is not the final recipient of the data).
Do:
− Use well-configured TLS (current protocol versions and cipher suites, certificate validation left on)
− Use ephemeral keys
− Use a key agreement protocol (forward secrecy)
Don't:
− Disable the platform's default security (e.g. App Transport Security, ATS, on iOS)
− Use self-signed certificates
− Accept invalid certificates (expired, wrong host name, untrusted issuer)

Slide 21

Certificate Pinning
Validate the host's certificate against a known copy trusted by the app.
− Pin the leaf certificate or an intermediate certificate
− Pin the whole certificate or only its public key (or a hash of either)
− Embed the pinned certificate (or its hash) in the app
− Pin more than one key (a backup pin) and update the app before the server rotates to a key the app does not know; otherwise the app locks itself out
− https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
− https://developer.apple.com/documentation/security/preventing_insecure_network_connections
− https://developer.android.com/training/articles/security-config.html
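Slides 20 and 21 (well-configured TLS, certificate pinning) as working code, an added example that is not part of the talk or of Adnovum's code. Go is used because it ships a TLS stack and x509 tooling in the standard library, so the example runs offline. Assumptions: the constructed host name api.example.test, self-signed certificates generated in memory in place of a real server chain, and pinning by SPKI hash (the form the Android network security config and the OWASP cheat sheet use).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin is the SHA-256 of the certificate's SubjectPublicKeyInfo, base64 encoded:
// the same value Android's network_security_config <pin digest="SHA-256"> expects.
// Pinning the key rather than the whole certificate survives a re-issued certificate
// for the same key pair.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinVerifier returns the callback tls.Config runs after the normal chain validation
// (expiry, host name, trusted root) has already succeeded, so pinning is an extra
// check, not a replacement. It accepts when any certificate of any verified chain
// matches one of the pins, which lets you pin an intermediate and carry a backup pin.
func PinVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains {
			for _, cert := range chain {
				if allowed[SPKIPin(cert)] {
					return nil
				}
			}
		}
		return errors.New("certificate pinning failure: no pinned public key in chain")
	}
}

// ClientConfig is the "well-configured TLS" of slide 20: TLS 1.2 minimum, platform
// certificate validation left enabled (InsecureSkipVerify stays false), pins added.
func ClientConfig(serverName string, pins []string) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: PinVerifier(pins),
	}
}

// testCert builds a self-signed certificate in memory so the example runs offline;
// it stands in for the real server certificate and the host name is constructed.
func testCert(host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	current := testCert("api.example.test")
	rotated := testCert("api.example.test") // same host, new key pair after a rotation
	cfg := ClientConfig("api.example.test", []string{SPKIPin(current)})
	chain := func(c *x509.Certificate) [][]*x509.Certificate { return [][]*x509.Certificate{{c}} }
	fmt.Println("pinned key:     ", cfg.VerifyPeerCertificate(nil, chain(current)))
	fmt.Println("rotated key:    ", cfg.VerifyPeerCertificate(nil, chain(rotated)))
	both := ClientConfig("api.example.test", []string{SPKIPin(current), SPKIPin(rotated)})
	fmt.Println("with backup pin:", both.VerifyPeerCertificate(nil, chain(rotated)))
}
```

In a real client the callback runs inside the handshake of tls.Dial(..., cfg); here it is invoked directly with the constructed chains. The rotated-key case is the operational trap behind the slide's last bullet: without a second pin shipped in advance, a server key rotation breaks every installed app until users update.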

Slide 22

Authentication and Authorization
Authentication = verifying who someone is.
Authorization = verifying what a user is allowed to access or do.
− Enforce a password policy
− Support the platform's password autofill
− Offer passwordless authentication
− Require multi-factor authentication for access to sensitive data
− Bind biometric authentication to key operations (the key is released only after a successful biometric prompt)
− Minimize the lifetime of session identifiers and tokens
− Temporarily lock the account after multiple incorrect authentication attempts
− Rely on multiple communication channels for critical operations
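The lockout bullet of the slide above as working code, an added example rather than the talk's or Adnovum's code. Go is used for consistency with the other examples on this page; the policy is server-side logic and identical on any platform. Assumptions: three attempts per lock, a 30-second base lock that doubles each time the threshold is hit again, an injectable clock, and a constructed verifier in place of a stored password hash.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadCredentials = errors.New("invalid credentials")
	ErrLocked         = errors.New("account temporarily locked")
)

// Lockout counts failed authentication attempts per account and refuses further
// attempts for a lock window that doubles each time the threshold is hit again.
// The lock is temporary so an attacker cannot permanently lock real users out by
// guessing wrong on purpose. Now is injectable so the policy can be tested.
type Lockout struct {
	MaxAttempts int
	BaseLock    time.Duration
	Now         func() time.Time
	failures    map[string]int
	locks       map[string]int // consecutive locks, drives the backoff exponent
	lockedUntil map[string]time.Time
}

func NewLockout(maxAttempts int, baseLock time.Duration) *Lockout {
	return &Lockout{
		MaxAttempts: maxAttempts, BaseLock: baseLock, Now: time.Now,
		failures: map[string]int{}, locks: map[string]int{}, lockedUntil: map[string]time.Time{},
	}
}

// Authenticate compares presented and expected (e.g. the hash of the entered password
// and the stored hash) in constant time, so response timing does not reveal how much of
// the value matched, and applies the lockout policy around that comparison.
func (l *Lockout) Authenticate(user string, presented, expected []byte) error {
	now := l.Now()
	if until, ok := l.lockedUntil[user]; ok && now.Before(until) {
		return ErrLocked // refuse even a correct guess while locked
	}
	if subtle.ConstantTimeCompare(presented, expected) == 1 {
		delete(l.failures, user)
		delete(l.locks, user)
		delete(l.lockedUntil, user)
		return nil
	}
	l.failures[user]++
	if l.failures[user] < l.MaxAttempts {
		return ErrBadCredentials
	}
	l.failures[user] = 0
	if l.locks[user] < 10 { // cap the backoff at 2^9 * BaseLock
		l.locks[user]++
	}
	l.lockedUntil[user] = now.Add(l.BaseLock << uint(l.locks[user]-1))
	return ErrLocked
}

// LockedFor reports how long the account stays locked from the current time.
func (l *Lockout) LockedFor(user string) time.Duration {
	if until, ok := l.lockedUntil[user]; ok && l.Now().Before(until) {
		return until.Sub(l.Now())
	}
	return 0
}

func main() {
	guard := NewLockout(3, 30*time.Second)
	secret := []byte("s3cret-verifier") // constructed; a real system compares password hashes
	for _, guess := range []string{"a", "b", "c", "s3cret-verifier"} {
		fmt.Printf("attempt %q: %v\n", guess, guard.Authenticate("alice", []byte(guess), secret))
	}
	fmt.Println("locked for:", guard.LockedFor("alice"))
}
```

The fourth attempt in main is correct but still refused, which is the point of a lock: the window is enforced regardless of what is presented. In production the counters would live in shared storage rather than in-process maps, and a notification on lock gives the legitimate user a chance to react.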

Slide 23

Platform Interaction
− Restrict access to device capabilities
− Request only the minimal set of permissions that are necessary
− Validate and sanitize all user and external input
− Restrict WebView access to the required resources and clear its cache
− Hide sensitive data before the app transitions to the background (the system takes a snapshot)

Slide 24

Build Settings
− Sign and provision the app with a valid certificate
− Build production binaries in release mode
− Remove debugging code and symbols from the generated binaries

Slide 25

App Hardening
Increase the app's resilience against reverse engineering and specific client-side attacks.
− Prevent the app from running on rooted or jailbroken devices
− Detect and respond to the presence of a debugger
− Prevent the app from running on an emulator or simulator
− Make it difficult to tamper with or modify a legitimate app (data, memory)
− Obfuscate data using encryption or tokenization
− Obfuscate the source code to make it difficult to understand and analyze
These controls raise the cost of an attack; they do not replace the other controls, since an attacker with full control of the device can eventually bypass them.

Slide 26

Various Recommendations
− Organize security awareness trainings for team members
− Follow secure coding guidelines
− Use security checklists in code reviews
− Use industry standards and tools
− Consult the OWASP Top 10 Proactive Controls
− Do not implement your own security controls where solutions are available
− Do not copy-paste from the Web without understanding
− Do not log sensitive data
− Do not commit secrets

Slide 27

Verification and Testing

Slide 28

OWASP Mobile Security Testing Guide (MSTG)
https://github.com/OWASP/owasp-mstg

Slide 29

OWASP Mobile Application Security Checklists
https://github.com/OWASP/owasp-mstg

Slide 30

Analysis Tools
Static application security testing (SAST)
− White-box testing that evaluates static inputs: documentation, source code, third-party dependencies
− Integrated into CI/CD pipelines
− SonarQube, Fortify, Veracode, MobSF, …
Dynamic application security testing (DAST)
− Black-box approach (no knowledge of the software internals)
− Input/output analysis of the running app
− Frida, Charles, mitmproxy, …

Slide 31

Thank you for your attention
And your digital business works