Slide 1

Slide 1 text

Mobile App Security: A Developer Introduction
Marc Obrador, Head of Product Architecture @ Build38

Slide 2

Slide 2 text

Who am I?
Marc Obrador, Head of Product Architecture @ Build38, Barcelona
[email protected] | @marcobrador | /in/marc-obrador
Build38 | Intro to Mobile App Security, November 2019

Slide 3

Slide 3 text

The basics

Slide 4

Slide 4 text

Why do I need to care about Mobile App Security?
- Mobile-first world
- Smartphone = untrusted device
- Regulation (depending on market)
[Chart: Desktop vs. Mobile share (0 to 100%), 2009 to 2020. Source: www.gs.statcounter.com]

Slide 5

Slide 5 text

What do I need to protect?

Slide 6

Slide 6 text

What do I need to protect?
It depends

Slide 7

Slide 7 text

What do I need to protect?
- User Data
- Your Business
- DRM

Slide 8

Slide 8 text

How can I protect my app?
Let's first switch our perspective

Slide 9

Slide 9 text

The hacker's perspective
[Chart: Investment, Income and Cumulated Profit over months M1 to M12]

Slide 10

Slide 10 text

How can I protect my app?

Slide 11

Slide 11 text

How can I protect my app?
Make it unattractive for the hacker

Slide 12

Slide 12 text

How can I protect my app?
[Chart: Investment, Income and Cumulated Profit over months M1 to M12, same axes as slide 9]

Slide 13

Slide 13 text

How can I protect my app?
[Chart: Investment, Income and Cumulated Profit over months M1 to M12, same axes as slide 9]
1. Increase required investment: Obfuscation + Anti-reversing
2. Reduce income: Diversification (each build, market or user gets a functionally equivalent but different variant, so one crack does not work everywhere)
3. Force periodic investment: Renewability (the protection changes with each release, so the attacker has to redo the work)
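
As an added example (not from the deck, and not Build38's code), the baseline for "increase required investment" on Android is to ship release builds through R8 with shrinking and renaming turned on. The Gradle Kotlin DSL fragment assumes the standard Android Gradle Plugin layout: an app module with a proguard-rules.pro file next to its build script.

```kotlin
// app/build.gradle.kts  (added example, not from the deck)
android {
    buildTypes {
        getByName("release") {
            // Default is false: then no shrinking or renaming happens and every
            // class, method and field keeps its source name in the shipped APK,
            // which makes smali patching a matter of reading, not reversing.
            isMinifyEnabled = true
            // The -optimize variant also enables R8's code optimizations.
            // proguard-rules.pro holds the -keep rules for anything that must
            // keep its name (reflection, JNI entry points, serialized models).
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"
            )
        }
    }
}
```

Add `-repackageclasses ''` to proguard-rules.pro to flatten the package hierarchy, and keep the `-keep` rules as narrow as possible; every kept class is a readable landmark. Note the limit of this step: R8 renames identifiers and removes dead code, but it does not encrypt strings or flatten control flow, so the anti-reversing layer the slide names on top of obfuscation (debugger, hook and root detection, moving logic to native code) is separate work or a dedicated tool.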

Slide 14

Slide 14 text

Some Common Threats (and their countermeasures)

Slide 15

Slide 15 text

MITM (Man-in-the-Middle)
- Risk for both user data and backend
- It's 2019 – use HTTPS!
- But... might not be enough:
  § Certificate Pinning
  § Mutual Authentication
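
Added example (not from the deck, not Build38's code) of the two countermeasures on Android with the OkHttp 4 API: certificate pinning on top of normal chain validation, and mutual TLS where the app presents a client certificate. The host `api.example.com`, the `/v1/profile` endpoint and the two `sha256/...` pin strings are placeholders; real pins are the SHA-256 of the SubjectPublicKeyInfo of your own certificates.

```kotlin
// Added example, not from the deck. Host, endpoint and pins are placeholders.
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.io.InputStream
import java.security.KeyStore
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

const val API_HOST = "api.example.com"   // hypothetical backend

// Two pins: the current leaf (or intermediate) SPKI plus a backup for rotation.
// Pinning a single leaf with no backup turns a routine certificate renewal into
// an outage for every installed copy of the app.
val PINS = listOf(
    "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",  // placeholder: current SPKI
    "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="   // placeholder: backup SPKI
)

private fun pinner(): CertificatePinner =
    CertificatePinner.Builder().apply { PINS.forEach { pin -> add(API_HOST, pin) } }.build()

/** Pinning only: OkHttp still validates the chain against the platform trust store,
 *  then additionally requires one of PINS to appear somewhere in that chain. A
 *  CA the user (or malware) added to the device no longer gets a free pass. */
fun pinnedClient(): OkHttpClient =
    OkHttpClient.Builder().certificatePinner(pinner()).build()

/** Pinning plus mutual TLS: the app proves its identity with a client certificate
 *  held in a PKCS#12 keystore (e.g. provisioned at enrolment). An interception proxy
 *  cannot complete the handshake to the backend without that key; extracting the key
 *  from the app is where the root discussion later in the deck comes in. */
fun mutualTlsClient(clientP12: InputStream, password: CharArray): OkHttpClient {
    val clientStore = KeyStore.getInstance("PKCS12").apply { load(clientP12, password) }
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
        .apply { init(clientStore, password) }
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
        .apply { init(null as KeyStore?) }   // null = platform trust store
    val trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
    val sslContext = SSLContext.getInstance("TLS")
        .apply { init(kmf.keyManagers, arrayOf(trustManager), null) }
    return OkHttpClient.Builder()
        .sslSocketFactory(sslContext.socketFactory, trustManager)
        .certificatePinner(pinner())
        .build()
}

/** Example call. A pin mismatch surfaces as javax.net.ssl.SSLPeerUnverifiedException
 *  whose message lists the pins actually seen in the chain: log it for diagnosis,
 *  never catch it and retry with an unpinned client. */
fun fetchProfile(client: OkHttpClient): String? {
    val request = Request.Builder().url("https://$API_HOST/v1/profile").build()  // hypothetical endpoint
    return client.newCall(request).execute().use { response ->
        if (response.isSuccessful) response.body?.string() else null
    }
}
```

To compute a pin for a live endpoint: `openssl s_client -connect api.example.com:443 </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl base64`. The same pins can also be declared in an Android Network Security Config XML `<pin-set>` instead of in code, which covers every HTTP stack in the process, not only OkHttp.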

Slide 16

Slide 16 text

App Repackaging (1/2)
- Modifying an app and redistributing it for malicious purposes, in order to:
  § Modify original behavior
    o Get paid features for free
    o Cheat on a game (Pokémon GO)
    o ...
  § Steal user data
- How?
  § Android: modify smali code
  § iOS: dynamic library injection

Slide 17

Slide 17 text

App Repackaging (2/2)
Countermeasures:
- Obfuscation
- Detect repackaging
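
Added example (not from the deck, not Build38's code) of the "detect repackaging" countermeasure on Android. Anyone who edits the smali and rebuilds the APK must re-sign it with their own key, so the signing certificate fingerprint changes. `EXPECTED_SIGNER_SHA256` is a placeholder for the hex SHA-256 of your release certificate in DER encoding; the code assumes the standard `android.content.pm` APIs and handles the API 28 change from `GET_SIGNATURES` to `GET_SIGNING_CERTIFICATES`.

```kotlin
// Added example, not from the deck. EXPECTED_SIGNER_SHA256 is a placeholder.
import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.security.MessageDigest

const val EXPECTED_SIGNER_SHA256 = "replace-with-sha256-hex-of-your-release-cert"

private fun ByteArray.sha256Hex(): String =
    MessageDigest.getInstance("SHA-256").digest(this).joinToString("") { "%02x".format(it) }

/** SHA-256 fingerprints of the certificate(s) that signed the running APK. */
fun currentSignerFingerprints(context: Context): List<String> {
    val pm = context.packageManager
    val signatures: Array<Signature> = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        val si = info.signingInfo
        // With multiple signers there is no rotation lineage; a single signer
        // exposes its history, so a legitimately rotated key is still recognised.
        if (si.hasMultipleSigners()) si.apkContentsSigners else si.signingCertificateHistory
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures
    }
    // Signature.toByteArray() is the DER-encoded X.509 certificate.
    return signatures.map { it.toByteArray().sha256Hex() }
}

/** True when none of the signers is the expected release key. */
fun looksRepackaged(context: Context): Boolean =
    EXPECTED_SIGNER_SHA256 !in currentSignerFingerprints(context)
```

This check runs inside the APK the attacker is editing, so a single `if (looksRepackaged(...))` in plain Kotlin is itself one smali patch away from being removed, and hooking `getPackageInfo` to return the original certificate is a standard bypass. It raises the cost only when paired with the slide's other countermeasure: obfuscate it, duplicate it in unrelated code paths, and prefer doing the comparison in native code.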

Slide 18

Slide 18 text

Rooted / Jailbroken devices (1/2)
- Sandbox model: basis of the security model in Android and iOS
  § Each app runs and stores data in isolation from other apps
- Root / Jailbreak means "escaping" this isolation

Slide 19

Slide 19 text

Root == GOD

Slide 20

Slide 20 text

Rooted / Jailbroken devices (2/2)
- User may have legitimately rooted their device
- Remote root exploits are a thing
- No clear action...
  § Restrict some sensitive functionality
  § Design your security model assuming that root can (will) happen
Source:
- https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/
- https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
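
Added example (not from the deck, not Build38's code) of "restrict some sensitive functionality": collect root indicators on Android and gate only the risky features on them, leaving the rest of the app usable for a user who rooted on purpose. The list of `su` locations is a constructed sample of common paths, and the `Feature` enum is hypothetical. Everything here runs on a device the attacker controls, so the result is a cost-raising signal, not proof.

```kotlin
// Added example, not from the deck. SU_PATHS is a constructed sample; Feature is hypothetical.
import android.os.Build
import java.io.File

private val SU_PATHS = listOf(
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/data/local/xbin/su", "/data/local/bin/su", "/system/app/Superuser.apk"
)

class RootSignals(val reasons: List<String>) {
    val likelyRooted: Boolean get() = reasons.isNotEmpty()
}

fun collectRootSignals(): RootSignals {
    val reasons = mutableListOf<String>()
    // Custom ROMs and engineering builds are signed with the AOSP test keys.
    if (Build.TAGS?.contains("test-keys") == true) reasons += "build tags: ${Build.TAGS}"
    // Well-known su locations.
    SU_PATHS.filter { File(it).exists() }.forEach { reasons += "su binary present: $it" }
    // su reachable through PATH (catches less common install locations).
    System.getenv("PATH")?.split(":")?.forEach { dir ->
        if (File(dir, "su").exists()) reasons += "su on PATH: $dir"
    }
    return RootSignals(reasons)
}

enum class Feature { VIEW_BALANCE, TRANSFER_MONEY }

/** Policy from the slide: restrict the sensitive functionality, keep the rest usable. */
fun isAllowed(feature: Feature, signals: RootSignals): Boolean = when (feature) {
    Feature.VIEW_BALANCE -> true
    Feature.TRANSFER_MONEY -> !signals.likelyRooted
}
```

Root-hiding tools defeat file checks (a hooked `File.exists` simply returns false), which is the "design assuming root will happen" half of the slide: verify device state with an attestation the backend checks rather than the app (SafetyNet Attestation was Google's option in 2019), and keep the secrets that matter in hardware-backed Android Keystore keys, which root can use but cannot export.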

Slide 21

Slide 21 text

Recap

Slide 22

Slide 22 text

Recap
- Know what you need to protect
- 100% protection does not exist – aim for "good enough"
- Secure networking is a must
- Apps can be reverse engineered and repackaged
  § Move security-relevant logic to the backend or write it in native C
- Root can be really bad – come up with a plan

Slide 23

Slide 23 text

Thank you! Questions after Jean-Luc's show :)