Slide 1

SECURE PROGRAMMING TECHNIQUES: Mobile Dev Security, dive deeper
Mobile Development Security, 2021/22 spring

Slide 2

WHOAMI

Harri Kirik, [email protected]
● University of Tartu, MSc Infotechnology
● Mobi Lab, https://lab.mobi/
● 11 years of mobile software engineering

Slide 3

DISCLAIMER

This is an overview. Not a required checklist for every single project.

Slide 4

TO START

1. Make a plan <- the point where you know the least
2. Execute the plan <- the fun part
3. Verify the result <- the hard part

Slide 5

IS MOBILE DEVELOPMENT DIFFERENT IN TERMS OF SECURITY?

No!
● But be careful, it can feel like that.

Slide 6

1) BUT IT IS IN MY HANDS!

Yes, the user has control over it
● But the user is not you!
● That user is an attack vector
● Most users think differently than you
● Most users do not have the newest version

Slide 7

2) BUT IT IS A MORE SECURE ENVIRONMENT!

Kernel-level sandbox for the win!
● Process separation
● Storage separation
● Memory separation
● Resource separation
● Intent separation

Slide 8

BUT IT IS A MORE SECURE ENVIRONMENT!

Yes, but is it always more secure?
1. Secure <- you want this
2. Insecure <- you are ready for this
3. Unknown <- WTH?

Slide 9

BUT IT IS A MORE SECURE ENVIRONMENT!

It is / looks insecure, ..
1. but with a capable user?
2. but for an official reason?
3. and already owned by someone else?

Slide 10

BUT IT IS A MORE SECURE ENVIRONMENT!

It is unknown, because ..
● your own bug?
● platform service interruption?
● already compromised?
● unknown?

Slide 11

IS MOBILE DEVELOPMENT DIFFERENT IN TERMS OF SECURITY?

Well, actually :D
● The long tail of old OS and app versions still in use
● The turnover time for releases: a fix only reaches users once it has passed store review and the user has updated

Slide 12

BACK TO THE BASICS

● Anyway, to the topic at hand

Slide 13

TO START

1. Make a plan <- the point where you know the least
2. Execute the plan <- the fun part
3. Verify the result <- the hard part

Slide 14

THE BASICS

To start with ..

Slide 15

BASICS

Set a clear baseline requirement
A. "Device with the factory settings"
B. "Device with #A plus successful attestation"
C. "A non-rooted device"
D. "Any Google Android device"

Slide 16

BASICS

Set a clear baseline requirement
E. "Any Huawei Android device"
F. "Factory settings, or an extra disclaimer agreed"
G. ...

Slide 17

BASICS

Set a clear baseline requirement
● Build the other security measures against that baseline
● I.e. pick your battles

Slide 18

BASICS

Code reviews
● Does it do what the spec says?
● Is the code well written?
● Is the architecture correct?
● Do we need to agree on something?
● Did we forget something?

Slide 19

BASICS

Team's agreements
● Start with an opinionated baseline
● Review and commit at the beginning of the project
● Hold your peers accountable for compliance

Slide 20

BASICS

Team's agreements - Example
1) Each implementation task (new feature, bugfix) should at least go through one of the following:
○ A code review as per "Code review process"
○ A design review as per "Design QA process"
○ Manual testing as per "Manual QA process"
○ Automated testing by unit tests, instrumentation tests or integration tests
Unless decided otherwise and the reason is documented in the tracker task.

Slide 21

BASICS

Team's agreements
● Value for the team's process
● Value in the security measures process

Slide 22

BASICS

MASVS
● OWASP Mobile Application Security Verification Standard
● MASVS-L1 & MASVS-L2
● https://bit.ly/39EyGF1

Slide 23

BASICS

MASVS
● Regular review and agreement is more important than one-time full compliance
● Reason about it in your context

Slide 24

BASICS

MASVS
● Record the results in a checklist
● Status per requirement: TODO - OK - PRTL (partial) - NOK - N/A
● Each NOK gets a tracker ID and a comment
● Each N/A and PRTL gets a comment

Slide 25

BASICS

MASVS - Example

ID | Requirement | Status | Comment
3.5 MSTG-CRYPTO-5 | The app doesn't re-use the same cryptographic key for multiple purposes. | OK | The library does not re-use the same cryptographic key for multiple purposes.
3.6 MSTG-CRYPTO-6 | All random values are generated using a sufficiently secure random number generator. | OK | All random values are generated using a sufficiently secure random number generator. PRNG improvements are applied on platform API levels where they are required as per https://android-developers.googleblog.com/2013/08/some-securerandom-thoughts.html.
7.1 MSTG-CODE-1 | The app is signed and provisioned with a valid certificate, of which the private key is properly protected. | N/A | The binary is a library and is not directly signed, as only Android applications can be signed.
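The recording rules from the previous slides (five statuses, a tracker ID and comment for every NOK, a comment for every N/A and PRTL) are easy to state and easy to let slip in a spreadsheet. Below is an added example, not code from the talk, that lints such a checklist record so the rule is enforced on every review. The row format (tab-separated: requirement ID, status, tracker ID, comment) and the Jira-style tracker key pattern are assumptions for the example; the sample rows are constructed, modelled on the table above.

```python
"""Lint a MASVS checklist record. Added example, not from the talk.

Assumed format: tab-separated lines "id<TAB>status<TAB>tracker<TAB>comment",
lines starting with '#' are ignored. Tracker IDs are assumed to look like SEC-42.
"""
import re

STATUSES = {"TODO", "OK", "PRTL", "NOK", "N/A"}
TRACKER_ID = re.compile(r"^[A-Z][A-Z0-9]+-\d+$")  # assumed Jira-style key

# Constructed sample checklist (not a real project's record).
SAMPLE = """\
# id\tstatus\ttracker\tcomment
MSTG-CRYPTO-5\tOK\t\tThe library does not re-use the same key for multiple purposes.
MSTG-CRYPTO-6\tOK\t\tSecureRandom; PRNG fixes applied where the API level needs them.
MSTG-CODE-1\tN/A\t\tThe binary is a library; only applications are signed.
MSTG-STORAGE-2\tPRTL\t\t
MSTG-NETWORK-4\tNOK\tSEC-17\tCertificate pinning postponed to the next release.
MSTG-RESILIENCE-1\tNOK\t\t
MSTG-AUTH-1\tTODO\t\t
"""


def parse_checklist(text):
    """Turn the tab-separated record into a list of row dicts, keeping line numbers."""
    rows = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("\t")]
        parts += [""] * (4 - len(parts))  # tolerate missing trailing columns
        req_id, status, tracker, comment = parts[:4]
        rows.append({"line": lineno, "id": req_id, "status": status,
                     "tracker": tracker, "comment": comment})
    return rows


def lint(rows):
    """Return human-readable violations of the recording rules (empty list = clean)."""
    problems = []
    seen = set()
    for r in rows:
        where = f"{r['id']} (line {r['line']})"
        if r["id"] in seen:
            problems.append(f"{where}: duplicate requirement")
        seen.add(r["id"])
        if r["status"] not in STATUSES:
            problems.append(f"{where}: unknown status {r['status']!r}")
            continue
        if r["status"] == "NOK":
            # A NOK is only acceptable when someone owns it: tracker task plus reasoning.
            if not TRACKER_ID.match(r["tracker"]):
                problems.append(f"{where}: NOK without tracker ID")
            if not r["comment"]:
                problems.append(f"{where}: NOK without comment")
        elif r["status"] in {"N/A", "PRTL"} and not r["comment"]:
            # Skipping or half-doing a requirement must be explained, not just ticked.
            problems.append(f"{where}: {r['status']} without comment")
    return problems


def summary(rows):
    """Count rows per status; unknown statuses are ignored here, lint() reports them."""
    counts = {s: 0 for s in STATUSES}
    for r in rows:
        if r["status"] in counts:
            counts[r["status"]] += 1
    return counts


def release_ready(rows):
    """The bar from the slides: nothing left TODO and every deviation recorded, not full compliance."""
    return not lint(rows) and summary(rows)["TODO"] == 0


if __name__ == "__main__":
    rows = parse_checklist(SAMPLE)
    print(summary(rows))
    for problem in lint(rows):
        print("-", problem)
    print("release ready:", release_ready(rows))
```

Run it in CI against the committed checklist so the record cannot drift from the rule; the sample above fails on a PRTL without a comment and a NOK that nobody owns.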

Slide 26

BASICS

Play Store Data Safety form
● In a survey format
● With a focus on user privacy
● Used for both developer and user guidance

Slide 27

BASICS

Play Store Data Safety - Example

Slide 28

BASICS

Components and boundaries
● Parts with different
○ goals?
○ security properties?
○ security requirements?
● Easier to build, review and audit

Slide 29

BASICS

Debug vs release binaries
● Build explicit debug binaries
● Keep the release binary clean
● Make it explicit / automatic which is which
● Use a CI!

Slide 30

BASICS

Create clear identity and versioning
● In file naming
● As explicit strings in binaries
● As strings in companion documentation

Slide 31

BASICS

Logging
● Doesn't have to be event-based
● Pre-configure it based on debug / release
● Disable (all but critical?) logs for release
○ Or off by default if it is a library

Slide 32

BASICS

APIs and interfaces
● Which ones do you trust?
● Which ones don't you trust?
● Which ones do you have control over?
● Which ones are frequently updated?
● Versioning?

Slide 33

BASICS

API keys and tokens
● Visible to the world!
● In your binary forever!
● Restrict each to a single purpose
● Restrict each to a specific app signing key (package name plus signing certificate fingerprint)

Slide 34

BASICS

Identity and signing
● Does the account owner own the app?
● Android: upload key vs app signing key
○ Why?
○ Who has them?

Slide 35

A LITTLE MORE ADVANCED

What you can also consider ..

Slide 36

ADVANCED

Device Integrity
● Is the device in its factory setup?
● Is the device unrooted?
● Is your baseline present?

Slide 37

ADVANCED

Device Integrity
● Google SafetyNet Attestation API
○ succeeded by the Google Play Integrity API
● Huawei SysIntegrity API
● Apple DeviceCheck API

Slide 38

ADVANCED

Google SafetyNet Attestation API
1. The SafetyNet Attestation API receives a call from your app. This call includes a nonce.
2. The SafetyNet Attestation service evaluates the runtime environment and requests a signed attestation of the assessment results from Google's servers.
3. Google's servers send the signed attestation to the SafetyNet Attestation service on the device.
4. The SafetyNet Attestation service returns this signed attestation to your app.
5. Your app forwards the signed attestation to your server.
6. Your server validates the signed attestation and uses the result in its decisions.
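Step 6 is where the baseline requirement from the BASICS slides gets enforced: the same attestation passes or fails depending on whether the project's baseline is "factory settings plus attestation", "non-rooted" or "any device". Below is an added example of that server-side check, not code from the talk or from Google. It assumes that the JWS signature and the x5c certificate chain (leaf issued for attest.android.com) have already been verified by a separate step, and only evaluates the claims; the mapping of baselines to required claims, the freshness window and all sample values are assumptions of the example. The JWS it builds is constructed, with a placeholder signature, so the code runs offline; it also treats an attestation that cannot be parsed as the slides' "unknown" state rather than as a pass.

```python
"""Server-side evaluation of a SafetyNet-style attestation payload (step 6).

Added example, not the talk's code. Signature and certificate-chain verification
are assumed to have happened before these claims are trusted; this module only
checks the claims against a baseline policy.
"""
import base64
import hmac
import json

# Assumed mapping from the "Set a clear baseline requirement" options to claims.
POLICIES = {
    # B: factory settings plus successful attestation, hardware-backed evaluation required
    "factory_attested": {"ctsProfileMatch": True, "basicIntegrity": True, "hardware_backed": True},
    # C: a non-rooted device; an unlocked bootloader or uncertified device is tolerated
    "non_rooted": {"ctsProfileMatch": False, "basicIntegrity": True, "hardware_backed": False},
    # D: any device; the attestation only has to be genuine, fresh and bound to our app
    "any_device": {"ctsProfileMatch": False, "basicIntegrity": False, "hardware_backed": False},
}
MAX_AGE_MS = 10 * 60 * 1000   # assumed freshness window; older attestations are replayable history
CLOCK_SKEW_MS = 60 * 1000     # tolerate a slightly fast device clock


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jws_payload(jws):
    """Return the claims of a compact JWS. Does NOT verify the signature (separate step)."""
    header_b64, payload_b64, _signature_b64 = jws.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "RS256" or "x5c" not in header:
        raise ValueError("unexpected JWS header")
    return json.loads(_b64url_decode(payload_b64))


def check_claims(payload, expected_nonce, expected_package, expected_cert_digests, policy, now_ms):
    """Return the list of failures; an empty list means the device meets the baseline."""
    failures = []
    # 1. Nonce: must be the one this server issued for this session (payload carries it base64-encoded).
    try:
        nonce = base64.b64decode(str(payload.get("nonce", "")), validate=True)
    except ValueError:
        nonce = b""
    if not hmac.compare_digest(nonce, expected_nonce):
        failures.append("nonce mismatch (replay or wrong session)")
    # 2. Freshness: reject stale attestations and ones from the future.
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or ts > now_ms + CLOCK_SKEW_MS or now_ms - ts > MAX_AGE_MS:
        failures.append("timestamp missing, stale or in the future")
    # 3. Binding to our app: package name and signing certificate digest(s).
    if payload.get("apkPackageName") != expected_package:
        failures.append("apkPackageName mismatch")
    digests = set(payload.get("apkCertificateDigestSha256") or [])
    if not digests or not digests <= set(expected_cert_digests):
        failures.append("apkCertificateDigestSha256 mismatch (repackaged or re-signed app)")
    # 4. Device state, as strict as the baseline says.
    if policy["basicIntegrity"] and payload.get("basicIntegrity") is not True:
        failures.append("basicIntegrity is false")
    if policy["ctsProfileMatch"] and payload.get("ctsProfileMatch") is not True:
        failures.append("ctsProfileMatch is false (unlocked bootloader, custom ROM or uncertified device)")
    if policy["hardware_backed"] and "HARDWARE_BACKED" not in str(payload.get("evaluationType", "")).split(","):
        failures.append("evaluation was not hardware-backed")
    return failures


def evaluate(jws, expected_nonce, expected_package, expected_cert_digests, policy, now_ms):
    """Secure = [], insecure = list of failures, unknown = ['unknown: ...'] (never a pass)."""
    try:
        payload = decode_jws_payload(jws)
    except ValueError as exc:   # covers malformed base64, JSON and split errors
        return [f"unknown: malformed attestation ({exc})"]
    return check_claims(payload, expected_nonce, expected_package, expected_cert_digests, policy, now_ms)


# Constructed sample values (not a real attestation, app or nonce).
SAMPLE_NONCE = bytes.fromhex("9f51e3a0b7c2d4e6f8091a2b3c4d5e6f7a8b9c0d1e2f30415263748596a7b8c9")
SAMPLE_PACKAGE = "com.example.bank"
SAMPLE_CERT_DIGEST = base64.b64encode(bytes.fromhex("11" * 32)).decode()
SAMPLE_NOW_MS = 1_650_000_000_000


def sample_jws(**overrides):
    """Build a constructed JWS with a placeholder signature; overrides tweak individual claims."""
    payload = {
        "nonce": base64.b64encode(SAMPLE_NONCE).decode(),
        "timestampMs": SAMPLE_NOW_MS - 5_000,
        "apkPackageName": SAMPLE_PACKAGE,
        "apkCertificateDigestSha256": [SAMPLE_CERT_DIGEST],
        "ctsProfileMatch": True,
        "basicIntegrity": True,
        "evaluationType": "BASIC,HARDWARE_BACKED",
    }
    payload.update(overrides)
    header = {"alg": "RS256", "x5c": ["<constructed placeholder certificate>"]}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"placeholder-signature")])


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        verdict = evaluate(sample_jws(ctsProfileMatch=False), SAMPLE_NONCE, SAMPLE_PACKAGE,
                           [SAMPLE_CERT_DIGEST], policy, SAMPLE_NOW_MS)
        print(f"{name}: {'pass' if not verdict else verdict}")
```

The same device with ctsProfileMatch false fails baseline B and passes baselines C and D, which is the point of writing the baseline down first: the policy is a one-line table, not scattered ifs. Keep the nonce server-issued and single-use, otherwise the nonce check proves nothing.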

Slide 39

ADVANCED

Keystore
● Android Keystore
● iOS Secure Enclave
● Create and keep keys on the device, tied to the app (and the user)
● Most devices support it

Slide 40

ADVANCED

TEE (Android Keystore)
● Trusted Execution Environment
● Runs on the same processor
● Is isolated from the rest of the system by both hardware and software

Slide 41

ADVANCED

StrongBox Keymaster (Android Keystore)
● Its own CPU
● Secure storage
● A true random-number generator
● Additional mechanisms to resist package tampering and unauthorized sideloading of apps

Slide 42

ADVANCED

Secure Enclave (iOS)
● Secure Enclave Processor
● AES engine for cryptographic operations
● Protected memory

Slide 43

ADVANCED

Keystore
● Fallback to software?
● Operations unavailable?
● Device migration? (hardware-bound keys are not exportable, so they do not travel with a backup)

Slide 44

ADVANCED

Obfuscation and active protection
● ProGuard / R8 (shrinking and renaming; raises the cost of reverse engineering, not a security boundary)
● DexGuard / Promon (commercial, adds runtime protection)

Slide 45

ADVANCED

UX and humans
● Secure keyboards
● Drawing over other apps (overlays covering or spoofing your UI)
● Or just call the user and ask them to give you their money ..

Slide 46

ADVANCED

User tracking
● Allowed, but ..
○ only via advertising IDs
○ user clearable
● No fingerprinting!

Slide 47

ADVANCED

Device fingerprinting
● Officially not allowed
○ Apple vs Uber
● Somewhat of a grey area in reality
○ fraud protection

Slide 48

ADVANCED

Auditability
● Is the code and process understandable?
● Is the process verifiable?
● Is the code readable and reviewable?

Slide 49

ADVANCED

Auditability
● Open-source your stuff?
○ Hoia - https://bit.ly/3wLO36F

Slide 50

VERIFY

Check the result ..

Slide 51

VERIFY

Code audits
● Can you go over the spec and the code and say it does what the spec says?
● Yes? Mostly? Not very well?

Slide 52

VERIFY

MobSF
● Mobile Security Framework
● "Pen-testing, malware analysis and security assessment framework"
● Knows nothing of your context

Slide 53

VERIFY

MobSF
1. Run on the release binary
2. Analyse the report and create a companion document with comments
3. Keep both
4. Create tracker tasks when needed

Slide 54

VERIFY

MobSF - Example

ISSUE | SEVERITY | STANDARDS | FILES
The App uses an insecure Random number Generator | High | MASVS: MSTG-CRYPTO-6 | j$/util/concurrent/F.java, kotlinx/coroutines/scheduling/CoroutineScheduler.java
Files may contain hardcoded sensitive information like usernames, passwords, keys, etc. | High | MASVS: MSTG-STORAGE-14 | io/jsonwebtoken/jwsHeader.java

Both hits are in third-party library code; whether the randomness or the strings there are security-relevant is a judgement the tool cannot make, and that judgement is what the companion document records.

Slide 55

VERIFY

OWASP dependency check
● Software Composition Analysis (SCA) tool
● Attempts to detect publicly disclosed vulnerabilities in the project's dependencies
● Knows nothing of your context

Slide 56

VERIFY

OWASP dependency check
1. Run on the project
2. Analyse the report and create a companion document with comments
3. Keep both
4. Create tracker tasks when needed

Slide 57

VERIFY

Dependency check - Example

DEPENDENCY | FINDINGS
commons-compress-1.20.jar
● CVE-2021-35515
● When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
● CVE-2021-35516 ..
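The four-step routine on the MobSF and dependency-check slides (run, analyse into a companion document, keep both, open tracker tasks) only works if the companion document is reconciled with every new report: findings nobody has decided on, decisions for findings that no longer exist, and accepted risks whose review date has passed all need to surface. Below is an added example of that reconciliation, not code from the talk or from either tool. The report shape follows dependency-check's JSON output as I know it (dependencies[].fileName and dependencies[].vulnerabilities[].name/severity); the companion-document format, the decision vocabulary and the sample data are assumptions of the example, and the MobSF findings from the earlier slide can be fed through the same register by mapping them to (file, issue) pairs.

```python
"""Reconcile a scanner report with its companion (triage) document.

Added example, not the talk's code. Report shape assumed to match
dependency-check's JSON (dependencies[].fileName, vulnerabilities[].name/severity).
Companion entries are assumed to look like:
  {"dependency": ..., "id": ..., "decision": "fix" | "accept" | "false-positive",
   "tracker": "SEC-21", "comment": "...", "review_by": "YYYY-MM-DD" (for accept)}
"""
from datetime import date

DECISIONS = {"fix", "accept", "false-positive"}

# Constructed sample report: the two CVEs shown on the slide for commons-compress-1.20.jar
# plus one clean dependency.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "commons-compress-1.20.jar",
         "vulnerabilities": [
             {"name": "CVE-2021-35515", "severity": "HIGH"},
             {"name": "CVE-2021-35516", "severity": "HIGH"},
         ]},
        {"fileName": "kotlin-stdlib-1.6.10.jar"},
    ],
}

# Constructed companion document: one accepted risk whose review date has passed,
# one stale entry left over from the previous library version, nothing for CVE-2021-35516.
SAMPLE_COMPANION = [
    {"dependency": "commons-compress-1.20.jar", "id": "CVE-2021-35515", "decision": "accept",
     "comment": "The app never opens 7z archives.", "review_by": "2022-01-31"},
    {"dependency": "commons-compress-1.19.jar", "id": "CVE-2021-35515", "decision": "accept",
     "comment": "The app never opens 7z archives.", "review_by": "2021-12-31"},
]


def _label(key):
    return f"{key[0]} / {key[1]}"


def findings_from_report(report):
    """Map (dependency file, finding id) -> severity for every reported vulnerability."""
    found = {}
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            found[(dep["fileName"], vuln["name"])] = str(vuln.get("severity", "UNKNOWN")).upper()
    return found


def triage(report, companion, today_iso):
    """Return untriaged findings and every inconsistency between report and companion document."""
    today = date.fromisoformat(today_iso)
    findings = findings_from_report(report)
    decided = set()
    issues = []
    for entry in companion:
        key = (entry.get("dependency"), entry.get("id"))
        if entry.get("decision") not in DECISIONS:
            issues.append(f"{_label(key)}: invalid decision {entry.get('decision')!r}")
            continue
        if key not in findings:
            # The finding disappeared (upgrade, removal or scanner change): the record must follow.
            issues.append(f"{_label(key)}: stale entry, finding is no longer reported")
            continue
        decided.add(key)
        if entry["decision"] == "fix" and not entry.get("tracker"):
            issues.append(f"{_label(key)}: 'fix' without a tracker task")
        if entry["decision"] == "accept":
            review_by = entry.get("review_by")
            if not review_by or date.fromisoformat(review_by) < today:
                issues.append(f"{_label(key)}: accepted risk without a future review date")
        if not entry.get("comment"):
            issues.append(f"{_label(key)}: no comment")
    untriaged = sorted(key for key in findings if key not in decided)
    for key in untriaged:
        issues.append(f"{_label(key)}: {findings[key]} finding has no decision")
    return {"untriaged": untriaged, "issues": issues}


def release_ready(result):
    """Nothing undecided and nothing inconsistent; open 'fix' items are allowed because they are tracked."""
    return not result["untriaged"] and not result["issues"]


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, SAMPLE_COMPANION, "2022-04-01")
    for issue in result["issues"]:
        print("-", issue)
    print("release ready:", release_ready(result))
```

Keep the companion document in the repository next to the report it comments on, and run this reconciliation in the same CI job as the scanner, so "keep both" and "create tracker tasks when needed" are checked rather than remembered.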

Slide 58

VERIFY

Manual Pentesting
● Knows your context
● Evaluates findings based on that context

Slide 59

VERIFY

Manual Pentesting
1. Submit your release binary
2. Analyse the report and create a companion document with comments
3. Keep both
4. Create tracker tasks when needed

Slide 60

VERIFY

Manual Pentesting - Example

Slide 61

VERIFY - PENTESTING EXAMPLE

Slide 62

TO START

1. Make a plan <- the point where you know the least
2. Execute the plan <- the fun part
3. Verify the result <- the hard part

Slide 63

DISCLAIMER

This was an overview. Not a required checklist for every single project.

Slide 64

THANKS!

Questions? Comments?
2021/22 spring
Harri Kirik, [email protected]
● Mobi Lab, https://lab.mobi/
● We are hiring - [email protected]