Slide 1

Assume a hostile environment: securing mobile data in the app
Session ID: MBS-T09
Scott Alexander-Bown, Senior Mobile Developer, viaForensics, @scottyab

Slide 2

#RSAC
Image © 2012-2013 Oliver Geary

Slide 3

The Gap!

Slide 4

Goals

- Mobile devices are a hostile environment
- What are the common app vulnerabilities
- How to protect your apps
  - With an Android bias
- Questions to ask your app developers

Slide 5

Non Goals: There Is No 100% Security
Image: Flickr @BigDumpTruck

Slide 6

Q) Which Is More Secure?

Slide 7

iOS vs Android OS Vulnerabilities
Source: http://www.cvedetails.com, Dec 2013

Slide 8

iOS: Safer for average hipster Joe

Slide 9

Android can be hardened (power users)

Slide 10

The Environment Is Hostile

- Lost / stolen devices
- Open Wi-Fi networks
- SMiShing (SMS phishing)
- Untrusted ports/chargers

Slide 11

Devices Are Hostile Environments

- System updates
- OEM/carrier bloatware (Android)
- MDM
- Secure containers
- System libraries, e.g. Keychain (iOS)
- Device encryption
- Side loading (Android)
- Vulnerable apps / malware

Slide 12

If devices are hostile environments, we focus on the app!

Slide 13

Common App Vulnerabilities

Slide 14

Common App Fails

- Not encrypting stored data
- Not using an SSL/TLS connection
- Not protecting app components
- Not validating client data
- Leaking sensitive data to the device log

Slide 15


Slide 16


Slide 17

Options For App Security

- MDM security SDK?
- App wrapping?
- Built-in
  - Distribute via app stores
  - Better UX
  - Not relying on others

Slide 18

Build in App Security

Slide 19

SQL Injection

- Compiled statements
- Validate input
- Sharing data (Android)
  - Protect components
  - Custom permissions
  - Consider read-only
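The first two bullets (compiled statements and input validation) in Android code, as an added example that is not part of the original talk. `NotesDb`, its table and the size limits are hypothetical; the point is the contrast between a query that splices caller-controlled text into the SQL and one that binds it as a parameter.

```java
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteStatement;

/** Hypothetical notes store used to contrast string-built SQL with compiled statements. */
public class NotesDb extends SQLiteOpenHelper {

    public NotesDb(Context ctx) {
        super(ctx, "notes.db", null, 1);
    }

    @Override
    public void onCreate(SQLiteDatabase db) {
        db.execSQL("CREATE TABLE note (_id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)");
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
        // single schema version in this example
    }

    // VULNERABLE: 'owner' is spliced into the SQL text. An owner value such as
    //   x' OR '1'='1
    // returns every row, and a UNION payload can read other tables in the same file.
    public Cursor notesForOwnerUnsafe(String owner) {
        String sql = "SELECT _id, body FROM note WHERE owner = '" + owner + "'";
        return getReadableDatabase().rawQuery(sql, null);
    }

    // SAFE: the SQL text is fixed; the value travels as a bound parameter and
    // can never change the statement's structure, whatever characters it contains.
    public Cursor notesForOwner(String owner) {
        return getReadableDatabase().query(
                "note",
                new String[] {"_id", "body"},
                "owner = ?",
                new String[] {owner},
                null, null, "_id ASC");
    }

    // Compiled statement for inserts: parsed once, values re-bound per row.
    public long addNote(String owner, String body) {
        // Validate before touching the database: reject empty owners and oversized bodies.
        if (owner == null || owner.isEmpty() || body == null || body.length() > 4096) {
            throw new IllegalArgumentException("rejecting malformed note");
        }
        SQLiteStatement stmt = getWritableDatabase().compileStatement(
                "INSERT INTO note (owner, body) VALUES (?, ?)");
        try {
            stmt.bindString(1, owner);
            stmt.bindString(2, body);
            return stmt.executeInsert();
        } finally {
            stmt.close();
        }
    }
}
```

The component-protection bullets belong in the manifest rather than in Java: a `<provider>` that other apps do not need should carry `android:exported="false"`, and one that is shared should declare `android:permission` (or only `android:readPermission` for the read-only case) referring to a custom `<permission>` your app defines. Whatever `selection` string such a provider receives from another process must be passed into `query()` with its `selectionArgs`, as above, never concatenated.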

Slide 20

Encryption

- Assess the risk of the data stored
- Bundle your own crypto libraries (the platform's Bouncy Castle varies by OS version)
- SpongyCastle adds support for:
  - AES-GCM
  - Elliptic Curve Cryptography (ECC)
- Don't seed SecureRandom (on older Android releases, calling setSeed() before first use replaces the system entropy with your seed instead of mixing it in)

Slide 21

Encryption: Not Storing The Key

- Password Based Encryption (PBE)
  - Generate a key from the user's PIN/password
  - KDF (e.g. PBKDF2): the more iterations the better, within what the UI can tolerate
  - Add an app time-out to clear the key from memory
- The AndroidKeyStore provider (Android 4.3+)
  - Hardware-backed (on some devices)
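Password-based encryption as described on the two encryption slides, written out as an added example (not code from the talk): PBKDF2 for the KDF, AES-GCM for the data, and an unseeded SecureRandom for salt and IV, all from the standard JCE classes. The class name, the output layout and the iteration count are choices made here. It runs on desktop Java 7+ as written; on Android the same API is in the platform from API 19, and on older releases the usual approach with the bundled SpongyCastle provider is to pass the IV as an IvParameterSpec instead of GCMParameterSpec.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: derive an AES key from a PIN per call, never persist the key. */
public final class PinCrypto {
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;      // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;
    private static final int KEY_BITS = 256;
    private static final int ITERATIONS = 10000; // tune until derivation takes ~100-200 ms on the slowest device

    // Never call setSeed() on this: on affected Android releases that replaced the
    // generator's state with the caller's bytes instead of adding to it.
    private static final SecureRandom RNG = new SecureRandom();

    static SecretKey deriveKey(char[] pin, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec spec = new PBEKeySpec(pin, salt, ITERATIONS, KEY_BITS);
        try {
            return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword(); // the spec keeps its own copy of the PIN
        }
    }

    // Output layout: salt | iv | ciphertext+tag. Salt and IV are fresh for every call.
    public static byte[] encrypt(char[] pin, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(salt); // authenticate the salt so it cannot be swapped without detection
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(SALT_BYTES + IV_BYTES + ct.length).put(salt).put(iv).put(ct).array();
    }

    public static byte[] decrypt(char[] pin, byte[] blob) throws GeneralSecurityException {
        ByteBuffer b = ByteBuffer.wrap(blob);
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        b.get(salt);
        b.get(iv);
        byte[] ct = new byte[b.remaining()];
        b.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(salt);
        return c.doFinal(ct); // throws AEADBadTagException on a wrong PIN or a modified blob
    }

    public static void main(String[] args) throws Exception {
        char[] pin = "2580".toCharArray();
        byte[] blob = encrypt(pin, "session-token-xyz".getBytes("UTF-8"));
        System.out.println(new String(decrypt(pin, blob), "UTF-8"));
        try {
            decrypt("0000".toCharArray(), blob);
        } catch (GeneralSecurityException e) {
            System.out.println("wrong PIN rejected: " + e.getClass().getSimpleName());
        }
        Arrays.fill(pin, '\0'); // app time-out: wipe the PIN (and any derived key) from memory
    }
}
```

A four-digit PIN has only 10,000 values, so the KDF buys time rather than security against someone who has copied the blob: raising `ITERATIONS` is the lever, and wrapping the derived key with a key held in the AndroidKeyStore (hardware-backed where the device supports it) is what moves the guessing onto the device. `decrypt()` either returns the plaintext or throws; because GCM is authenticated it never hands back garbage for a wrong PIN, so callers need no separate integrity check.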

Slide 22

Encryption: Android Quick Wins

- SQLCipher
  - 256-bit AES encryption of the SQLite database
- Secure-Preferences
  - 'obscure' your app's shared preferences
- IOCipher
  - Virtual encrypted disk
- Conceal
  - Easy-to-use APIs for fast encryption and authentication of data

Slide 23

Force Update

Slide 24

Timeout / Caching

- Session timeout
  - App and server-side
- Clear app data from memory
- Prevent snapshot cache (iOS)
- Exclude from recent tasks (Android)

Slide 25

Q) Are you using SSL?

Slide 26

Q) Is Using SSL Enough?
A) No

Slide 27

Stronger SSL

- Use secure protocol versions (TLS 1.1/1.2; disable SSL v3, which is obsolete and vulnerable to downgrade attacks such as POODLE)
- Use secure cipher suites (128-bit or higher)
- Validate the certificates
- NetCipher (Guardian Project)
  - Whole-chain validation
  - Orbot: proxy through Tor

Slide 28

SSL Pinning

- 2 types
  - Certificate pinning
  - Public key pinning
- Prevents a compromised CA from being trusted for your hosts
- More difficult for MITM

Slide 29

Watch For This!

Slide 30

Tamper Detection

- Simulator/emulator check
  - System properties
- Jailbreak/root check
  - Root apps (Cydia, SuperSU etc.)
  - System properties
- Validate the signing key (Android)

Slide 31

Anti Reversing

- Code obfuscation
  - ProGuard (Android)
- Restrict debugging
- Restrict logging
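The tamper-detection and anti-reversing bullets as one set of runtime checks, an added example rather than code from the talk: emulator and root indicators read from system properties and well-known su paths/packages, signing-key validation against a release certificate fingerprint, and the two debugging checks. `IntegrityChecks`, the lists of paths and packages, and the all-zero placeholder fingerprint are hypothetical; replace the fingerprint with the SHA-256 of your own release certificate.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import java.io.File;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical runtime integrity checks; each returns an indicator, not proof. */
public final class IntegrityChecks {
    // SHA-256 of the release signing certificate (placeholder value; take it from
    // `keytool -list -v -keystore release.jks`, without the colons).
    private static final String RELEASE_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su", "/data/local/xbin/su" };
    private static final String[] ROOT_PACKAGES = {
            "com.noshufou.android.su", "eu.chainfire.supersu", "com.koushikdutta.superuser" };

    /** Runs every check; an empty list means nothing suspicious was observed. */
    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<String>();
        if (isEmulator()) findings.add("running on emulator");
        if (isRooted(ctx)) findings.add("root indicators present");
        if (!signedWithReleaseKey(ctx)) findings.add("APK not signed with release key (repackaged?)");
        if (isDebuggable(ctx)) findings.add("android:debuggable is set");
        if (Debug.isDebuggerConnected()) findings.add("debugger attached");
        return findings;
    }

    // System properties the stock emulator exposes; a modified image can spoof them.
    static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.HARDWARE.contains("goldfish")
                || "sdk".equals(Build.PRODUCT);
    }

    static boolean isRooted(Context ctx) {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true; // custom ROM build
        for (String p : SU_PATHS) {
            if (new File(p).exists()) return true;
        }
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : ROOT_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0);
                return true; // a root-management app is installed
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed, keep looking
            }
        }
        return false;
    }

    // A repackaged APK cannot carry the original signing certificate.
    static boolean signedWithReleaseKey(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                if (RELEASE_CERT_SHA256.equalsIgnoreCase(hex(md.digest(sig.toByteArray())))) return true;
            }
        } catch (Exception e) {
            return false; // treat lookup failure as a failed check
        }
        return false;
    }

    static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

These checks run inside a process the attacker controls, so a patched APK can simply remove them; obfuscate the class, spread the checks rather than gating on a single boolean, and treat a finding as a risk signal (refuse to cache credentials, tell the server) rather than proof. For "restrict logging", the usual complement is the ProGuard rule `-assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); }`, which strips debug logging from release builds so sensitive values never reach logcat.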

Slide 32

DexGuard (Android)

- ProGuard's badass brother
- Same config as ProGuard
- Not free, but 1 license == ∞ apps
- Highlights
  - One-line tamper check
  - Obfuscated class names (e.g. 囃$鷭.smali, Œ$鷭.smali)
  - API hiding with string encryption == tough

Slide 33

Further Resources

- 42+ secure mobile development best practices: http://bit.ly/viafor42
- OWASP mobile security recommendations: http://bit.ly/owaspmobile

Slide 34

What To Ask?

Slide 35

What to ask your app developers?

- Who is building it and where?
- Are they certified?
  - bit.ly/mobilesecuritycert
- Play/App Store account access?
- How is security assessed?
  - Code reviews (including 3rd-party libs)
  - Static analysis
  - Red team black-box assessment

Slide 36

Summary

- Mobile devices are a hostile environment
- What are the common app vulnerabilities
- How to protect your apps
- Questions to ask your app developers

Slide 37

Q&A | Contact | Feedback

Thanks for listening...
@scottyab
github/scottyab
[email protected]
Book signing tomorrow 3:30pm
Thanks to @thomas_cannon

Slide 38

Build in app security.

Slide 39

Reference

- SpongyCastle: http://github.com/rtyley/spongycastle
- Encryption sample projects:
  - http://github.com/nelenkov/android-pbe
  - http://github.com/nelenkov/android-keystore
- AndroidPinning: https://github.com/moxie0/AndroidPinning
- NetCipher: https://github.com/guardianproject/NetCipher
- DexGuard: www.saikoa.com/dexguard
- SQLCipher: http://sqlcipher.net/sqlcipher-for-android
- Secure-Preferences: http://github.com/scottyab/secure-preferences
- IOCipher: http://guardianproject.info/code/iocipher
- Conceal: http://facebook.github.io/conceal
- Android Security Cookbook, ISBN 1782167161
- http://bit.ly/MscEFu