
Assume a hostile environment: securing mobile data in the app

RSA 2014 talk about beefing up your app security to protect your app data and defend against the mobile hostile environment.

Scott Alexander-Bown

February 25, 2014
Transcript

  1. Assume a hostile environment: securing mobile data in the app (Session ID: MBS-T09)
     Scott Alexander-Bown, Senior Mobile Developer, viaForensics, @scottyab
  2. #RSAC Goals
     - Mobile devices are a hostile environment
     - What are the common app vulnerabilities
     - How to protect your apps (with an Android bias)
     - Questions to ask your app developers
  3. The Environment Is Hostile
     - Lost / stolen devices
     - Open Wi-Fi networks
     - SMiShing
     - Untrusted ports/chargers
  4. Devices Are Hostile Environments
     - System updates
     - OEM/carrier bloatware (Android)
     - MDM
     - Secure containers
     - System libraries, e.g. KeyChain (iOS)
     - Device encryption
     - Side loading (Android)
     - Vulnerable apps / malware
  5. Common App Fails
     - Not encrypting stored data
     - Not using an SSL connection
     - Not protecting app components
     - Not validating client data
     - Leaking sensitive data to the device log
  6. Options For App Security
     - MDM security SDK?
     - App wrapping?
     - Built-in: distributed via the app stores, better UX, not relying on others
  7. SQL Injection
     - Compiled statements
     - Validate input
     Sharing data (Android)
     - Protect components
     - Custom permissions
     - Consider read-only
  8. Encryption
     - Assess the risk of the data being stored
     - Bundle your own crypto libraries
     - SpongyCastle adds support for AES-GCM and Elliptic Curve Cryptography (ECC)
     - Don't seed the SecureRandom class
  9. Encryption: Not Storing The Key
     - Password Based Encryption (PBE): generate a key from the user's PIN/password
     - KDF: the more iterations the better
     - Add an app timeout to clear the key from memory
     - The KeyStore provider (Android 4.3+), hardware backed on some devices
  10. Encryption: Android Quick Wins
     - SQLCipher: 256-bit AES, encrypts the SQLite database
     - Secure-Preferences: 'obscures' your app's shared preferences
     - IOCipher: virtual encrypted disk
     - Conceal: easy-to-use APIs for fast encryption and authentication of data
  11. Timeout / Caching
     - Session timeout, both app and server-side
     - Clear app data from memory
     - Prevent snapshot cache (iOS)
     - Exclude from recent tasks (Android)
  12. Stronger SSL
     - Use secure SSL/TLS protocols (e.g. SSL v3, TLS v1.1/1.2)
     - Use secure ciphers (128 bit or higher)
     - Validate the certificates
     - NetCipher: whole-chain validation; Orbot: proxy with Tor
  13. SSL Pinning
     - 2 types: certificate pinning and public key pinning
     - Prevents compromised CAs from being trusted
     - Makes MITM more difficult
  14. Tamper Detection
     - Simulator/emulator check: system properties
     - Jailbreak/root check: root apps (Cydia, SuperSU etc.), system properties
     - Validate the signing key (Android)
  15. DexGuard (Android)
     - ProGuard's bad-ass brother
     - Same config as ProGuard
     - Not free, but 1 license == ∞ apps
     - Highlights: one-line tamper check; 囃$鷭.smali, Œ$鷭.smali (obfuscated class names); API hiding with string encryption == tough
  16. Further Resources
     - 42+ secure mobile development best practices: http://bit.ly/viafor42
     - OWASP Mobile security recommendations: http://bit.ly/owaspmobile
  17. What to ask your app developers?
     - Who is building it and where?
     - Are they certified? bit.ly/mobilesecuritycert
     - Play/App Store account access?
     - How is security assessed? Code reviews (including 3rd-party libs), static analysis, red team black box assessment
  18. Summary
     - Mobile devices are a hostile environment
     - What are the common app vulnerabilities
     - How to protect your apps
     - Questions to ask your app developers
  19. Q&A | Contact | Feedback
     Thanks for listening... @scottyab, github/scottyab, [email protected]
     Book signing tomorrow 3:30pm
     Thanks to @thomas_cannon
  20. Reference
     - SpongyCastle: http://github.com/rtyley/spongycastle
     - Encryption sample projects: http://github.com/nelenkov/android-pbe, http://github.com/nelenkov/android-keystore
     - AndroidPinning: https://github.com/moxie0/AndroidPinning
     - NetCipher: https://github.com/guardianproject/NetCipher
     - DexGuard: www.saikoa.com/dexguard
     - SQLCipher: http://sqlcipher.net/sqlcipher-for-android
     - Secure-Preferences: http://github.com/scottyab/secure-preferences
     - IOCipher: http://guardianproject.info/code/iocipher
     - Conceal: http://facebook.github.io/conceal
     - Android security cookbook, ISBN 1782167161: http://bit.ly/MscEFu