
Mobile products security in 2018

Presented @ ITEM-2018, 25 Mar 2018

The talk covers security aspects of mobile products, a basic checklist based on the OWASP Mobile Security Testing checklist, and links to consider.

Petro Korienev

March 25, 2018

Transcript

  1. ITEM 2018, 24-25 March, Kyiv, Ukraine. Mobile Products Security in 2018, by Petro Korienev, Mobile Team Lead @ Sigma Software

  2. Petro Korienev, “Mobile Products Security in 2018” @ ITEM 2018, 24-25 March, Kyiv, Ukraine. If you can’t see the slides, follow ← this QR … and let’s start
  3. About @me:
     - Do mobile applications for $$$
     - Empower teams
     - Care about: users, quality, security, performance
     South Africa, in the wild, slightly north of Antarctica

  4. Security failure cases

  5. Case 1: data compromised from a mobile API by installing a root certificate

  6. Data easily readable with Charles Proxy once its root certificate is installed on the device
  7. Case 2: sensitive key leaked from the codebase

  8. Sometimes there is no need to leak a key

  9. PUBLIC_BUCKETS.count > 8000

  10. Case 3: watch your logs

  11. When you log sensitive data

  12. Average cost of a data breach for a US company in 2017 is $3.5M … and the probability of experiencing one during the upcoming 2 years is 27%
  13. Mobile Security Checklist by OWASP

  14. Example checklist group

  15. Tag cloud might be…

  16. - Data in motion
      - Data in use
      - Data at rest
      - Remote code execution
      - …

  17. Main points:
      - Use only the secure protocol variants (the ‘s’ suffix: HTTPS, WSS)
      - Don’t (blindly) trust the networking protocol
      - Whitelist and pin certificates if possible
      - Don’t pass sensitive data unencrypted
  18. UX: p24. Not UX: another app

  19. Probably, awesome UX

  20. Main points:
      - Use root (jailbreak) detection techniques
      - Use debugging prevention
      - Wipe sensitive data from memory and keep it off screen unless explicitly asked for by the user
      - Limit possible exploit sources

  21. Main points:
      - Disk is a shared, dangerous resource
      - Sensitive data should never be stored in plain form
      - Your app should not compromise your user, even if his/her device is stolen

  22. A few practical pieces of advice:
      - Watch your logs. Use your own logs instead of the shared system log
      - Don’t use cookies
      - Use encryption provided by the system/library
      - Don’t roll your own crypto
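Slides 11 and 22 come down to one control: nothing sensitive may reach a log line, whether it goes to the shared system log or to the app’s own file. The block below is an added example, not code from the talk, showing one way to enforce that with a redacting `logging.Filter`; the regex rule set, the logger name and the two messages in `demo()` are assumptions constructed for the example.

```python
"""Redact secrets before they reach any log sink.

Added example, not part of the talk: a logging.Filter that masks bearer
tokens, card numbers (PAN), e-mail addresses and password/token style
key-value pairs. The messages logged in demo() are constructed.
"""
import logging
import re
from typing import List, Tuple

# Rule set is an assumption for this example; extend it to whatever your
# app actually handles (session ids, push tokens, national ids, ...).
_PATTERNS = [
    # "Authorization: Bearer eyJ..." -> keep the scheme, mask the token
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1[REDACTED]"),
    # password=..., "token": "...", api_key: ... (query, JSON or YAML style)
    (re.compile(r"""(?i)(["']?(?:password|passwd|secret|token|api[_-]?key)["']?\s*[=:]\s*["']?)([^"'&,\s]+)"""),
     r"\1[REDACTED]"),
    # e-mail addresses
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
]
# 13-19 digits with optional single space/dash separators, never ending on a separator
_PAN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and timestamps of card-like length stay readable."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(m: "re.Match[str]") -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    if not _luhn_ok(digits):
        return m.group(0)
    # PCI DSS permits showing the first six and last four digits
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Apply every rule; safe to call on already-redacted text."""
    for pattern, repl in _PATTERNS:
        text = pattern.sub(repl, text)
    return _PAN.sub(_mask_pan, text)


class RedactingFilter(logging.Filter):
    """Rewrites the record before any handler/formatter sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-args now so a secret passed as an argument is masked too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class MemoryHandler(logging.Handler):
    """In-memory sink standing in for the app's own log file."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str) -> Tuple[logging.Logger, MemoryHandler]:
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False  # keep records out of the shared root/system log
    handler = MemoryHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # on the handler: child loggers are covered too
    logger.addHandler(handler)
    return logger, handler


def demo() -> List[str]:
    """Log two constructed events the way a careless developer might; return what was stored."""
    logger, handler = build_logger("demo.redaction")
    logger.info("auth ok user=%s Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc", "alice@example.com")
    logger.info("payment card 4111 1111 1111 1111 password=hunter2 orderId=1234567890123")
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Attaching the filter to the handler rather than the logger means records from child loggers are rewritten as well, and rendering the `%` arguments inside the filter closes the gap where the secret is passed as an argument rather than in the format string. The Luhn check is what keeps a 13-digit order id readable while a real card number is masked to first six/last four.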
  23. Bug score (MIT study of crypto bugs by source): crypto libraries 17% : 83% developers’ application code

  24. Remote code execution

  25. Main points:
      - Don’t use WebView
      - Vulnerabilities can be close to unbelievable

  26. Security in the development process

  27. Main points:
      - Awareness
      - Alerts & monitoring
      - ACLs
      - No secrets, keys etc. in code
      - All configuration activities should be recorded
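Case 2 (a sensitive key leaked from the codebase) and the “no secrets, keys etc. in code” point above are the same failure seen twice. The block below is an added example, not code from the talk: a minimal pre-commit style scanner that flags AWS access key ids, private-key blocks and high-entropy literals assigned to secret-looking names. The repository snapshot `SAMPLE_REPO` is constructed for the example (the AWS values in it are the public placeholders from AWS documentation, not live credentials) and the rule set and entropy threshold are assumptions. It does not cover the second half of Case 2, world-readable storage such as public buckets, which is a bucket policy/ACL problem that no source scan will find.

```python
"""Catch credentials before they are committed.

Added example, not part of the talk: a minimal pre-commit style scanner that
flags AWS access key ids, private-key blocks and high-entropy string literals
assigned to secret-looking names. SAMPLE_REPO is constructed for this example;
the AWS values are the public placeholders from AWS documentation.
"""
import math
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    snippet: str


# Signature rules (an assumption for this example; real scanners ship hundreds).
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("google-api-key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Generic rule: a secret-looking identifier assigned a quoted literal of 16+ chars.
ASSIGN = re.compile(
    r"""(?i)\b\w*(?:secret|token|password|api[_-]?key)\w*\s*[=:]\s*["']([^"']{16,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score roughly 4-5, placeholders well below 3.5."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, min_entropy: float = 3.5) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            if rx.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
        m = ASSIGN.search(line)
        # The entropy gate keeps "REPLACE_ME"-style placeholders out of the report.
        if m and shannon_entropy(m.group(1)) >= min_entropy:
            findings.append(Finding(path, lineno, "high-entropy-secret", line.strip()))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository snapshot (path -> contents).
SAMPLE_REPO = {
    "app/src/main/java/com/example/Config.java": (
        "public final class Config {\n"
        "    // TODO move to backend\n"
        '    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        '    static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";\n'
        '    static final String API_BASE = "https://api.example.com";\n'
        "}\n"
    ),
    "ios/Keys.swift": 'let apiKey = "REPLACE_ME_REPLACE_ME_REPLACE_ME"\n',
    "scripts/deploy.sh": 'printf "%s" "-----BEGIN RSA PRIVATE KEY-----" > key.pem\n',
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
```

Wire `scan_files` into a pre-commit hook over the staged diff and fail the commit on any finding; the signature rules catch well-formed provider keys, and the entropy gate is what separates a real secret such as the `AWS_SECRET` line from the `REPLACE_ME` placeholder in `Keys.swift`.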
  28. Main points:
      - Check your dependencies for vulnerabilities
      - Be kind to your mates
      - Be open to feedback
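“Check your dependencies for vulnerabilities” is a one-liner on the slide; in practice it means matching every third-party coordinate your build pulls in against an advisory feed. The block below is an added example, not code from the talk, that extracts Maven coordinates from a Gradle build file and reports any version inside an advisory’s affected range. The `build.gradle` fragment, the artifacts and the advisory ranges are all constructed and hypothetical; a real run would load advisories from a vulnerability database such as OSV or the NVD.

```python
"""Audit build dependencies against known advisories.

Added example, not part of the talk. The build file and the advisory entries
are constructed for this example (artifacts and ranges are hypothetical).
"""
import re
from typing import List, NamedTuple, Tuple


class Advisory(NamedTuple):
    group: str
    artifact: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive
    summary: str


class Dependency(NamedTuple):
    group: str
    artifact: str
    version: str


# Constructed advisories for hypothetical artifacts.
ADVISORIES = [
    Advisory("com.example", "netlib", "0", "2.4.1", "hostname verification bypass (hypothetical)"),
    Advisory("com.example", "jsonkit", "1.0.0", "1.3.0", "unsafe deserialization (hypothetical)"),
]

# Matches: implementation 'g:a:v'   api("g:a:v")   testImplementation "g:a:v"
DEP_RE = re.compile(
    r"""\b(?:implementation|api|compile|runtimeOnly|testImplementation)\s*\(?\s*["']([^:"']+):([^:"']+):([^"']+)["']"""
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-prefix ordering: '2.4.1' -> (2, 4, 1), '1.2.9-beta' -> (1, 2, 9).

    Good enough for release trains; a production tool must apply the
    ecosystem's own rules (pre-release ordering, qualifiers, etc.).
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """a < b, with shorter tuples padded by zeros so '2.4' == '2.4.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def parse_gradle(text: str) -> List[Dependency]:
    return [Dependency(*m.groups()) for m in DEP_RE.finditer(text)]


def affected(dep: Dependency, adv: Advisory) -> bool:
    if (dep.group, dep.artifact) != (adv.group, adv.artifact):
        return False
    # introduced <= version < fixed
    return not version_lt(dep.version, adv.introduced) and version_lt(dep.version, adv.fixed)


def audit(build_file: str, advisories: List[Advisory] = ADVISORIES) -> List[Tuple[Dependency, Advisory]]:
    return [(dep, adv) for dep in parse_gradle(build_file) for adv in advisories if affected(dep, adv)]


# Constructed build.gradle fragment.
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'com.example:netlib:2.3.0'
    implementation("com.example:jsonkit:1.3.0")
    api "com.example:jsonkit:1.2.9-beta"
    testImplementation 'junit:junit:4.12'
}
"""


if __name__ == "__main__":
    for dep, adv in audit(SAMPLE_BUILD_GRADLE):
        print(f"{dep.group}:{dep.artifact}:{dep.version} -> {adv.summary} (fixed in {adv.fixed})")
```

The version comparison is the part that bites in practice: string comparison would rank `10.0` below `9.9`, and pre-release suffixes such as `-beta` must not push a version past its fix boundary. Run the audit in CI against the resolved dependency graph rather than the declared one, since transitive dependencies are where most vulnerable versions hide.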
  29. Social threats: something you never control
      - Info leaked through online communication
      - You never know
      - Brute force IRL
      - Lack of phishing protection

  30. - Security is value
      - Educate security
      - Think security from the start

  31. Do that f***ing checklist, seriously

  32. Links & references - 1:
      - OWASP Mobile Security Checklist
      - OWASP Mobile Security Testing Guide book
      - AWS public writeable buckets study
      - Ponemon Institute brief: data breach cost
      - Ponemon Institute security research
      - WhiteSource Software

  33. Links & references - 2:
      - MIT research on crypto bug sources
      - Trident vulnerabilities for iOS
      - FlyUIA data breach
      - Felix Krause blogs on security topics
      - GDPR for developers
      - Crypto bugs MIT study

  34. Links & references - 3:
      - Charles Proxy
      - iExplorer
      - Java decompilers
      - Hopper
      - AWS Key Nuker

  35. Interested? Check my upcoming trainings, Performance Testing in Swift and Mobile Products Security Essentials, or get in touch: https://www.facebook.com/soxjke https://www.linkedin.com/in/petro-korienev