Upgrading approaches to the secure mobile architectures

vixentael
April 25, 2016

-------------------
-------------------

My talk at #appbuilders16 conference (https://appbuilders.ch/)

Mobile platforms present both new threats and new opportunities for system security. This presentation deals with modern approaches: how to protect data, which trust relationships emerge with the mobile phone, how they affect traditional security layouts, and how mobile phones dictate important client-server relationships.

But, what's more important, we talk about making these things a consistent system: how to think in order to pick the right tools, and which architectural patterns enforce security and minimize risks by design. We learn about the ideas of echelonized (layered) defence, compartmentation and risk control. We finish with an understanding of where we stand right now: in a security landscape that is rapidly changing, where mobile's role is both dangerous and very important.

----------------------------------------

Post: https://medium.com/@vixentael/upgrading-approaches-to-the-secure-mobile-architectures-7a8fcb10d28a


Transcript

  1. Upgrading approaches to the secure mobile architectures #appbuilders16 @vixentael

  2. OR

  3. Everything will be BROKEN!

  4. Everything will be BROKEN, so what should we do?

  5. Intro [picture]

  6. [picture: "virgin sight"] network, backend logic, the app, server environment

  7. [picture: mobile focus] UI/UX, deliver fast!, GTD!, Swift, boring crap, waste of life, maaaagic!, magic.., MVP!

  8. [picture: security vision] source of trust, risk we control, sandbox, dragons, lots of risk even if app is good, easy to f*ck up

  9. [picture: the reality] FBI, CIA, NSA, hackers, QA engineers

  10. [picture: our control] the brains!

  11. The problem

  12. The problem: bad cryptography, insecure APIs, plaintext traffic, data leakage, denial of service, remote jailbreak over bluetooth, stolen credentials, man-in-the-middle

  13. The problem: Openness, Speed, Ignorance

  14. How bad is it? Like this: Control Nissan LEAF via vulnerable APIs (http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html); hacking cars using OnStar app to locate, unlock and remote start vehicles (http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/, http://samy.pl/defcon2015/); what could possibly go wrong?
  15. [no extractable text]

  16. iMessage: Recovery of Plaintext iMessage Data using Javascript (http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/); Grab all your iMessage attachments via key enumeration (http://blog.cryptographyengineering.com/2016/03/attack-of-week-apple-imessage.html)

  17. This is how bad it is! [bar chart: iOS vulnerabilities by year, raw data from cvedetails.com] 2007: 1, 2008: 9, 2009: 27, 2010: 32, 2011: 37, 2012: 112, 2013: 90, 2014: 120, 2015: 384

  18. This is how bad it is! >1500 vulnerable apps via flawed AFNetworking (http://blog.mindedsecurity.com/2015/03/ssl-mitm-attack-in-afnetworking-251-do.html); <10% of popular apps use SSL pinning [same chart as slide 17]
  19. SO WHAT?

  20. Why does this even happen?

  21. Our mindset is wrong a bit: "It works" != "It's secure"; Mobile's limited abilities require specific server behavior; Mobile is not traditional client-server; Design-driven development is frequently a security disaster

  22. Mobile is an odd thin client. Mobile considers itself in a proper client-server relationship, but: – Can the server really address you by IP address? – Can the server expect RFC behavior of your IP stack? – Can server and client share code and components with proper trust? – Is IPC / RPC behavior reciprocal between client and server? – Are client and server equal in their capacity for technical decisions?

  23. Mobile is an odd thin client (same questions as slide 22): NOPE ;)

  24. Mobile security is hard and yet undeveloped: sophisticated problems security-wise; no well established techniques; very blurred risk models
  25. What exactly are we risking?

  26. What we risk? Identity, Data, Control

  27. Data: personal data, health data, conversations, certificates, passwords, contacts, users' data

  28. Identity [diagram]: identification (credentials), application, attacker: access allowed!

  29. Control: Remember those cars, right?

  30. What should we do?

  31. Understand the strong sides: limited ecosystem; low collateral risk; things user has and you can trust; authentication/trust is quite good; data safety almost network passive; narrowed threat scope

  32. Trust no one. But yourself: trust server less; explicit trust; involve users

  33. Echelonization: if the system has one perimeter, it will fail!

  34. Echelonization: authenticate manually; verify credentials; use many factors; ..add more layers of defense!

  35. Compartmentalization: limit the access to information to those who need to know it in order to perform certain tasks; store, secure, transmit, display
  36. SO WHAT?

  37. Practice time! techniques for your architectures

  38. Do all classic things (read my previous slides: https://speakerdeck.com/vixentael/avoiding-damage-shame-and-regrets-data-protection-for-mobile-client-server-architectures): protect transport well, authenticate server, pin certificates; authenticate everything; encrypt everything in motion and at rest; protect keys well; then escalate with novel techniques
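Certificate pinning, the "classic" from slide 38 that slide 18 says fewer than 10% of popular apps do, worked through as an added example; this is not code from the slides or from Themis. Go is used so that it runs stand-alone; in an iOS app the same check sits in the URLSession authentication-challenge delegate, hashing the public key of the leaf certificate in the SecTrust chain and comparing it with the pins bundled in the app. The hostname api.example.test, the two self-signed certificates and the backup pin value are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// spkiPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo.
// Pinning the key rather than the whole certificate lets the backend renew the
// certificate under the same key without shipping an app update.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier builds a tls.Config.VerifyPeerCertificate callback that fails the
// handshake unless a certificate in the presented chain matches one of the pins.
func pinVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	pinSet := map[string]bool{}
	for _, p := range pins {
		pinSet[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil { return err }
			if pinSet[spkiPin(cert)] { return nil }
		}
		return errors.New("pinning: no presented certificate matches a pinned key")
	}
}

// selfSignedCert makes a throwaway Ed25519 server certificate (constructed test
// data; a real app pins the key of its production certificate).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"api.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return tls.Certificate{}, nil, err }
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, parsed, err
}

// handshake serves one TLS connection on loopback with serverCert and returns
// the pinned client's verdict on it.
func handshake(serverCert tls.Certificate, pins []string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			s := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
			s.Handshake() // a pin failure arrives here as an alert from the client
			s.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: "api.example.test",
		// Demo only: the certificate is self-signed, so chain validation is
		// skipped. A real client keeps chain validation AND adds the pin check.
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: pinVerifier(pins),
	})
	if err == nil { c.Close() }
	return err
}

// Demo pins the real server's key, then connects to the real server and to an
// interceptor presenting a different, otherwise well-formed certificate. It
// returns (real server accepted, interceptor rejected, unexpected error).
func Demo() (bool, bool, error) {
	realCert, realParsed, err := selfSignedCert()
	if err != nil { return false, false, err }
	mitmCert, _, err := selfSignedCert()
	if err != nil { return false, false, err }
	// Ship the live pin plus a backup pin for a spare key kept offline, so a
	// key rotation cannot brick installed apps (placeholder value here).
	pins := []string{spkiPin(realParsed), "BACKUP-PIN-PLACEHOLDER"}
	return handshake(realCert, pins) == nil, handshake(mitmCert, pins) != nil, nil
}

func main() { fmt.Println(Demo()) }
```

The interceptor's certificate would pass the chain check of any client that trusts the CA it was issued by (or, as on slide 18, of a client whose TLS library skipped validation); the pin is what refuses it. Pin the SPKI hash, keep a backup pin for a spare key, and have a plan for rotating pins before the app store review cycle forces one.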
  39. End-to-end encryption 101: users own all keys; server can't see anything important; transport keys are ephemeral; app state does not rely on server state
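Slide 39's four properties in runnable form, as an added example that is not from the slides and not Themis code (in the talk's own toolkit, Themis Secure Session is the component that does this job). Two users each hold a long-term identity key that never leaves the device and generate a fresh X25519 key per session; the relay server only forwards bytes and stores nothing the session depends on. The example also covers the failure the slide's "ephemeral keys" alone do not: an unsigned ephemeral key lets the relay become the man in the middle, so each ephemeral key is signed by the owner's identity key. Go standard library only; the identity keys, the relay's behaviour and the message are constructed, and the key derivation is a one-step hash labelled as such in the code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hello is published once per session: a fresh X25519 public key signed by the
// user's long-term Ed25519 identity key, so a relay cannot swap in its own key.
type Hello struct{ EphemeralPub, Sig []byte }

// Session holds per-session secrets; they stay on the device and are dropped
// with the session, so a later identity-key leak cannot decrypt recorded traffic.
type Session struct {
	eph *ecdh.PrivateKey
	gcm cipher.AEAD // AES-256-GCM with 12-byte nonces, nil until Accept succeeds
}

// Start generates the ephemeral key and signs it with the identity key.
func Start(identity ed25519.PrivateKey) (*Session, Hello) {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	pub := eph.PublicKey().Bytes()
	return &Session{eph: eph}, Hello{pub, ed25519.Sign(identity, pub)}
}

// Accept verifies the peer's Hello against the identity key the app already
// trusts (e.g. verified out of band), then derives the session key from ECDH.
func (s *Session) Accept(peer ed25519.PublicKey, h Hello, initiator bool) error {
	if !ed25519.Verify(peer, h.EphemeralPub, h.Sig) {
		return errors.New("ephemeral key is not signed by the expected identity")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(h.EphemeralPub)
	if err != nil {
		return err
	}
	shared, err := s.eph.ECDH(peerPub)
	if err != nil {
		return err
	}
	a, b := s.eph.PublicKey().Bytes(), h.EphemeralPub
	if !initiator { // both sides hash the public keys in the same order
		a, b = b, a
	}
	// One-step KDF: SHA-256 over label || shared secret || both ephemeral keys
	// (all fixed-length, so the concatenation is unambiguous).
	key := sha256.Sum256(bytes.Join([][]byte{[]byte("e2e-demo v1"), shared, a, b}, nil))
	block, _ := aes.NewCipher(key[:])
	s.gcm, err = cipher.NewGCM(block)
	return err
}

// Seal returns nonce || ciphertext || tag with a fresh random nonce per message.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	if s.gcm == nil {
		return nil, errors.New("session not established")
	}
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return s.gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open authenticates and decrypts; any modified byte fails the GCM tag check.
func (s *Session) Open(msg []byte) ([]byte, error) {
	if s.gcm == nil || len(msg) < 12 {
		return nil, errors.New("cannot open message")
	}
	return s.gcm.Open(nil, msg[:12], msg[12:], nil)
}

// Demo runs one conversation through a relay that acts as an attacker: it tries
// to substitute its own ephemeral key for Bob's, then flips a bit in a message.
// It returns what Bob read, whether the swap was rejected, whether the bit flip
// was detected, and any unexpected error.
func Demo() (string, bool, bool, error) {
	alicePub, alice, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bob, _ := ed25519.GenerateKey(rand.Reader)
	_, relay, _ := ed25519.GenerateKey(rand.Reader)
	aSess, aHello := Start(alice)
	bSess, bHello := Start(bob)
	_, forged := Start(relay) // signed with the relay's key, not Bob's
	swapRejected := aSess.Accept(bobPub, forged, true) != nil
	if err := errors.Join(aSess.Accept(bobPub, bHello, true), bSess.Accept(alicePub, aHello, false)); err != nil {
		return "", false, false, err
	}
	ct, err := aSess.Seal([]byte("meet at 9")) // constructed sample message
	if err != nil {
		return "", false, false, err
	}
	tampered := append([]byte(nil), ct...) // the relay only ever sees ciphertext
	tampered[len(tampered)-1] ^= 1
	_, tamperErr := bSess.Open(tampered)
	pt, err := bSess.Open(ct)
	return string(pt), swapRejected, tamperErr != nil, err
}

func main() { fmt.Println(Demo()) }
```

What the relay sees is two signed public keys and AES-GCM ciphertext; what it cannot do is substitute a key it controls (the signature check fails) or modify a message unnoticed (the tag check fails). The per-session keys are what make the transport keys ephemeral: nothing in the session is recoverable from the server's storage, which is also why the app state on slide 39 must not depend on the server's.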
  40. End-to-end encryption 101+1: https://cossacklabs.com/choose-your-ios-crypto.html

  41. Multi-factor authentication: things you have (phone, device, SIM card, ID docs, private/public key); things you know (password, address, answer to question); things you are (biometrics of all kinds)

  42. Multi-factor authentication (same factors as slide 41): 2+ = MFA
  43. Zero-knowledge: problem: no trust :(

  44. Zero-knowledge: proof! trust :) wanna know more? https://cossacklabs.com/introducing_secure_comparator.html

  45. Is this it?

  46. Combining things: secure app v.1: SSL; storage encryption (both sides). Weaknesses: data leakage, MiTM, weak SSL

  47. Combining things: secure app v.2: end-to-end encryption; storage encryption (both sides); ephemeral keys; protected transport. Weaknesses: weak auth, blind trust

  48. Combining things: secure app v.3: end-to-end encryption; storage encryption (both sides); ephemeral keys; protected transport; MFA; ZKP

  49. It is simple, isn't it?

  50. Key points: 1. read these slides again, tapping on links 2. read 'Additional reading' 3. read my previous presentations 4. analyze your current system 5. implement the techniques 6. ??? 7. profit! ...feel free to contact me

  51. Thank you for listening. @vixentael, iOS developer at stanfy.com, iOS contributor at Themis/cossacklabs.com

  52. Additional reading:
    – Data Protection For Mobile Client-Server Architectures: https://medium.com/stanfy-engineering-practices/data-protection-for-mobile-client-server-architectures-6e6dcabd871a
    – How Apple Security works: http://mashable.com/2016/04/16/apple-security-explained/
    – Why you should avoid SSL for your next application: https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
    – Crypto in iOS: choose your destiny: https://cossacklabs.com/choose-your-ios-crypto.html
    – OWASP: iOS application security testing cheat sheet: https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet