developing secure mobile apps by alexandru catariov endava


Post on 21-Oct-2014


Mobile Apps After 2 years of Experience

Developing Secure Mobile Apps

Alexandru Catariov


What is Information Security?

IN YOUR ZONE

Confidentiality: Does your application keep your private data private?
Integrity: Can the data from your app be trusted and verified?
Authentication: Does your app verify you are who you say you are?
Authorization: Does your application properly limit user privileges?
Availability: Can an attacker take the app offline?
Non-Repudiation: Does your app keep records of events?


How much is the mobile world exposed?

[Figure: diagram of attack vectors against a mobile device, each arrow labelled "Attack"]


Connected to internet and other computer networks


Many apps store data locally

to improve User eXperience
to save traffic
for temporary use


There is a lot of user data


Many sensitive data inputs


...and last but not least, mobile devices are physically more vulnerable


The good news is that mobile OSes take measures to increase security

Sandboxing
User Permissions
Protected API
Encrypted file system
App Signing
Remote wipe


...but the bad news is that the army of bad guys grows as well

Rooting or Jailbreaking
Malware and viruses
Spoofing
Tampering


The primary data type targeted by attackers in 2012, as in 2011, was customer records (cardholder data, personal information, email addresses).

2013 Global Security Report


The number of mobile malware samples is rising very fast. A notable example: toll fraud.


What can you, as a developer, do?


Avoid storing or sending confidential/sensitive data

otherwise, do not use plain format:

Use Cryptography
Use hash functions such as MD5, SHA-1, etc.
Use the local KeyChain or KeyStore, but do not rely on them alone


Ensure secure storage

Use App Sandbox
Use internal storage
Clear temporary data after use
Use Cryptography
Perform Input Validation


Apply the OWASP Top 10 to secure interaction with servers

Strong Authorization & Authentication
Ensure proper session handling
Strong encryption
Validate untrusted input


Interprocess communication can also be vulnerable

Avoid using network sockets and shared files
Use OS mechanisms instead


Apply anti-debug and anti-reversing measures

Obfuscation
Remove logging code
Don't use hardcoded sensitive data
Don't implement custom encryption


Perform secure testing

Test on a jailbroken or rooted device
Use static code analysis tools (Fortify, Veracode)


You cannot be 100% safe


...but you can make it hard: Defense in Depth


Resources


Security Best Practices for Android developers: https://developer.android.com/guide/practices/security.html
iOS Security Overview: https://developer.apple.com/library/ios/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html
OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Trustwave SpiderLabs blog: http://blog.spiderlabs.com


Alex Catariov | Development Discipline Lead
Alexandru.Catariov@endava.com
Tel +373 79400205 | Skype alex.catariov

Thank you