mobile app security - sec4dev

Post on 25-Mar-2023


Mobile App Security: An introduction

Marc Obrador

Who am I?

Marc Obrador, Co-founder & Head of Product Architecture @ Build38

Barcelona

@marcobrador

/in/marc-obrador

February 2020 Build38 | Intro to Mobile App Security

3

Agenda

1. Introduction

2. Some Common Threats
   1. Man-In-The-Middle
   2. App Tampering & Repackaging
   3. Root / Jailbreak

3. Recap


Why Mobile App Security?

- Mobile-first world

- Smartphone = untrusted device

- Regulation (depending on market)

[Chart: Desktop vs Mobile usage share, 2009 to 2020. Source: www.gs.statcounter.com]

Mobile AppSec vs “traditional” Cyber Security

Is there anything I can do?

Let’s first switch our perspective.

The hacker’s perspective

[Chart: the hacker’s business case over twelve months (M1 to M12): Investment, Income and Cumulated Profit]

Is there anything I can do?

Make it unattractive for the hacker.

[The Investment / Income / Cumulated Profit chart over M1 to M12 is shown again on the next two slides]

Is there anything I can do?

1. Increase required investment: Obfuscation + Anti-reversing

2. Reduce income: Diversification

3. Force periodic investment: Renewability

Things to protect

- User Data
- Business Data / IP
- DRM


MITM

HTTPS is assumed!

MITM with HTTPS?

- Android: depends on OEM
- iOS: requires social engineering

No, if Certificate Pinning is used
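Pinning as it would look in the app's HTTP layer, as an added example that is not code from the slides or from Build38: OkHttp's CertificatePinner with a current and a backup SPKI pin, so that a user-installed interception CA fails the connection even though the OS trust store accepts it. The hostname and both pin values are placeholders.

```java
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PinnedClient {
    // Placeholders: a real pin is "sha256/" + base64(SHA-256 of the server's
    // SubjectPublicKeyInfo), i.e. the public key, not the whole certificate.
    private static final String API_HOST = "api.example.com";
    private static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private static final OkHttpClient CLIENT = new OkHttpClient.Builder()
            .certificatePinner(new CertificatePinner.Builder()
                    // Pin the key in use plus a backup key whose private half is kept
                    // offline, so the server can rotate keys without locking out
                    // installed apps (the "renewability" point from the slides).
                    .add(API_HOST, PIN_CURRENT, PIN_BACKUP)
                    .build())
            .build();

    /** Returns the response body, or null when the TLS chain matched no pinned key. */
    public static String fetch(String path) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + path)
                .build();
        try (Response response = CLIENT.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // An interception proxy with a user-installed CA lands here: the chain is
            // valid for the OS trust store, but no SPKI in it matches our pins.
            // Treat this as a security event worth logging, not a generic network error.
            return null;
        }
    }
}
```

On Android 7.0+ the same pins can instead be declared in res/xml/network_security_config.xml inside a pin-set with an expiration date, so a forgotten pin rotation expires to normal TLS validation instead of locking every user out.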

App Tampering & Repackaging

What is it?

1. Download
2. Unpack
3. Modify
4. Repack
5. Distribute

But, why?

- Cheating on games
- Getting paid features for free
- Stealing user data

Android: apktool + smali code

iOS: dynamic library injection

Protecting against app repackaging

- Obfuscation
- Detect it

Root / Jailbreak

The “sandbox” model

Root / Jailbreak Detection

Open-source detection libraries (GitHub):

- /scottyab/rootbeer
- /KimChangYoun/rootbeerFresh
- /Stericson/RootTools
- /avltree9798/isJailbroken
- /thii/DTTJailbreakDetection

What to do if Root / Jailbreak is found?

Sources:

- https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/
- https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

What to do if Root is found?

- Nothing
- Restrict some sensitive functionality
- Deny service

Design your security model assuming that root can (and will) happen


Recap

- 100% protection does not exist – aim for “good enough”

- Certificate Pinning is a good idea

- Apps can be reverse engineered and repackaged – move security-relevant logic to the backend or write it in native C

- Root can be really bad – come up with a plan

Thank you!

Any questions?