Page 1: Developing secure mobile apps by Alexandru Catariov Endava

Developing Secure Mobile Apps
Alexandru Catariov

Page 2

What is Information Security?

Page 3

How much is the mobile world exposed?

[Figure: six items labelled "Attack"]

Page 4

Connected to the internet and other computer networks

Page 5

Many apps store data locally…

• …to improve User eXperience
• …to save traffic
• …for temporary use

Page 6

There is a lot of user data

Page 7

Many sensitive data inputs

Page 8

…and last but not least, mobile is physically more vulnerable

Page 9

The good news is that mobile OSes take measures to increase security…

• Sandboxing
• User Permissions
• Protected API
• Encrypted file system
• App Signing
• Remote wipe

Page 10

…but the bad news is that the army of bad guys grows as well

• Rooting or Jailbreaking
• Malware
• Viruses
• Spoofing
• Tampering

Page 11

96%

"The primary data type targeted by attackers in 2012, as in 2011, was customer records (cardholder data, personal information, email addresses)."

2013 Global Security Report

Page 12

The number of mobile malware samples is rising very fast. The notable one: Toll Fraud.

[Chart: share (%) of Toll Fraud malware, Other malware and Spyware per quarter, Q3 2011 to Q2 2012]

Page 13

What can you, as a developer, do?

Page 14

Avoid storing or sending confidential/sensitive data…

…otherwise, do not use plain format

• Use Cryptography
• Use a hash function such as MD5, SHA-1, etc.
• Use the local KeyChain or KeyStore, but do not rely on them

Page 15

Ensure secure storage

• Use App Sandbox
• Use internal storage
• Clear temporary data after use
• Use Cryptography
• Perform Input Validation

Page 16

Apply the OWASP Top 10 to secure interaction with servers

• Strong Authorization & Authentication
• Ensure proper session handling
• Strong encryption
• Validate untrusted input

Page 17

Interprocess communication can also be vulnerable

• Avoid using network sockets and shared files
• Use OS mechanisms instead

Page 18

Apply anti-debug and anti-reversing measures

• Obfuscation
• Remove logging code
• Don’t use hardcoded sensitive data
• Don’t implement custom encryption

Page 19

Perform security testing

• Test on a Jailbroken or rooted device
• Use Static Code Analysis tools – Fortify, Veracode

Page 20

You cannot be 100% safe…

Page 21

…but you can make it hard – Defense in Depth

[Figure: nested layers, Oak > Chest > Rabbit > Duck > Egg > Needle]

Page 22

Resources

• Security Best Practices for Android developers: https://developer.android.com/guide/practices/security.html
• iOS Security Overview: https://developer.apple.com/library/ios/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html
• OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• Trustwave, SpiderLabs blog: http://blog.spiderlabs.com

Page 23

Alex Catariov | Development Discipline
[email protected] | +373 79400205 | Skype alex.catariov

Thank you
