Secure Your Mobile Apps


Post on 14-Jun-2015



Why and how to secure a mobile application.


1. Secure your mobile apps
   No Beuret, Marc-Henri Primault

2. WHY DOES YOUR APP NEED SECURITY?

3. Headlines and figures
   "Apple reveals government data requests" (6 Nov. 2013)
   "iOS banking apps riddled with holes" (17 Jan. 2014)
   "Apple security flaw allows encryption to be beaten" (22 Feb. 2014)
   75% of security breaches come from mobile app misconfiguration (source: IBM Software)
   Through 2015, more than 75% of mobile apps will fail basic security tests (Gartner)

4. WHY ARE APPS NOT SECURE ENOUGH?

5. MOBILE SECURITY CHALLENGES
   New technologies: heterogeneous OS platforms; a new version every year
   Developers: focus on features, not security; unaware of the underlying flaws
   Mobile security: knowledge is hard to build; it exists only for a few products; penetration testing is costly

6. THREATS: sensitive data, insecure connection, insecure device, insecure cloud storage, insecure apps

7. Threats: access to local data

8. How local data gets accessed: physical access, malware, jailbreak, code

9. iOS: iExplorer (a desktop tool that browses the files an app keeps on the device)

10. Best practices (data)
   Do I need to store the data at all?
   Store it in RAM when possible
   Use the basic protection provided by the OS
   Encrypt all sensitive information
   Clean keys from memory
   Never save keys or passwords without protection

11. Best practices (data)
   Never use the password directly: password -> derivation + hash -> key
   Jailbreak detection

12. Threats: communication

13. Man-in-the-middle attack
   1. Intercept the traffic (ARP poisoning, rogue access points, evil twin attack)
   2. Eavesdrop on cleartext packets
   3. Eavesdrop on SSL packets: SSL stripping, malicious SSL certificate

14. SSL stripping
   Client -> attacker: GET http://mybank.com
   Attacker -> server: GET http://mybank.com
   Server -> attacker: 302, Location: https://mybank.com
   Attacker <-> server: SSL handshake, GET https://mybank.com, 200 OK
   Attacker -> client: 200 OK over plain HTTP, with the HTTPS links replaced by HTTP
   Malicious SSL certificate: the client's CONNECT is relayed by the attacker to the server, and the attacker presents its own certificate to the client

15. Demo

16. Protection measures: use SSL/TLS over HTTP (integrity, confidentiality)

17. Protection measures: HTTPS best practices
   Always use a full HTTPS URL
   Whenever possible, self-signed certificates should be forbidden
   If that is not possible, do NOT trust everything: trust only your own certificate, by doing SSL pinning

18. Protection measures
   Proxy: integrity, confidentiality, anonymity
   VPN: integrity, confidentiality, authentication, anonymity, internal network access

19. QUICK WINS

20. QUICK WINS (Android)
   Storage
     SQLCipher for Android: encrypted SQLite databases (sqlcipher/android-database-sqlcipher)
     IOCipher: virtual encrypted disks (guardianproject/IOCipher)
   Code analysis
     RootTools: basic root detection (stericson/RootTools)
     ProGuard: obfuscation and shrinker tool

21. QUICK WINS (iOS)
   Storage
     SQLCipher for iOS: encrypted SQLite databases (sqlcipher/sqlcipher)
     iOS-Crypto-API: wrapper over the Security framework (cstaylor/iOS-Crypto-API)
   Network communication
     ADVCertification: SSL certificate analysis
     ADVDetector: jailbreak detection

22. TECHNOLOGY

23. Framework + your app = secure app
   Framework SENSE: encrypted storage, encrypted communication, HTTP proxy, keys manager, identity manager, jailbreak detection, data leakage prevention

24. SENSE

25. CONCLUSION
   Do not underestimate the security of your app
   Think about which security level you really need
   Implement best practices
   Review, test and audit your code

26. THANK YOU FOR YOUR ATTENTION
   Contact: Sysmosoft SA, Rue Galilée 6, 1400 Yverdon-les-Bains, 24 524 10 36

27. LINKS
   General