Secure Your Mobile Apps

Post on 14-Jun-2015

Category: Mobile

DESCRIPTION

Why and how to secure a mobile application.

TRANSCRIPT

1. Secure your mobile apps
   Noé Beuret, Marc-Henri Primault

2. WHY YOUR APP NEEDS SECURITY?

3. Source: IBM Software
   - 75% of security breaches come from mobile app misconfiguration (Gartner)
   - Through 2015, more than 75% of mobile apps will fail basic security tests
   - Headlines: "Apple reveals government data request" (6 Nov. 2013); "iOS Banking Apps Riddled with Holes" (17 Jan. 2014); "Apple security flaw allows to beat encryption" (22 Feb. 2014)

4. WHY APPS ARE NOT SECURE ENOUGH?

5. MOBILE SECURITY CHALLENGES
   New technologies
   - Heterogeneous OS platforms
   - New version every year
   Developers
   - Focus on features, not security
   - Unaware of underlying flaws
   Mobile security
   - Hard to build knowledge
   - Only for a few products
   - Penetration testing costs

6. THREATS (diagram): sensitive data, insecure connection, insecure device, insecure cloud storage, insecure apps

7. Threats - Access to local data

8. DATA (diagram): physical access, malware, jailbreak, code

9. DATA - iOS: iExplorer

10. DATA - Best practices
    - Do I need to store the data?
    - Store in RAM when it is possible
    - Use the basic protection provided by the OS
    - Encrypt all sensitive information
    - Clean keys from the memory
    - Never save the keys or password without protection

11. DATA - Best practices
    - Never use the password directly: Password -> Derivation + Hash
    - Jailbreak detection

12. Threats - Communication

13. COMM - Man in the Middle Attack
    1. Intercept traffic with different attacks
       - ARP poisoning
       - Rogue access points
       - Evil Twin attack
    2. Eavesdrop clear packets
    3. Eavesdrop SSL packets
       - SSL stripping
       - Malicious SSL certificate

14. COMM - SSL Stripping (sequence diagram between the client, the attacker in the middle and the bank server)
    - Client -> attacker: GET http://mybank.com
    - Attacker -> server: GET http://mybank.com
    - Server -> attacker: 302: https://mybank.com
    - Attacker -> server: CONNECT https://mybank.com, SSL handshake
    - Server -> attacker: 200 OK https://mybank.com
    - Attacker -> client: 200 OK http://mybank.com, with HTTPS links replaced by HTTP
    Malicious SSL certificate variant: the client's CONNECT https://mybank.com is answered by the attacker, who issues its own CONNECT https://mybank.com to the server.

15. COMM - Demo

16. COMM - Protection Measures
    - Use SSL / TLS over HTTP: integrity, confidentiality

17. COMM - Protection Measures: HTTPS best practices
    - Always use a full HTTPS URL
    - Whenever possible, self-signed certificates should be forbidden
    - If not possible, DO NOT trust everything!
    - Trust only your certificate by doing SSL pinning

18. COMM - Proxy: integrity, confidentiality, anonymity
    COMM - VPN: integrity, confidentiality, authentication, anonymity, internal network access

19. QUICK WINS

20. QUICK WINS (Android)
    Storage
    - SQLCipher for Android: encrypted SQLite databases (sqlcipher/android-database-sqlcipher)
    - IOCipher: virtual encrypted disks (guardianproject/IOCipher)
    Code analysis
    - RootTools: basic root detection (stericson/RootTools)
    - ProGuard: obfuscation & shrinker tool (http://proguard.sourceforge.net)

21. QUICK WINS (iOS)
    Storage
    - SQLCipher for iOS: encrypted SQLite databases (sqlcipher/sqlcipher)
    - iOS-Crypto-API: wrapper over the Security framework (cstaylor/iOS-Crypto-API)
    Network communication
    - ADVcertificator: SSL certification (http://www.advtools.com/Products/ADVcertificator.html)
    Code analysis
    - ADVdetector: jailbreak detection (http://www.advtools.com/Products/ADVdetector.html)

22. TECHNOLOGY

23. Framework + YOUR APP = SECURE APP
    SENSE framework: encrypted storage, encrypted communication, HTTP proxy, keys manager, identity manager, jailbreak detection, data leakage prevention

24. SENSE

25. CONCLUSION
    - Do not underestimate the security of your app
    - Think about which security level you really need
    - Implement best practices
    - Review, test and audit your code

26. THANK YOU FOR YOUR ATTENTION
    Contact: Sysmosoft SA, Rue Galilée 6, 1400 Yverdon-les-Bains, Switzerland
    info@sysmosoft.com, +41 24 524 10 36

27. LINKS
    General: https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/
    Android:
    iOS: http://www.raywenderlich.com/45645/ios-app-security-analysis-part-1
         http://resources.infosecinstitute.com/ios-application-security-part-1-setting-up-a-mobile-pentesting-platform/
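The SSL pinning recommendation of slide 17 ("trust only your certificate"), as an added Go example that is not part of the slide deck or of Sysmosoft's SENSE framework: the client keeps normal chain validation and additionally compares the SHA-256 of the server's public key (SPKI) with a pin shipped in the app. It assumes a local test server with a constructed self-signed certificate standing in for the bank's API; `spkiPin`, `pinnedClient` and `demoServer` are names chosen here.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// spkiPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, the value an app ships as its pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClient keeps normal chain validation against roots and additionally rejects any server whose leaf certificate does not carry the pinned key.
func pinnedClient(pin string, roots *x509.CertPool) *http.Client {
	verify := func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the server's own certificate
		if err != nil {
			return err
		}
		if spkiPin(leaf) != pin {
			return errors.New("certificate pin mismatch: refusing connection")
		}
		return nil
	}
	cfg := &tls.Config{RootCAs: roots, VerifyPeerCertificate: verify}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// demoServer starts a local TLS server on a constructed self-signed test certificate (stands in for the bank's API) and a root pool trusting it.
func demoServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "balance: 42")
	}))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

func main() {
	srv, pool := demoServer()
	defer srv.Close()
	_, err := pinnedClient("not-the-real-pin", pool).Get(srv.URL)
	fmt.Println("wrong pin rejected:", err != nil) // prints true
}
```

A server presenting any other certificate, even one signed by a trusted CA, is refused the same way, which is what defeats the malicious-certificate case of slide 13.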