tips and tricks for building secure mobile apps

Page 1: Tips and Tricks for Building Secure Mobile Apps
6/2/15
© Copyright 2015 Coveros, Inc. All rights reserved.

Tips and Tricks for Building Secure Mobile Applications

Jeffery Payne, Chief Executive Officer, Coveros, Inc.

[email protected] Twitter: @jefferyepayne


Bio

Jeffery Payne (@jefferyepayne)

Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.


About Coveros

• Coveros helps organizations accelerate the delivery of secure, reliable software

Areas of Expertise

• Our consulting services:
  – Agile software development
  – Application security
  – Software quality assurance
• Agile services:
  – Agility assessments
  – Process improvement
  – Hands-on agile software development
  – Agile project management
  – Agile testing and automation
  – Agile training by role


Agenda

• Mobile applications: the perfect security storm
  – Typical architecture(s)
  – A changing threat model
• Mobile risks and development strategies
  – Local storage
  – Session management
  – Untrusted clients
  – Native code
  – Mobile platforms
  – Traditional risks
• Getting more help


Mobile Apps: The Perfect Security Storm

[Architecture diagram: smartphones, tablets, and laptops with mobile data modems reach the back end over the cell network and the Internet, through connectivity gateways, to the web server, app server, and database (software apps and data). Annotated concerns: fat client concerns and untrusted apps / untrusted users on the device side; traditional web security concerns at the web and app tier; traditional software security concerns at the back end.]


A Changing Threat Model

• New Attack Profiles
  – Increased access by malicious users
  – Malicious 3rd party applications
  – Increased information for attacking application back-ends
• Fluid Trust Boundaries
  – Level of trust necessary to use 3rd party applications
  – Local access to sensitive data
• Nuances of Mobile Platforms
  – Differing security models
  – Different vulnerabilities due to programming languages



Mobile Risks

• Local storage – storage of data (implicitly or explicitly) on a device
• Session management – managing the on-going interactions between a mobile app user and the rest of a distributed environment
• Untrusted clients – client requests might not be legitimate
• Native code – native code is still prevalent in mobile applications
• Mobile platforms – how the device (and OS) configures and controls apps
• Traditional risks – other risks we already know about

Mobile App Security


Do Not Allow Storage of Sensitive Data on Devices

• Why?
  – Devices use flash memory for local storage, so "deleted" data can remain recoverable: wear leveling means an overwrite does not reliably land on the cells that held the old copy
  – External storage (SD cards and the like) has global data permissions, so any app on the device can read what is written there
  – Data encryption libraries and key management functions are often misused by developers (hard-coded keys, keys derived directly from a short PIN, ECB mode)
  – UI screens are captured and stored in "temporary" storage (the task-switcher snapshot taken when an app is backgrounded)
• What to do
  – Store sensitive data on back-end servers behind a firewall
  – Replace sensitive data that must be entered / displayed on the UI with replacement tokens or partial data (for example the last four digits of a card number) when it doesn't need to be fully viewable
  – If you must store some data locally, use vetted encryption routines and derive the key with a computational key derivation function (PBKDF2, scrypt, or similar) from a per-installation salt and a user secret, never from a constant in the app

Mobile App Security: Best Practices
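The slide's last two points, as an added example that is not from the original deck: a platform-neutral Python illustration of why "a computational key derivation function" matters and what "partial data" on the UI looks like. The PIN, iteration count and card number are constructed for the example; the weak_key function is the anti-pattern, kept deliberately so the brute force against it can be shown.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample secret: a short numeric PIN typed by the user.
SAMPLE_PIN = "4821"
# Assumption: tune this so one derivation costs ~100 ms on the slowest target device.
PBKDF2_ITERATIONS = 200_000


def weak_key(pin: str) -> bytes:
    """The anti-pattern: an unsalted single SHA-256 of a short PIN.

    Every user with the same PIN gets the same key, and the whole 4-digit
    keyspace can be hashed in milliseconds once the ciphertext has been
    copied off the device's flash.
    """
    return hashlib.sha256(pin.encode()).digest()


def brute_force_weak(target_key: bytes) -> Optional[str]:
    """Recover a 4-digit PIN from a weak_key() output by exhaustive search."""
    for candidate in range(10_000):
        pin = f"{candidate:04d}"
        if hmac.compare_digest(weak_key(pin), target_key):
            return pin
    return None


def new_salt() -> bytes:
    """Per-installation random salt: stored next to the ciphertext, not secret."""
    return secrets.token_bytes(16)


def derive_key(pin: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 256-bit key with PBKDF2-HMAC-SHA256.

    The salt defeats precomputed tables and the iteration count makes every
    guess cost `iterations` HMAC calls, so the same 10,000-guess search that
    takes milliseconds against weak_key() costs hours against this key.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def mask_pan(pan: str) -> str:
    """Show only the last four digits of a card number on screen."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("not a card number")
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


if __name__ == "__main__":
    stolen = weak_key(SAMPLE_PIN)
    print("PIN recovered from weak key:", brute_force_weak(stolen))
    print("PBKDF2 key:", derive_key(SAMPLE_PIN, new_salt()).hex())
    print(mask_pan("4111 1111 1111 1111"))
```

The derived key still has to be fed to an authenticated cipher (AES-GCM via a platform library or the OS keystore); the point here is only that the key comes from a salted, slow KDF rather than a fast hash or a constant.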


Make Sure Sessions Are Managed Carefully

• Why?
  – Mobile application sessions tend to be left open longer on mobile devices to support mobile app use cases
  – Malicious untrusted applications on the same device can compromise your application if session management isn't secure
  – People often leave their phones lying around …
• What to do
  – Terminate idle sessions automatically after no more than 5 minutes if the application is security-critical
  – Do not use the device identifier / MEID (or any other static, predictable value) as a session token; generate tokens from a cryptographically secure random source
  – Support token revocation, including the ability to revoke tokens remotely from the server side, so a lost or compromised device can be cut off
  – Use only temporary, expiring session keys (to thwart replay attacks)

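The "what to do" list above as one server-side session table, added here as an example and not code from the deck. Tokens are 256 random bits from the OS CSPRNG rather than anything derived from the device, the 5-minute idle timeout from the slide is enforced on every request, and revocation can be done per token or for all of a user's sessions when a phone is reported lost. The absolute lifetime cap and the injectable clock are assumptions added for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 5 * 60          # "no more than 5 minutes" for security-critical apps
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60  # assumption: hard cap even for an active session


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session table keyed by random bearer tokens.

    The token is never derived from the device (no IMEI/MEID, no Android ID,
    no serial number): a malicious app that can read those identifiers learns
    nothing about the session, and a token is only ever valid once, for a
    bounded time, so a captured one cannot be replayed indefinitely.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so tests can advance time
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = Session(user=user, created=now, last_seen=now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user behind a live token, or None.

        A valid call resets the idle timer; an expired token is revoked on
        the spot so it cannot come back to life.
        """
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS or now - s.created > ABSOLUTE_LIFETIME_SECONDS:
            self.revoke(token)
            return None
        s.last_seen = now
        return s.user

    def revoke(self, token: str) -> None:
        s = self._sessions.get(token)
        if s is not None:
            s.revoked = True

    def revoke_all_for_user(self, user: str) -> int:
        """Remote revocation: the user or help desk reports a lost phone."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print("valid:", store.validate(tok))
    print("revoked:", store.revoke_all_for_user("alice"), "session(s)")
    print("after revocation:", store.validate(tok))
```

The store keeps state on the server on purpose: a self-contained token (a signed JWT, say) cannot be revoked remotely unless the server also keeps a deny list, which is the same table by another name.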


Assume No Client (or App) Is Trustworthy

• Why?
  – The increased threat of mobile device compromise means no client / app requesting information can be trusted
  – Trusted apps may have been misconfigured to allow easy compromise
• What to do
  – Make sure weak cipher suites (export grade, RC4, DES, anonymous key exchange) and old protocol versions have been disabled on the back-end servers
  – Validate the integrity of all data received from a client or other application (trust no one!)
  – Sanitize all data received from a client or other input
  – Return the minimum amount of information to the user when an error has occurred; log the detail server side instead
  – Do not serve from the default directories / paths on any server (move or remove them)
  – Do not allow software to be installed / configured with default passwords

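Two of the points above in working form, added as an example rather than taken from the deck: a server TLS context with export-grade and other weak suites excluded, plus a validator for an untrusted transfer request that logs the real reason server side and hands the client only a generic message. The account-number format, the 10,000 limit and the field names are assumptions for the example.

```python
import json
import logging
import re
import ssl
from decimal import Decimal, InvalidOperation
from typing import List, Optional, Tuple

log = logging.getLogger("api")

# Only forward-secret AEAD suites; the '!' entries explicitly exclude
# export-grade, anonymous, NULL, DES, RC4 and MD5-based suites.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
WEAK_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5", "ADH", "AECDH")


def hardened_tls_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2 minimum, strong suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites matching a weak marker; a hardened context returns []."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"].upper() for m in WEAK_MARKERS)]


# Assumed request shape: {"from": <account>, "to": <account>, "amount": <decimal string>}
ACCOUNT_RE = re.compile(r"^[0-9]{8,12}$")
MAX_BODY = 4096
MAX_AMOUNT = Decimal("10000")
GENERIC_ERROR = "request rejected"  # the only text a client ever sees on failure


def validate_transfer(raw: bytes, request_id: str) -> Tuple[Optional[dict], Optional[str]]:
    """Parse and validate an untrusted request body.

    Returns (clean_request, None) on success or (None, GENERIC_ERROR) on any
    failure; the specific reason goes to the server log under request_id.
    """
    if len(raw) > MAX_BODY:
        log.warning("%s: body too large (%d bytes)", request_id, len(raw))
        return None, GENERIC_ERROR
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        log.warning("%s: malformed body: %s", request_id, exc)
        return None, GENERIC_ERROR
    if not isinstance(body, dict) or set(body) != {"from", "to", "amount"}:
        log.warning("%s: unexpected shape: %r", request_id, body)
        return None, GENERIC_ERROR
    for field in ("from", "to"):
        if not (isinstance(body[field], str) and ACCOUNT_RE.match(body[field])):
            log.warning("%s: bad %s: %r", request_id, field, body[field])
            return None, GENERIC_ERROR
    try:
        amount = Decimal(str(body["amount"]))
    except InvalidOperation:
        log.warning("%s: bad amount: %r", request_id, body["amount"])
        return None, GENERIC_ERROR
    # NaN/Infinity, non-positive, sub-cent precision and oversized amounts are all rejected.
    if (not amount.is_finite() or amount <= 0
            or amount.as_tuple().exponent < -2 or amount > MAX_AMOUNT):
        log.warning("%s: amount out of policy: %s", request_id, amount)
        return None, GENERIC_ERROR
    return {"from": body["from"], "to": body["to"], "amount": amount}, None


if __name__ == "__main__":
    print("weak suites enabled:", weak_ciphers_enabled(hardened_tls_context()))
    print(validate_transfer(b'{"from": "12345678", "to": "87654321", "amount": "12.50"}', "r1"))
    print(validate_transfer(b'{"from": "1 OR 1=1", "to": "87654321", "amount": "1"}', "r2"))
```

The validator is an allow-list: every field is checked against the shape it must have, rather than searching the input for known-bad strings, which is what "sanitize" too often degenerates into.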


Test Native Code for Known Vulnerabilities

• Why?
  – Mobile platforms support the development of native code that is vulnerable to traditional attacks (buffer overflows, format string bugs, use-after-free)
  – Software written for Apple devices is written in Objective-C, a superset of C, and Java on Android can call native C/C++ code through JNI
  – VMs often include vulnerabilities!
• What to do
  – Build so that Address Space Layout Randomization (ASLR) actually applies: compile native code as position-independent (PIE / -fPIC), and enable stack protection and non-executable stacks, to combat overflow attacks
  – Perform traditional secure code scanning on all native code as part of the software development process
  – Avoid using native code if possible

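ASLR can only relocate an image that was linked position-independent, so the check a build pipeline wants is "is this ELF an ET_DYN?" The reader below is an added example, not from the deck: it parses the e_type field of an ELF header, and make_sample_header builds a constructed header so the check runs offline. Shared objects (Android .so files) are always ET_DYN; the check matters for any standalone native executable the app ships, and the header layout is the standard one (e_type at offset 16, in the file's own endianness).

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2  # fixed-address executable: loads at the same address every time
ET_DYN = 3   # position-independent: shared object or PIE, relocatable by ASLR
EI_DATA_LITTLE, EI_DATA_BIG = 1, 2


def elf_type(header: bytes) -> int:
    """Return e_type from an ELF header (2 bytes at offset 16, file endianness)."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = {EI_DATA_LITTLE: "<", EI_DATA_BIG: ">"}.get(header[5])
    if endian is None:
        raise ValueError("invalid EI_DATA byte")
    return struct.unpack(endian + "H", header[16:18])[0]


def is_position_independent(header: bytes) -> bool:
    """True for ET_DYN, the only type ASLR can place at a random base."""
    return elf_type(header) == ET_DYN


def check_file(path: str) -> bool:
    """Read just the header of a real binary and apply the check."""
    with open(path, "rb") as fh:
        return is_position_independent(fh.read(64))


def make_sample_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed 64-bit ELF identification plus e_type, for testing only.

    Layout: magic(4) class(1) data(1) version(1) pad(9) e_type(2) = 18 bytes.
    """
    data = EI_DATA_LITTLE if little_endian else EI_DATA_BIG
    ident = ELF_MAGIC + bytes([2, data, 1]) + bytes(9)
    return ident + struct.pack(("<" if little_endian else ">") + "H", e_type)


if __name__ == "__main__":
    print("PIE sample:", is_position_independent(make_sample_header(ET_DYN)))
    print("non-PIE sample:", is_position_independent(make_sample_header(ET_EXEC)))
```

`readelf -h` reports the same field as "Type: DYN (Shared object file)" versus "EXEC (Executable file)"; the point of doing it in code is to fail the build automatically when a non-PIE binary slips in.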

Understand Your Mobile Platform

• Why?
  – Each platform uses a different security model
  – Each platform manages applications differently
• What to learn
  – Learn how applications store data, protect it from access, and when data is physically deleted from the device
  – Understand the default configurations for applications, browsers, and communication protocols
  – Learn how and when information is cached, keyboard keys are logged, and screenshots are saved
  – Understand how libraries are loaded and run (and in what order)


Don't Forget About Traditional Risks

• Why?
  – Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
  – A local database (SQLite) ships with the mobile platforms, and any query built by string concatenation is susceptible to SQL injection on the device just as on the server
  – Web vulnerabilities exist in thin-client (web view) mobile apps
• What to do
  – Check for SQL injection
  – Check for web application security issues (XSS, CSRF, etc.)

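"Check for SQL injection" against the on-device database, as an added example that is not from the deck. Python's sqlite3 module drives the same SQLite engine the mobile platforms ship, so the vulnerable string-built query and its parameterized replacement behave here exactly as they would in an app; the table, rows and tautology payload are constructed for the example, and is_injectable is the kind of black-box probe a test suite can run against each data-access function.

```python
import sqlite3
from typing import Callable, List

# Constructed sample data standing in for an app's local cache.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]
# Classic tautology payload: closes the quoted literal, then ORs in a true condition.
INJECTION = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT NOT NULL, pan TEXT NOT NULL)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Deliberately vulnerable: the caller's string is spliced into the SQL text."""
    sql = f"SELECT pan FROM cards WHERE owner = '{owner}' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Parameterized: the value is bound by the engine and can never change the query."""
    sql = "SELECT pan FROM cards WHERE owner = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (owner,))]


def is_injectable(conn: sqlite3.Connection,
                  lookup: Callable[[sqlite3.Connection, str], List[str]]) -> bool:
    """Black-box probe: does the tautology payload return more rows than an unknown owner?"""
    baseline = lookup(conn, "no-such-owner")
    probed = lookup(conn, INJECTION)
    return len(probed) > len(baseline)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup with payload:", lookup_vulnerable(db, INJECTION))
    print("safe lookup with payload:", lookup_safe(db, INJECTION))
    print("vulnerable injectable:", is_injectable(db, lookup_vulnerable))
    print("safe injectable:", is_injectable(db, lookup_safe))
```

The probe is only a smoke test (a blind or second-order injection would not show up as extra rows); the fix is structural: every query goes through bound parameters, and a code scan for string formatting into SQL text backs that up.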

Getting Smarter

• OWASP Mobile Security Project
  – https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• Coveros Labs – R&D in:
  – Secure mobile development
  – Malicious code analysis
  – Cloud security
  – http://www.coveros.com/content/coveros-labs


Questions?

Thank You

Contact Information: Jeffery Payne [email protected] 703.431.2920