tips and tricks for building secure mobile apps
TRANSCRIPT
6/2/15
© Copyright 2015 Coveros, Inc. All rights reserved.
Tips and Tricks for Building Secure Mobile Applications
Jeffery Payne, Chief Executive Officer, Coveros, Inc.
[email protected]
Twitter: @jefferyepayne
Bio
Jeffery Payne (@jefferyepayne)
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.
About Coveros
Areas of Expertise
• Coveros helps organizations accelerate the delivery of secure, reliable software
• Our consulting services:
– Agile software development
– Application security
– Software quality assurance
• Agile services:
– Agility assessments
– Process improvement
– Hands-on agile software development
– Agile project management
– Agile testing and automation
– Agile training by role
Agenda
• Mobile applications: the perfect security storm
– Typical architecture(s)
– A changing threat model
• Mobile risks and development strategies
– Local storage
– Session management
– Untrusted clients
– Native code
– Mobile platforms
– Traditional risks
• Getting more help
Mobile Apps: The Perfect Security Storm
[Architecture diagram: smartphones, tablets and laptops with mobile data modems connect over the cell network and the Internet, through connectivity gateways, to the web server, app server and database (software apps and data). Annotations on the diagram: fat client concerns, untrusted apps, untrusted users, traditional web security concerns, traditional software security concerns.]
Mobile Apps: The Perfect Security Storm
A Changing Threat Model
• New Attack Profiles
– Increased access by malicious users
– Malicious 3rd party applications
– Increased information for attacking application back-ends
• Fluid Trust Boundaries
– Level of trust necessary to use 3rd party applications
– Local access to sensitive data
• Nuances of Mobile Platforms
– Differing security models
– Different vulnerabilities due to programming languages
Mobile App Security
Mobile Risks
• Local storage – storage of data (implicitly or explicitly) on a device
• Session management – managing the on-going interactions between a mobile app user and the rest of a distributed environment
• Untrusted clients – client requests might not be legitimate
• Native code – native code is still prevalent in mobile applications
• Mobile platforms – how the device (and OS) configures and controls apps
• Traditional risks – other risks we already know about
Mobile App Security: Best Practices
Do Not Allow Storage of Sensitive Data on Devices
• Why?
– Devices use flash memory for local storage
– External devices have global data permissions
– Data encryption libraries and key management functions are often misused by developers
– UI screens are captured and stored in “temporary” storage
• What to do
– Store sensitive data on back-end servers behind a firewall
– Replace sensitive data that must be entered / displayed on the UI with replacement tokens or partial data when it doesn’t need to be fully viewable
– If you must store some data locally, use encryption routines and a computational key derivation function for generating keys
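The three "what to do" points above (server-side storage with a replacement token on the device, partial data for display, and a computational key derivation function when something must be stored locally) as an added example; this is illustrative code written for this transcript, not code from the deck or from Coveros. The iteration count, salt length and the in-memory TokenVault are assumptions chosen for the example; a real app would keep the token mapping in a back-end service and feed the derived key to an AEAD cipher such as AES-GCM.

```python
import hashlib
import os
import secrets

# Constructed parameters for this example. The iteration count is a budget
# choice: high enough to slow offline guessing, low enough for the device CPU.
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32          # 256-bit key, sized for an AEAD cipher such as AES-256-GCM
MIN_SALT_LEN = 16


def new_salt() -> bytes:
    """Fresh random salt, generated once per installation and stored beside the ciphertext."""
    return os.urandom(MIN_SALT_LEN)


def derive_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Computational key derivation: PBKDF2-HMAC-SHA256 over a user passphrase.

    The salt is not secret; it only makes precomputed tables useless. The derived
    key itself is never written to storage, only re-derived on each unlock.
    """
    if len(salt) < MIN_SALT_LEN:
        raise ValueError("salt too short")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def naive_key(passphrase: str) -> bytes:
    """The misuse the slide warns about (unsalted single hash), kept only for contrast:
    the same passphrase always yields the same key, so precomputed tables apply."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def mask_card_number(pan: str, visible: int = 4) -> str:
    """Partial-data display: keep only the last `visible` digits, e.g. on a receipt screen."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= visible:
        raise ValueError("value too short to mask")
    return "*" * (len(digits) - visible) + digits[-visible:]


class TokenVault:
    """Server-side replacement tokens: the device holds an opaque token, the
    sensitive value stays behind the firewall. In-memory stand-in for a real store."""

    def __init__(self):
        self._values = {}

    def tokenize(self, value: str) -> str:
        token = secrets.token_urlsafe(24)      # unguessable, carries no information
        self._values[token] = value
        return token

    def detokenize(self, token: str):
        """Return the original value, or None for an unknown token (no error detail leaks)."""
        return self._values.get(token)


if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("correct horse battery staple", salt)
    print("derived key bytes:", len(key), "salt bytes:", len(salt))
    print(mask_card_number("4111 1111 1111 1111"))
```

Note that `derive_key` is deliberately slow; call it once per unlock on a background thread, and keep only the salt and the ciphertext on the device.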
Mobile App Security: Best Practices
Make Sure Sessions are Managed Carefully
• Why?
– Mobile application sessions tend to be left open longer on mobile devices to support mobile app use cases
– Untrusted applications that are malicious can compromise your application if session management isn’t secure
– People often leave their phones lying around …
• What to do
– Terminate idle sessions automatically after no more than 5 minutes if the application is security-critical
– Do not use a device identifier / MEID as a session token
– Support token revocation, including the ability to revoke tokens remotely
– Use only temporary session keys (to thwart ‘replay attacks’)
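The session rules on this slide (random temporary tokens rather than a device identifier, a 5-minute idle timeout, and local plus remote revocation) as an added example of a server-side session table; this is illustrative code for this transcript, not code from the deck or from Coveros. The in-memory dictionary and the injectable clock are assumptions made so the behaviour can be exercised without a database.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 5 * 60    # the slide's limit for security-critical apps


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session table keyed by an opaque, random, temporary token.

    The token is never derived from the device (MEID/IMEI, advertising id), so a
    leaked identifier is not a credential, and every login gets a fresh value,
    so a captured token cannot be replayed once it has expired or been revoked.
    """

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock            # injectable so tests can advance time

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits of entropy, unique per login
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token: str):
        """Return the user id if the token is live, otherwise None (and forget the token)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if s.revoked or now - s.last_seen > self._idle_timeout:
            self._sessions.pop(token, None)      # idle too long or revoked: gone for good
            return None
        s.last_seen = now                        # sliding idle window
        return s.user_id

    def revoke(self, token: str) -> bool:
        """Local revocation, e.g. the user taps 'log out'."""
        s = self._sessions.get(token)
        if s is None:
            return False
        s.revoked = True
        return True

    def revoke_all_for_user(self, user_id: str) -> int:
        """Remote revocation, e.g. a 'lost phone' flow run by the help desk; returns count revoked."""
        n = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                n += 1
        return n


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print("live:", store.validate(tok))
    store.revoke(tok)
    print("after revoke:", store.validate(tok))
```

The timeout is measured from the last validated request, so an app that polls in the background keeps its session alive; if that is not wanted, compare against `created_at` as well to cap absolute session lifetime.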
Mobile App Security: Best Practices
Assume No Client (or App) is Trustworthy
• Why?
– The increased threat of mobile device compromise means no client / app requesting information can be trusted
– Trusted apps may have been misconfigured to allow easy compromise
• What to do
– Make sure lower levels of encryption (export grade) have been disabled on the back-end servers
– Validate the integrity of all data received from a client or other application (trust no one!)
– Sanitize all data received from a client or other input
– Return the minimum amount of information to the user when an error has occurred
– Move all default directories on all servers
– Do not allow software to be installed/configured with default passwords
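An added example of three of the items above on the back-end side: a TLS listener context with legacy protocol versions and weak suites disabled, strict validation of an untrusted client payload, and error responses that give the client only a reference id while the reason goes to the server log. This is illustrative code for this transcript, not code from the deck or from Coveros; the field names, limits and cipher string are assumptions for the example.

```python
import json
import logging
import re
import ssl
import uuid

log = logging.getLogger("mobile-api")

# Constructed limits for the example request shape {"username": ..., "amount_cents": ...}
MAX_BODY_BYTES = 4096
ALLOWED_FIELDS = {"username", "amount_cents"}
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
MAX_AMOUNT_CENTS = 1_000_000


class RejectedRequest(Exception):
    """What the client sees: a generic message plus a reference id. The reason stays server-side."""

    def __init__(self, ref: str):
        self.ref = ref
        super().__init__(f"Invalid request (ref {ref})")


def _reject(detail: str) -> RejectedRequest:
    ref = uuid.uuid4().hex[:8]
    log.warning("rejected request %s: %s", ref, detail)   # detail is for operators only
    return RejectedRequest(ref)


def validate_request(raw: bytes) -> dict:
    """Parse and validate an untrusted client payload; return only whitelisted, typed fields."""
    if len(raw) > MAX_BODY_BYTES:
        raise _reject("body too large")
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise _reject(f"malformed JSON: {exc}")
    if not isinstance(body, dict):
        raise _reject("top level is not an object")
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        raise _reject(f"unexpected fields {sorted(unknown)}")   # no silent mass assignment
    username = body.get("username")
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise _reject("bad username")
    amount = body.get("amount_cents")
    # bool is an int subclass in Python, so reject it explicitly; then range-check
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= MAX_AMOUNT_CENTS:
        raise _reject("bad amount")
    return {"username": username, "amount_cents": amount}


def harden_tls_context() -> ssl.SSLContext:
    """Back-end listener context: TLS 1.2+ only, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # drops SSLv3/TLS 1.0/1.1 and with them export-grade suites
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(validate_request(b'{"username": "alice_01", "amount_cents": 1250}'))
    try:
        validate_request(b'{"username": "alice_01", "amount_cents": 1250, "is_admin": true}')
    except RejectedRequest as e:
        print("client sees only:", e)
```

Values the server can compute itself (prices, totals, the caller's identity) should come from the server's own records rather than from the payload, even after validation.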
Mobile App Security: Best Practices
Test Native Code for Known Vulnerabilities
• Why?
– Mobile platforms often support the development of native code applications that are vulnerable to traditional attacks
– Software written for Apple devices is written in Objective-C; Java can call native code
– VMs often include vulnerabilities!
• What to do
– Use Address Space Layout Randomization (ASLR) to combat overflow attacks
– Perform traditional secure code scanning on all native code as part of the software development process
– Avoid using native code if possible
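ASLR only helps native code that was built to be relocated, so a build-time check worth adding to the pipeline is whether each shipped binary is position-independent. The following added example (written for this transcript, not code from the deck or from Coveros) reads the header fields that record this: `e_type == ET_DYN` for ELF images such as the `.so` files in an APK, and the `MH_PIE` flag for Mach-O images on Apple devices. The constructed header builders exist only to exercise the checks; they do not produce loadable binaries.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                     # ELF e_type values
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_PIE = 0x200000                          # Mach-O header flag: image may be loaded at a random address


def elf_is_pie(data: bytes) -> bool:
    """True if an ELF image was linked position-independent (e_type == ET_DYN).

    ASLR can only move the main executable if it is PIE; an ET_EXEC binary maps at
    the same fixed address every run. ET_DYN also matches shared objects, which are
    always relocatable, so the same call works for the .so files inside an APK.
    """
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type == ET_DYN


def macho_is_pie(data: bytes) -> bool:
    """True if a Mach-O image carries MH_PIE in its header flags (iOS/macOS native code)."""
    if len(data) < 28:
        raise ValueError("not a Mach-O image")
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            (flags,) = struct.unpack_from(endian + "I", data, 24)   # flags field, same offset in 32/64-bit headers
            return bool(flags & MH_PIE)
    raise ValueError("not a Mach-O image")


def file_is_pie(path: str) -> bool:
    """Classify a binary on disk from its first header bytes."""
    with open(path, "rb") as f:
        head = f.read(64)
    if head[:4] == b"\x7fELF":
        return elf_is_pie(head)
    return macho_is_pie(head)


# Constructed headers for testing only; these are not loadable binaries.
def make_elf_header(e_type: int, little_endian: bool = True, is_64: bool = True) -> bytes:
    ident = b"\x7fELF" + bytes([2 if is_64 else 1, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    endian = "<" if little_endian else ">"
    return ident + struct.pack(endian + "HH", e_type, 0xB7)       # e_machine 0xB7 = AArch64


def make_macho_header(flags: int) -> bytes:
    # magic, cputype (ARM64), cpusubtype, filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, flags, 0)


if __name__ == "__main__":
    print("PIE ELF:", elf_is_pie(make_elf_header(ET_DYN)))
    print("fixed-address ELF:", elf_is_pie(make_elf_header(ET_EXEC)))
    print("PIE Mach-O:", macho_is_pie(make_macho_header(0x00200085)))
```

A fat (multi-architecture) Mach-O starts with a different magic and wraps several images; split it first (for example with `lipo`) and run `macho_is_pie` on each slice.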
Mobile App Security: Best Practices
Understand Your Mobile Platform
• Why?
– Each platform uses a different security model
– Each platform manages applications differently
• What to learn
– Learn how applications store data, protect it from access, and when data is physically deleted from the device
– Understand the default configurations for applications, browsers, and communication protocols
– Learn how and when information is cached, keyboard keys are logged, and screenshots are saved
– Understand how libraries are loaded and run (and in what order)
Mobile App Security: Best Practices
Don’t Forget About Traditional Risks
• Why?
– Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
– MySQL often ships with devices and is susceptible to SQL injection
– Web vulnerabilities exist in thin-client mobile apps
• What to do
– Check for SQL injection
– Check for web application security issues (XSS, CSRF, etc.)
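The two checks on this slide as an added example that is not part of the deck or Coveros' material: a string-built query beside its parameterized replacement, a probe function of the kind a test suite can run against both, and output encoding for a thin-client screen rendered in a web view. The in-memory SQLite table and the account data are constructed for the example.

```python
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the back-end the app fronts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str):
    """Injectable: the client value is spliced into the SQL text, so a quote in it rewrites the query."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str):
    """Parameterized: the value travels separately from the SQL and can only ever be data."""
    return conn.execute("SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)).fetchall()


def query_is_injectable(conn: sqlite3.Connection, lookup) -> bool:
    """Test-suite check: a tautology probe must not widen the result set of a single-owner lookup.

    A safe lookup returns no rows for the probe (no account is literally named that);
    an injectable one returns the whole table.
    """
    probe = "' OR '1'='1"
    return len(lookup(conn, probe)) > 1


def render_greeting(display_name: str) -> str:
    """Output encoding for a web-view screen: untrusted text is escaped, so markup in it is inert (XSS)."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable lookup injectable:", query_is_injectable(db, lookup_vulnerable))
    print("parameterized lookup injectable:", query_is_injectable(db, lookup_safe))
    print(render_greeting("<b>bob</b>"))
```

For CSRF, the equivalent check is that every state-changing endpoint used from a web view requires a per-session token the page itself carries, not just the session cookie.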
Mobile App Security
Getting Smarter
• OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• Coveros Labs – R&D in:
– Secure mobile development
– Malicious code analysis
– Cloud security
– http://www.coveros.com/content/coveros-labs
Questions?
Thank You
Contact Information: Jeffery Payne, [email protected], 703.431.2920