Tips and Tricks for Building Secure Mobile Apps

Posted on 28-Jul-2015

Slide 1: Tips and Tricks for Building Secure Mobile Applications
Jeffery Payne, Chief Executive Officer, Coveros, Inc.
jeff.payne@coveros.com | www.coveros.com | Twitter: @jefferyepayne
Copyright 2013 Coveros, Inc. All rights reserved.

Slide 2: Bio
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.

Slide 3: About Coveros
Coveros helps organizations accelerate the delivery of secure, reliable software.
Areas of expertise:
- Consulting services: agile software development, application security, software quality assurance
- Agile services: agility assessments, process improvement, hands-on agile software development, agile project management, agile testing and automation, agile training by role

Slide 4: Agenda
- Mobile applications: the perfect security storm
- Typical architecture(s)
- A changing threat model
- Mobile risks and development strategies: local storage, session management, untrusted clients, native code, mobile platforms, traditional risks
- Getting more help

Slide 5: Mobile Apps: The Perfect Security Storm
(Architecture diagram.) Devices: smartphones, tablets, and laptops with mobile data modems. Path: the cell network and the Internet, through connectivity gateways, to the web server, app server and database (software, apps and data). Each layer brings its own concerns: fat-client concerns and untrusted apps on the device, untrusted users on the network, traditional web security concerns at the web tier, and traditional software security concerns in the back end.

Slide 6: Mobile Apps: The Perfect Security Storm: A Changing Threat Model
New attack profiles:
- Increased access by malicious users
- Malicious third-party applications
- Increased information for attacking application back-ends
Fluid trust boundaries:
- The level of trust necessary to use third-party applications
- Local access to sensitive data
Nuances of mobile platforms:
- Differing security models
- Different vulnerabilities due to the programming languages in use

Slide 7: Mobile App Security: Mobile Risks
- Local storage: data stored (implicitly or explicitly) on the device
- Session management: managing the ongoing interactions between a mobile app user and the rest of a distributed environment
- Untrusted clients: client requests might not be legitimate
- Native code: native code is still prevalent in mobile applications
- Mobile platforms: how the device (and OS) configures and controls apps
- Traditional risks: other risks we already know about

Mobile App Security: Best Practices (slides 8 to 13)

Slide 8: Do Not Allow Storage of Sensitive Data on Devices
Why?
- Devices use flash memory for local storage, so "deleted" data may remain physically recoverable
- External storage has global data permissions: any app on the device can read it
- Data encryption libraries and key management functions are often misused by developers
- UI screens are captured and stored in temporary storage (for example, screenshots taken when an app is backgrounded)
What to do:
- Store sensitive data on back-end servers behind a firewall
- Replace sensitive data that must be entered or displayed on the UI with replacement tokens, or show only partial data when it does not need to be fully viewable
- If you must store some data locally, use vetted encryption routines and generate the key with a computationally expensive key derivation function (PBKDF2 or similar) rather than hashing or hard-coding it

Slide 9: Make Sure Sessions Are Managed Carefully
Why?
- Mobile application sessions tend to be left open longer to support mobile use cases
- Malicious untrusted applications can compromise your application if session management is not secure
- People often leave their phones lying around
What to do:
- Automatically terminate idle sessions after no more than 5 minutes if the application is security-critical
- Do not use the device identifier (MEID) as a session token
- Support token revocation, including the ability to revoke tokens remotely
- Use only temporary, regularly rotated session tokens, so that a captured token has limited replay value

Slide 10: Assume No Client (or App) Is Trustworthy
Why?
- The increased threat of mobile device compromise means no client or app requesting information can be trusted
- Even trusted apps may have been misconfigured to allow easy compromise
What to do:
- Make sure weak (export-grade) cipher suites and legacy protocol versions have been disabled on the back-end servers
- Validate the integrity of all data received from a client or other application (trust no one!)
- Sanitize all data received from a client or other input
- Return the minimum amount of information to the user when an error has occurred
- Move all default directories on all servers off their well-known paths
- Do not allow software to be installed or configured with default passwords

Slide 11: Test Native Code for Known Vulnerabilities
Why?
- Mobile platforms support native-code applications, which are vulnerable to traditional attacks (buffer overflows and other memory corruption)
- Software for Apple devices is written in Objective-C, a superset of C; Java apps on Android can call native code through JNI
- The VMs themselves often include vulnerabilities!
What to do:
- Use Address Space Layout Randomization (ASLR) to make memory-corruption exploits harder
- Perform traditional secure code scanning on all native code as part of the software development process
- Avoid using native code if possible

Slide 12: Understand Your Mobile Platform
Why?
- Each platform uses a different security model
- Each platform manages applications differently
What to learn:
- How applications store data, protect it from access, and when data is physically deleted from the device
- The default configurations for applications, browsers, and communication protocols
- How and when information is cached, keyboard input is logged, and screenshots are saved
- How libraries are loaded and run (and in what order)

Slide 13: Don't Forget About Traditional Risks
Why?
- Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
- Embedded databases ship with the devices (SQLite on both Android and iOS) and are as susceptible to SQL injection as the MySQL behind the API
- Web vulnerabilities exist in thin-client mobile apps
What to do:
- Check for SQL injection
- Check for web application security issues (XSS, CSRF, etc.)

Slide 14: Mobile App Security: Getting Smarter
- OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
- Coveros Labs, R&D in secure mobile development, malicious code analysis and cloud security: http://www.coveros.com/content/coveros-labs

Slide 15: Questions?
Thank you.
Contact information: Jeffery Payne, jeff.payne@coveros.com, 703.431.2920
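Worked example for slide 8 (local storage). This is an added illustration, not code from the deck or from Coveros: it shows the three "what to do" items in one place, with a hypothetical back-end token vault (TokenVault), partial masking for the UI, and PBKDF2-HMAC-SHA256 key derivation with a random per-installation salt for the case where something must be stored on the device. The card number is a constructed test value, and the actual cipher call (a platform AEAD such as AES-GCM fed by the derived key) is deliberately left to the platform library.

```python
import hashlib
import secrets

# Constructed sample value (the standard test card number), not real data.
SAMPLE_PAN = "4111111111111111"


def mask_partial(value: str, visible: int = 4) -> str:
    """Keep only the last `visible` characters for display. The UI shows this
    instead of the full value when it does not need to be fully viewable."""
    if visible >= len(value):
        raise ValueError("nothing would be masked")
    return "*" * (len(value) - visible) + value[-visible:]


class TokenVault:
    """Hypothetical back-end vault (assumed design, not the deck's): the full
    value stays on the server behind the firewall; the device only ever holds
    an opaque replacement token that is useless without the vault."""

    def __init__(self):
        self._store = {}

    def tokenize(self, sensitive: str) -> str:
        token = secrets.token_urlsafe(16)  # 128 random bits, no relation to the value
        self._store[token] = sensitive
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]  # KeyError on an unknown token is intended


def device_record(vault: TokenVault, pan: str) -> dict:
    """What the device is allowed to keep: a token and a masked display string."""
    return {"token": vault.tokenize(pan), "display": mask_partial(pan)}


def new_salt() -> bytes:
    """Random 128-bit salt, generated once per installation and stored beside
    the ciphertext (the salt is not secret; the passphrase is)."""
    return secrets.token_bytes(16)


def derive_storage_key(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """If data must be stored locally, derive the encryption key with a
    computationally expensive KDF (PBKDF2-HMAC-SHA256) from a user passphrase
    and a random salt. A single SHA-256 of the passphrase, or a key hard-coded
    in the app, is what an attacker with the flash image hopes to find."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 128 bits")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


if __name__ == "__main__":
    vault = TokenVault()
    print(device_record(vault, SAMPLE_PAN))
    print(derive_storage_key("correct horse battery staple", new_salt()).hex())
```

The iteration count is a tuning knob: raise it until derivation takes a noticeable fraction of a second on the slowest device you support, and store it with the salt so it can be increased later.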
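Worked example for slide 9 (session management). Added here as an illustration, not taken from the deck: a server-side session store whose tokens are random rather than derived from any device identifier, that expires idle sessions after the slide's 5-minute limit, that supports per-token and remote per-user revocation, and that rotates tokens so a captured one has a short replay window. The class name, the injectable clock and the 8-hour absolute lifetime are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 300          # slide 9: no more than 5 minutes for security-critical apps
ABSOLUTE_LIFETIME_SECONDS = 8 * 3600  # assumed upper bound, whatever the activity


class SessionStore:
    """Server-side session registry (hypothetical). Tokens are random, short-lived
    and revocable; nothing derived from the device (MEID, IMEI, serial) is ever
    used as a token, because those values are fixed and readable by other apps."""

    def __init__(self, clock=time.time):
        self._clock = clock              # injectable for testing
        self._sessions = {}              # token -> {"user", "issued", "last_seen"}

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        now = self._clock()
        self._sessions[token] = {"user": user, "issued": now, "last_seen": now}
        return token

    def validate(self, token: str):
        """Return the user for a live token, or None. A live request resets the
        idle timer; an idle or over-age session is dropped on sight."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_too_long = now - session["last_seen"] > IDLE_TIMEOUT_SECONDS
        too_old = now - session["issued"] > ABSOLUTE_LIFETIME_SECONDS
        if idle_too_long or too_old:
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def revoke(self, token: str) -> bool:
        """Explicit logout. Returns False if the token was already gone."""
        return self._sessions.pop(token, None) is not None

    def revoke_all_for_user(self, user: str) -> int:
        """Remote revocation: kill every session of the owner of a lost or
        stolen phone, from the back end, without needing the device."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def rotate(self, token: str):
        """Swap the token after a sensitive step (or on a schedule) so that a
        token captured earlier cannot be replayed afterwards."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.issue(user)


if __name__ == "__main__":
    store = SessionStore()
    t = store.issue("alice")
    print("valid:", store.validate(t))
    print("rotated:", store.rotate(t) != t, "old still valid:", store.validate(t))
```

Keep the registry server-side: a token the back end cannot look up cannot be revoked, which is why purely client-held, self-describing tokens fit the slide's revocation requirement poorly.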
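Worked example for slide 10 (untrusted clients). Added as an illustration, not from the deck: an allow-list validator for a request a mobile client might send, an error path that returns only a generic message plus a correlation reference and keeps the detail in the server log, and a TLS server context with export-grade and other legacy suites disabled, together with an audit that reads back what the context will actually negotiate. The request format, field names and limits are assumptions for the example; both request bodies are constructed.

```python
import json
import logging
import re
import ssl
import uuid

log = logging.getLogger("api")

# Constructed request bodies, as a client (or something pretending to be one) might send them.
GOOD_REQUEST = '{"account_id": "ACCT-00042", "amount": 125.50, "memo": "rent"}'
BAD_REQUEST = ('{"account_id": "ACCT-00042; DROP TABLE accounts", '
               '"amount": "125.50", "memo": "<script>alert(1)</script>"}')

ACCOUNT_ID_RE = re.compile(r"^ACCT-\d{5}$")          # exact format, not "looks plausible"
MEMO_DISALLOWED_RE = re.compile(r"[^A-Za-z0-9 .,_-]")  # everything outside the allow-list


class ValidationError(ValueError):
    pass


def validate_transfer(raw: str) -> dict:
    """Allow-list validation of everything the client sends: exact key set, exact
    types, bounded values, constrained formats. The app may have been modified,
    or may not be your app at all, so none of this can be delegated to it."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValidationError("malformed JSON") from exc
    if not isinstance(body, dict) or set(body) != {"account_id", "amount", "memo"}:
        raise ValidationError("unexpected field set")
    if not isinstance(body["account_id"], str) or not ACCOUNT_ID_RE.fullmatch(body["account_id"]):
        raise ValidationError("bad account_id")
    amount = body["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or not 0 < amount <= 10_000:
        raise ValidationError("bad amount")  # a JSON string "125.50" is rejected, not coerced
    memo = body["memo"]
    if not isinstance(memo, str) or len(memo) > 64:
        raise ValidationError("bad memo")
    return {
        "account_id": body["account_id"],
        "amount": round(float(amount), 2),
        "memo": MEMO_DISALLOWED_RE.sub("", memo),  # sanitize free text
    }


def handle_transfer(raw: str):
    """Return (status, response body). The client gets a generic message and a
    reference it can quote to support; the reason stays in the server log."""
    try:
        clean = validate_transfer(raw)
    except ValidationError as exc:
        ref = uuid.uuid4().hex[:12]
        log.warning("rejected request %s: %s", ref, exc)
        return 400, {"error": "invalid request", "ref": ref}
    except Exception:  # anything unexpected: never return a stack trace
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error %s", ref)
        return 500, {"error": "internal error", "ref": ref}
    return 200, {"accepted": clean}


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 floor; for TLS 1.2 only ECDHE AEAD suites, with export-grade,
    anonymous, NULL, RC4, MD5 and 3DES suites explicitly excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!3DES")
    return ctx


WEAK_MARKERS = ("EXPORT", "EXP-", "RC4", "NULL", "DES", "MD5")


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Read back what the context will negotiate, so hardening is verified, not assumed."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    return {"tls12_floor": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
            "suites": names, "weak_suites": weak}


if __name__ == "__main__":
    print(handle_transfer(GOOD_REQUEST))
    print(handle_transfer(BAD_REQUEST))
    print(audit_context(hardened_server_context()))
```

The same audit should be run against the real listener (an external `openssl s_client` or `nmap --script ssl-enum-ciphers` scan), since a load balancer or reverse proxy in front of the app server terminates TLS with its own configuration.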
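Worked example for slide 13 (traditional risks, SQL injection). This is an added illustration, not from the deck: the vulnerable query built by string formatting beside its parameterized fix, run against a constructed in-memory SQLite database standing in for the on-device store that Android and iOS apps typically carry. The table, the rows and the attacker string are all constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory SQLite database; the rows are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 120.0), ("bob", 3400.5), ("carol", 18.25)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: the caller's string becomes part of the SQL text, so a quote
    in the input changes the statement itself. Kept deliberately wrong."""
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Fixed: the value is bound as a parameter, so the statement structure is
    fixed at parse time and the input can only ever be compared as data."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


# Constructed attacker input: closes the quoted literal and appends an always-true clause.
INJECTION = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("unsafe, honest input:  ", lookup_unsafe(db, "alice"))
    print("unsafe, injected input:", lookup_unsafe(db, INJECTION))  # every row
    print("safe, injected input:  ", lookup_safe(db, INJECTION))    # nothing
```

The same pattern (string concatenation versus bound parameters) is what a review of both the on-device SQLite code and the back-end MySQL code should look for; a mobile front end does not change the fix.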