CS4720
Security
CS4720 – Mobile Application Development
The Traditional Security Model
• The Firewall Approach
• “Keep the good guys in and the bad guys out”
Distributed System Security
• “Islands of Security”
Security with Web Services
• These models were just fine when corporations had their own networks
• If you needed in, you used a VPN
• Now the open Internet is used as the main network
• How does this change the security model?
• Consider this: how do you access a web service?
Security with Web Services
• Firewall security happens at the network layer
• But now we need access on a per-application basis
• How can we achieve that?
Security with Web Services
• Web services are designed to penetrate firewalls, since they use port 80
• Application-level security is needed to examine:
– Who is making a request
– What info is being accessed
– What service is being addressed
• IP-based security is still needed though!
Application Security 101
• What are some basic things you do to protect your system at the application level?
• Catch exceptions and don’t show detailed error messages
• Hide interfaces
• “Don’t trust your users”
• Encryption
Application Security 101
• Well… shoot.
• Web services:
– Have publicly announced interfaces!
– Must return detailed exceptions to debug systems!
– At some level, must trust users!
• We need security that is basically content-aware
System Security
• Human: social engineering attacks
• Physical: “steal the server itself”
• Network: treat your server like a 2 year old
• Operating System: the war continues
• Application: just discussed
• Database: protecting the data
Content-Aware Security
• Must be able to inspect content of network traffic
• Must be able to make authorization decisions
• Must be able to make authentication decisions
• Must be able to verify data as valid for this transaction
• Must also deal with confidentiality and privacy concerns (encryption, message integrity, audit)
Web Service Security Concerns
• Unauthorized Access: people view info that they shouldn’t from a message
• Unauthorized Alteration: an attacker modifies part of a message
• Man-in-the-Middle: an attacker sits in between two parties and views messages (or alters them) as they pass by
• Denial-of-Service: flood the service with so many messages that it can’t keep up
Application Level Security
• Refers to security safeguards built into a particular application that operate independently from the network level security
• Authentication
• Authorization
• Integrity/Confidentiality
• Non-repudiation/Auditing
Authentication
• Verifying that the requester is the requester…
• …and that the service is the service
• This requires a mechanism of “proof of identity”
• What are some ways to accomplish this?
• Username/password
• Signed Certificates
• Authentication Applications
A little closer to home
• NetBadge (or more accurately, PubCookie or Shibboleth)
• http://www.pubcookie.org/docs/how-pubcookie-works.html
Authorization
• Now that we know who you are, what are you allowed to do?
• Permissions
• Role-based security
• How does this work in a database system?
• How about an operating system?
Integrity/Confidentiality
• What happens if a message is:
– Captured and reused?
– Captured and modified?
– Monitored as it passes by in a passive manner?
• How do we verify a message hasn’t been tampered with?
– Digital signature
• How do we verify it hasn’t been viewed?
– Encryption
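An added example (not from the lecture) of the two “captured” cases above: the service checks a digital signature over each request, so a modified message fails verification, and it remembers the nonce of every accepted request, so a replayed copy is refused. The wire format "<nonce>|<body>" and the class names are assumptions for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.HashSet;
import java.util.Set;

// Added example: the service accepts a request only if its ECDSA signature verifies AND its
// nonce is new, so a captured message can be neither modified (signature check fails)
// nor replayed (nonce already used). Assumed wire format: "<nonce>|<body>" + detached signature.
public class SignedRequestDemo {
    static class Service {
        private final PublicKey clientKey;
        private final Set<String> seenNonces = new HashSet<>(); // bound by a time window in real use

        Service(PublicKey clientKey) { this.clientKey = clientKey; }

        String handle(String message, byte[] signature) throws GeneralSecurityException {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(clientKey);
            verifier.update(message.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(signature)) return "REJECT: bad signature (altered or not from client)";
            int sep = message.indexOf('|');
            if (sep < 0) return "REJECT: malformed message";
            // Replay is caught by the nonce, not the signature bytes: ECDSA signing is
            // randomized, so a legitimately re-signed message would carry different bytes.
            if (!seenNonces.add(message.substring(0, sep))) return "REJECT: replay (nonce already used)";
            return "OK: " + message.substring(sep + 1);
        }
    }

    static byte[] sign(PrivateKey key, String message) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(key);
        signer.update(message.getBytes(StandardCharsets.UTF_8));
        return signer.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair client = kpg.generateKeyPair();
        Service service = new Service(client.getPublic());

        String msg = "n-8f3a|transfer 10 to bob"; // constructed sample request
        byte[] sig = sign(client.getPrivate(), msg);
        System.out.println(service.handle(msg, sig));                          // first delivery
        System.out.println(service.handle(msg, sig));                          // same message again
        System.out.println(service.handle("n-8f3a|transfer 99 to bob", sig)); // body changed, old signature
    }
}
```

Passive monitoring (the third case) is not addressed by the signature at all; that is what the encryption bullet is for.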
Non-repudiation/Auditing
• When we’re charging to use a web service, how do we prove you used the service so we can charge you?
• How do we track your activities?
• Digitally signed logs, effectively
• Also saves the certificate used to perform the transaction (like a signature on a receipt)
Mobile Security
• Questions to ask yourself as a developer:
– Is the mobile backend as secure as the app itself?
– Is data encrypted whenever and wherever it’s stored?
– Does the app use HTTPS encryption – and enforce it?
– Has the app binary been scrubbed of sensitive information?
– Have steps been taken to thwart reverse engineering and analysis?
Mobile Security
• What are the “bad guys” after?
Mobile Security
• Personal data stored on the device
– Not just name and address!
– Passwords
– Confidential documents
– Financial information
• Sensor data
– GPS location (to track people)
– Microphone/Camera (espionage)
• False installs (for ad hits, for instance)
Mobile Security
• Now we know what we are up against
• So… how do we stop them?
• What are some “best practices”?
• What features of the platforms should we be utilizing?
• Where are the attacks coming from (where are the weak points)?
Mobile Security
• Core Features/Best Practices
– Executing in a sandbox
– Utilizing system level permissions
– Implementing application permissions
– Encrypted or “hardened” file system
– Remote policy management
– Remote device locating/wipe
Executing in a Sandbox
• Both iOS and Android run on a Unix-based kernel
• Apps are given their own user id and execution space, with each app running in a VM
• By default, one app cannot touch another app’s data
Permissions
• Android: permissions declared up-front on install
• iOS: permissions requested ad hoc during execution
• In both cases, the main problem is an uninformed (or misinformed) user
Permissions
• Example: The app wants to access your location… why?
• Does it have a purpose for the functionality?
• If it does, does the author communicate the benefits of this feature appropriately?
• What is the challenge to do this between Android and iOS?
Encryption/Hardened File System
• What if you just don’t trust Google/Apple?
• For Android, the OS is open source
• Blackberry offered a hardened version for a long time – that’s one reason it was adopted as the platform of choice for the government
• https://copperhead.co/android/
Policy Management
• Ever been issued a laptop as a part of an internship?
• What could you do with/on that machine?
• What protections were on that machine?
Policy Management
• You don’t expect to get to use your personal machine for work stuff…
• …but many (most? all?) people don’t want to have two phones!
• A large problem with mobile security in a corporation is BYOD (Bring Your Own Device)
• How do you keep things separate?
Policy Management
• MDM (Mobile Device Management)
• Can put specific usage policies on a device (if owned by company)
• Can partition away business operations
– Can run basically like a virtual machine on the same device
• http://www.apple.com/iphone/business/it/
Compression and Obfuscation
• Java bytecode, unlike fully compiled code, is relatively easy to reverse engineer
• Further, we tend to leave lots of “clues” in our code
– Variable names
– Class names
– Method names
• It’s relatively easy to “rebuild” a Java app!
Compression and Obfuscation
• Java programmers also tend to leave a lot of “cruft” behind…
– Debug messages (logging that’s not needed)
– Lots of extra whitespace
– Lots of comments
• Sometimes, you have to get that .apk as small as possible…
Compression and Obfuscation
• ProGuard
– detects and removes unused classes, fields, methods, and attributes from your packaged app
– optimizes the bytecode
– removes unused code instructions
– obfuscates the remaining classes, fields, and methods with short names
ProGuard
// onCreate() as decompiled from a build that was not run through ProGuard
public void onCreate(Bundle paramBundle) {
    super.onCreate(paramBundle);
    WL.createInstance(this);
    WL.getInstance().showSplashScreen(this);
    WL.getInstance().initializeWebFramework(getApplicationContext(), this);
}
ProGuard
// the same onCreate() after ProGuard has renamed the classes and methods
public void onCreate(Bundle paramBundle) {
    super.onCreate(paramBundle);
    com.worklight.androidgap.b.a.a(this);
    com.worklight.androidgap.b.a.b();
    com.worklight.androidgap.b.a.b(this);
    com.worklight.androidgap.b.a.b().a(getApplicationContext(), this);
}
Stack Traces?
• What do you do when a user (or app) submits a stack trace for you to debug?
• Every run of ProGuard generates a mapping.txt file that contains info on how to undo the obfuscation
• This file can be uploaded to Google Play with your .apk and Google will handle it for you!
mapping.txt
cs4720.cs.virginia.edu.sensorexample.AccelSensor -> cs4720.cs.virginia.edu.sensorexample.AccelSensor:
    android.hardware.SensorManager mSensorManager -> a
    android.hardware.Sensor mSensor -> b
    double maxValue -> c
    void <init>() -> <init>
    void onCreate(android.os.Bundle) -> onCreate
    void onAccuracyChanged(android.hardware.Sensor,int) -> onAccuracyChanged
    void onSensorChanged(android.hardware.SensorEvent) -> onSensorChanged
    void onResume() -> onResume
    void onPause() -> onPause
    boolean onCreateOptionsMenu(android.view.Menu) -> onCreateOptionsMenu
Passwords?
• ProGuard can make things harder…
• …but a password can’t be encrypted, per se, since you have to use it!
• Options?
– Lock your keys in another encrypted box (or DB)
– Have the user provide it in some way
– public/private key handshake
Above All Else
• Common Sense!!!!
• Store hashes of passwords if possible
• Use built-in encrypted stores (like KeyStore or KeyChain) for credentials
• Don’t “overreach” on permissions
• Don’t trust your users - validate all input
• Don’t expose extra functionality
• Don’t run anything as admin