Secure your mobile apps, by Noé Beuret and Marc-Henri Primault


DESCRIPTION

Why and how to secure a mobile application.


Page 1: Secure Your Mobile Apps

Secure your mobile apps

Noé Beuret

Marc-Henri Primault

Page 2:

Page 3:

WHY DOES YOUR APP NEED SECURITY?

Page 4:

Source: IBM Software

Apple reveals government data requests (6 Nov. 2013)

iOS Banking Apps Riddled with Holes (17 Jan. 2014)

Apple security flaw allows encryption to be beaten (22 Feb. 2014)

Through 2015, more than 75% of mobile apps will fail basic security tests

75% of security breaches come from mobile app misconfiguration (Gartner)

Page 5:

WHY AREN'T APPS SECURE ENOUGH?

Page 6:

MOBILE SECURITY CHALLENGES

New technologies
• Heterogeneous OS platforms
• New version every year

Developers
• Focus on features, not security
• Unaware of underlying flaws

Mobile security
• Hard to build knowledge
• Only for a few products
• Penetration testing costs

Page 7:

THREATS

Diagram: SENSITIVE DATA at the centre, exposed through an INSECURE CONNECTION, an INSECURE DEVICE, INSECURE CLOUD STORAGE and INSECURE APPS.

Page 8:

Threats: access to local data

Page 9:

Diagram: ways an attacker reaches local data: physical access, malware, code (the app itself), jailbreak.

DATA COMM

Page 10:

iOS - iExplorer

Page 11:

Best practices

Do I need to store the data?

Store in RAM when it is possible

Use the basic protection provided by the OS

Encrypt all sensitive information

Clean keys from the memory

Never save the keys or password without protection

Page 12:

Best practices

Jailbreak detection

Never use the password directly:

Password → Derivation + Hash
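The storage rules from the two slides above, worked through in one place. This is an added example, not code from the deck or from Sysmosoft: the password is never used or stored directly, a key is derived from it (PBKDF2-HMAC-SHA256 with a random salt), only a hash of the derived key is persisted as a verifier, and the key is zeroed as soon as it has been used. The iteration count and the record layout are assumptions chosen for illustration.

```python
"""Added example: password -> derivation + hash, with key hygiene.
Not part of the original deck; round count and record layout are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000   # assumption: pick a count that costs ~100 ms on the target device
KEY_LEN = 32


def derive_key(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytearray:
    """Password -> derivation: PBKDF2-HMAC-SHA256 with a per-user random salt.
    Returned as a mutable bytearray so the caller can zero it afterwards."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=KEY_LEN)
    return bytearray(key)


def wipe(buf: bytearray) -> None:
    """Clean key material from memory. In Python this is best effort (immutable
    copies may linger until garbage-collected); the native equivalents the deck
    targets are Arrays.fill() on a byte[] in Java and memset_s() in C/Objective-C."""
    for i in range(len(buf)):
        buf[i] = 0


def make_verifier(password: str, rounds: int = PBKDF2_ROUNDS) -> dict:
    """Derivation + hash: what gets persisted is the salt and a hash of the
    derived key, never the password and never the key itself."""
    salt = os.urandom(16)
    key = derive_key(password, salt, rounds)
    try:
        verifier = hashlib.sha256(key).hexdigest()
    finally:
        wipe(key)
    return {"salt": salt.hex(), "rounds": rounds, "verifier": verifier}


def check_password(password: str, record: dict) -> bool:
    """Re-derive from the stored salt and compare in constant time; the key
    lives in RAM only for the duration of the check."""
    key = derive_key(password, bytes.fromhex(record["salt"]), record["rounds"])
    try:
        candidate = hashlib.sha256(key).hexdigest()
        return hmac.compare_digest(candidate, record["verifier"])
    finally:
        wipe(key)
```

The same derived key (or a second one derived with a different salt) is what should feed the encryption of stored data; the record written to disk lets the app verify a password without ever being able to recover it.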

Page 13:

Threats: communication

Page 14:

Man in the Middle Attack

1. Intercept traffic with one of several attacks:
• ARP poisoning
• Rogue access points
• Evil twin attack

2. Eavesdrop on clear-text packets

3. Eavesdrop on SSL packets:
• SSL stripping
• Malicious SSL certificate

Page 15:

SSL Stripping (client → attacker → server)

1. Client: GET http://mybank.com; the attacker forwards GET http://mybank.com to the server
2. Server: 302 → https://mybank.com
3. The attacker completes the SSL handshake with the server itself
4. Server: 200 OK for https://mybank.com; the attacker returns 200 OK for http://mybank.com to the client, with the HTTPS links replaced by HTTP

Malicious SSL Certificate (client → attacker → server)

1. Client: CONNECT https://mybank.com to the attacker; the attacker sends CONNECT https://mybank.com to the server
2. The attacker presents its own certificate to the client and keeps a separate SSL session with the server, so it can read and modify traffic on both legs
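The SSL-stripping exchange above, simulated end to end as an added example (not the deck's own code or demo). The bank page, the proxy and the client are constructed in-process: the legitimate server answers plain HTTP with a 302 to HTTPS, the attacker follows that redirect itself and hands the victim a 200 OK whose https:// links have been rewritten to http://, and the hardened client applies the rule from the deck's best practices (a full HTTPS URL, always) to the request, to any Location header and to every link it is about to use. Hostnames and page content are constructed for the example.

```python
"""Added example: SSL stripping, attacker side and the client rule that defeats it.
Not from the original deck; server, proxy and page are constructed in-process."""
import re
from urllib.parse import urlsplit

# Constructed sample page, as mybank.com would serve it over HTTPS after the 302.
BANK_PAGE = (
    '<html><body>'
    '<a href="https://mybank.com/login">Login</a>'
    '<form action="https://mybank.com/transfer"></form>'
    '</body></html>'
)


def bank_server(url: str):
    """Legitimate server: plain HTTP is answered with 302 -> HTTPS, HTTPS with the page."""
    if url.startswith("http://"):
        return 302, {"Location": "https://" + url[len("http://"):]}, ""
    return 200, {}, BANK_PAGE


def strip_https(body: str) -> str:
    """The rewrite at the heart of SSL stripping: every https:// reference becomes
    http://, so the victim's next request leaves the device in clear text."""
    return body.replace("https://", "http://")


def stripping_proxy(url: str):
    """Attacker in the middle: follows the 302 itself, does the SSL handshake with
    the real server, and returns a plain-HTTP 200 OK with downgraded links.
    The victim never sees the 302 or any certificate."""
    status, headers, body = bank_server(url)
    if status == 302:
        status, headers, body = bank_server(headers["Location"])  # attacker <-> server leg over HTTPS
    return 200, {"Content-Type": "text/html"}, strip_https(body)


def links(body: str) -> list:
    """All href/action targets in a page, in document order."""
    return re.findall(r'(?:href|action)="([^"]+)"', body)


def assert_full_https(url: str) -> str:
    """Client-side rule: always use a full HTTPS URL. An http:// URL, whether
    hard-coded, found in a page or handed back in a Location header, is refused
    rather than followed, which removes the downgrade step the attack needs."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("refusing non-HTTPS URL: " + url)
    return url


def hardened_fetch(url: str, transport=bank_server) -> list:
    """App that enforces the rule on a possibly hostile path and returns the
    links it would be willing to follow. A downgraded link or redirect raises,
    which is the right outcome: it is an attack signal, not a fallback."""
    status, headers, body = transport(assert_full_https(url))
    if status == 302:
        assert_full_https(headers["Location"])
    return [assert_full_https(link) for link in links(body)]
```

Run `hardened_fetch("https://mybank.com", transport=stripping_proxy)` and the app refuses the first stripped link; run it with `bank_server` and it gets the two HTTPS links back. The point is that the check has to be on the client, because everything the stripping proxy sends looks like a perfectly normal HTTP response.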

Page 16:

Demo

Page 17:

Protection Measures: use SSL / TLS over HTTP

Integrity

Confidentiality

Page 18:

HTTPS: Best practices (Protection Measures)

Always use a full HTTPS URL

Whenever possible, self-signed certificates should be forbidden

If that is not possible, DO NOT trust everything!

Trust only your own certificate by doing SSL pinning
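SSL pinning in the form the slide recommends: the app keeps normal CA validation (so self-signed certificates are rejected as before) and additionally refuses any server certificate whose fingerprint is not one it was built with. This is an added example, not code from the deck or from any of the products it lists; the hostname, the pin set and the sample DER bytes are constructed placeholders, and the pin check is separated from the socket code so it can be exercised without a network.

```python
"""Added example: certificate pinning as a fingerprint check on the server's
DER certificate, on top of regular CA validation. Not from the original deck;
host, pins and sample bytes are placeholders."""
import hashlib
import socket
import ssl

# Assumption: SHA-256 fingerprints of the DER-encoded leaf certificate(s) the app
# was built against, current plus backup. The value below is a constructed
# placeholder, not a real certificate's fingerprint.
PINS = {
    "api.example.com": {
        "7f0fd6b8cb3c0a5d4f3b0d6b1e9b2a4c6d8e0f1a2b3c4d5e6f708192a3b4c5d6",
    },
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate exactly as presented on the wire."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host: str, der_cert: bytes, pins=PINS) -> bool:
    """Fail closed: a host with no pin set is not one this app talks to, and a
    certificate outside the set is rejected even if a trusted CA signed it."""
    expected = pins.get(host)
    if not expected:
        return False
    return fingerprint(der_cert) in expected


def pinned_connect(host: str, port: int = 443, pins=PINS) -> ssl.SSLSocket:
    """Regular validation first (hostname + CA chain, so self-signed certificates
    fail here), then the pin on the certificate the server actually sent.
    Not exercised offline; it needs a live server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if not check_pin(host, der, pins):
        sock.close()
        raise ssl.SSLError("certificate for %s does not match any pinned fingerprint" % host)
    return sock
```

Pinning the leaf certificate means every certificate renewal is an app update, which is why the pin set holds a backup fingerprint; pinning the public key (SPKI) instead survives renewals that keep the same key pair, but the check shape is the same. Either way, a MITM with a malicious certificate now fails at `check_pin` even when the victim's device trusts the attacker's CA.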

Page 19:

Proxy: Integrity, Confidentiality, Anonymity

VPN: Integrity, Confidentiality, Authentication, Anonymity, Internal network access

Page 20:

QUICK WINS

Page 21:

QUICK WINS

Storage
• SQLCipher for Android: encrypted SQLite databases (sqlcipher/android-database-sqlcipher)
• IOCipher: virtual encrypted disks (guardianproject/IOCipher)

Code analysis
• RootTools: basic root detection (stericson/RootTools)
• ProGuard: obfuscation & shrinker tool (http://proguard.sourceforge.net)

Page 22:

QUICK WINS

Storage
• SQLCipher for iOS: encrypted SQLite databases (sqlcipher/sqlcipher)
• iOS-Crypto-API: wrapper over the Security framework (cstaylor/iOS-Crypto-API)

Network communication
• ADVcertificator: SSL certification (http://www.advtools.com/Products/ADVcertificator.html)

Code analysis
• ADVdetector: jailbreak detection (http://www.advtools.com/Products/ADVdetector.html)

Page 23:

TECHNOLOGY

Page 24:

SECURE APP = YOUR APP + Framework

SENSE framework:
• Encrypted storage
• Encrypted communication
• Proxy HTTP
• Keys manager
• Identity manager
• Jailbreak detection
• Data leakage prevention

Page 25:

SENSE

Page 26:

CONCLUSION

• Do not underestimate the security of your app

• Think about which security level you really need

• Implement best practices

• Review, test and audit your code

Page 27:

THANK YOU FOR YOUR ATTENTION

Contact

Sysmosoft SA, Rue Galilée 6 - 1400 Yverdon-les-Bains, Switzerland

[email protected] / +41 24 524 10 36