ASFWS 2011 - Secure software development for mobile devices
Application Security Forum 2011

27.10.2011 - Yverdon-les-Bains (Switzerland)
Speaker: Julien Probst



Usage Rights: CC Attribution-NonCommercial License


ASFWS 2011 - Secure software development for mobile devices Presentation Transcript

  • 1. SECURE MOBILE APPLICATION DEVELOPMENT. Julien Probst, Co-founder, Sysmosoft SA. Application Security Forum Western Switzerland, 27 October 2011, HEIG-VD Yverdon-les-Bains
  • 2. Swiss-based company
       ‒ Specialized in Mobile Security
       ‒ Spinoff of the University of Applied Sciences in Yverdon-les-Bains (HEIG-VD)
     Mobility
       ‒ Working since 2008 with private banks to create an adapted solution
       ‒ In production since 2010
     Security
       ‒ Threat and vulnerability analysis linked to mobility
       ‒ Agile & Security Development Lifecycle
  • 3. [Diagram; labels: Theft/Loss, Property of the enterprise, Virus/Malware, Unauthorized access, User’s personal phone, Outside Company Network]
  • 4. 4
  • 5. Purpose
       ‒ Install Free Apps from “Alternative Stores”
       ‒ Unlock some new device features
     Security Issues
       ‒ All OS Security mechanisms are disabled…
       ‒ … So all data can potentially be accessed
       ‒ “Alternative stores” do not verify Apps
     JailbreakMe
       ‒ Jailbreak your iPhone/iPad from a web page
       ‒ Uses a third party App Security Flaw
       ‒ Versions: v1 2007, v2 2010, v3 2011
     Source :
  • 6. Purpose
       ‒ To improve user’s experience, some data are shared between Apps
       ‒ “Official” APIs are usually provided by the OS
     Security Issues
       ‒ Easy for Developers to access your shared data…
       ‒ …and do what they want with it
     Wall Street Journal Analysis
       ‒ Over 100 analyzed legal applications
       ‒ 5 of them transmitted address book to outsiders
     Source : Wall Street Journal, Your Apps Are Watching You, 17 Dec. 2010
  • 7. PoC: How It Works
       1. Get access to an iPhone
       2. Execute a Jailbreak
       3. Install and run the Fraunhofer’s script
       4. Wait for the OS to decrypt the Keychain
          — The PIN Code is not required
          — Not all secrets are decrypted
       5. Access user’s secrets in 6 minutes
     Source :
  • 8. Purpose
       ‒ Commercial and Free/Open Source solutions
       ‒ Access “all” data stored on a Smartphone
     Grant Access to iOS 4.x
       ‒ Physical imaging
       ‒ Logical imaging
       ‒ Passcode recovery
       ‒ Keychain decryption
       ‒ Disk decryption
     Source : &
  • 9. [Table comparing attacks; columns: Attack, Affected users, Compromised data (Shared Data, Keychain Data, Application Data, Data Transport), Device Specific; rows: Malicious legal App., JailBreak (with malicious App.), Fraunhofer’s PoC, Forensic Solution; cell values not recoverable]
  • 10. 10
  • 11. [Diagram; labels: Professional Configuration, Operating System, Device, Security features, Device Configuration, Applications, Resources]
  • 12. [Diagram; labels: Prof. Config., User Config., Operating System, Device, Security features, Device Configuration, Applications, Secure Application, Resources, Security, Business]
  • 13. 13
  • 14. [Diagram of device, OS and application components; labels: Device, OS, User’s secrets, Interface, “Screenshots”, Keychain, Display, Memory Manag., Application, Output, Memory’s Data, Keyboard, Data Input, Transport, Dictionary cache, OS App. Manager, Application’s State, Backup, Storage, Device’s Data, Shared Data, Application Data]
  • 15. [Diagram; Application: Secure Document Reader, placed between OS Security Features (Keychain, Storage, Data Transport) and OS Features (Keyboard Input, OS App. Manager, Memory Manag.); Protection: Encrypt, Encrypt, Auth & Encrypt; Prevention: Clean keyboard on exit, Clean state on standby, Clean mem. on standby; Business]
  • 16. Cryptographic algorithms
       ‒ Implements all cryptographic algorithms at the application level
       ‒ Usually the strongest part of the application
     Key Management
       ‒ Manages all cryptographic keys at the application level
       ‒ Usually a weak point of the application
  • 17. View Mode – Best security
       ‒ Do not store data on the device
       ‒ Only use the established ephemeral session key to exchange the data
     Cache Mode – Best compromise
       ‒ Encrypt data on the device
       ‒ Store and protect the key on the server only
     Offline Mode – Less Secure
       ‒ Encrypt data on the device
       ‒ Store and protect the key on the device
  • 18. Offline authentication limitation
       ‒ Device ID cannot be verified by the device itself
       ‒ Hardware Tokens ID are verified by a trusted server
       ‒ Only the user’s ID can be verified by the device
     Potential attacks against offline authentication
       ‒ Social engineering to obtain user’s credentials
       ‒ Brute force attack against data encryption’s key
          • Even if crypto algorithms (PBKDF2) are used
  • 19. Check the operating system
       ‒ Verify the version of the OS
       ‒ Control the integrity of the OS (jailbreak, etc.)
     Check for the system’s insecure caches and features
       ‒ Avoid/Clean caches (keyboard, pasteboard, screenshots, etc.)
       ‒ Detect undesired features (multitasking manage., backup, etc.)
     Apply device-specific best practice
       ‒ Security recommendations
       ‒ Memory management, …
  • 20. 20
  • 21. Comply with company security policies
       ‒ Countermeasures are implemented according to the security needs
     Use high-level standard cryptographic algorithms
       ‒ Crypto algorithms can be used without limitation or restrictions
     Apply the same security mechanisms to each platform
       ‒ Same mechanisms can be implemented and managed for each platform
  • 22. The Application still relies on the operating system
       ‒ Critical flaw in the OS can potentially lead to data breach
     Some mechanisms remain out of the control of the application
       ‒ OS Prevention/Control mechanisms must be developed (cache cleaning, etc.)
     Offline Mode remains a potential issue
       ‒ Trusted specific hardware can potentially be used
     Implementing security inside Apps requires experience and time
       ‒ Integrating a Security Development Lifecycle (SDLC) is recommended
  • 23. Mobile Devices are new threat vectors for companies’ data
       ‒ Misconfigured devices are vulnerable to a multitude of new types of attacks
     Conventional security solutions are not really adapted for mobility
       ‒ Applying company security policies to personal mobile devices is not possible
     Integrate security inside Apps and not rely only on OS or infrastructure
       ‒ Sensitive data is protected by additional applicative security mechanisms
     Isolate sensitive or corporate data from private data
       ‒ End users keep their habits while companies apply specific rules to sensitive data
  • 24. Contact: Julien Probst, Sysmosoft SA, Rue Galilée 9, 1400 Yverdon-les-Bains, +41 (0) 24 524 10 36
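
Slides 17 and 18 note that in Offline Mode the key lives on the device and that a key derived from the user's credential can be brute-forced even when PBKDF2 is used. The following is an added example, not code from the presentation or from Sysmosoft, that sizes a credential policy against that limit; the iteration count, the sample policies and the one-year target are assumptions.

```python
import hashlib
import os
import time

def derive_key(secret: str, salt: bytes, iterations: int) -> bytes:
    """Offline-mode key: PBKDF2-HMAC-SHA256 over the user's secret, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               iterations, dklen=32)

def measure_guess_rate(iterations: int, samples: int = 3) -> float:
    """Derivations per second on this machine, single core.
    Dedicated hardware will be faster, so treat this as optimistic."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(str(i), salt, iterations)
    return samples / (time.perf_counter() - start)

def worst_case_seconds(alphabet: int, length: int, guesses_per_sec: float) -> float:
    """Time to try every credential of the given alphabet size and length."""
    return alphabet ** length / guesses_per_sec

def min_length(alphabet: int, guesses_per_sec: float, target_seconds: float) -> int:
    """Shortest credential length whose full search takes >= target_seconds."""
    needed = target_seconds * guesses_per_sec
    length = 1
    while alphabet ** length < needed:
        length += 1
    return length

if __name__ == "__main__":
    ITERATIONS = 100_000  # assumed setting, not taken from the slides
    rate = measure_guess_rate(ITERATIONS)
    year = 365 * 24 * 3600
    # Constructed sample policies: (name, alphabet size, length)
    policies = [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
                ("8-char alphanumeric", 62, 8)]
    print(f"{rate:.1f} derivations/s at {ITERATIONS} iterations")
    for name, alphabet, length in policies:
        secs = worst_case_seconds(alphabet, length, rate)
        print(f"{name:22s} exhausted in {secs / 3600:14.1f} h")
    for name, alphabet in [("digits", 10), ("alphanumeric", 62)]:
        print(f"{name}: need length >= {min_length(alphabet, rate, year)} "
              f"for one year of resistance")
```

The iteration count only scales the cost per guess linearly, while credential length scales the search space exponentially, which is why a short PIN stays weak in Offline Mode regardless of the KDF setting.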