ASFWS 2011 - Secure software development for mobile devices


Application Security Forum 2011
27.10.2011 - Yverdon-les-Bains (Switzerland)
Speaker: Julien Probst


  1. Secure Mobile Application Development
     Julien Probst, Co-founder, Sysmosoft SA
     Application Security Forum Western Switzerland, 27 October 2011, HEIG-VD Yverdon-les-Bains
  2. Swiss based company specialized in Mobile Security
     Spin-off of the University of Applied Sciences in Yverdon-les-Bains (HEIG-VD)
     Mobility
     ‒ Working since 2008 with private banks to create an adapted solution
     ‒ In production since 2010
     Security
     ‒ Threat and vulnerability analysis linked to mobility
     ‒ Agile & Security Development Lifecycle
  3. Threat picture (diagram labels only): Theft/Loss, Virus/Malware, Unauthorized access; Property of the enterprise vs. User’s personal phone; Outside Company Network
  5. Purpose
     ‒ Install free Apps from “Alternative Stores”
     ‒ Unlock some new device features
     Security Issues
     ‒ All OS security mechanisms are disabled…
     ‒ … so all data can potentially be accessed
     ‒ “Alternative stores” do not verify Apps
     JailbreakMe
     ‒ Jailbreak your iPhone/iPad from a web page
     ‒ Uses a third party App security flaw
     ‒ Versions: v1 2007, v2 2010, v3 2011
     Source:
  6. Purpose
     ‒ To improve the user’s experience, some data are shared between Apps
     ‒ “Official” APIs are usually provided by the OS
     Security Issues
     ‒ Easy for developers to access your shared data…
     ‒ … and do what they want with it
     Wall Street Journal Analysis
     ‒ Over 100 analyzed legal applications
     ‒ 5 of them transmitted the address book to outsiders
     Source: Wall Street Journal, “Your Apps Are Watching You”, 17 Dec. 2010
  7. PoC: How It Works
     1. Get access to an iPhone
     2. Execute a Jailbreak
     3. Install and run the Fraunhofer’s script
     4. Wait for the OS to decrypt the Keychain
        — The PIN code is not required
        — Not all secrets are decrypted
     5. Access the user’s secrets in 6 minutes
     Source:
  8. Purpose
     ‒ Commercial and Free/Open Source solutions
     ‒ Access “all” data stored on a smartphone
     Grant access to iOS 4.x
     ‒ Physical imaging
     ‒ Logical imaging
     ‒ Passcode recovery
     ‒ Keychain decryption
     ‒ Disk decryption
     Source: &
  9. Summary table (cell values were not captured in the extraction)
     Columns: Attack | Affected users | Compromised data: Shared Data, Keychain Data, Application Data, Data Transport, Device Specific
     Rows: Malicious legal App. | JailBreak (with malicious App.) | Fraunhofer’s PoC | Forensic Solution
  11. Device model (diagram labels only): Professional Configuration; Operating System; Device Security features; Device Configuration; Applications; Resources
  12. Device model with a secure application (diagram labels only): Prof. Config.; User Config.; Operating System; Device Security features; Device Configuration; Applications; Secure Application (Security, Business); Resources
  14. Where an application’s data lives on the device (diagram labels)
      Device: OS; User’s secrets; Interface
      Display / Output: “Screenshots”
      Keychain
      Memory Manag.: Memory’s Data
      Keyboard / Input: Dictionary cache
      Data Transport
      OS App. Manager: Application’s State; Backup
      Storage: Device’s Data; Shared Data; Application Data
  15. Application: Secure Document Reader (table columns: OS | Security Features | Protection | Business | Prevention)
      ‒ Keyboard Input: clean keyboard cache on exit
      ‒ Keychain: encrypt
      ‒ OS App. Manager: clean state on standby
      ‒ Storage: encrypt
      ‒ Data Transport: authenticate & encrypt
      ‒ Memory Manag.: clean memory on standby
  16. Cryptographic algorithms
      ‒ Implement all cryptographic algorithms at the application level
      ‒ Usually the strongest part of the application
      Key Management
      ‒ Manage all cryptographic keys at the application level
      ‒ Usually a weak point of the application
  17. View Mode – Best security
      ‒ Do not store data on the device
      ‒ Only use the established ephemeral session key to exchange the data
      Cache Mode – Best compromise
      ‒ Encrypt data on the device
      ‒ Store and protect the key on the server only
      Offline Mode – Less secure
      ‒ Encrypt data on the device
      ‒ Store and protect the key on the device
  18. Offline authentication limitation
      ‒ Device ID cannot be verified by the device itself
      ‒ Hardware token IDs are verified by a trusted server
      ‒ Only the user’s ID can be verified by the device
      Potential attacks against offline authentication
      ‒ Social engineering to obtain the user’s credentials
      ‒ Brute force attack against the data encryption key
        • Even if crypto algorithms (PBKDF2) are used
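Why slide 18 warns that PBKDF2 alone does not rescue Offline Mode, as an added illustration that is not part of the original deck: in Offline Mode (slide 17) the data key is derived from a secret the user types on the device, so whoever copies the encrypted store and its salt can try candidate secrets offline, and the key-stretching only sets the price of each guess. The example measures that price on the current machine and sizes the worst-case search for a 4-digit PIN against a 12-character passphrase; the PBKDF2-HMAC-SHA256 choice, salt length, key length and iteration counts are assumptions, not values from the slides.

```python
import hashlib
import os
import time

# Assumed parameters (not from the slides): PBKDF2-HMAC-SHA256, 16-byte random
# salt, 32-byte derived key. The salt sits beside the ciphertext, so an attacker
# who copies the device's storage has it too.
SALT_LEN = 16
KEY_LEN = 32


def derive_offline_key(secret: str, salt: bytes, iterations: int) -> bytes:
    """Offline Mode: the data key is derived from a user-held secret and never
    leaves the device; PBKDF2 only makes each candidate secret slower to test."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one PBKDF2 evaluation on this machine."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    for _ in range(samples):
        derive_offline_key("probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets an exhaustive search has to try."""
    return alphabet_size ** length


def worst_case_search_seconds(alphabet_size: int, length: int,
                              per_guess: float) -> float:
    """Single-core time for an attacker holding ciphertext and salt to try every
    candidate secret offline (the brute-force case slide 18 describes)."""
    return keyspace(alphabet_size, length) * per_guess


def compare_secrets(iterations: int) -> dict:
    """Contrast a 4-digit PIN with a 12-character lower-case passphrase."""
    cost = seconds_per_guess(iterations)
    return {
        "seconds_per_guess": cost,
        "pin_4_digits_days": worst_case_search_seconds(10, 4, cost) / 86400,
        "passphrase_12_lower_days": worst_case_search_seconds(26, 12, cost) / 86400,
    }


if __name__ == "__main__":
    for its in (1_000, 100_000):
        print(its, compare_secrets(its))
```

The PIN search stays within hours on a single core even at high iteration counts, while the passphrase search grows by many orders of magnitude; this is the gap the deck closes by keeping the key on the server in Cache Mode rather than on the device.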
  19. Check the operating system
      ‒ Verify the version of the OS
      ‒ Control the integrity of the OS (jailbreak, etc.)
      Check for insecure system caches and features
      ‒ Avoid/clean caches (keyboard, pasteboard, screenshots, etc.)
      ‒ Detect undesired features (multitasking management, backup, etc.)
      Apply device specific best practice
      ‒ Security recommendations
      ‒ Memory management, …
  21. Comply with company security policies
      ‒ Countermeasures are implemented according to the security needs
      Use high level standard cryptographic algorithms
      ‒ Crypto algorithms can be used without limitation or restrictions
      Apply the same security mechanisms to each platform
      ‒ Same mechanisms can be implemented and managed for each platform
  22. The application still relies on the operating system
      ‒ A critical flaw in the OS can potentially lead to a data breach
      Some mechanisms remain out of the control of the application
      ‒ OS prevention/control mechanisms must be developed (cache cleaning, etc.)
      Offline Mode remains a potential issue
      ‒ Trusted specific hardware can potentially be used
      Implementing security inside Apps requires experience and time
      ‒ Integrating a Security Development Lifecycle (SDLC) is recommended
  23. Mobile devices are new threat vectors for companies’ data
      ‒ Misconfigured devices are vulnerable to a multitude of new types of attacks
      ‒ Conventional security solutions are not really adapted for mobility
      ‒ Applying company security policies to personal mobile devices is not possible
      Integrate security inside Apps and do not rely only on the OS or infrastructure
      ‒ Sensitive data is protected by additional applicative security mechanisms
      Isolate sensitive or corporate data from private data
      ‒ End users keep their habits while companies apply specific rules to sensitive data
  24. Contact
      Julien Probst, Sysmosoft SA
      Rue Galilée 9, 1400 Yverdon-les-Bains
      +41 (0) 24 524 10 36