Your SlideShare is downloading. ×
ASFWS 2011 - Secure software development for mobile devices
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

ASFWS 2011 - Secure software development for mobile devices


Published on

Application Security Forum 2011 …

Application Security Forum 2011
27.10.2011 - Yverdon-les-Bains (Switzerland)
Speaker: Julien Probst

Published in: Technology
1 Comment
  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. DÉVELOPPEMENT D’APPLICATIONSMOBILES SÉCURISÉESJulien ProbstCofondateur Sysmosoft SA Application Security Forum Western Switzerland 27 octobre 2011 - HEIGVD Yverdon-les-Bains 27.10.2011 Application Security Forum - Western Switzerland - 2011 1
  • 2. Swiss based companySpecialized in Mobile SecuritySpinoff of the University of Applied Sciences in Yverdon-les-Bains (HEIG-VD)MobilityWorking since 2008 with private banks to create an adapted solutionIn production since 2010SecurityThreat and vulnerability analysis linked to mobilityAgile & Security Development Lifecycle 2
  • 3. Theft/Lost Property of the enterpriseVirus/Malwares Unauthorized User’s personal access phone Outside Company Network 3
  • 4. 4
  • 5. Purpose ‒ Install Free Apps from “Alternative Stores” ‒ Unlock some new device features Security Issues ‒ All OS Security mechanisms are disabled… ‒ … So all data can potentially be accessed ‒ “Alternative stores” do not verify Apps JailbreakMe ‒ Jailbreak your iPhone/iPad from a web page ‒ Uses a third party App Security Flaw ‒ Versions : v1 2007, v2 2010, v3 2011Source : 5
  • 6. Purpose ‒ To improve user’s experience, some data are shared between Apps ‒ “Official” APIs are usually provided by the OS Security Issues ‒ Easy for Developers to access your shared data… ‒ …and do what they want with it Wall Street Journal Analysis ‒ Over 100 analyzed legal applications ‒ 5 of them transmitted address book to outsidersSource : Wall Street Journal, Your Apps Are Watching You, 17 Dec. 2010 6
  • 7. PoCHow It Works 1. Get access to an iPhone 2. Execute a Jailbreak 3. Install and run the Fraunhofer’s script 4. Wait for the OS to decrypt the Keychain — The PIN Code is not required — Not all secrets are decrypted 5. Access user’s secrets in 6 minutes Source : 7
  • 8. Purpose ‒ Commercial and Free/Open Source solutions ‒ Access “all” data stored on a Smartphone Grant Access to iOS 4.x Physical imaging Logical imaging Passcode recovery Keychain decryption Disk decryption Source : & 8
  • 9. Compromised data Affected Shared Keychain Application Data Device Attack users Data Data Data Transport Specific.Malicious legalApp.JailBreak(with malicious App.)Fraunhofer’s PoCForensic Solution 9
  • 10. 10
  • 11. Professional Configuration Operating SystemDevice Security features Device Configuration Applications Resources 11
  • 12. Prof. Config. User Config. Operating System Device Security features Device Configuration Applications Secure Application Resources Security Business 12
  • 13. 13
  • 14. Device OS User’s secrets Interface “Screenshots” Keychain Display Memory Application Output Manag. Memory’s Data Keyboard Data Input TransportDictionary cache OS App. Application’s State Backup Manager Storage Device’s Data Shared Data Application Data 14
  • 15. OS Application : Secure Document Reader OSSecurity Protection Business Prevention Features Clean KeyboardKeychain Encrypt keyboard Input on exit Clean OS App.Storage Encrypt state on Manager standby Clean Data Auth & Memory mem. onTransport Encrypt Manag. standby 15
  • 16. Cryptographic algorithmsImplements all cryptographic algorithms at the application levelUsually the strongest part of the applicationKey ManagementManages all cryptographic keys at the application levelUsually a weak point of the application 16
  • 17. View Mode – Best securityDo not store data on the deviceOnly use the established ephemeral session key to exchange the dataCache Mode – Best compromiseEncrypt data on the deviceStore and protect the key on the server onlyOffline Mode – Less SecureEncrypt data on the deviceStore and protect the key on the device 17
  • 18. Offline authentication limitation‒ Device ID cannot be verified by the device itself‒ Hardware Tokens ID are verified by a trusted server‒ Only the user’s ID can be verified by the devicePotential attacks against offline authentication‒ Social engineering to obtain user’s credentials‒ Brute force attack against data encryption’s key • Even if crypto algorithms (PBKDF2) are used 18
  • 19. Check the operating systemVerify the version of the OSControl the integrity of the OS (jailbreak, etc.)Check for systems unsecure caches and featuresAvoid/Clean caches (keyboard, pasteboard, screenshots, etc.)Detect undesired features (multitasking manage., backup, etc.)Apply device specific best practiceSecurity recommendationsMemory management, … 19
  • 20. 20
  • 21. Comply with company security policiesCountermeasures are implemented according to the security needsUse high level standards cryptographic algorithmsCrypto algorithms can be used without limitation or restrictionsApply the same security mechanisms to each platformSame mechanisms can be implemented and managed for each platform 21
  • 22. The Application still relies on the operating systemCritical flaw in the OS can potentially lead to data breachSome mechanisms remain out of the control of the applicationOS Prevention/Control mechanisms must be developed (cache cleaning, etc.)Offline Mode remains a potential issueTrusted specific hardware can potentially be usedImplementing security inside Apps. requires experience and timeIntegrating a Security Development Lifecycle (SDLC) is recommended 22
  • 23. Mobile Devices are new threat vectors for companies’ dataMisconfigured devices are vulnerable to a multitude of new types of attacksConventional security solutions are not really adapted for mobilityApplying company security policies to personal mobile devices is not possibleIntegrate security inside Apps and not rely only on OS or infrastructureSensitive data is protected by additional applicative security mechanismsIsolate sensitive or corporate data from private dataEnd users keep their habits while companies apply specific rules to sensitive data 23
  • 24. Contact Rue Galilée 9Sysmosoft SA 1400 Yverdon-les-Bains +41 (0) 24 524 10 36Julien Probst 24