SlideShare a Scribd company logo

Addressing the OWASP Mobile Security Threats using Xamarin

Download as PPTX, PDF
Alec Tucker
Alec Tucker

You think your mobile app is secure, but is it really? In this session from Xamarin Evolve 2016 in Orlando, Alec will give you the Top 10 mobile threats to be aware of and take an in-depth look at how to mitigate some of these threats using Xamarin and the OWASP Mobile Security Project. A video of the talk is available here: https://youtu.be/rCT9kiA7SE0?list=PLM75ZaNQS_Fb7I6E9MDnMgwW1GGZIijf_

Mobile
1 of 34
Addressing the OWASP Mobile Security Threats using Xamarin Alec Tucker White Clarke Group @alecdtucker
Intro to Standards How can you prove to an enterprise client that your apps are secure? What boxes might a security conscious client require you to tick to comply with policy? What are the industry guidelines for app security?
The Open Web Application Security Project OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10 for Mobile 2014 / 2016 https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Application Security Verification Standards (ASVS) v3.0 https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf Chapter 17 covers mobile
OWASP Top 10 for Mobile 2014 M1 – Weak server side controls M2 – Insecure data storage on the device M3 – Insufficient transport layer protection M4 – Unintended data leakage M5 – Poor authentication and authorization M6 – Broken cryptography M7 – Client side injection M8 – Security decisions via untrusted inputs M9 – Improper session handling M10 – Lack of binary protection
OWASP Top 10 for Mobile 2016 RC M1 – Improper Platform Usage M2 – Insecure Data Storage M3 – Insecure Communication M4 – Insecure Authentication M5 – Insufficient Cryptography M6 – Insecure Authorization M7 – Client Code Quality M8 – Code Tampering M9 – Reverse Engineering M10 – Extraneous Functionality
2014  2016 RC M1 – Weak server side controls M2 – Insecure data storage on the device M3 – Insufficient transport layer protection M4 – Unintended data leakage M5 – Poor authentication and authorization M6 – Broken cryptography M7 – Client side injection M8 – Security decisions via untrusted inputs M9 – Improper session handling M10 – Lack of binary protection M1 – Improper Platform Usage M2 – Insecure Data Storage M3 – Insecure Communication M4 – Insecure Authentication M5 – Insufficient Cryptography M6 – Insecure Authorization M7 – Client Code Quality M8 – Code Tampering M9 – Reverse Engineering M10 – Extraneous Functionality
Why do common breaches still occur? • Rush to release • Insufficient testing • Malware-infected apps and devices • Lower security budgets for mobile apps • Lack of expertise • Lack of policies Ponemon Institute: https://www.ponemon.org/news-2/64 • Assumption that the OS covers all security requirements • Weaknesses due to cross-platform development and compilation OWASP docs
M1 – Improper Platform Usage Misuse of a platform feature or failure to use platform security controls • Violation of published guidelines • Violation of convention or common practice • Unintentional misuse • Includes requesting too many permissions, or the wrong permissions Example - usesClearTextTraffic on Android, API23+
M1 – Improper Platform Usage
Exposing usesClearTextTraffic in Xamarin using Services; using Xamarin.Forms; [assembly:Dependency(typeof(M1.Droid.NetworkSecurityPolicyService_Droid))] namespace M1.Droid { public class NetworkSecurityPolicyService_Droid : INetworkPolicyService { public NetworkSecurityPolicyService_Droid() { } public bool isClearTextTrafficPermitted() { return Android.Security.NetworkSecurityPolicy.Instance.IsCleartextTrafficPermitted; } } }
Checking usesClearTextTraffic in Xamarin public async Task<string> DownloadContentDishonour(string url) { WebClient client = new WebClient(); return await client.DownloadStringTaskAsync(url); }
Checking usesClearTextTraffic in Xamarin public async Task<string> DownloadContentHonour(string url) { if (networkPolicyService != null && url.StartsWith("http:") && !networkPolicyService.isClearTextTrafficPermitted) { throw new InvalidOperationException( "Clear text network requests are not permitted"); } WebClient client = new WebClient(); return await client.DownloadStringTaskAsync(url); }
M1 – Improper Platform Usage - Components …that honour usesClearTextTraffic • DownloadManager • MediaPlayer • SocketHandler • Java.* / Android.* HTTP, FTP, WebSockets, XMPP, IMAP, SMTP network components • Some third party libraries • OkHttp • ModernHttpClient …that dishonour usesClearTextTraffic • Android.WebKit.WebView • Java.* / Android.* UDP and TCP connections • Any related low-level network stacks • All managed networking components Sydney Mobile .Net (Xamarin) Developers http://www.meetup.com/SydneyMobileDotNetDevelopers/
M2 – Insecure Data Storage 2014 M2 – Insecure Data Storage • SQL databases • Log files • XML datastores / manifest files • Binary data stores • SD card • Cloud sync’d folders 2014 M4 – Unintended Data Leakage • Leaked without developer’s knowledge • Cached data • Images – e.g. task switcher • Key presses • Logging • Buffers This covers two of the 2014 top 10 risks:
Blurring the screen during auto-snapshot public override void OnResignActivation(UIApplication uiApplication) { // 1. Take a screenshot // 2. Blur it // 3. Add the blurred view to the RootViewController.View base.OnResignActivation(uiApplication); } public override void OnActivated(UIApplication uiApplication) { // 4. Remove the blurred view, if there is one base.OnActivated(uiApplication); }
Blurring the screen during auto-snapshot // 1. Take a screenshot UIView view = UIApplication.SharedApplication.KeyWindow.RootViewController.View; UIGraphics.BeginImageContext(view.Frame.Size); view.DrawViewHierarchy(view.Frame, true); UIImage image = UIGraphics.GetImageFromCurrentImageContext(); UIGraphics.EndImageContext();
Blurring the screen during auto-snapshot // 2. Blur it UIImage newImage = null; using(var inputImage = new CoreImage.CIImage(image)) { using(var blur = new CoreImage.CIGaussianBlur()) { blur.Image = inputImage; blur.Radius = 25f; using(var outputImage = blur.OutputImage) { using(var context = CoreImage.CIContext.FromOptions(new CoreImage.CIContextOptions() { UseSoftwareRenderer = false })) { using(var cgImage = context.CreateCGImage(outputImage, new System.Drawing.RectangleF ( new System.Drawing.PointF(0,0), new System.Drawing.SizeF((float)image.Size.Width, (float)image.Size.Height)))) { newImage = UIImage.FromImage(cgImage); } } } } }
Blurring the screen during auto-snapshot // 3. Add the blurred view to the RootViewController.View view.AddSubview(new UIImageView(newImage)); // 4. Remove the blurred view, if there is one int lastIndex = UIApplication.SharedApplication.KeyWindow .RootViewController.View.Subviews.GetUpperBound(0); if (lastIndex > 0) { UIApplication.SharedApplication.KeyWindow .RootViewController.View.Subviews[lastIndex] .RemoveFromSuperview(); }
M2 – Insecure Data Storage iOS Developer Cheat Sheet - https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet - Small amounts of sensitive data should go in the Keychain - Recommends usage of a third party encryption API “not encumbered by inherent weaknesses in Apple’s encryption” - Singles out SQLCipher - Key management then becomes critical ( M5) - https://www.owasp.org/index.php/Key_Management_Cheat_Sheet Windows Mobile 10 Security Guide - https://technet.microsoft.com/en-us/library/mt674915(v=vs.85).aspx
M3 – Insecure Communication This covers: • Poor handshaking • Incorrect SLL versions • Weak negotiation • Cleartext communication of sensitive assets * • SSL certificate validity * Sensitive assets can include things like the IMEI and other hardware addresses. Some jurisdictions consider these to be private data that must be given the same privacy treatment as a phone number or home address
Checking certificate validity – iOS / Android System.Net.ServicePointManager.ServerCertificateValidationCallback += ((sender, certificate, chain, sslPolicyErrors) => { return sslPolicyErrors == System.Net.Security.SslPolicyErrors.None && validCertificates.Contains(certificate.GetCertHashString); });
M4 – Insecure Authentication In general, follow the same rules as a web app for authentication i.e. if porting a web app, it should not be possible to authenticate with less auth factors than the web browser Never use a device identifier (UDID, IP, MAC address, IMEI) to identify a user or a session Remember that some jurisdictions treat these as personal data
M4 – Insecure Authentication Avoid out-of-band authentication tokens being sent to the same device as the user is using to login (e.g. SMS to phone) http://www.smh.com.au/technology/consumer-security/malware-hijacks-big-four- australian-banks-apps-steals-twofactor-sms-codes-20160309-gnf528.html
M5 – Insufficient Cryptography https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet • Only store sensitive data that you need • Use strong approved authenticated encryption • Store a one-way and salted value of passwords • Ensure that the cryptographic protection remains secure even if access controls fail • Ensure that any secret key is protected from unauthorised access • Follow applicable regulations on use of cryptography • PCLCrypto component
M5 – Insufficient Cryptography Use of hardware information in key: SQLCipher advice - What’s unacceptable is to use this in entirety and nothing else - They propose it’s acceptable to use it as a portion of a key, but point out that it’s critical that at least a portion of the key is both: - Entered by the user - Never stored on the device https://discuss.zetetic.net/t/sqlcipher-database-key-material-and-selection/25
M6 – Insecure Authorization App may restrict functions based on user’s authorization level Web service endpoints cannot assume this is sufficient Classic finding is a server implicitly trusting the mobile code to only generate requests appropriate to the user’s privilege level Of course this cannot be assumed of a compromised app
M7 – Client Code Quality Is Your App Secure? - Kerry Lothrop, Thursday Think Like a Hacker - Sam Rehman & Lou Crocker, Wednesday
M8 – Code Tampering private bool IsJailBroken() { return UIApplication.SharedApplication.CanOpenUrl(new NSUrl("cydia://package/com.example.package"))); }
M9 – Reverse Engineering
M10 – Extraneous Functionality
Where to from here? Source: Arxan State of Application Security 2016 – Financial Services Report 2014 M3  2016 M3 Insecure Communication 2014 M10  2016 M9 Reverse Engineering Remembering…
Where to from here? • OWASP ASVS • PCI standards • If you don’t have a security policy, reference these standards • If you do have a security policy, check it against these standards • If you’re writing or reviewing a security policy, check it against these standards • Awareness and further research • Build in house expertise, outsource, bring in specialised security products / consultants • A combination of the above http://www.amazon.com/Xamarin-Unleashed-Alec-Tucker/dp/0672337509
Thank you / Questions

Recommended

Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Abhijeth D
 
MOBİL CİHAZLARDAN MANUEL VERİ ELDE ETME YÖNTEMLERİNİN İNCELENMESİ
MOBİL CİHAZLARDAN MANUEL VERİ ELDE ETME YÖNTEMLERİNİN İNCELENMESİMOBİL CİHAZLARDAN MANUEL VERİ ELDE ETME YÖNTEMLERİNİN İNCELENMESİ
MOBİL CİHAZLARDAN MANUEL VERİ ELDE ETME YÖNTEMLERİNİN İNCELENMESİibrahim BALOGLU
 
Starbucks Web 2.0 case
Starbucks Web 2.0 caseStarbucks Web 2.0 case
Starbucks Web 2.0 caseIvano Sporitus
 
Xamarin security talk slideshare
Xamarin security talk slideshareXamarin security talk slideshare
Xamarin security talk slideshareMarcus de Wilde
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSalesforce Developers
 

Recommended

Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Abhijeth D
 
MOBİL CİHAZLARDAN MANUEL VERİ ELDE ETME YÖNTEMLERİNİN İNCELENMESİ
MOBİL CİHAZLARDAN MANUEL VERİ ELDE ETME YÖNTEMLERİNİN İNCELENMESİMOBİL CİHAZLARDAN MANUEL VERİ ELDE ETME YÖNTEMLERİNİN İNCELENMESİ
MOBİL CİHAZLARDAN MANUEL VERİ ELDE ETME YÖNTEMLERİNİN İNCELENMESİibrahim BALOGLU
 
Starbucks Web 2.0 case
Starbucks Web 2.0 caseStarbucks Web 2.0 case
Starbucks Web 2.0 caseIvano Sporitus
 
Xamarin security talk slideshare
Xamarin security talk slideshareXamarin security talk slideshare
Xamarin security talk slideshareMarcus de Wilde
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSalesforce Developers
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet5h1vang
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M85h1vang
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Präsentation
PräsentationPräsentation
PräsentationAndrea Baur
 
Kristin's Team---UR Conference Poster
Kristin's Team---UR Conference PosterKristin's Team---UR Conference Poster
Kristin's Team---UR Conference PosterJoseph Tise
 
Media technologies used
Media technologies usedMedia technologies used
Media technologies usedReeceymorris
 
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...Marco Furlanetto
 
Paul Bartz Recommendation Letter 1
Paul Bartz Recommendation Letter 1Paul Bartz Recommendation Letter 1
Paul Bartz Recommendation Letter 1Paul Bartz
 
7 Source Control and Release Management
7 Source Control and Release Management7 Source Control and Release Management
7 Source Control and Release Managementjavadch
 
Los envejecientes
Los envejecientesLos envejecientes
Los envejecientesI. E. San Fernando
 
Preservemos nuestro ecosistema proyecto tita expotita
Preservemos nuestro ecosistema proyecto tita expotitaPreservemos nuestro ecosistema proyecto tita expotita
Preservemos nuestro ecosistema proyecto tita expotitaclara ramirez
 
Pantallazos genesis 2
Pantallazos genesis 2Pantallazos genesis 2
Pantallazos genesis 2Andres Kmilo
 
It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016NowSecure
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
system on chip for telecommand system design
system on chip for telecommand system designsystem on chip for telecommand system design
system on chip for telecommand system designRaghavendra Badager
 
An Itroduction to the QUIS Language
An Itroduction to the QUIS LanguageAn Itroduction to the QUIS Language
An Itroduction to the QUIS Languagejavadch
 
Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014n|u - The Open Security Community
 
soc ip core based for spacecraft application
soc ip core based for spacecraft applicationsoc ip core based for spacecraft application
soc ip core based for spacecraft applicationnavyashree pari
 
Enterprise Mobile Security and OWASP Compliance
Enterprise Mobile Security and OWASP ComplianceEnterprise Mobile Security and OWASP Compliance
Enterprise Mobile Security and OWASP ComplianceAlec Tucker
 
Mobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersMobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersAlberto Aguzzi
 

More Related Content

Viewers also liked

Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet5h1vang
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M85h1vang
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Kristin's Team---UR Conference Poster
Kristin's Team---UR Conference PosterKristin's Team---UR Conference Poster
Kristin's Team---UR Conference PosterJoseph Tise
 
Media technologies used
Media technologies usedMedia technologies used
Media technologies usedReeceymorris
 
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...Marco Furlanetto
 
Paul Bartz Recommendation Letter 1
Paul Bartz Recommendation Letter 1Paul Bartz Recommendation Letter 1
Paul Bartz Recommendation Letter 1Paul Bartz
 
7 Source Control and Release Management
7 Source Control and Release Management7 Source Control and Release Management
7 Source Control and Release Managementjavadch
 
Preservemos nuestro ecosistema proyecto tita expotita
Preservemos nuestro ecosistema proyecto tita expotitaPreservemos nuestro ecosistema proyecto tita expotita
Preservemos nuestro ecosistema proyecto tita expotitaclara ramirez
 
Pantallazos genesis 2
Pantallazos genesis 2Pantallazos genesis 2
Pantallazos genesis 2Andres Kmilo
 
It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016NowSecure
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
system on chip for telecommand system design
system on chip for telecommand system designsystem on chip for telecommand system design
system on chip for telecommand system designRaghavendra Badager
 
An Itroduction to the QUIS Language
An Itroduction to the QUIS LanguageAn Itroduction to the QUIS Language
An Itroduction to the QUIS Languagejavadch
 
soc ip core based for spacecraft application
soc ip core based for spacecraft applicationsoc ip core based for spacecraft application
soc ip core based for spacecraft applicationnavyashree pari
 

Viewers also liked (20)

Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
 
Präsentation
PräsentationPräsentation
Präsentation
 
Kristin's Team---UR Conference Poster
Kristin's Team---UR Conference PosterKristin's Team---UR Conference Poster
Kristin's Team---UR Conference Poster
 
Media technologies used
Media technologies usedMedia technologies used
Media technologies used
 
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...
 
Paul Bartz Recommendation Letter 1
Paul Bartz Recommendation Letter 1Paul Bartz Recommendation Letter 1
Paul Bartz Recommendation Letter 1
 
7 Source Control and Release Management
7 Source Control and Release Management7 Source Control and Release Management
7 Source Control and Release Management
 
Los envejecientes
Los envejecientesLos envejecientes
Los envejecientes
 
Preservemos nuestro ecosistema proyecto tita expotita
Preservemos nuestro ecosistema proyecto tita expotitaPreservemos nuestro ecosistema proyecto tita expotita
Preservemos nuestro ecosistema proyecto tita expotita
 
Pantallazos genesis 2
Pantallazos genesis 2Pantallazos genesis 2
Pantallazos genesis 2
 
It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
system on chip for telecommand system design
system on chip for telecommand system designsystem on chip for telecommand system design
system on chip for telecommand system design
 
An Itroduction to the QUIS Language
An Itroduction to the QUIS LanguageAn Itroduction to the QUIS Language
An Itroduction to the QUIS Language
 
Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014
 
soc ip core based for spacecraft application
soc ip core based for spacecraft applicationsoc ip core based for spacecraft application
soc ip core based for spacecraft application
 

Similar to Addressing the OWASP Mobile Security Threats using Xamarin

Enterprise Mobile Security and OWASP Compliance
Enterprise Mobile Security and OWASP ComplianceEnterprise Mobile Security and OWASP Compliance
Enterprise Mobile Security and OWASP ComplianceAlec Tucker
 
Mobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersMobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersAlberto Aguzzi
 
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014Risk Analysis Consultants, s.r.o.
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Scalar Decisions
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesAvi Networks
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSTobias Koprowski
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINXEasily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINXNGINX, Inc.
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...apidays
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile securityJudy Ngure
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceGaurav "GP" Pal
 

Similar to Addressing the OWASP Mobile Security Threats using Xamarin (20)

Enterprise Mobile Security and OWASP Compliance
Enterprise Mobile Security and OWASP ComplianceEnterprise Mobile Security and OWASP Compliance
Enterprise Mobile Security and OWASP Compliance
 
Mobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersMobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net Developers
 
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Owasp masvs spain 17
Owasp masvs spain 17Owasp masvs spain 17
Owasp masvs spain 17
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINXEasily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINX
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure!
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and Compliance
 

More from Alec Tucker

Monkey fest australia 2020
Monkey fest australia 2020Monkey fest australia 2020
Monkey fest australia 2020Alec Tucker
 
Sydney Mobile .Net (Xamarin) Developers Group March 2016
Sydney Mobile .Net (Xamarin) Developers Group March 2016Sydney Mobile .Net (Xamarin) Developers Group March 2016
Sydney Mobile .Net (Xamarin) Developers Group March 2016Alec Tucker
 
SydMobNet March 2016: Matthew Robbins - Android M Security Policies
SydMobNet March 2016: Matthew Robbins - Android M Security PoliciesSydMobNet March 2016: Matthew Robbins - Android M Security Policies
SydMobNet March 2016: Matthew Robbins - Android M Security PoliciesAlec Tucker
 
Sydney Mobile .Net (Xamarin) Developers Group January 2016
Sydney Mobile .Net (Xamarin) Developers Group January 2016Sydney Mobile .Net (Xamarin) Developers Group January 2016
Sydney Mobile .Net (Xamarin) Developers Group January 2016Alec Tucker
 
Xamarin.android memory management gotchas
Xamarin.android memory management gotchasXamarin.android memory management gotchas
Xamarin.android memory management gotchasAlec Tucker
 
Sydney Mobile .Net Developers Group February 2015
Sydney Mobile .Net Developers Group February 2015Sydney Mobile .Net Developers Group February 2015
Sydney Mobile .Net Developers Group February 2015Alec Tucker
 
Sydney Mobile .Net Developers Group January 2015
Sydney Mobile .Net Developers Group January 2015Sydney Mobile .Net Developers Group January 2015
Sydney Mobile .Net Developers Group January 2015Alec Tucker
 
Sydney Mobile .Net Developers Group December 2014
Sydney Mobile .Net Developers Group December 2014Sydney Mobile .Net Developers Group December 2014
Sydney Mobile .Net Developers Group December 2014Alec Tucker
 
#SydMobNet Nov 2014: Evolve 2014 recap
#SydMobNet Nov 2014: Evolve 2014 recap#SydMobNet Nov 2014: Evolve 2014 recap
#SydMobNet Nov 2014: Evolve 2014 recapAlec Tucker
 
Sydney Mobile .Net Developers Group November 2014
Sydney Mobile .Net Developers Group November 2014Sydney Mobile .Net Developers Group November 2014
Sydney Mobile .Net Developers Group November 2014Alec Tucker
 
SydMobNet September 2014: ReactiveUI, Genymotion, Xamarin.UITest and Xamarin ...
SydMobNet September 2014: ReactiveUI, Genymotion, Xamarin.UITest and Xamarin ...SydMobNet September 2014: ReactiveUI, Genymotion, Xamarin.UITest and Xamarin ...
SydMobNet September 2014: ReactiveUI, Genymotion, Xamarin.UITest and Xamarin ...Alec Tucker
 
SydMobNet August 2014: What's New in iOS8 & Xamarin plus .Net MVC and Xamarin...
SydMobNet August 2014: What's New in iOS8 & Xamarin plus .Net MVC and Xamarin...SydMobNet August 2014: What's New in iOS8 & Xamarin plus .Net MVC and Xamarin...
SydMobNet August 2014: What's New in iOS8 & Xamarin plus .Net MVC and Xamarin...Alec Tucker
 
SydMobNet July 2014: Xamarin 3 & Xamarin Forms
SydMobNet July 2014: Xamarin 3 & Xamarin FormsSydMobNet July 2014: Xamarin 3 & Xamarin Forms
SydMobNet July 2014: Xamarin 3 & Xamarin FormsAlec Tucker
 
SydMobNet May 2014 - Lewis Benge on Wearable Tech
SydMobNet May 2014 - Lewis Benge on Wearable TechSydMobNet May 2014 - Lewis Benge on Wearable Tech
SydMobNet May 2014 - Lewis Benge on Wearable TechAlec Tucker
 
SydMobNet April 2014 - Nick Randolph's Build 2014 Update
SydMobNet April 2014 - Nick Randolph's Build 2014 UpdateSydMobNet April 2014 - Nick Randolph's Build 2014 Update
SydMobNet April 2014 - Nick Randolph's Build 2014 UpdateAlec Tucker
 
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014Alec Tucker
 
SydMobDev Feb 2014 - Cross Platform Native App Development with Xamarin and M...
SydMobDev Feb 2014 - Cross Platform Native App Development with Xamarin and M...SydMobDev Feb 2014 - Cross Platform Native App Development with Xamarin and M...
SydMobDev Feb 2014 - Cross Platform Native App Development with Xamarin and M...Alec Tucker
 

More from Alec Tucker (17)

Monkey fest australia 2020
Monkey fest australia 2020Monkey fest australia 2020
Monkey fest australia 2020
 
Sydney Mobile .Net (Xamarin) Developers Group March 2016
Sydney Mobile .Net (Xamarin) Developers Group March 2016Sydney Mobile .Net (Xamarin) Developers Group March 2016
Sydney Mobile .Net (Xamarin) Developers Group March 2016
 
SydMobNet March 2016: Matthew Robbins - Android M Security Policies
SydMobNet March 2016: Matthew Robbins - Android M Security PoliciesSydMobNet March 2016: Matthew Robbins - Android M Security Policies
SydMobNet March 2016: Matthew Robbins - Android M Security Policies
 
Sydney Mobile .Net (Xamarin) Developers Group January 2016
Sydney Mobile .Net (Xamarin) Developers Group January 2016Sydney Mobile .Net (Xamarin) Developers Group January 2016
Sydney Mobile .Net (Xamarin) Developers Group January 2016
 
Xamarin.android memory management gotchas
Xamarin.android memory management gotchasXamarin.android memory management gotchas
Xamarin.android memory management gotchas
 
Sydney Mobile .Net Developers Group February 2015
Sydney Mobile .Net Developers Group February 2015Sydney Mobile .Net Developers Group February 2015
Sydney Mobile .Net Developers Group February 2015
 
Sydney Mobile .Net Developers Group January 2015
Sydney Mobile .Net Developers Group January 2015Sydney Mobile .Net Developers Group January 2015
Sydney Mobile .Net Developers Group January 2015
 
Sydney Mobile .Net Developers Group December 2014
Sydney Mobile .Net Developers Group December 2014Sydney Mobile .Net Developers Group December 2014
Sydney Mobile .Net Developers Group December 2014
 
#SydMobNet Nov 2014: Evolve 2014 recap
#SydMobNet Nov 2014: Evolve 2014 recap#SydMobNet Nov 2014: Evolve 2014 recap
#SydMobNet Nov 2014: Evolve 2014 recap
 
Sydney Mobile .Net Developers Group November 2014
Sydney Mobile .Net Developers Group November 2014Sydney Mobile .Net Developers Group November 2014
Sydney Mobile .Net Developers Group November 2014
 
SydMobNet September 2014: ReactiveUI, Genymotion, Xamarin.UITest and Xamarin ...
SydMobNet September 2014: ReactiveUI, Genymotion, Xamarin.UITest and Xamarin ...SydMobNet September 2014: ReactiveUI, Genymotion, Xamarin.UITest and Xamarin ...
SydMobNet September 2014: ReactiveUI, Genymotion, Xamarin.UITest and Xamarin ...
 
SydMobNet August 2014: What's New in iOS8 & Xamarin plus .Net MVC and Xamarin...
SydMobNet August 2014: What's New in iOS8 & Xamarin plus .Net MVC and Xamarin...SydMobNet August 2014: What's New in iOS8 & Xamarin plus .Net MVC and Xamarin...
SydMobNet August 2014: What's New in iOS8 & Xamarin plus .Net MVC and Xamarin...
 
SydMobNet July 2014: Xamarin 3 & Xamarin Forms
SydMobNet July 2014: Xamarin 3 & Xamarin FormsSydMobNet July 2014: Xamarin 3 & Xamarin Forms
SydMobNet July 2014: Xamarin 3 & Xamarin Forms
 
SydMobNet May 2014 - Lewis Benge on Wearable Tech
SydMobNet May 2014 - Lewis Benge on Wearable TechSydMobNet May 2014 - Lewis Benge on Wearable Tech
SydMobNet May 2014 - Lewis Benge on Wearable Tech
 
SydMobNet April 2014 - Nick Randolph's Build 2014 Update
SydMobNet April 2014 - Nick Randolph's Build 2014 UpdateSydMobNet April 2014 - Nick Randolph's Build 2014 Update
SydMobNet April 2014 - Nick Randolph's Build 2014 Update
 
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
Internet of Things, Mobility & .Net Micro Framework SydMobNet March 2014
 
SydMobDev Feb 2014 - Cross Platform Native App Development with Xamarin and M...
SydMobDev Feb 2014 - Cross Platform Native App Development with Xamarin and M...SydMobDev Feb 2014 - Cross Platform Native App Development with Xamarin and M...
SydMobDev Feb 2014 - Cross Platform Native App Development with Xamarin and M...
 

Addressing the OWASP Mobile Security Threats using Xamarin

  • 1.
  • 2. Addressing the OWASP Mobile Security Threats using Xamarin Alec Tucker White Clarke Group @alecdtucker
  • 3. Intro to Standards How can you prove to an enterprise client that your apps are secure? What boxes might a security conscious client require you to tick to comply with policy? What are the industry guidelines for app security?
  • 4. The Open Web Application Security Project OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10 for Mobile 2014 / 2016 https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Application Security Verification Standards (ASVS) v3.0 https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf Chapter 17 covers mobile
  • 5. OWASP Top 10 for Mobile 2014 M1 – Weak server side controls M2 – Insecure data storage on the device M3 – Insufficient transport layer protection M4 – Unintended data leakage M5 – Poor authentication and authorization M6 – Broken cryptography M7 – Client side injection M8 – Security decisions via untrusted inputs M9 – Improper session handling M10 – Lack of binary protection
  • 6. OWASP Top 10 for Mobile 2016 RC M1 – Improper Platform Usage M2 – Insecure Data Storage M3 – Insecure Communication M4 – Insecure Authentication M5 – Insufficient Cryptography M6 – Insecure Authorization M7 – Client Code Quality M8 – Code Tampering M9 – Reverse Engineering M10 – Extraneous Functionality
  • 7. 2014  2016 RC M1 – Weak server side controls M2 – Insecure data storage on the device M3 – Insufficient transport layer protection M4 – Unintended data leakage M5 – Poor authentication and authorization M6 – Broken cryptography M7 – Client side injection M8 – Security decisions via untrusted inputs M9 – Improper session handling M10 – Lack of binary protection M1 – Improper Platform Usage M2 – Insecure Data Storage M3 – Insecure Communication M4 – Insecure Authentication M5 – Insufficient Cryptography M6 – Insecure Authorization M7 – Client Code Quality M8 – Code Tampering M9 – Reverse Engineering M10 – Extraneous Functionality
  • 8. Why do common breaches still occur? • Rush to release • Insufficient testing • Malware-infected apps and devices • Lower security budgets for mobile apps • Lack of expertise • Lack of policies Ponemon Institute: https://www.ponemon.org/news-2/64 • Assumption that the OS covers all security requirements • Weaknesses due to cross-platform development and compilation OWASP docs
  • 9. M1 – Improper Platform Usage Misuse of a platform feature or failure to use platform security controls • Violation of published guidelines • Violation of convention or common practice • Unintentional misuse • Includes requesting too many permissions, or the wrong permissions Example - usesClearTextTraffic on Android, API23+
  • 10. M1 – Improper Platform Usage
  • 11. Exposing usesClearTextTraffic in Xamarin using Services; using Xamarin.Forms; [assembly:Dependency(typeof(M1.Droid.NetworkSecurityPolicyService_Droid))] namespace M1.Droid { public class NetworkSecurityPolicyService_Droid : INetworkPolicyService { public NetworkSecurityPolicyService_Droid() { } public bool isClearTextTrafficPermitted() { return Android.Security.NetworkSecurityPolicy.Instance.IsCleartextTrafficPermitted; } } }
  • 12. Checking usesClearTextTraffic in Xamarin public async Task<string> DownloadContentDishonour(string url) { WebClient client = new WebClient(); return await client.DownloadStringTaskAsync(url); }
  • 13. Checking usesClearTextTraffic in Xamarin public async Task<string> DownloadContentHonour(string url) { if (networkPolicyService != null && url.StartsWith("http:") && !networkPolicyService.isClearTextTrafficPermitted) { throw new InvalidOperationException( "Clear text network requests are not permitted"); } WebClient client = new WebClient(); return await client.DownloadStringTaskAsync(url); }
  • 14. M1 – Improper Platform Usage - Components …that honour usesClearTextTraffic • DownloadManager • MediaPlayer • SocketHandler • Java.* / Android.* HTTP, FTP, WebSockets, XMPP, IMAP, SMTP network components • Some third party libraries • OkHttp • ModernHttpClient …that dishonour usesClearTextTraffic • Android.WebKit.WebView • Java.* / Android.* UDP and TCP connections • Any related low-level network stacks • All managed networking components Sydney Mobile .Net (Xamarin) Developers http://www.meetup.com/SydneyMobileDotNetDevelopers/
  • 15. M2 – Insecure Data Storage 2014 M2 – Insecure Data Storage • SQL databases • Log files • XML datastores / manifest files • Binary data stores • SD card • Cloud sync’d folders 2014 M4 – Unintended Data Leakage • Leaked without developer’s knowledge • Cached data • Images – e.g. task switcher • Key presses • Logging • Buffers This covers two of the 2014 top 10 risks:
  • 16. Blurring the screen during auto-snapshot public override void OnResignActivation(UIApplication uiApplication) { // 1. Take a screenshot // 2. Blur it // 3. Add the blurred view to the RootViewController.View base.OnResignActivation(uiApplication); } public override void OnActivated(UIApplication uiApplication) { // 4. Remove the blurred view, if there is one base.OnActivated(uiApplication); }
  • 17. Blurring the screen during auto-snapshot // 1. Take a screenshot UIView view = UIApplication.SharedApplication.KeyWindow.RootViewController.View; UIGraphics.BeginImageContext(view.Frame.Size); view.DrawViewHierarchy(view.Frame, true); UIImage image = UIGraphics.GetImageFromCurrentImageContext(); UIGraphics.EndImageContext();
  • 18. Blurring the screen during auto-snapshot // 2. Blur it UIImage newImage = null; using(var inputImage = new CoreImage.CIImage(image)) { using(var blur = new CoreImage.CIGaussianBlur()) { blur.Image = inputImage; blur.Radius = 25f; using(var outputImage = blur.OutputImage) { using(var context = CoreImage.CIContext.FromOptions(new CoreImage.CIContextOptions() { UseSoftwareRenderer = false })) { using(var cgImage = context.CreateCGImage(outputImage, new System.Drawing.RectangleF ( new System.Drawing.PointF(0,0), new System.Drawing.SizeF((float)image.Size.Width, (float)image.Size.Height)))) { newImage = UIImage.FromImage(cgImage); } } } } }
  • 19. Blurring the screen during auto-snapshot // 3. Add the blurred view to the RootViewController.View view.AddSubview(new UIImageView(newImage)); // 4. Remove the blurred view, if there is one int lastIndex = UIApplication.SharedApplication.KeyWindow .RootViewController.View.Subviews.GetUpperBound(0); if (lastIndex > 0) { UIApplication.SharedApplication.KeyWindow .RootViewController.View.Subviews[lastIndex] .RemoveFromSuperview(); }
  • 20. M2 – Insecure Data Storage iOS Developer Cheat Sheet - https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet - Small amounts of sensitive data should go in the Keychain - Recommends usage of a third party encryption API “not encumbered by inherent weaknesses in Apple’s encryption” - Singles out SQLCipher - Key management then becomes critical ( M5) - https://www.owasp.org/index.php/Key_Management_Cheat_Sheet Windows Mobile 10 Security Guide - https://technet.microsoft.com/en-us/library/mt674915(v=vs.85).aspx
  • 21. M3 – Insecure Communication This covers: • Poor handshaking • Incorrect SLL versions • Weak negotiation • Cleartext communication of sensitive assets * • SSL certificate validity * Sensitive assets can include things like the IMEI and other hardware addresses. Some jurisdictions consider these to be private data that must be given the same privacy treatment as a phone number or home address
  • 22. Checking certificate validity – iOS / Android System.Net.ServicePointManager.ServerCertificateValidationCallback += ((sender, certificate, chain, sslPolicyErrors) => { return sslPolicyErrors == System.Net.Security.SslPolicyErrors.None && validCertificates.Contains(certificate.GetCertHashString); });
  • 23. M4 – Insecure Authentication In general, follow the same rules as a web app for authentication i.e. if porting a web app, it should not be possible to authenticate with less auth factors than the web browser Never use a device identifier (UDID, IP, MAC address, IMEI) to identify a user or a session Remember that some jurisdictions treat these as personal data
  • 24. M4 – Insecure Authentication Avoid out-of-band authentication tokens being sent to the same device as the user is using to login (e.g. SMS to phone) http://www.smh.com.au/technology/consumer-security/malware-hijacks-big-four- australian-banks-apps-steals-twofactor-sms-codes-20160309-gnf528.html
  • 25. M5 – Insufficient Cryptography https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet • Only store sensitive data that you need • Use strong approved authenticated encryption • Store a one-way and salted value of passwords • Ensure that the cryptographic protection remains secure even if access controls fail • Ensure that any secret key is protected from unauthorised access • Follow applicable regulations on use of cryptography • PCLCrypto component
  • 26. M5 – Insufficient Cryptography Use of hardware information in key: SQLCipher advice - What’s unacceptable is to use this in entirety and nothing else - They propose it’s acceptable to use it as a portion of a key, but point out that it’s critical that at least a portion of the key is both: - Entered by the user - Never stored on the device https://discuss.zetetic.net/t/sqlcipher-database-key-material-and-selection/25
  • 27. M6 – Insecure Authorization App may restrict functions based on user’s authorization level Web service endpoints cannot assume this is sufficient Classic finding is a server implicitly trusting the mobile code to only generate requests appropriate to the user’s privilege level Of course this cannot be assumed of a compromised app
  • 28. M7 – Client Code Quality Is Your App Secure? - Kerry Lothrop, Thursday Think Like a Hacker - Sam Rehman & Lou Crocker, Wednesday
  • 29. M8 – Code Tampering private bool IsJailBroken() { return UIApplication.SharedApplication.CanOpenUrl(new NSUrl("cydia://package/com.example.package"))); }
  • 30. M9 – Reverse Engineering
  • 31. M10 – Extraneous Functionality
  • 32. Where to from here? Source: Arxan State of Application Security 2016 – Financial Services Report 2014 M3  2016 M3 Insecure Communication 2014 M10  2016 M9 Reverse Engineering Remembering…
  • 33. Where to from here? • OWASP ASVS • PCI standards • If you don’t have a security policy, reference these standards • If you do have a security policy, check it against these standards • If you’re writing or reviewing a security policy, check it against these standards • Awareness and further research • Build in house expertise, outsource, bring in specialised security products / consultants • A combination of the above http://www.amazon.com/Xamarin-Unleashed-Alec-Tucker/dp/0672337509
  • 34. Thank you / Questions