Developing secure mobile apps by Alexandru Catariov Endava

  • Confidentiality: Does your application keep your private data private?
  • Integrity: Can the data from your app be trusted and verified?
  • Authentication: Does your app verify you are who you say you are?
  • Authorization: Does your application properly limit user privileges?
  • Availability: Can an attacker take the app offline?
  • Non-Repudiation: Does your app keep records of events?


  • 1. Developing Secure Mobile Apps, Alexandru Catariov
  • 2. IN YOUR ZONE: What is information security?
  • 3. How much is the mobile world exposed? [Diagram; labels: Attack, Attack]
  • 4. Connected to the internet and other computer networks
  • 5. Many apps store data locally…
    • …to improve user experience
    • …to save traffic
    • …for temporary use
  • 6. There is a lot of user data
  • 7. Many sensitive data inputs
  • 8. …and last but not least, mobile devices are physically more vulnerable
  • 9. The good news is that mobile OSes take measures to increase security…
    • Sandboxing
    • User permissions
    • Protected API
    • Encrypted filesystem
    • App signing
    • Remote wipe
  • 10. …but the bad news is that the army of bad guys grows as well
    • Rooting or jailbreaking
    • Malware
    • Viruses
    • Spoofing
    • Tampering
  • 11. The primary data type targeted by attackers in 2012, as in 2011, was customer records (cardholder data, personal information, email addresses): 96% (source: 2013 Global Security Report)
  • 12. The number of mobile malware samples is rising very fast. The notable one: Toll Fraud
    [Chart: share of mobile malware by quarter (Q3 2011, Q4 2011, Q1 2012, Q2 2012, in %); series: Toll Fraud malware, Other malware, Spyware]
  • 13. What can you as a developer do?
  • 14. Avoid storing or sending confidential/sensitive data… otherwise, do not use plain format
    • Use cryptography
    • Use a hash function such as MD5, SHA-1, etc.
    • Use the local KeyChain or KeyStore, but do not rely on them
  • 15. Ensure secure storage
    • Use the app sandbox
    • Use internal storage
    • Clear temporary data after use
    • Use cryptography
    • Perform input validation
  • 16. Apply the OWASP Top 10 to secure interaction with servers
    • Strong authorization and authentication
    • Ensure proper session handling
    • Strong encryption
    • Validate untrusted input
  • 17. Interprocess communication can also be vulnerable
    • Avoid using network sockets and shared files
    • Use OS mechanisms instead
  • 18. Apply anti-debug and anti-reversing measures
    • Obfuscation
    • Remove logging code
    • Don't use hardcoded sensitive data
    • Don't implement custom encryption
  • 19. Perform security testing
    • Test on a jailbroken or rooted device
    • Use static code analysis tools: Fortify, Veracode
  • 20. You cannot be 100% safe…
  • 21. …but you can make it hard: Defense in Depth (illustrated as nested layers: oak, chest, rabbit, duck, egg, needle)
  • 22. Resources
    • Security Best Practices for Android developers is located here:
    • iOS Security Overview
    • OWASP Mobile Security Project:
    • Trustwave, SpiderLabs blog:
  • 23. Alex Catariov | Development Discipline Lead | Alexandru.Catariov@endava.com | Tel +373 79400205 | Skype alex.catariov. Thank you