Developing Secure Mobile Applications

11,582 views
11,299 views

Published on

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

Published in: Technology
1 Comment
10 Likes
Statistics
Notes
  • hello my dear,
    how are you today i hope all is well.my name is miracleJobe am a girl never married,
    i saw your profile today am very happy and became interest in you so dear i will
    like us to be friend.please i have something to tell you okay.please you can send your email
    address to my private email Box (miraclejobelove@yahoo.com) so that i will send my picture
    to you and tell you more about me. i will happy to see you again as soon as possible.

    Thanks so much
    miss miracle.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
11,582
On SlideShare
0
From Embeds
0
Number of Embeds
907
Actions
Shares
0
Downloads
485
Comments
1
Likes
10
Embeds 0
No embeds

No notes for slide

Developing Secure Mobile Applications

  1. 1. Developing Secure Mobile Applications! ! Dan Cornell! @danielcornell© Copyright 2013 Denim Group - All Rights Reserved
  2. 2. Bio: Dan Cornell •  Founder and CTO, Denim Group •  Software developer by background (Java, .NET) •  OWASP –  San Antonio Chapter Leader –  Open Review Project Leader –  Global Membership Committee •  Speaking –  RSA, SOURCE Boston –  OWASP AppSec, Portugal Summit, AppSecEU Dublin –  ROOTS in Norway© Copyright 2013 Denim Group - All Rights Reserved 2
  3. 3. Denim Group Background •  Secure software services and products company –  Builds secure software –  Helps organizations assess and mitigate risk of in-house developed and third party software –  Provides classroom training and e-Learning so clients can build software securely •  Software-centric view of application security –  Application security experts are practicing developers –  Development pedigree translates to rapport with development managers –  Business impact: shorter time-to-fix application vulnerabilities •  Culture of application security innovation and contribution –  Develops open source tools to help clients mature their software security programs •  Remediation Resource Center, ThreadFix, Sprajax –  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI –  World class alliance partners accelerate innovation to solve client problems© Copyright 2013 Denim Group - All Rights Reserved 3
  4. 4. Tradeoffs: Value versus Risk •  Mobile applications can create tremendous value for organizations –  New classes of applications utilizing mobile capabilities: GPS, camera, etc –  Innovating applications for employees and customers •  Mobile devices and mobile applications can create tremendous risks –  Sensitive data inevitably stored on the device (email, contacts) –  Connect to a lot of untrusted networks (carrier, WiFi) •  Most developers are not trained to develop secure applications –  Fact of life, but slowing getting better •  Most developers are new to creating mobile applications –  Different platforms have different security characteristics and capabilities© Copyright 2013 Denim Group - All Rights Reserved 4
  5. 5. Smart Phones, Dumb Apps •  Lots of media focus on device and platform security –  Important because successful attacks give tremendous attacker leverage •  Most organizations: –  Accept realities of device and platform security –  Concerned about the security of their custom applications –  Concerned about sensitive data on the device because of their apps –  Concerned about network-available resources that support their apps •  Who has smartphone application deployed for customers? •  Who has had smartphone applications deployed without their knowledge? –  *$!%$# marketing department…© Copyright 2013 Denim Group - All Rights Reserved 5
  6. 6. Smart Phones, Dumb Apps •  Lots of media focus on device and platform security –  Important because successful attacks give tremendous attacker leverage •  Most organizations: –  Accept realities of device and platform security –  Concerned about the security of their custom applications –  Concerned about sensitive data on the device because of their apps –  Concerned about network-available resources that support their apps •  Who has smartphone application deployed for customers? •  Who has had smartphone applications deployed without their knowledge? –  *$!%$# marketing department…© Copyright 2013 Denim Group - All Rights Reserved 6
  7. 7. Mobile Application Security •  Mobile technologies have their own distinct risks •  Many mobile solutions are not as secure as you may think •  What goes wrong? –  Poor assumptions about what mobile technology “buys you” –  Device features that undermine security –  Trust in untrustworthy assets –  Failure to utilize available solutions© Copyright 2013 Denim Group - All Rights Reserved
  8. 8. The Distinguishing Features of Mobile •  Smartphone applications are essentially thick-client applications –  That people carry in their pockets –  And drop in toilets –  And put on eBay when the new iPhone comes out –  And leave on airplanes –  And so on… •  What else should you assume they know or will find out? •  Attackers will be able to access: –  Target user (victim) devices –  Your application binaries© Copyright 2013 Denim Group - All Rights Reserved 8
  9. 9. What Does this Mean for Security? •  IMPORTANT: It is really the system as a whole you care about –  Application plus… –  3rd party web services –  Enterprise services –  And so on •  How can attackers gain unauthorized access? –  Attacker steals or accesses a lost device –  Malicious application –  Attacker reverse engineers an application to access corporate resources –  And so on… •  The most “interesting” weaknesses and vulnerabilities we find are in mobile applications’ interactions with supporting services© Copyright 2013 Denim Group - All Rights Reserved 9
  10. 10. What Does this Mean for Security? •  Mobile applications are different than web applications –  Can’t just fire up an automated scanner and turn up a bunch of SQL injection and XSS vulnerabilities –  Usually…© Copyright 2013 Denim Group - All Rights Reserved 10
  11. 11. Mobile Application Security •  Typical Mobile Threats –  Data Flow –  Functional –  Abuse Cases •  Mobile Security Assessments –  Assessment Approaches –  Tools for Review and Testing© Copyright 2013 Denim Group - All Rights Reserved
  12. 12. Existing Resources for Mobile Security •  Secure Implementation Guidance –  Official development guides do not cover security risks comprehensively –  However, they do cover their platform solutions to many security concerns •  OWASP Mobile Security Project Top 10 Mobile Risks •  Veracode Mobile App Top 10 List© Copyright 2013 Denim Group - All Rights Reserved 12
  13. 13. OWASP Mobile Security Project Top 10 Mobile Risks© Copyright 2013 Denim Group - All Rights Reserved 13
  14. 14. OWASP Mobile Security Project Top 10 Mobile Risks 1.  Insecure Data Storage 2.  Weak Server Side Controls 3.  Insufficient Transport Layer Protection 4.  Client Side Injection 5.  Poor Authorization and Authentication 6.  Improper Session Handling 7.  Security Decisions Via Untrusted Inputs 8.  Side Channel Data Leakage 9.  Broken Cryptography 10.  Sensitive Information Disclosure https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks© Copyright 2013 Denim Group - All Rights Reserved 14
  15. 15. Mobile App Top 10 List A.  Malicious Functionality 1.  Activity monitoring and data retrieval 2.  Unauthorized dialing, SMS and payments 3.  Unauthorized network connectivity (exfiltration or command & control) 4.  UI Impersonation 5.  System modification (rootkit, APN proxy config) 6.  Logic or time bomb B.  Vulnerabilities 1.  Sensitive data leakage (inadvertent or side channel) 2.  Unsafe sensitive data storage 3.  Unsafe sensitive data transmission 4.  Hardcoded passwords/keys http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/© Copyright 2013 Denim Group - All Rights Reserved 15
  16. 16. Mobile Attack Scenarios •  Borrowed Device •  Stolen Device •  Malicious Application Functionality •  Other Malicious Application •  Attacks from Mobile Web Services •  Attacks against Mobile Web Services •  Attacks from Local Network •  Abuse of Device Feature© Copyright 2013 Denim Group - All Rights Reserved
  17. 17. Approaches for Identifying Threats •  Use Cases for Business –  Useful for identifying flaws with specific application features •  Data Flow for Architecture –  What threats can we identify looking at the application’s data flow? –  The whole system’s data stores, services, processes, etc. –  The interaction among those components •  Functional Security –  Here are the security features. How could an attacker defeat them? •  Attacker’s Goals for Threat Trees –  If you are an attacker, what would you want to accomplish? –  How would you go about achieving the malicious goal? –  Useful for identifying any erroneous security assumptions •  No one approach is perfect – these are essentially brain storming techniques© Copyright 2013 Denim Group - All Rights Reserved 17
  18. 18. Typical Mobile Threats User Mobile   Mobile  Web   Application Services Local  App   Storage Device   Keychain Main Site Pages •  Spoofing: Users to the Mobile Application •  Spoofing: Web Services to Mobile Application •  Tampering: Mobile Application •  Tampering: Device Data Stores •  Disclosure: Device Data Stores or Residual Data •  Disclosure: Mobile Application to Web Service •  Denial of Service: Mobile Application •  Elevation of Privilege: Mobile Application or Web Services© Copyright 2013 Denim Group - All Rights Reserved
  19. 19. Spoofing: Users to the Mobile Application •  Borrowed Device •  Stolen Device •  Other Malicious Application Attacker Mobile   Application Local  App   Storage Device   Keychain© Copyright 2013 Denim Group - All Rights Reserved
  20. 20. Spoofing: Attacker to Mobile Web Services •  Attacks against Mobile Web Services Attacker User Mobile   Application Mobile  Web  Services© Copyright 2013 Denim Group - All Rights Reserved
  21. 21. Spoofing: Web Services to Mobile Application •  Borrowed Device •  Other Malicious Application Malicious Host User Mobile   Application Mobile  Web  Services© Copyright 2013 Denim Group - All Rights Reserved
  22. 22. Tampering: Mobile Application •  Borrowed/Stolen Device •  Other Malicious Application User Tampered   Application Local  App   Storage Device   Keychain© Copyright 2013 Denim Group - All Rights Reserved
  23. 23. Disclosure: Device Data Stores or Residual Data •  Borrowed/Stolen Device •  Malicious Application Functionality •  Other Malicious Application User Mobile   •  Attacks from Mobile Web Application Services Local  SQLIte   Storage Device   Keychain© Copyright 2013 Denim Group - All Rights Reserved
  24. 24. Disclosure: Mobile Application to Web Service •  Attacks from Local Network •  Other Malicious Application Attacker User Mobile   Application Mobile  Web  Services© Copyright 2013 Denim Group - All Rights Reserved
  25. 25. Other Data-Flow Threats •  Denial of Service •  Elevation of Privilege User USAA Attacker Mobile   Member Mobile   Application Application Local  App   Local  App   Storage Device   Storage Device   Keychain Keychain© Copyright 2013 Denim Group - All Rights Reserved
  26. 26. Functional Security Threats •  Authentication We have already discussed these •  Session Management for a general web environment and •  Access Control will look at them for the mobile platforms. •  Input Validation •  Output Encoding/Escaping •  Cryptography •  Error Handling and Logging •  Data Protection •  Communication Security •  Configuration© Copyright 2013 Denim Group - All Rights Reserved 26
  27. 27. Abuse Cases •  Abuse Cases help identify threats from the attacker’s perspective –  What the attacker wants –  How they would try to achieve those goals •  Look over each application use case –  What functionality fulfills that use case? –  How would an attacker attempt to abuse that functionality? •  If a use-case accounts for a user requesting a document, then the abuse case would account for a request to a document that they are not allowed to see or one that doesnt exist •  If a use-case accounts for a privileged user approving a transaction, then the abuse case would account for a lower-level user attempting to force approval for the transaction© Copyright 2013 Denim Group - All Rights Reserved 27
  28. 28. 1.  --- Mobile Assessment Overview© Copyright 2013 Denim Group - All Rights Reserved 28
  29. 29. Assessment Activities Type of Analysis Activities Static Analysis Source Code Source code scanning Manual source code review Binary Reverse engineering Dynamic Analysis Debugger execution Traffic capture via proxy Analyze remote services Forensic Analysis File permission analysis File content analysis© Copyright 2013 Denim Group - All Rights Reserved 29
  30. 30. The General Assessment Approach •  Identification –  Help identify what applications have highest priority to assess •  Preparation –  Obtain requisite code and/or access •  Baseline Review and Testing –  Account for risks inherent to the technology and common features –  Commercial scanning tools with manual auditing •  Targeted Testing –  Account for identified threats, data flow, abuse cases –  Follow up with suspect behavior in the baseline review and testing •  Reporting –  Rate vulnerabilities –  Provide remediation recommendations© Copyright 2013 Denim Group - All Rights Reserved 30
  31. 31. Static Analysis •  Source Code Scanning •  Manual Code Reviews •  Advantages –  Identifies flaws during integration, when it is easier to address issues –  Developers can identify flaws in their own code before checking it in –  Many projects already have a code review process in-place •  Disadvantages –  Freeware tools do not address security well –  Licensed tools are a significant investment –  Manual review can be unstructured and time-consuming without licensed tools –  Not ideal for discovering logical vulnerabilities© Copyright 2013 Denim Group - All Rights Reserved 31
  32. 32. Dynamic Analysis •  Integrate abuse cases into unit and automated testing •  Use application scanning tools •  Perform a dedicated penetration test by security staff or a 3rd party •  Advantages –  Generally more time-efficient than manual code review –  Good for discovering logical vulnerabilities •  Disadvantages –  Requires fully functional features to test –  Security staff may not have application security training or experience –  Scanning tools may have difficulty with unusual applications© Copyright 2013 Denim Group - All Rights Reserved 32
  33. 33. Tools vs. Manual Review •  As we have discussed, some tests are better done manually •  Automated tools are well suited to discover implementation flaws –  Cross-site scripting –  Injection –  Information leakage or improper error handling –  Transport layer security •  Manual testing is a better approach to discover design flaws –  Direct object references –  Malicious file execution –  Cross-site request forgery –  Authentication/Authorization© Copyright 2013 Denim Group - All Rights Reserved 33
  34. 34. The Scope of Mobile Security Review© Copyright 2013 Denim Group - All Rights Reserved
  35. 35. Generic Mobile Application Threat Model© Copyright 2013 Denim Group - All Rights Reserved 35
  36. 36. Some Assumptions for Developers •  Smartphone applications are essentially thick-client applications –  That people carry in their pockets –  And drop in toilets –  And put on eBay when the new iPhone comes out –  And leave on airplanes –  And so on… •  Attackers will be able to access: –  Target user (victim) devices –  Your application binaries •  What else should you assume they know or will find out?© Copyright 2013 Denim Group - All Rights Reserved 36
  37. 37. Let’s Take Apart Some Apps •  Pandemobium Stock Trader Application •  Android and iOS versions •  Functionality –  Log in –  Track stock tips –  Make stock trades –  Get stock tips –  Share stock tips© Copyright 2013 Denim Group - All Rights Reserved 37
  38. 38. Pandemobium Stock Trader Application •  We will use as an example through the class •  Available for free online –  https://code.google.com/p/pandemobium/ –  Look for updates! Share with your friends! •  Components: –  iPhone application –  Android application –  Supporting web services (Java/JSP web application) –  User manual (HTML) –  Vulnerability list (HTML)© Copyright 2013 Denim Group - All Rights Reserved 38
  39. 39. Pandemobium Stock Trader Application© Copyright 2013 Denim Group - All Rights Reserved 39
  40. 40. So What Does a Bad Guy See? (Android Edition) •  Install the application onto a device •  Root the device •  Pull the application’s APK file onto a workstation for analysis •  APK files are ZIP files •  They contain: –  AndroidManifest.xml –  Other binary XML files in res/ –  classes.dex DEX binary code© Copyright 2013 Denim Group - All Rights Reserved 40
  41. 41. Generic Android Application Threat Model© Copyright 2013 Denim Group - All Rights Reserved 41
  42. 42. What’s Up With My XML Files? •  Binary encoding •  Use axml2xml.pl to convert them to text http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl© Copyright 2013 Denim Group - All Rights Reserved 42
  43. 43. Much Better •  Now we see: –  Screens in application –  Permissions required by the application –  Intents applications is registered to consume –  And so on© Copyright 2013 Denim Group - All Rights Reserved 43
  44. 44. Do the Same Thing With the Rest of Them •  Recurse through the res/ subdirectory •  UI layouts, other resources© Copyright 2013 Denim Group - All Rights Reserved 44
  45. 45. What About the Code? •  All of it is stuffed in classes.dex •  Android phones use DEX rather than Java bytecodes –  Register-based virtual machine rather than stack-based virtual machine •  Options: –  Look at DEX assembly via de-dexing –  Convert to Java bytecode and then to Java source code© Copyright 2013 Denim Group - All Rights Reserved 45
  46. 46. De-Dex to See DEX Assembly •  DEX bytecode ~= Java bytecode •  All code goes in one file •  Disassemble to DEX assembly with dedexer http://dedexer.sourceforge.net/© Copyright 2013 Denim Group - All Rights Reserved 46
  47. 47. Lots of Information •  Like the fun-fun world of Java disassembly and decompilation –  (We’ll get to the DEX decompilation in a moment) •  LOTS of information available© Copyright 2013 Denim Group - All Rights Reserved 47
  48. 48. But Can I Decompile to Java? •  Yes •  We •  Can •  Convert to Java bytecodes with dex2jar –  http://code.google.com/p/dex2jar/ –  (Now you can run static analysis tools like Findbugs) •  Convert to Java source code with your favorite Java decompiler –  Everyone has a favorite Java decompiler, right?© Copyright 2013 Denim Group - All Rights Reserved 48
  49. 49. DEX Assembly Versus Java Source Code •  De-DEXing works pretty reliably •  DEX assembly is easy to parse with grep •  DEX assembly is reasonably easy to manually analyze •  Java decompilation works most of the time •  Java source code can be tricky to parse with grep •  Java source code is very easy to manually analyze •  Verdict: –  Do both! –  Grep through DEX assembly to identify starting points for analysis –  Analyze Java source in detail© Copyright 2013 Denim Group - All Rights Reserved 49
  50. 50. So What Did We Learn? •  Look at the string constants –  URLs, hostnames, web paths •  Look at the de-DEXed assembly –  Method calls –  Data flow •  Developers: BAD NEWS –  The bad guys have all your code –  They might understand your app better than you –  How much sensitive intellectual property do you want to embed in your mobile application now?© Copyright 2013 Denim Group - All Rights Reserved 50
  51. 51. Is There Sensitive Data On the Device? •  Look at the disassemled DEX code •  Grep for “File”© Copyright 2013 Denim Group - All Rights Reserved 51
  52. 52. What About Java Source Code? •  Get the source code with JD-Gui –  http://java.decompiler.free.fr/© Copyright 2013 Denim Group - All Rights Reserved 52
  53. 53. Look for Files With Bad Permissions •  Look for file open operations using –  Context.MODE_WORLD_READABLE –  (translates to “1”)© Copyright 2013 Denim Group - All Rights Reserved 53
  54. 54. Next: What Is On the Server-Side •  To access sensitive data on a device: –  Steal a device –  Want more data? –  Steal another device •  To access sensitive data from web services –  Attack the web service •  String constants for URLs, hostnames, paths •  Examples: –  3rd party web services –  Enterprise web services© Copyright 2013 Denim Group - All Rights Reserved 54
  55. 55. So Now What? •  3rd Party Web Services –  Is data being treated as untrusted? –  Google promised to “not be evil” •  For everyone else… •  Enterprise Web Services –  Did you know these were deployed? –  Have these been tested for possible security flaws? –  Stealing records en-masse is preferable to stealing them one-at-a-time© Copyright 2013 Denim Group - All Rights Reserved 55
  56. 56. Web Services Example •  Trumped up example, but based on real life •  Given a web services endpoint, what will a bad guy do? •  Sequence: –  Request a junk method “abcd” –  Get a “No method ‘abcd’ available” –  Request a method “<script>alert(‘hi’);</script>” –  Hilarity ensues…© Copyright 2013 Denim Group - All Rights Reserved 56
  57. 57. What Is Wrong With the Example Application? •  Sensitive data stored on the device unprotected •  Trusts data from 3rd party web services •  Exposes enterprise web services to attackers •  Enterprise web services vulnerable to reflected XSS attacks •  And so on… •  This is a trumped-up example with concentrated vulnerabilities, but… •  All of these reflect real-world examples of vulnerabilities –  Public breaches –  Application assessments© Copyright 2013 Denim Group - All Rights Reserved 57
  58. 58. What About iPhones/iPads? •  Objective-C compiled to ARMv6, ARMv7 machine code –  Not as fun (easy) as Java compiled to DEX bytecode –  But … subject to buffer overflows, memory handling issues, other native code fun •  Apps from iTunes Store –  Encrypted –  Used to be “easy” (well, mechanical) to break encryption with a jailbroken phone and a debugger –  Now trickier (but likely not insurmountable) –  And the default apps are not encrypted…© Copyright 2013 Denim Group - All Rights Reserved 58
  59. 59. Run “strings” on the Binary •  Web services endpoints: URLs, hostnames, paths •  Objective-C calling conventions: [myThing doStuff:a second:b third:c];! becomes obj_msgsend(myThing, “doStuff:second:third:”, a, b, c);!© Copyright 2013 Denim Group - All Rights Reserved 59
  60. 60. Run “otool” on the Binary •  otool –l <MyApp> –  View the load commands –  Segment info, encryption info, libraries in use •  otool –t –v <MyApp> –  Disassemble the text segment to ARM assembly –  If run on an encrypted application you get garbage •  otool –o <MyApp> –  Print the Objective-C segment •  And so on…© Copyright 2013 Denim Group - All Rights Reserved 60
  61. 61. Net Result for iPhone/iPad •  More obscure –  But does that mean more secure? •  Can still retrieve a tremendous amount of information •  Can still observe a running application •  “Security” based on obscurity is not durable© Copyright 2013 Denim Group - All Rights Reserved 61
  62. 62. Mobile Browser Content Handling •  Many mobile platforms allow you to designate applications to handle content found in web pages –  By URI protocol –  By content type •  Provide a “premium” experience for users who have the target app installed •  Examples: –  tel:// URLs initiating phone calls –  maps:// URLs to display maps© Copyright 2013 Denim Group - All Rights Reserved 62
  63. 63. iPhone/iPad URL Schemes •  iOS applications can be set up to “handle” certain URL schemes •  Defined in the application’s Info.plist •  Binary format: annoying© Copyright 2013 Denim Group - All Rights Reserved 63
  64. 64. Decoding plist Files •  plutil -convert xml1 Info.plist •  Much nicer© Copyright 2013 Denim Group - All Rights Reserved 64
  65. 65. iOS URL Handlers •  XPath: Look for: /plist/dict/array/dict[key=CFBundleURLSchemes]/array/string •  Now you know the URL Schemes the app handles •  SANS blog post on this issue in iOS: –  http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes- apples-ios/?utm_source%253Drss%2526utm_medium%253Drss %2526utm_campaign%253Dinsecure-handling-url-schemes-apples-ios –  Too long to type? http://bit.ly/ezqdK9© Copyright 2013 Denim Group - All Rights Reserved 65
  66. 66. Android Intents •  Intents are facilities for late-binding messaging between applications –  http://developer.android.com/guide/topics/intents/intents-filters.html •  One use is to allow applications to register to receive messages from the Browser when certain types of content are received –  Like iOS URL Schemes but an even more comprehensive IPC mechanism© Copyright 2013 Denim Group - All Rights Reserved 66
  67. 67. Intent Filter Example <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="danco" /> </intent-filter> •  Action: What to do? •  Data: Scheme is URI “protocol” to handle •  Category BROWSABLE: Allow this Action to be initiated by the browser© Copyright 2013 Denim Group - All Rights Reserved 67
  68. 68. Intent Filter Demo – Manual Launch, HTML Page© Copyright 2013 Denim Group - All Rights Reserved 68
  69. 69. Intent Filter Demo – Anchor Launch, IFrame Launch© Copyright 2013 Denim Group - All Rights Reserved 69
  70. 70. I’m a Security Tester. Why Do I Care? •  URL handlers are remotely-accessible attack surface •  This is a way for you to “reach out and touch” applications installed on a device if you can get a user to navigate to a malicious page •  Send in arbitrary URLs via links or (easier) embedded IFRAMEs •  Example: iOS Skype application used to automatically launch the Skype application and initiate a call when it encountered a skype:// URL –  Apple’s native Phone handle for tel:// URLs would confirm before a call was made© Copyright 2013 Denim Group - All Rights Reserved 70
  71. 71. I’m a Developer. Why Do I Care? •  See the previous slide. Bad guys care. So should you. Please. •  Content passed in via these handlers must be treated as untrusted –  Positively validate –  Enforce proper logic restrictions •  All: –  Should a malicious web page be able to cause this behavior? •  Make phone call, transmit location, take photo, start audio recording, etc •  iOS: –  Validate inputs to handleOpenURL: message •  Android: –  Validate data brought in from Action.getIntent() method© Copyright 2013 Denim Group - All Rights Reserved 71
  72. 72. So What Should Developers Do? •  Threat model your smartphone applications –  More complicated architectures -> more opportunities for problems •  Watch what you store on the device –  May have PCI, HIPAA implications •  Be careful consuming 3rd party services –  Who do you love? Who do you trust? •  Be careful deploying enterprise web services –  Very attractive target for bad guys –  Often deployed “under the radar”© Copyright 2013 Denim Group - All Rights Reserved 72
  73. 73. Secure Mobile Development Reference •  Platform-specific recommendations •  Key topic areas •  Provide specific, proscriptive guidance to developers building mobile applications© Copyright 2013 Denim Group - All Rights Reserved 73
  74. 74. Specific Platforms •  iOS (iPhone, iPad) •  Android •  Blackberry (in progress) •  Windows Phone 7 (in progress) –  Windows Mobile 6.5 (?) •  Symbian (?) •  Others (?) •  Will be guided by demand, which is focused by new development activity© Copyright 2013 Denim Group - All Rights Reserved 74
  75. 75. Topics Areas •  Topic Areas –  Overview of Application Development –  Overview of Secure Development –  Defeating Platform Environment Restrictions –  Installing Applications –  Application Permissions Model –  Local Storage –  Encryption APIs –  Network Communications –  Protecting Network Communications –  Native Code Execution –  Application Licensing and Payments –  Browser URL Handling© Copyright 2013 Denim Group - All Rights Reserved 75
  76. 76. So What Should Security People Do? •  Find out about smartphone projects –  Not always done by your usual development teams –  R&D, “Office of the CTO,” Marketing •  Assess the security implications of smartphone applications –  What data is stored on the device? –  What services are you consuming? –  Are new enterprise services being deployed to support the application?© Copyright 2013 Denim Group - All Rights Reserved 76
  77. 77. Resources •  axml2xml.pl (Convert Android XML files to normal XML) –  http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl •  Dedexer (Convert DEX bytecodes into DEX assembler) –  http://dedexer.sourceforge.net/ •  Dex2jar (Convert DEX bytecode in Java bytecode) –  http://code.google.com/p/dex2jar/ •  JD-GUI (Convert Java bytecode to Java source code) –  http://java.decompiler.free.fr/ •  otool (Get information about iPhone binaries) –  http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html© Copyright 2013 Denim Group - All Rights Reserved 77
  78. 78. Online •  Code, slides and videos online: www.smartphonesdumbapps.com© Copyright 2013 Denim Group - All Rights Reserved 78
  79. 79. Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com blog.denimgroup.com (210) 572-4400© Copyright 2013 Denim Group - All Rights Reserved 79

×