Mobile Apps Security: OTA11

IM IN UR CODEZ Securing Mobile AppsSunday, 2 October 11

Hello! My name’s Nick. I work for Mobile Interactive Group We’re going to talk about app security ...also catsSunday, 2 October 11

What this session is about... Mobile application security Developing apps defensively ...and what it’s not about User-based vulnerabilities (tap-jacking, etc) Mobile web securitySunday, 2 October 11

Mobile Apps Mobile WebSunday, 2 October 11

Hardcoded passwords SQL injection In-app XSS Insecure Data Transmission Buffer overflows Storing user data Data leakage API impersonation Remote code executionSunday, 2 October 11

Web & Apps have similar problems... ...they just appear in different placesSunday, 2 October 11

A fact (or two) Your app will be reverse engineered It’s only a matter of time Obfuscation is not a be-all/end-allSunday, 2 October 11

You might think (comparatively) that your mobile platform is not compromised... ...but how many rooted/jailbreaked phones are out there? Assume your platform is compromised, and your app will be reverse engineeredSunday, 2 October 11

You must therefore strongly protect your APIs and supporting application servers Let’s look at three of the most common issues with apps Two of these relate to API/server issuesSunday, 2 October 11

...but first...Sunday, 2 October 11

We’re all pretty smart developers (...hopefully!)Sunday, 2 October 11

The chasm of misfortune Your Goals Your App We are all cats - we have good intentions... ...and sometimes can’t foresee the consequencesSunday, 2 October 11

Your Goals Your App Remembering Storing credentials insecurely Banking App Users Not using SSL Using an API Blogging App Uploading Hardcoding your API keys Content ? UCG AppSunday, 2 October 11

Keys and SecretsSunday, 2 October 11

“API keys must be protected just like passwords. This means they should not be [...] baked into non-obfuscated applications that can be analysed relatively easily” Cloud Security Alliance, April 18 2011 (...assume this means all mobile apps)1 Keys and Secrets 2 leaking information 3 storing detailsSunday, 2 October 11

Demo time Major paid for API About 1,000,000 downloads ...let’s take a look!1 Keys and Secrets 2 leaking information 3 storing detailsSunday, 2 October 11

Demo time User: iPhone Password: PnkFdrYRh75N1 Keys and Secrets 2 leaking information 3 storing detailsSunday, 2 October 11

Consequences The bad A competing app uses your API key to exceed your rate limits Your users get frustrated and leave The ugly Somebody pulls your S3 secret key and charges £££ to your account1 Keys and Secrets 2 leaking information 3 storing detailsSunday, 2 October 11

This API is now compromised I can use it in my own apps without paying the license fee Because it’s hard-coded in the app it can’t be revoked1 Keys and Secrets 2 leaking information 3 storing detailsSunday, 2 October 11

Prevention Use an alternative method to authenticate Facebook, Amazon, and other large providers provide these Don’t trust key verification If you have an API that uses a key, don’t assume you can trust the user Think permissions If you do have to use keys, limit the damage that can be done with them Have a plan ...think about the inevitable. What happens if your API is outed?1 Keys and Secrets 2 leaking information 3 storing detailsSunday, 2 October 11

Leaking InformationSunday, 2 October 11

This shouldn’t need a slide If you’re sending passwords in the clear, leave the room ...no, wait - come back! I forgive you! People share passwords. All the time. My Tumblr password might be my Facebook password1 keys and secrets 2 Leaking Information 3 storing detailsSunday, 2 October 11

Specific shaming: ...but not the app!1 keys and secrets 2 Leaking Information 3 storing detailsSunday, 2 October 11

“But Nick, everyone knows SSL/TLS is totally broken!” “It’s the user’s fault for connecting to an insecure network” “It’s too much effort / time-consuming to implement” “My app isn’t important enough for this to be a problem”1 keys and secrets 2 Leaking Information 3 storing detailsSunday, 2 October 11

Not using TLS is like leaving your house unlocked Nobody is saying locks are going to stop you from getting burgled... ...but not locking your door is stupid.1 keys and secrets 2 Leaking Information 3 storing detailsSunday, 2 October 11

Storing DetailsSunday, 2 October 11

Very popular! Username and password in plain text!1 keys and secrets 2 leaking information 3 Storing Details According to ViaForensics, June 2011Sunday, 2 October 11

Obvious information Passwords, usernames Account numbers, etc Overlooked information Location information Personal information (date of birth, address,1 keys and secrets 2 leaking information 3 Storing DetailsSunday, 2 October 11

Consequences The bad You get some bad PR People laugh at you as you walk down the street The ugly You store passwords or account information unencrypted This compromises your app, and users information is leaked You are fined by the ICO1 keys and secrets 2 leaking information 3 Storing DetailsSunday, 2 October 11

In Summary ...we’re all smart developers... (remember this bit? from earlier on?)Sunday, 2 October 11

...but so are the... Bank of America, Citibank, National Rail Enquiries, Tumblr, AOL, Bump, Flirtomatic, Foursquare, Groupon, LinkedIn, Mint, Skype, Wells Fargo, WordPress, Match.com Yahoo! Messenger, and many many more... ...developers. Nobody is perfect, no app is truly secure (including me!)Sunday, 2 October 11

Remember the cat* *unlike the cat, your app will not survive a fall from heightSunday, 2 October 11

Thanks :) nick.shearer@migcan.com (I don’t tweet - booo!) Slides will be available on the OTA site soon!Sunday, 2 October 11

http://lanyrd.com	10
http://lanyrd.com	10
http://overtheair.org	4

Mobile Apps Security: OTA11

by lxt04

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 24

Statistics