1. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
The fundamentals of Android and iOS app security
2. Andrew Hoog
CEO | NowSecure
@ahoog42
ahoog@nowsecure.com
● Computer scientist, mobile security and forensics researcher
● Author, expert witness, and patent-holder
● Regularly briefs senior government officials and top banking institutions about mobile security
3. Contents
● Too many apps are vulnerable
● Security needs to be part of the development workflow
● Secure mobile development best practices
● Automated security testing and continuous integration (CI) in practice
4. Too many mobile apps are vulnerable
5. Real-world examples of mobile app security failures
● Starbucks: thieves siphoned money out of users’ accounts using the mobile app (via USA Today)
● Ola: India’s largest startup, with $1.1B in funding, was hacked to allow unlimited free rides (via The Next Web)
● Hulu and Tinder: app vulnerabilities offered access to free premium accounts (via CNBC)
6. A quarter of mobile apps are vulnerable
25% of mobile apps have at least one high-risk security or privacy flaw
Source: 2016 NowSecure Mobile Security Report
7. More popular apps are more likely to include a security flaw
Share of apps with a security flaw, by download count (chart):
● 100K-500K downloads: 37%
● 1M-5M downloads: 46%
● 5M-10M downloads: 50%
Source: 2016 NowSecure Mobile Security Report
8. Issues within apps downloaded more than 1 million times
(Chart: apps exposing sensitive data vs. apps with security flaws)
Source: 2016 NowSecure Mobile Security Report
9. The roots of the mobile app security problem
● Developers aren’t trained in developing secure mobile apps
● Tools that identify mobile security flaws aren’t kept up-to-date
● Mobile app security is assumed (if it’s considered at all)
● Time and budget are not committed to mobile app security
10. Why make security a part of the mobile app development workflow?
11. Almost half of orgs deploy weekly or more often
Source: https://blog.newrelic.com/2016/02/04/data-culture-survey-results-faster-deployment/
12. Developing with security in mind saves you time
(Chart: cost of fixing a defect by the phase in which it is found: Requirements / Architecture, Coding, Integration / Component Testing, System / Acceptance Testing, Production / Post-Release)
The cost (time, money, etc.) of fixing defects is 30x higher after an app has been deployed
Source: National Institute of Standards and Technology
13. Shift security & performance testing to the left
(Diagram of a delivery pipeline spanning Development / Integration, Staging and Production, with the roles Engineer, QA and DevOps:)
Dev Team → check-in → Version Control → trigger → Build & Unit Tests → trigger → Automated Acceptance Tests → trigger → User Acceptance Tests → approval → Release
Every stage sends feedback back to the team; the point is to run security and performance tests in the early, automated stages rather than only before release.
14. Secure mobile development best practices
15. Source material for mobile app security fundamentals
● OWASP Top 10 Mobile Risks (draft 2016 update)
● 42+ tips for building secure mobile apps
17. OWASP MOBILE TOP 10 2016 DRAFT
#1 Improper Platform Usage
18. Misuse of a platform feature, or failure to use the platform security controls of Android or iOS. Issues may include incorrect use of the keychain on iOS or of intents on Android.
19. Best practice(s):
Android - Implement Intents Carefully
Intents are used for inter-component signaling. Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated.
https://books.nowsecure.com/secure-mobile-development/en/android/implement-intents-carefully.html
iOS - Use the Keychain Carefully
iOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted.
https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html
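Added example, in Android Java, of the intent practice above. It is not code from the deck or from the NowSecure book; the package name com.example.bank, the action string and the doc_id extra are assumptions for illustration. When a component does not need to be reachable from other apps, the simplest fix is android:exported="false" in the manifest; the code below is for a component that must stay exported, and shows the trusting pattern as a comment beside the hardened one.

```java
// Added example (not from the deck or the NowSecure book). Package, action and
// extra names are assumptions for illustration.
package com.example.bank;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

public class ViewDocumentActivity extends Activity {
    static final String ACTION_VIEW_DOC = "com.example.bank.action.VIEW_DOC";
    static final String EXTRA_DOC_ID = "doc_id";

    // VULNERABLE pattern, kept here for contrast. If the manifest gives this activity an
    // <intent-filter> it is exported by default, so any app on the device can start it
    // with an arbitrary doc_id and steer program flow into code meant to be internal:
    //
    //   String docId = getIntent().getStringExtra(EXTRA_DOC_ID);
    //   openDocument(docId);   // no validation, no idea who sent the intent

    // HARDENED receiving side.
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();

        // 1. Accept only the action this component defines.
        if (intent == null || !ACTION_VIEW_DOC.equals(intent.getAction())) {
            finish();
            return;
        }
        // 2. If the component has to stay exported, check who started it against an
        //    allow-list of packages (here only our own). getCallingPackage() is set by
        //    the system and only when the caller used startActivityForResult(), so a
        //    null value is treated as untrusted rather than as "no caller".
        String caller = getCallingPackage();
        if (caller == null || !getPackageName().equals(caller)) {
            finish();
            return;
        }
        // 3. Validate the payload with an allow-list before acting on it.
        String docId = intent.getStringExtra(EXTRA_DOC_ID);
        if (docId == null || !docId.matches("[A-Za-z0-9]{1,32}")) {
            finish();
            return;
        }
        openDocument(docId);
    }

    // HARDENED sending side: an explicit intent names the target class, so the OS
    // cannot route it to a malicious app that registered a matching filter.
    void launchInternal(String docId) {
        Intent i = new Intent(this, ViewDocumentActivity.class);
        i.setAction(ACTION_VIEW_DOC);
        i.setPackage(getPackageName());        // pin delivery to our own package
        i.putExtra(EXTRA_DOC_ID, docId);
        startActivityForResult(i, 1);          // lets the receiver read getCallingPackage()
    }

    private void openDocument(String docId) {
        // application logic (assumed)
    }
}
```

The caller check only works for activities started for a result; for exported services and broadcast receivers, protect the component with an android:permission in the manifest instead, and keep purely internal broadcasts off the system bus altogether.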
20. OWASP MOBILE TOP 10 2016 DRAFT
#2 Insecure Data Storage
21. Vulnerabilities that leak personal information and provide access to hackers.
22. 1 in 10 apps leak private, sensitive data like email, username, or password
Source: 2016 NowSecure Mobile Security Report (data from testing 400,000 mobile apps)
23. Best practice(s):
Implement secure data storage
Transmit and display sensitive data but do not persist it to storage. Ensure that an analog leak does not present itself where screenshots of the data are written to disk. Store it only in RAM (and clear it at application close).
https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/implement-secure-data-storage.html
Securely store data in RAM
Do not keep sensitive data (e.g., encryption keys) in RAM longer than required. Nullify any variables that hold keys after use.
https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html
24. OWASP MOBILE TOP 10 2016 DRAFT
#3 Insecure Communication
25. Insecure communication refers to communications being sent in cleartext as well as other insecure methods.
26. Example: SwiftKey vulnerabilities (CVE-2015-4640 & CVE-2015-4641)
Best practice(s):
Fully validate SSL/TLS
An application not properly validating its connection to the server is susceptible to a man-in-the-middle attack by a privileged network attacker.
https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/fully-validate-ssl-tls.html
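Added example, not from the deck or from NowSecure: the "trust everything" shortcut that makes an Android app trivially MITM-able, shown as a comment beside a hardened HttpsURLConnection setup that trusts only a CA certificate bundled with the app. It assumes the PEM-encoded CA is shipped as an asset or raw resource and opened by the caller as an InputStream; the class name is an assumption.

```java
// Added example (not from the deck). Assumes the app ships its own CA cert as a
// PEM asset and passes it in as an InputStream.
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedTls {

    // VULNERABLE: the "fix" many apps ship so a self-signed test server works. An empty
    // checkServerTrusted() plus an allow-all HostnameVerifier accepts ANY certificate,
    // so anyone on the network path can read and rewrite every request.
    //
    //   TrustManager[] trustAll = { new X509TrustManager() {
    //       public void checkServerTrusted(X509Certificate[] c, String a) {}  // accepts everything
    //       public void checkClientTrusted(X509Certificate[] c, String a) {}
    //       public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    //   }};
    //   HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true); // never do this

    // HARDENED: build a trust store containing only our CA, so the server chain must
    // terminate at it. Public CAs in the device store are not trusted for this connection.
    public static SSLContext pinnedContext(InputStream pemCa) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(pemCa);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                    // empty, in-memory key store
        ks.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static HttpsURLConnection open(String url, InputStream pemCa) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(pinnedContext(pemCa).getSocketFactory());
        // Leave the default HostnameVerifier in place: chain validation alone does not
        // prove the certificate was issued for the host we asked for.
        return conn;
    }
}
```

Pinning a CA means shipping an app update before that CA's certificate expires or is rotated, so plan the rotation before turning this on. On Android 7.0 and later the same pin can be declared in the Network Security Config instead of in code.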
27. OWASP MOBILE TOP 10 2016 DRAFT
#4 Insecure Authentication
28. Mobile apps need to securely identify a user and maintain that user’s identity, especially when the app is requesting and sending sensitive data such as financial information.
29. Best practice(s):
Hide Account Numbers and Use Tokens
Given the widespread use of mobile apps in public places, displaying partial numbers (e.g. *9881) can help ensure maximum privacy for this information. Unless there is a need to store the complete number on the device, store the partially hidden numbers.
https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/hide-account-numbers-and-use-tokens.html
30. OWASP MOBILE TOP 10 2016 DRAFT
#5 Insufficient Cryptography
31. The process behind encryption and decryption may allow a hacker to decrypt sensitive data. The algorithm behind encryption and decryption may be weak in nature.
32. Best practice(s):
Implement secure data storage
If storing sensitive data on the device is a requirement, add an additional layer of verified, third-party encryption. By adding another layer of encryption, you have more control over the implementation and mitigate attacks focused on the main OS encryption classes.
https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/implement-secure-data-storage.html
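Added example serving both the "securely store data in RAM" practice on the Insecure Data Storage slide and the "additional layer of encryption" practice above. It is not code from the deck or from the NowSecure book. It uses the standard javax.crypto AES-GCM cipher with a fresh random IV per message, so tampering with the stored blob is detected on decryption, and it zeroes the key and plaintext buffers in finally. Where the key comes from (a user passcode through a KDF, or a key wrapped by the Android Keystore) is outside the snippet and assumed; the class name is an assumption.

```java
// Added example (not from the deck). Key provisioning is assumed to happen elsewhere.
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class AppLayerCrypto {
    private static final int IV_BYTES = 12;      // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;     // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    // Encrypts plaintext under a 128- or 256-bit AES key. Output layout: iv || ciphertext || tag.
    public static byte[] seal(byte[] key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                       // never reuse an IV with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);        // ciphertext with the tag appended
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    // Decrypts a blob produced by seal(). A modified IV, ciphertext or tag makes
    // doFinal() throw AEADBadTagException instead of returning garbage.
    public static byte[] open(byte[] key, byte[] blob) throws Exception {
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("blob too short to contain iv and tag");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    // The "keep it in RAM only as long as needed" rule in code: secrets live in byte[]
    // (not String, which is immutable and cannot be wiped) and are zeroed in finally
    // whether or not encryption succeeded.
    public static byte[] encryptAndForget(byte[] key, byte[] plaintext) throws Exception {
        try {
            return seal(key, plaintext);
        } finally {
            Arrays.fill(key, (byte) 0);
            Arrays.fill(plaintext, (byte) 0);
        }
    }
}
```

One caveat a practitioner should know: SecretKeySpec copies the key array, so the JCE's own copy cannot be zeroed from here; keeping key material out of app memory entirely is what the Android Keystore (or the iOS keychain) is for, and the encryption layer above is a defence in depth on top of that, not a replacement.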
33. OWASP MOBILE TOP 10 2016 DRAFT
#6 Insecure Authorization
34. Insecure authorization refers to a server failing to enforce identity and permissions itself, and instead trusting what the mobile app asserts about them.
35. Best practice(s):
Implement Proper Web Server Configuration
Certain settings on a web server can increase security. One commonly overlooked vulnerability on a web server is information disclosure. Information disclosure can lead to serious problems because every piece of information attackers can gain from a server makes staging an attack easier.
https://books.nowsecure.com/secure-mobile-development/en/servers/web-server-configuration.html
36. OWASP MOBILE TOP 10 2016 DRAFT
#7 Client Code Quality
37. Risks that come from vulnerabilities like buffer overflows, format-string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that’s running on the mobile device.
38. Example: Vulnerabilities in the Vitamio SDK
NowSecure Blog: World Writable Code Is Bad, MMMMKAY
Best practice(s):
Test third-party libraries
Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested; however, issues can and do exist in their code.
https://books.nowsecure.com/secure-mobile-development/en/coding-practices/test-third-party-libraries.html
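Added example, not from the deck and not from the Vitamio write-up: a guard that refuses to System.load() a native library from a file that other processes can write to, which is the general failure the blog title names. It uses android.system.Os (API 21+); the class and method names are assumptions.

```java
// Added example (not from the deck). Requires API 21+ for android.system.Os.
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import java.io.File;

public final class NativeLibLoader {

    // True only if the path is a regular file, owned by this app's uid, and not writable by
    // group or others. File.canWrite() is useless here: it reports OUR access, not everyone's.
    public static boolean isSafeToLoad(File lib) {
        try {
            StructStat st = Os.stat(lib.getAbsolutePath());
            boolean regular       = OsConstants.S_ISREG(st.st_mode);
            boolean ownedByUs     = st.st_uid == Os.getuid();
            boolean groupWritable = (st.st_mode & OsConstants.S_IWGRP) != 0;
            boolean worldWritable = (st.st_mode & OsConstants.S_IWOTH) != 0;
            return regular && ownedByUs && !groupWritable && !worldWritable;
        } catch (ErrnoException e) {
            return false;                         // missing or unreadable: do not load
        }
    }

    // Load a library only from a location no other app can modify. Code that any app can
    // overwrite is code any app can run inside this process, with this app's permissions.
    public static void loadOrFail(File lib) {
        if (!isSafeToLoad(lib)) {
            throw new SecurityException("refusing to load " + lib + ": writable by other processes");
        }
        System.load(lib.getAbsolutePath());
    }
}
```

The check is a last line of defence, not the fix: a check-then-load on a shared location is still a race. Libraries belong in the APK and are loaded with System.loadLibrary() from the app's own nativeLibraryDir; never download or unpack code onto external storage, which any app holding WRITE_EXTERNAL_STORAGE could rewrite on the Android versions current when this deck was written.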
39. OWASP MOBILE TOP 10 2016 DRAFT
#8 Code Tampering
40. Code tampering: attackers modify an app or insert a backdoor into it, re-sign it, and publish the malicious version to third-party app marketplaces.
41. Example: PokemonGO
● 50M downloads in 19 days on Android alone
● Within 3 days of initial release, malicious DroidJack software found on third-party app stores
● Remote Access Tool (RAT) can open a silent backdoor for hackers
Source: The Hacker News
42. Best practice(s):
Implement Anti-Tampering Techniques
Employ anti-tamper and tamper-detection techniques to prevent illegitimate applications from executing. Use checksums, digital signatures, and other validation mechanisms to help detect file tampering.
https://books.nowsecure.com/secure-mobile-development/en/coding-practices/anti-tamper-techniques.html
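Added example, not from the deck or the NowSecure book, of the "digital signatures" check named above: at runtime the app confirms it is still signed with the expected release certificate. A repackaged APK (the PokemonGO case on the previous slide) has to be re-signed with the attacker's key, so its certificate digest no longer matches. The expected digest below is a placeholder, and the class name is an assumption.

```java
// Added example (not from the deck). EXPECTED_CERT_SHA256 is a placeholder.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

public final class TamperCheck {

    // SHA-256 of the release signing certificate (DER encoding), lower-case hex. Take the
    // real value from the release APK: `keytool -printcert -jarfile app-release.apk`.
    private static final String EXPECTED_CERT_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    @SuppressWarnings("deprecation")  // GET_SIGNATURES predates GET_SIGNING_CERTIFICATES (API 28)
    public static boolean signedByUs(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (pi.signatures == null || pi.signatures.length == 0) {
                return false;
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            // Every signer must match: an added or swapped certificate fails the check.
            for (Signature sig : pi.signatures) {
                String digest = hex(md.digest(sig.toByteArray()));  // digest() resets md
                if (!EXPECTED_CERT_SHA256.equalsIgnoreCase(digest)) {
                    return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false;                         // fail closed on any lookup error
        }
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

This check lives in the same APK the attacker is editing, so it can be patched out; treat it as a speed bump that catches lazy repackaging, and pair it with server-side checks (device or app attestation, and an API that rejects clients the backend does not recognise) rather than relying on it alone.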
43. OWASP MOBILE TOP 10 2016 DRAFT
#9 Reverse Engineering
44. Reverse engineering refers to the analysis of a final binary to determine its source code, libraries, algorithms, and more.
45. Best practice(s):
Increase Code Complexity and Use Obfuscation
Reverse engineering apps can provide valuable insight into how your app works. Making your app more complex internally makes it more difficult for attackers to see how the app operates, which raises the effort needed to find attack vectors (obfuscation slows a determined reverse engineer down; it does not stop one).
https://books.nowsecure.com/secure-mobile-development/en/coding-practices/code-complexity-and-obfuscation.html
46. OWASP MOBILE TOP 10 2016 DRAFT
#10 Extraneous Functionality
47. Developers frequently include hidden backdoors or security controls they do not plan on releasing into production. This error creates risk when a feature is released to the wild that was never intended to be shared.
48. Example: MediaTek
● Manufacturer of hardware chips and processors for mobile devices
● A debug feature, intended for carriers to test network connections, was left enabled on shipped devices
Source: The Hacker News
49. Best practice(s):
Carefully Manage Debug Logs
Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack.
https://books.nowsecure.com/secure-mobile-development/en/caching-logging/carefully-manage-debug-logs.html
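Added example, not from the deck or the NowSecure book: a small logging wrapper that is silent in release builds and never writes the secret itself even in debug builds. It assumes the Android Gradle plugin's generated BuildConfig class in the same package; the class name is an assumption.

```java
// Added example (not from the deck). Assumes BuildConfig is generated in this package.
import android.util.Log;

public final class SafeLog {

    // BuildConfig.DEBUG is true for debug builds and false for release builds, so in
    // production nothing below reaches logcat, which other apps could read on old
    // Android versions and which ends up in bug reports on all of them.
    private static final boolean ENABLED = BuildConfig.DEBUG;

    public static void d(String tag, String msg) {
        if (ENABLED) Log.d(tag, msg);
    }

    // For tokens, passwords and keys: log that a value exists and how long it is,
    // never the value. A debug build that leaks the secret is still a leak.
    public static void dSecret(String tag, String label, CharSequence secret) {
        if (ENABLED) {
            int len = secret == null ? 0 : secret.length();
            Log.d(tag, label + "=<redacted, " + len + " chars>");
        }
    }

    private SafeLog() {}
}
```

Pair the wrapper with a ProGuard rule that strips android.util.Log calls from release builds, so a stray direct Log.d() in a third-party library or a forgotten debugging line is removed as well; the wrapper alone only covers calls that go through it.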
51. Contribute to the Secure Mobile Development Best Practices
You can view the GitHub repository here: https://github.com/nowsecure/secure-mobile-development
52. In practice: continuous integration and automated mobile app security testing
53. Don’t Panic
Connect any time: @NowSecureMobile / www.nowsecure.com
Learn more about developing secure Android and iOS apps with the NowSecure Secure Mobile Development Best Practices: books.nowsecure.com/secure-mobile-development/