Developing secure mobile apps by Alexandru Catariov Endava



  1. Developing Secure Mobile Apps. Alexandru Catariov
  2. What is Information Security? (slide footer: IN YOUR ZONE)
  3. How much is the mobile world exposed?
  4. Connected to the internet and other computer networks
  5. Many apps store data locally…
     • …to improve User eXperience
     • …to save traffic
     • …for temporary use
  6. There is a lot of user data
  7. Many sensitive data inputs
  8. …and last but not least, mobile is physically more vulnerable
  9. The good news is that mobile OSes take measures to increase security…
     • Sandboxing
     • User Permissions
     • Protected API
     • Encrypted filesystem
     • App Signing
     • Remote wipe
  10. …but the bad news is that the army of bad guys grows as well
     • Rooting or Jailbreaking
     • Malware
     • Viruses
     • Spoofing
     • Tampering
  11. The primary data type targeted by attackers in 2012, as in 2011, was customer records (cardholder data, personal information, email addresses): 96%. Source: 2013 Global Security Report
  12. The number of mobile malware samples is rising very fast. The notable one: Toll Fraud. [Chart: share of malware by type (Toll Fraud malware, Other malware, Spyware), Q3 2011 to Q2 2012, in %]
  13. What can you as a developer do?
  14. Avoid storing or sending confidential/sensitive data… otherwise, do not use a plain format
     • Use Cryptography
     • Use a hash function such as MD5, SHA-1, etc.
     • Use the local KeyChain or KeyStore, but do not rely on them
  15. Ensure secure storage
     • Use the App Sandbox
     • Use internal storage
     • Clear temporary data after use
     • Use Cryptography
     • Perform Input Validation
  16. Apply the OWASP Top 10 to secure interaction with servers
     • Strong Authorization & Authentication
     • Ensure proper session handling
     • Strong encryption
     • Validate untrusted input
  17. Interprocess communication can also be vulnerable
     • Avoid using network sockets and shared files
     • Use OS mechanisms instead
  18. Apply anti-debug and anti-reversing measures
     • Obfuscation
     • Remove logging code
     • Don't use hardcoded sensitive data
     • Don't implement custom encryption
  19. Perform security testing
     • Test on a jailbroken or rooted device
     • Use Static Code Analysis tools – Fortify, Veracode
  20. You cannot be 100% safe…
  21. …but you can make it hard – Defense in Depth (Oak, Chest, Rabbit, Duck, Egg, Needle)
  22. Resources
     • Security Best Practices for Android developers is located here:
     • iOS Security Overview
     • OWASP Mobile Security Project:
     • Trustwave, SpiderLabs blog:
  23. Alex Catariov | Development Discipline Lead | Alexandru.Catariov@endava.com | Tel +373 79400205 | Skype alex.catariov. Thank you
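Slide 14 asks that sensitive data never be kept in a plain format and that a hash function be used instead. The following is an added, platform-neutral Python example, not code from the deck or from Endava: it shows the same credential stored the way the slide warns against and the way it recommends. It uses PBKDF2 with SHA-256 rather than the MD5/SHA-1 named on the slide, since both of those are no longer collision-resistant and are far too fast for hashing secrets; the iteration count and the record layout are the example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration, not code from the deck.  PBKDF2-SHA256 stands in
# for the MD5/SHA-1 named on slide 14; iteration count is an assumed value.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def store_plain(secret: str) -> dict:
    """The pattern slide 14 warns against: the record contains the secret
    itself, so anything that can read the app's files (a backup, a rooted
    device, a file-disclosure bug) gets the credential directly."""
    return {"secret": secret}


def store_hashed(secret: str, salt: Optional[bytes] = None) -> dict:
    """Keep only a salted, iterated hash.  The salt is random per record, so
    two users with the same secret do not produce identical records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "alg": "pbkdf2-sha256",
        "iter": PBKDF2_ITERATIONS,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so a mismatch does not leak how many bytes agreed."""
    if record.get("alg") != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iter"])
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    rec = store_hashed("correct horse battery staple")
    print(rec)
    print(verify_hashed(rec, "correct horse battery staple"), verify_hashed(rec, "wrong"))
```

The record written by `store_hashed` is enough to check a secret later but never yields the secret itself, which is the property slide 14 is after. Where the app needs a key rather than a verifier (to decrypt cached data, for instance), the slide's advice still applies: keep it in the platform KeyChain or KeyStore, and do not treat that as the only line of defence.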
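Slide 15 lists the rules for local storage: stay inside the app sandbox, use internal storage, validate input, and clear temporary data after use. The following is an added Python example (not from the deck) of a small cache for data an app keeps "to save traffic" that applies those rules. A temporary directory stands in for the app's sandboxed internal storage; the key format, the permission bits and the class name are the example's own assumptions.

```python
import os
import re
import stat
import tempfile
from typing import Optional

# Constructed example, not code from the deck.  The key format and 0600/0700
# permissions are this example's choices; a temp dir stands in for the app's
# private internal storage.
KEY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


class SecureCache:
    def __init__(self, base_dir: Optional[str] = None):
        self.base_dir = base_dir or tempfile.mkdtemp(prefix="appcache-")
        os.chmod(self.base_dir, stat.S_IRWXU)  # 0700: owner-only directory

    def _path(self, key: str) -> str:
        # Input validation (slide 15): only a plain token is accepted, so a
        # key such as "../shared/file" or ".." cannot leave the cache directory.
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"invalid cache key: {key!r}")
        return os.path.join(self.base_dir, key)

    def put(self, key: str, data: bytes) -> None:
        # Create with 0600 in the open() call itself, so the file never exists
        # with the default (possibly wider) permissions, even briefly.
        fd = os.open(self._path(key), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)

    def get(self, key: str) -> Optional[bytes]:
        path = self._path(key)
        if not os.path.isfile(path):
            return None
        with open(path, "rb") as f:
            return f.read()

    def file_mode(self, key: str) -> int:
        """Permission bits of a cached file, e.g. 0o600."""
        return stat.S_IMODE(os.stat(self._path(key)).st_mode)

    def clear(self) -> int:
        """Slide 15: clear temporary data after use.  Returns files removed."""
        removed = 0
        for name in os.listdir(self.base_dir):
            os.remove(os.path.join(self.base_dir, name))
            removed += 1
        return removed
```

Two details carry most of the weight: the key is validated before it ever becomes a path, and the permission bits are set at creation rather than fixed up afterwards. Anything sensitive written through `put` should additionally be encrypted before it reaches the file, as the slide's "Use Cryptography" bullet says; the cache itself only controls who can reach the bytes, not what they reveal.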
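Slide 16 asks for proper session handling when the app talks to its servers. The following is an added Python example, not code from the deck, of the server-side session store behind a mobile API: random opaque tokens, absolute and idle timeouts, rotation after authentication, and storage of only a hash of each token. The timeout values and the class design are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed example, not code from the deck.  Timeouts are assumed values.
ABSOLUTE_TTL = 8 * 3600  # seconds a session may live, however active it is
IDLE_TTL = 15 * 60       # seconds of inactivity after which it expires


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored: a leaked session table does not
        # yield usable tokens, and the lookup involves no secret comparison.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str) -> str:
        # 256 bits from the OS CSPRNG.  Never derive tokens from the user id,
        # a counter or the clock.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id of a live session, or None (expired ones are dropped)."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
            del self._sessions[key]
            return None
        s.last_seen = now
        return s.user_id

    def rotate(self, token: str) -> Optional[str]:
        """Issue a new token for the same user and retire the old one.  Call
        this after login or any privilege change, so a token handed out
        before authentication cannot be carried into the authenticated session."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(user)

    def revoke(self, token: str) -> bool:
        """Explicit logout: the token stops working immediately."""
        return self._sessions.pop(self._key(token), None) is not None
```

On the app side the matching rules are the ones the slide lists: send the token only over TLS, keep it in the platform credential store rather than in a plain preferences file, and treat every response as untrusted input to be validated before use.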
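Slide 18 says to remove logging code and never hardcode sensitive data, and slide 19 recommends static analysis before release. The following is an added Python example serving both slides; it is not code from the deck and not a substitute for the Fortify or Veracode scans the deck names. It is a lightweight pre-release check that scans source text for leftover debug logging and for string literals assigned to secret-looking names. The patterns and the Java-style and Swift-style sample snippets are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed example, not code from the deck.  The patterns are heuristics
# for illustration; the sample snippets below are made up for this example.
LOG_CALLS = re.compile(
    r"\b(Log\.[vdiwe]|NSLog|print(?:ln)?|System\.out\.print(?:ln)?)\s*\(")
SECRET_ASSIGN = re.compile(
    r"""(?i)\b(api[_-]?key|secret|password|passwd|token)\w*\s*[:=]\s*["']([^"']{8,})["']""")
HIGH_ENTROPY_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_-]{32,})["']""")


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, category, detail) findings for one source file's text."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*")):
            continue  # comment lines are not flagged by this check
        if LOG_CALLS.search(line):
            findings.append((n, "logging", stripped))
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append((n, "hardcoded-secret", m.group(1)))
        elif HIGH_ENTROPY_LITERAL.search(line):
            findings.append((n, "suspicious-literal", stripped))
    return findings


def release_gate(text: str) -> bool:
    """True when the source is clean enough to ship by this check."""
    return not scan_source(text)


# Constructed snippets standing in for app source (not from any real project).
SAMPLE_JAVA = """\
public class ApiClient {
    private static final String API_KEY = "sk_live_0123456789abcdef0123456789abcdef";
    void login(String user, String pw) {
        Log.d("Auth", "password=" + pw);   // debug output left in
        send(user, pw);
    }
}
"""
SAMPLE_SWIFT = """\
let token = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd"
NSLog("token is %@", token)
let endpoint = "https://api.example.invalid/v1"
"""

if __name__ == "__main__":
    for name, src in (("java", SAMPLE_JAVA), ("swift", SAMPLE_SWIFT)):
        for line_no, category, detail in scan_source(src):
            print(f"{name}:{line_no}: {category}: {detail}")
```

A check like this belongs in the build, failing the release when `release_gate` returns False, so that the debug logging which was useful during development does not reach the store build. It catches only what it is told to look for, which is why slide 19 pairs it with a real static analysis tool and with testing on a rooted or jailbroken device.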