Developing Secure Mobile Apps
Alexandru Catariov, Endava

IN YOUR ZONE

What is Information Security?
• Confidentiality: Does your application keep private data private?
• Integrity: Can the data your app produces be trusted and verified as unmodified?
• Authentication: Does your app verify that users are who they say they are?
• Authorization: Does your application properly limit each user's privileges?
• Availability: Can an attacker take the app offline?
• Non-Repudiation: Does your app keep records of events, so that an action cannot later be denied by the party who performed it?
How much is the mobile world exposed?
Mobile devices are connected to the internet and to other computer networks.
Many apps store data locally…
…to improve the user experience
…to save traffic
…for temporary use
…and last but not least, mobile devices are physically more vulnerable: they are lost, stolen and left unattended far more often than servers or desktops.
The good news is that mobile OSes take measures to increase security…
• Sandboxing
• User permissions
• Protected APIs
• Encrypted filesystem
• App signing
• Remote wipe
…but the bad news is that the army of bad guys grows as well
• Rooting or jailbreaking
• Malware
• Viruses
• Spoofing
• Tampering
The primary data type targeted by attackers in 2012, as in 2011, was customer records (cardholder data, personal information, email addresses). 96% (Trustwave 2013 Global Security Report)
The number of mobile malware samples is rising very fast. The notable one: Toll Fraud.
[Chart: share (%) of Toll Fraud malware, other malware and spyware, Q3 2011 to Q2 2012]
What can you as a developer do?
Avoid storing or sending confidential/sensitive data…
…otherwise, do not use plain format
• Use cryptography
• Use a modern hash function (SHA-256 or another SHA-2 member); MD5 and SHA-1 are broken and must not be used in new code, and stored credentials need a salted, deliberately slow password hash such as PBKDF2 rather than a plain digest
• Use the local Keychain (iOS) or KeyStore (Android), but do not rely on them alone: on a rooted or jailbroken device their contents can be extracted
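The hashing point above deserves a worked illustration, because "use a hash function" hides the real distinction: an unsalted fast digest of a password is recovered by table lookup, while a salted, slow KDF is not. The following is an added, platform-neutral example written for this page, not code from the slides or from Endava; it uses only the Python standard library, and the "leaked" password list in the demo is constructed for the example.

```python
"""Storing credentials: unsalted fast digest versus salted, slow KDF.

Added example, not from the original deck. Standard library only.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Default PBKDF2 work factor for new records (assumed value; tune for your devices).
PBKDF2_ITERATIONS = 600_000


def weak_md5_digest(password: str) -> str:
    """What 'hash it with MD5' produces: deterministic, unsalted and fast.
    Every user with the same password gets the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_with_dictionary(digest: str, candidates: List[str]) -> Optional[str]:
    """Attacker side: a digest with no salt is recovered by trying candidates.
    Precomputed lookup tables make this instant for common passwords."""
    for candidate in candidates:
        if weak_md5_digest(candidate) == digest:
            return candidate
    return None


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash suitable for a stored credential.
    Record format (assumed for this example): pbkdf2_sha256$iters$salt_hex$hash_hex"""
    salt = secrets.token_bytes(16)                       # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing does not reveal how many bytes matched.
    Malformed records are rejected instead of raising."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(hash_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo data: a tiny "leaked" list stands in for a lookup table.
    common = ["123456", "password", "qwerty", "letmein"]
    print("MD5 digest recovered as:", crack_with_dictionary(weak_md5_digest("letmein"), common))

    record = hash_password("letmein")
    print("stored record:", record)
    print("correct password verifies:", verify_password("letmein", record))
    print("wrong password verifies:  ", verify_password("letmeout", record))
    # Same password, different salt: the two records do not match, so a
    # compromised database cannot be attacked once for all users.
    print("same password gives same record:", hash_password("letmein") == record)
```

The iteration count is the knob that makes brute force expensive; keep it as high as the slowest supported device tolerates at login, and store it in the record so it can be raised later without invalidating existing users.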
Ensure secure storage
• Use the app sandbox
• Use internal storage
• Clear temporary data after use
• Use cryptography
• Perform input validation
Apply the OWASP Top 10 to secure interaction with servers
• Strong authorization and authentication
• Ensure proper session handling
• Strong encryption
• Validate untrusted input
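"Proper session handling" and "validate untrusted input" from the two slides above are easiest to see together on the server side that a mobile client talks to. The example below is added for this page and is not code from the deck or from Endava: tokens come from the OS CSPRNG, are stored only as a SHA-256 hash (so a dump of the store yields nothing usable), expire on both an absolute and an idle timer, are rotated after login or privilege change, and are allow-list validated before any lookup. The in-memory dict standing in for a session store, the timeouts and the injectable clock are assumptions made for the example.

```python
"""Server-side session handling for a mobile client.

Added example, not from the original deck. Standard library only; the
dict is a stand-in for a real session store and the clock is injectable
so expiry can be exercised without waiting.
"""
import hashlib
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# secrets.token_urlsafe(32) yields exactly 43 URL-safe base64 characters.
# Anything that does not look like that is rejected before it reaches the store.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionManager:
    def __init__(self, absolute_ttl: float = 8 * 3600, idle_ttl: float = 15 * 60,
                 clock: Callable[[], float] = time.time) -> None:
        self.absolute_ttl = absolute_ttl   # assumed policy values
        self.idle_ttl = idle_ttl
        self.clock = clock
        # Keyed by SHA-256 of the token, never by the token itself.
        self._store: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        now = self.clock()
        self._store[self._key(token)] = Session(user_id, now, now)
        return token

    def validate(self, token: Optional[str]) -> Optional[str]:
        """Return the user id for a live session, else None. Never raises on bad input."""
        if not isinstance(token, str) or TOKEN_RE.fullmatch(token) is None:
            return None                       # malformed input: no lookup at all
        key = self._key(token)
        session = self._store.get(key)
        if session is None:
            return None
        now = self.clock()
        if now - session.created > self.absolute_ttl or now - session.last_seen > self.idle_ttl:
            self._store.pop(key, None)        # expired: invalidate server-side
            return None
        session.last_seen = now
        return session.user_id

    def revoke(self, token: str) -> None:
        """Logout: drop the session so a stolen token is useless afterwards."""
        self._store.pop(self._key(token), None)

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token after login or privilege change (blocks session fixation)."""
        user = self.validate(token)
        if user is None:
            return None
        self.revoke(token)
        return self.create(user)


if __name__ == "__main__":
    mgr = SessionManager()
    token = mgr.create("alice")
    print("valid token      ->", mgr.validate(token))
    print("tampered token   ->", mgr.validate(token[:-1] + "!"))
    print("injection string ->", mgr.validate("' OR 1=1 --"))
    fresh = mgr.rotate(token)
    print("old after rotate ->", mgr.validate(token), "| new ->", mgr.validate(fresh))
```

The token is opaque: the client cannot read or forge anything from it, and the server holds all the state, which is what lets it revoke or expire a session the moment a device is reported lost.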
Interprocess communication can also be vulnerable
• Avoid using network sockets and shared files for IPC
• Use the OS-provided IPC mechanisms instead
Apply anti-debug and anti-reversing measures
• Obfuscation
• Remove logging code from release builds
• Don't use hardcoded sensitive data
• Don't implement custom encryption; use the platform's vetted cryptographic libraries
Perform security testing
• Test on a jailbroken or rooted device
• Use static code analysis tools (e.g. Fortify, Veracode)
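Two of the anti-reversing items above, leftover logging calls and hardcoded secrets, are exactly the kind of thing a reverser finds first in a decompiled app, and they are also cheap to catch before release. The scanner below is an added example written for this page, not code from the deck and not a substitute for the commercial tools the deck names (Fortify, Veracode); its rule set is a small, assumed one, and the Java and Objective-C snippets it runs over are constructed for the demo.

```python
"""Pre-release source scan for leftover logging and hardcoded secrets.

Added example, not from the original deck. Standard library only; the
rules are a minimal assumed set and the sample sources are constructed.
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]   # (line number, rule id, offending source line)

# Logging calls that must not ship: Android Log.v/d/i/w/e, System.out, NSLog, printf.
LOG_CALL = re.compile(r"\b(Log\.[vdiwe]|System\.out\.println|NSLog|printf)\s*\(")

# A non-trivial string literal assigned to a name that smells like a credential.
SECRET_ASSIGN = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|token|private[_-]?key)\w*\s*=\s*@?\"[^\"]{4,}\"")

# Long hex or base64 literals are usually embedded keys or IVs.
KEY_LITERAL = re.compile(r"\"(?:[0-9a-fA-F]{32,}|[A-Za-z0-9+/]{40,}={0,2})\"")


def scan_source(source: str) -> List[Finding]:
    """Run every rule over every line; a line can trigger the logging rule and
    one of the two secret rules, but not both secret rules."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if LOG_CALL.search(line):
            findings.append((lineno, "logging-left-in", stripped))
        if SECRET_ASSIGN.search(line):
            findings.append((lineno, "hardcoded-secret", stripped))
        elif KEY_LITERAL.search(line):
            findings.append((lineno, "embedded-key-literal", stripped))
    return findings


# Constructed sample: an Android client with a live key and a debug log of credentials.
SAMPLE_JAVA = """\
public class ApiClient {
    private static final String API_KEY = "sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0";
    private static final String TAG = "ApiClient";
    void login(String user, String pass) {
        Log.d(TAG, "login " + user + ":" + pass);
        String password = "";
        send(user, pass);
    }
}
"""

# Constructed sample: an iOS client with the same two mistakes plus a raw AES key.
SAMPLE_OBJC = """\
- (void)authenticate {
    NSString *secret = @"hunter2pass";
    NSLog(@"token=%@", self.token);
    static const char *aesKey = "00112233445566778899aabbccddeeff00112233";
}
"""


def report(name: str, source: str) -> None:
    print(f"== {name}")
    for lineno, rule, text in scan_source(source):
        print(f"  line {lineno:>3}  {rule:<22} {text}")


if __name__ == "__main__":
    report("ApiClient.java", SAMPLE_JAVA)
    report("Auth.m", SAMPLE_OBJC)
```

Run it as a build step that fails the release job on any finding, and treat the regexes as a floor, not a ceiling: obfuscation does nothing for a key that is still a literal in the binary, which is why the slide says to keep such data out of the app rather than to hide it.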
…but you can make it hard: Defense in Depth
[Illustration: nested layers, from the outside in: oak, chest, rabbit, duck, egg, needle]
Resources
• Security Best Practices for Android developers: https://developer.android.com/guide/practices/security.html
• iOS Security Overview: https://developer.apple.com/library/ios/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html
• OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• Trustwave SpiderLabs blog: http://blog.spiderlabs.com
Alex Catariov | Development Discipline Lead
Alexandru.Catariov@endava.com
Tel +373 79400205 | Skype alex.catariov
Thank you