
Mobile App Security Best Practices


My talk at FOSS monthly meetup

Published in: Technology

  1. Mobile Security Pitfalls. Common goofs we make and how to avoid them. Ynon Perek, tocode.co.il, ynon@tocode.co.il
  2. You Don’t Need To Be a Hacker ✤ Bug -> Vulnerability -> Exploit ✤ Hackers use exploits ✤ We’ll focus on fixing bugs
  3. Types of Vulnerabilities (diagram: Platform, Application, Server, Communication; Technical, Human Factor)
  4. Need To Protect… ✤ Our own private data ✤ Server ✤ Application secrets ✤ Our users’ private data
  5. Guidelines: Server ✤ Assume Evil Teddy Bear is writing your client app ✤ Now write the server
  6. Common Security Pitfalls - Server ✤ Trusting the client application with too much data ✤ Leaving secrets in application source code ✤ Leaving the server unprotected
  7. Demo: Tinder Location Bug
  8. Demo: Tinder Location Bug. Profile data returned to the client: "birth_date": "1992-06-24T00:00:00.000Z", "gender": 1, "name": "Daisie", "pos": { "lon": -73.9977375759311, "lat": 40.72255556095288 }, "fbId": "185"
  9. And the fix??? "photos": [ ... ], "id": "52617e698525596018001418", "common_friends": [], "common_likes": [], "common_like_count": 0, "common_friend_count": 0, "distance_mi": 4.760408451724539
  10. Found Ya!
  11. How I Hacked Your Facebook Photos. Request: DELETE /518171421550249 HTTP/1.1 / Host: graph.facebook.com / Content-Length: 245 / access_token=CAACEdEose0cBAABAXPPuULhNCsYZA2cgSbajNEV99ZCHXoNPvp6LqgHmTNYvuNt3e5DD4wZA1eAMflPMCAGKVlaDbJQXPZAWqd3vkaAy9VvQnxyECVD0DYOpWm3we0X3lp6ZB0hlaSDSkbcilmKYLAzQ6ql1ChyViTiSH1ZBvrjZAH3RQoova87KKsGJT3adTVZBaDSIZAYxRzCNtAC0SZCMzKAyCfXXy4RMUZD. Response: {"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}
  12. Now let’s try with the FB for Android token… Request: DELETE /518171421550249 HTTP/1.1 / Host: graph.facebook.com / Content-Length: 245 / access_token=<Facebook_for_Android_Access_Token>. Response: true
  13. Interesting. Now let’s try another album… Request: DELETE /518171421550249 HTTP/1.1 / Host: graph.facebook.com / Content-Length: 245 / access_token=<Facebook_for_Android_Access_Token>. Response: true. OMG! Album Got Deleted
  14. Bug Bounty Programs https://hackerone.com/
  15. Getting It Wrong: Parse Todo App http://code.tutsplus.com/tutorials/getting-started-with-parse--net-28000
  16. Getting It Right: Parse Todo App http://todolist.parseapp.com/#
  17. And now for the client (diagram: Platform, Application, Server, Communication; Technical, Human Factor)
  18. Guidelines: Client app ✤ Assume the phone was hijacked by evil teddy bear ✤ Assume the server was hacked by evil teddy bear ✤ Assume all external data is fed in by evil teddy bear
  19. Apple Storing Location Data in iOS 4. “What makes this issue worse is that the file is unencrypted and unprotected, and it’s on any machine you’ve synched with your iOS device…” http://radar.oreilly.com/2011/04/apple-location-tracking.html
  20. JS Code Injections (diagram: Evil Hacker -> Web Application (Email) -> Honest User; the attacker sends a message to the honest user, and the message includes evil JS code)
  21. Why Is It Bad? ✤ PhoneGap apps provide no protection against evil JS ✤ Injected JS can use all device capabilities
  22. JS Code Injections - PhoneGap. Untrusted inputs: ✤ WiFi network names ✤ QR codes ✤ NFC ✤ SMS ✤ Address Book ✤ iFrames
  23. Communication Layer (diagram: Platform, Application, Server, Communication; Technical, Human Factor)
  24. Guidelines: Communication ✤ Oh no, evil teddy bear PWNS the router ✤ Encrypted ✤ Authenticated ✤ Tamper proof ✤ => HTTPS
  25. Remember Firesheep?
  26. Demo: Listening on unencrypted mobile traffic using a proxy
  27. Q & A
  28. Thanks For Listening ✤ Ynon Perek ✤ tocode.co.il ✤ ynon@tocode.co.il
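The server-side guidelines (slides 5 and 6) and the two demos that follow them (Tinder returning exact coordinates, then a still-precise distance_mi; a Facebook album deleted with a token that should not have been allowed to) come down to two server rules: authorize every write on the server, and send the client only what it needs. The following JavaScript is an added example written for this page, not code from the talk or from either company. The album id is the one on the Facebook slides and the sample profile mirrors slide 8; the users, tokens, scopes, the second album and the route names are constructed.

```javascript
// Added example (not from the talk): a server written as slide 5 asks,
// assuming the client app is hostile. Two defences from slides 6-13:
// (1) authorize every write on the server, whatever app the token came from;
// (2) return only the fields the client needs, and coarsen location data.

// Constructed in-memory data standing in for a database. The first album id
// is the one shown on the Facebook slides; everything else is made up.
const albums = new Map([
  ['518171421550249', { owner: 'alice', title: 'Holiday' }],
  ['900000000000001', { owner: 'bob', title: 'Bob pics' }],
]);

// Constructed sessions: a token maps to its user and the scopes it was granted.
const tokens = new Map([
  ['tok-alice-full', { user: 'alice', scopes: ['read', 'delete'] }],
  ['tok-bob-readonly', { user: 'bob', scopes: ['read'] }],
  ['tok-bob-full', { user: 'bob', scopes: ['read', 'delete'] }],
]);

function authenticate(token) {
  const session = tokens.get(token);
  if (!session) throw new Error('401 invalid token');
  return session;
}

// Handler for "DELETE /<album id>" (hypothetical route). Slides 12-13 show a
// token from one client deleting another user's album; the checks that were
// missing are the scope check and the ownership check below.
function deleteAlbum(token, albumId) {
  const session = authenticate(token);
  const album = albums.get(albumId);
  if (!album) return { status: 404 };
  if (!session.scopes.includes('delete')) return { status: 403, error: 'missing delete scope' };
  if (album.owner !== session.user) return { status: 403, error: 'not the owner' };
  albums.delete(albumId);
  return { status: 200, deleted: true };
}

// Constructed profile store with exact coordinates, the shape slide 8 shows
// the Tinder API returning to clients.
const profiles = new Map([
  ['u1', { name: 'Daisie', birth_date: '1992-06-24', fbId: '185',
           pos: { lon: -73.9977, lat: 40.7226 } }],
]);

// Great-circle distance in miles (haversine), computed on the server.
function distanceMiles(a, b) {
  const R = 3958.8; // mean Earth radius, miles
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Slide 9's "fix" still sent distance_mi with 15 decimal places, which is
// enough to locate someone (slide 10). Coarse buckets leak far less per
// answer; pair them with rate limiting, since any distance answer leaks a bit.
function distanceBucket(mi) {
  if (mi < 1) return 'under 1 mi';
  if (mi < 5) return '1-5 mi';
  return '5+ mi';
}

// Leaky response (slide 8): the whole record, exact position included.
function profileResponseLeaky(id) {
  return profiles.get(id);
}

// Hardened response: allow-list the fields; pos never leaves the server.
function profileResponse(id, viewerPos) {
  const p = profiles.get(id);
  if (!p) return null;
  return { id, name: p.name, distance: distanceBucket(distanceMiles(viewerPos, p.pos)) };
}
```

The deciding design choice is that `deleteAlbum` derives the acting user from the server-side session, never from anything the client sends, and checks both the token's scope and the record's owner on every call; `profileResponse` builds the reply from an explicit allow-list rather than serializing the stored record and removing fields afterwards.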
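Slides 20 to 22 make the point that in a PhoneGap app a string read from a WiFi network name, a QR code, an SMS or the address book is executed with the app's device privileges if it ever reaches the page as markup, and slide 24 adds that only HTTPS links should be trusted. The JavaScript below is an added example for this page, not code from the talk or from PhoneGap/Cordova; the function names, the hostile SSID and the allowed-host list are constructed.

```javascript
// Added example (not from the talk): handling untrusted strings in a hybrid
// (PhoneGap/Cordova) WebView. Script injected into the page runs with the
// app's device privileges, so every external string is text, never markup.

// Vulnerable pattern (slides 20-22): concatenating an SSID, SMS or contact
// name into an HTML string that later goes into innerHTML.
function renderNetworksUnsafe(ssids) {
  return '<ul>' + ssids.map((s) => '<li>' + s + '</li>').join('') + '</ul>';
}

// Hardened: escape the five characters HTML cares about before concatenating.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNetworks(ssids) {
  return '<ul>' + ssids.map((s) => '<li>' + escapeHtml(s) + '</li>').join('') + '</ul>';
}

// Better still, in a real DOM, never build HTML strings from external data:
// create the elements and set textContent, which the browser never parses.
// `doc` is injectable so the function can be exercised outside a browser.
function appendNetworkItems(listEl, ssids, doc = globalThis.document) {
  for (const s of ssids) {
    const li = doc.createElement('li');
    li.textContent = s;
    listEl.appendChild(li);
  }
}

// QR codes (slide 22): validate the payload before acting on it. Only an
// https URL (slide 24) to a host the app already knows becomes a link;
// anything else, including javascript: and http: URLs, is shown as plain text.
function classifyQrPayload(payload, allowedHosts) {
  let url;
  try {
    url = new URL(payload);
  } catch (e) {
    return { kind: 'text', value: payload };
  }
  if (url.protocol === 'https:' && allowedHosts.includes(url.hostname)) {
    return { kind: 'link', value: url.href };
  }
  return { kind: 'text', value: payload };
}
```

In a Cordova app, the same rule applies to data from the server: slide 18 assumes the server may already be compromised, so JSON fields it returns go through `textContent` or `escapeHtml` too, and a whitelist of hosts (as in `classifyQrPayload`) decides which links the WebView is allowed to follow.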
