
How iOS and Android Handle Security Webinar

This webinar takes a technical look at mobile security in iOS and Android and how each of the platforms handles security differently. During the webinar, Dan will cover numerous mobile security topics including mobile secure development, defeating platform environment restrictions and their respective permission models and how to protect network communications.

The 60-minute webinar will provide actionable information to help build a more secure mobile application development program with time for questions.

Published in: Technology

  1. How iOS and Android Handle Security
     Dan Cornell @danielcornell
  2. Dan’s Background
     • Founder and CTO of Denim Group
     • Software developer by background
     • OWASP San Antonio
  3. Denim Group Company Background
     • Professional services firm that builds & secures enterprise applications
     • External application & network assessments
     • Web, mobile, and cloud
     • Software development lifecycle development (SDLC) consulting
     • Secure development services:
     • Secure .NET and Java application development & remediation
     • Classroom secure developer training for PCI compliance
     • Develop ThreadFix
  4. Overview
     • Challenges of secure mobile development
     • Areas of concern:
     • Basics of (secure) application development
     • Secure data storage
     • Secure data communication
     • Mobile browsers
     • Handling SMS and push messaging
     • Licensing and in-app payments
     • Questions and Answers
  5. Secure Mobile Application Development Reference
     • Topics include:
     • Overview of Application Development
     • Overview of Secure Development
     • Defeating Platform Environment Restrictions
     • Installing Applications
     • Application Permissions Model
     • Local Storage
     • Encryption APIs
     • Network Communications
     • Protecting Network Communications
     • Application Licensing and Payments
     • Mobile Browser
     • Native Code Execution
     • Browser URL Handling
     • Mobile Application SMS/Push Update Handling
     http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
  6. Secure Mobile Application Development Reference
     • For developers:
     • Learn the security capabilities of your mobile development platform
     • Get access to further learning resources
     • For security professionals:
     • Learn the security capabilities of the mobile development platform(s) your organization is targeting
     http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
  7. CHALLENGES OF SECURE MOBILE DEVELOPMENT
  8. Mobile Application Threat Model
     • More complicated than standard web application threat model
     • Chess versus checkers
     • Today we will focus on code running on the mobile device
  9. Generic Mobile Application Threat Model
  10. Typical Mobile Threats
      • Spoofing: Users to the Mobile Application
      • Spoofing: Web Services to Mobile Application
      • Tampering: Mobile Application
      • Tampering: Device Data Stores
      • Disclosure: Device Data Stores or Residual Data
      • Disclosure: Mobile Application to Web Service
      • Denial of Service: Mobile Application
      • Elevation of Privilege: Mobile Application or Web Services
      [Diagram labels: User Local App Storage Mobile Application Mobile Web Services Device Keychain Main Site Pages]
  11. AREAS OF CONCERN
  12. Areas of Concern
      • Basics of (Secure) Application Development
      • Secure Data Storage
      • Secure Data Communication
      • Mobile Browsers
      • Handling SMS and Push Messaging
      • Licensing and In-App Payments
  13. AREAS OF CONCERN: Basics of (Secure) Application Development
  14. Basics of (Secure) Application Development
      • Overview of Application Development
      • Overview of Secure Development
      • Defeating Platform Environmental Restrictions
      • Installing Applications
      • Application Permissions Model
      • Native Code Execution
  15. Overview of Application Development
      iOS
      • Objective-C is most common
      • Swift for newer applications
      • iOS Developer program allows installing and testing applications to developer phones
      • Actual applications installed from iTunes Store
      Android
      • Typically written in Java
      • Previously: Dalvik and DEX
      • More recently: Android Runtime (ART)
      • Applications installed from Android Play store or side-loaded via USB
  16. Overview of Secure Development
      iOS
      • Apple provides Secure Coding Guide with both:
      • General secure coding recommendations
      • iOS-specific recommendations
      Android
      • Google provides a Google Group with secure Android coding recommendations
      • Many 3rd party resources available as well
  17. Defeating Platform Environmental Restrictions
      iOS
      • iOS devices can be “jailbroken”
      • Allows access to the device as the root user
      • Allows for loading of 3rd party applications to be installed
      • Allows for use of alternate app stores
      Android
      • Android devices can be “rooted”
      • Allows for root-level access to the device
      • Allows for custom kernels on many devices
  18. Installing Applications
      iOS
      • Non-jailbroken iOS devices:
      • Apple iTunes Store
      • Developers can install applications on a set of test devices
      • Alternate app stores for jailbroken devices
      Android
      • Google Play store
      • Side-loading applications
      • For development/debugging
      • For general usage
      • Alternate app stores for rooted devices
  19. Application Permissions Model
      iOS
      • App asks for relevant permission when needed
      • Can allow or deny
      • Can review permissions and which applications are requesting them
      Android
      • Baked into AndroidManifest.xml
      • Fairly fine-grained
      • But must be accepted wholesale
      • Take a look at what apps from the app store ask for…
  20. Native Code Execution
      iOS
      • Objective-C compiles to ARM machine code
      • Objective-C not safe by nature (super)
      • Swift offers much more protection
      Android
      • Dalvik/ART should provide memory safety
      • Can run code via the Native Development Kit (NDK)
  21. AREAS OF CONCERN: Secure Data Storage
  22. Secure Data Storage
      • Local Storage
      • Encryption APIs
  23. Local Storage
      iOS
      • iOS (since 3.0) provides AES-based full-disk encryption (hooray!)
      • Based on a burned-in hardware UID (hrm…)
      • iOS 8 added a 5 second hardware delay to passcode attempts for newer hardware (hooray!) and moved more data under default protection mechanisms
      Android
      • Uses Linux user/group permissions
      • Android 5.0 allows for full-disk encryption based on PIN and password (hooray!)
      • Also can have hardware-backed storage of the encryption key via Trusted Execution Environment (TEE)
  24. Encryption APIs
      iOS
      • Provides access to a variety of certificate and key management functions
      • iOS Keychain provides device-supported encryption capabilities
      Android
      • Now has Keystore system
      • Allows for more secure storage of key materials to prevent unauthorized use
      • Provides access to javax.crypto APIs
      • Can also use 3rd party Java libraries for encryption
      • Like BouncyCastle (be careful of vulnerable versions…)
  25. AREAS OF CONCERN: Secure Data Communication
  26. Secure Data Communication
      • Network Communications
      • Protecting Network Communications
  27. Network Communications
      iOS
      • Provides access to BSD sockets
      • Provides implementations of many higher-level protocols
      Android
      • Provides access to standard java.net.* classes
      • Provides access to a number of Apache HTTP Utilities
      • Provides some Android-specific classes for HTTP/S, SIP, and WiFi
  28. Protecting Network Communications
      iOS
      • Provides implementations of common transport-layer security protocols
      • Default settings are not terrible
      Android
      • Provides access to javax.net.ssl classes allowing for TLS network communications
      • Be careful using the android.net.SSLCertificateSocketFactory because they make it easy to disable protections
  29. AREAS OF CONCERN: Mobile Browsers
  30. Mobile Browsers
      • Mobile Browser Basics
      • Browser URL Handling
  31. Mobile Browser Basics
      iOS
      • Mobile version of Safari browser that uses the WebKit HTML rendering engine
      Android
      • WebKit HTML rendering engine and a version of the Chrome V8 JavaScript engine
  32. Browser URL Handling
      iOS
      • Allows applications to register to handle different URL schemes
      • Apple applications are given precedence for the schemes they register for
      • Developers should treat inputs as untrusted
      Android
      • Allows applications to register to handle events raised by the browser for different protocols
      • Uses the Android “intent” facility to deliver
      • Developers should treat inputs as untrusted
  33. AREAS OF CONCERN: Handling SMS and Push Messaging
  34. Handling SMS and Push Messages
      iOS
      • Allows applications to receive pushed notifications so that they can display a message or download new data
      • Must treat inputs from push notifications as potentially malicious
      Android
      • Cloud to Device Messaging Framework (C2DM) has been deprecated and replaced by Google Cloud Messaging (GCM)
      • Must treat inputs from push notifications as potentially malicious
  35. AREAS OF CONCERN: Licensing and In-App Payments
  36. Application Licensing and Payments
      iOS
      • In-App purchases allow you to sell items from within iOS applications
      • StoreKit API allows for these capabilities
      Android
      • In-App purchases allow you to sell items from within Android applications
      • Billing API proxies communications between your application and the relevant Google Play services
      • Supports purchases, subscriptions and in-app products
  37. So Where Do You Go From Here?
  38. So What Should Security People Do?
      • Understand the general mobile application threat model and any peculiarities of platforms your organization supports
      • Work with developers to set architecture, design, and coding guidelines and standards
      • Test the security of mobile application systems – the entirety of systems, not just code running on the device – taking into account the security characteristics of your target platform
  39. So What Should Developers Do?
      • Threat model your mobile application prior to development
      • Learn the security properties and capabilities of the platform(s) you develop for
      • Stay current as new security vulnerabilities and weaknesses are discovered and as new security capabilities are added to your target platform(s)
  40. How Do iOS and Android Handle Security?
      • Denim Group Secure Mobile Application Development Reference
      • Overview of Application Development
      • Overview of Secure Development
      • Defeating Platform Environment Restrictions
      • Installing Applications
      • Application Permissions Model
      • Local Storage
      • Encryption APIs
      • Network Communications
      • Protecting Network Communications
      • Application Licensing and Payments
      • Mobile Browser
      • Native Code Execution
      • Browser URL Handling
      • Mobile Application SMS/Push Update Handling
      http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
  41. QUESTIONS AND ANSWERS
      Dan Cornell @danielcornell
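
Slide 28 warns that android.net.SSLCertificateSocketFactory makes it easy to disable protections. The following is an added example, not code from the slides, showing the weak setting beside a corrected raw-socket client built on the javax.net.ssl classes the slide mentions; the class and method names (TlsSockets, openUnchecked, openVerified) are hypothetical.

```java
import android.net.SSLCertificateSocketFactory;
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example: hypothetical helper class, not part of the original deck.
public final class TlsSockets {
    private TlsSockets() {}

    // WEAK: getInsecure() returns a factory with all SSL security checks
    // disabled, so the server's certificate is never validated and the
    // connection is open to man-in-the-middle interception.
    static SSLSocket openUnchecked(String host, int port) throws IOException {
        SSLSocketFactory factory = SSLCertificateSocketFactory.getInsecure(0, null);
        return (SSLSocket) factory.createSocket(host, port);
    }

    // CORRECTED: use the platform default factory, which validates the
    // certificate chain against the system trust store during the handshake.
    // A plain SSLSocket does not check that the certificate belongs to the
    // host we asked for, so that check is done explicitly before returning.
    static SSLSocket openVerified(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.startHandshake(); // chain validation happens here
            HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
            if (!verifier.verify(host, socket.getSession())) {
                throw new SSLHandshakeException("Certificate does not match " + host);
            }
            return socket;
        } catch (IOException e) {
            socket.close(); // never hand back a socket that failed verification
            throw e;
        }
    }
}
```

In code review, a call to getInsecure() that can be reached in a release build is the thing to look for; HttpsURLConnection with its defaults left untouched performs both checks on its own.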
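
Slides 32 and 34 say that inputs arriving through URL handlers and push messages must be treated as untrusted. The following is an added example, not code from the slides, of an Android activity that validates an incoming link before acting on it; the activity name, the `exampleapp://orders/view?id=` link shape and the `id` parameter are assumptions made for illustration.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.widget.TextView;
import java.util.regex.Pattern;

// Hypothetical activity registered for exampleapp://orders/view?id=<digits>.
// Any app or web page on the device can fire this intent, so nothing in it is trusted.
public class OrderLinkActivity extends Activity {
    private static final String SCHEME = "exampleapp"; // assumed scheme
    private static final String HOST = "orders";       // assumed host
    private static final String PATH = "/view";        // assumed path
    // [0-9] rather than \d, so only ASCII digits are accepted.
    private static final Pattern ORDER_ID = Pattern.compile("[0-9]{1,12}");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String orderId = parseOrderId(getIntent());
        if (orderId == null) {
            finish(); // reject without echoing the supplied input back
            return;
        }
        TextView view = new TextView(this);
        view.setText("Order " + orderId); // digits only after validation
        setContentView(view);
        // The server must still check that the signed-in user may read this order.
    }

    // Returns the order id only if every part of the link matches the expected shape.
    static String parseOrderId(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) {
            return null;
        }
        Uri uri = intent.getData();
        // getQueryParameter() throws on opaque URIs such as "exampleapp:foo".
        if (uri == null || !uri.isHierarchical()) {
            return null;
        }
        if (!SCHEME.equals(uri.getScheme()) || !HOST.equals(uri.getHost())
                || !PATH.equals(uri.getPath())) {
            return null;
        }
        String id = uri.getQueryParameter("id");
        return (id != null && ORDER_ID.matcher(id).matches()) ? id : null;
    }
}
```

The same allowlist-then-use pattern applies to fields read from a push message payload before they reach a database query, a WebView or a file path.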
