Developing Secure Mobile Applications
Description: Developing secure mobile applications; developing secure iOS applications; developing secure Android applications.

Slide 1. Developing Secure Mobile Applications
Clinton Mugge, Symosis Security

Slide 2. Introduction
Clinton Mugge
• 18 Years as a Security Professional
• Counterintelligence Agent / Big “5” Security Auditor / Director of Consulting / Symosis Security
Symosis Security
• Web Application and Web Services
• Mobile Assessments
• Compliance-Tailored Audits
• Application Security Training
• U.S.-Based Consultants

Slide 3. Agenda
• Rise of “Mobile”
• What is “Mobile”
• “Mobile” Fears
• “Mobile” Mindset
• “Mobile” Best Practices
• Security Tools for Testing “Mobile”
• Questions?

Slide 4. The Rise of “MOBILE”: Mobile Data Growth (chart; source: Cisco Global Mobile Data Traffic Forecast)

Slide 5. The Rise of “MOBILE”: Mobile Device Growth (chart; source: Gartner Group and JPMorgan Chase)

Slide 6. What is “MOBILE”?
• Is it defined by Hardware Platform?

Slide 7. What is “MOBILE”?
• Is it defined by size?

Slide 8. What is “MOBILE”?
• Is it defined by a constant idea?

Slide 9. What is “MOBILE”?
• Mobile IS perception
• Mobile tomorrow will not resemble what we perceive today
• Mobile today is the convergence of data and voice communications and entertainment
• Mobile will constantly change

Slide 10. The Fear: Understanding what can go wrong

Slide 11. “Mobile” Fears
• Platforms Behaving Badly

Slide 12. “Mobile” Fears
• Developers Behaving Badly

Slide 13. “Mobile” Fears
• Applications Behaving Badly

Slide 14. “Mobile” Fears
• Applications Behaving Badly (continued)

Slide 15. “Mobile” Fears
• Many applications have known security issues:

| Category  | Application   | Platform |
|-----------|---------------|----------|
| Banking   | Chase Mobile  | iPhone   |
| Investing | Wikinvest     | iPhone   |
| Commerce  | Amazon Mobile | Android  |
| Mail      | Hushmail      | Android  |
| Social    | Facebook      | iPhone   |
| Tax       | IRS2Go        | iPhone   |

(The Score column of the original slide is not captured in the transcript.) Source: ViaForensics

Slide 16. “Mobile” Fears
• Mobile platforms are targeted by common security threats: phishing, malware, viruses, worms
Do not become an easy target!

Slide 17. The Mindset: Think Security

Slide 18. Embrace a Secure “Mobile” Mindset
• This is NOT your father's Oldsmobile
• Users do NOT own the file system
• Users EXPECT you to protect them
• Others WILL be looking
• Users ARE more educated (kind of)
• Educate them to the “WHY” in your experience

Slide 19. Avoid “Mobile” Pitfalls
• HTTP used instead of HTTPS
• Keychains used improperly
• User input not sanitized
• Improper caching of data
• Sensitive log files
• URL handler parameters
• UIPasteboard / UITextAutocorrection (iOS)
• Backgrounding sensitive screens (iOS)

Slide 20. Best Practices: Understanding how to do right

Slide 21. “Mobile” Best Practices
Break the approach down into core elements:
• Design
• Installation
• Privacy
• Authentication and Authorization
• Communications and Session Management
• Data Validation
• Data Storage
• Error Handling
• Auditing

Slide 22. “Mobile” Best Practices: Design
• Define Engineering Goals
• Define Type of Data
• Define Use Cases: Authenticated/Unauthenticated, Online/Offline Use
• Identify if Previously Solved
• Evaluate Platform Controls
• HTML5 vs. Native

Slide 23. “Mobile” Best Practices: Installation Concerns
• Privacy Concerns
• Application Rights
• Terms of Service / License Agreement
• Installation Locations
• Function Follows Disclosure
• File Permissions
• Third Party Calls
• Code Signing
• Masking Input

Slide 24. “Mobile” Best Practices
• Authentication: Passwords, PINs
• Authorization: API Keys, Cookies, Impersonation
• Communications: Encrypted/Unencrypted Transport, Proper SSL Certificate Validation, Handling of the User Context

Slide 25. “Mobile” Best Practices
• Data Storage and Handling: Encrypted/Unencrypted, Validate Input, URL/URI Handlers
• Error Handling and Auditing: Server Errors / Information Disclosure, Logged Data (client/server)

Slide 26. Cardinal Rules
• Do NOT blindly trust the OS (OS behaving badly)
• Trust Nobody (Developers behaving badly)
• Do NOT trust the User (Applications behaving badly)
“If there’s any way they can do it wrong, they will.” Captain Ed Murphy Jr., US Army
“If anything can go wrong, it will.”

Slide 27. Security Testing: Trust but VERIFY!

Slide 28. iOS / Android Testing Tools
• Platform SDKs: understand the strengths and weaknesses
• Communication channels: HTTP proxy, NSURL files
• Reverse engineering / code analysis / debugging: otool, Shark / dalvik, dexdump, smali
• Review memory leaks, uninitialized variables, buffer overflows, type mismatches, dead code
• Sensitive data in storage: cached data (keyboard, snapshots), plist files, SQLite databases, log files
• Jailbreaking / Rooting

Slide 29. Questions?

Slide 30. Contact Information
Clinton Mugge, Symosis Security
www.symosis.com
clinton@symosis.com
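Slide 19 lists "HTTP used instead of HTTPS" as a pitfall and slide 24 asks for "Proper SSL Certificate Validation" but neither says what that means in code. The following is an added example, not from the deck or from Symosis: a Python TLS client (standard library only) showing the accept-anything configuration that causes the pitfall beside a hardened one, with a fingerprint pin applied after the handshake. The sample certificate bytes and the pin set are constructed placeholders; the same two checks (chain validation and hostname matching) are what an iOS or Android HTTPS delegate must never switch off.

```python
"""Added example (not from the slides): a TLS client that performs the
certificate validation slide 24 asks for, shown beside the 'accept anything'
configuration behind the HTTPS pitfall on slide 19."""
import hashlib
import socket
import ssl


def weak_context() -> ssl.SSLContext:
    """The pitfall: chain validation and hostname matching both switched off,
    so any certificate (including an interception proxy's) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Platform trust store, CERT_REQUIRED, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_validating(ctx: ssl.SSLContext) -> bool:
    """True only if the context rejects untrusted chains AND mismatched names."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate: the value an app would pin."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins: set) -> bool:
    return cert_fingerprint(der) in pins


def fetch_with_pin(host: str, port: int, pins: set, path: str = "/") -> bytes:
    """HTTPS GET that fails closed: chain and hostname are checked by the
    context, then the leaf certificate is compared with the pin set."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins):
                raise ssl.SSLError("leaf certificate does not match pin set")
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.recv(4096)


# Constructed stand-in for a DER certificate, used only to exercise the pin logic.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"
```

`fetch_with_pin` needs network access; the context and pin helpers can be exercised offline.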

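Slides 19 and 25 warn about sensitive log files and logged client data, and slide 28 lists log files, plist files and cached data among the artifacts a tester reviews. The following is an added example, not from the deck or from Symosis, of a check a tester could run over those artifacts: it scans constructed logcat/NSLog-style lines and a constructed plist-style dictionary for credentials, bearer tokens and card numbers (Luhn-checked to cut false positives). All sample data is constructed; standard library only.

```python
"""Added example (not from the slides): audit pass over constructed client
log lines and a plist-style key/value dump for the sensitive data that
slides 19, 25 and 28 say should never be logged or left in storage."""
import re

# Constructed sample artifacts: logcat/NSLog-style lines and a plist dump.
SAMPLE_LOG = """\
D/LoginActivity: POST /login user=alice password=Summer2011!
I/NetClient: Authorization: Bearer eyJhbGciOi.constructed.token
2011-05-03 10:02:11 MyBank[412] card=4111111111111111 exp=12/13
I/NetClient: GET /balance 200 OK
D/Cache: wrote /data/data/com.example.bank/cache/last_statement.pdf
"""
SAMPLE_PLIST = {"username": "alice", "sessionToken": "c0ffee1234deadbeef",
                "lastScreen": "accounts"}

PATTERNS = {
    "password in log": re.compile(r"(?i)\bpass(word|wd)?\s*[=:]\s*\S+"),
    "bearer token":    re.compile(r"(?i)authorization:\s*bearer\s+\S+"),
    "card number":     re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}
SENSITIVE_KEYS = re.compile(r"(?i)(password|token|secret|pin|ssn|card)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_log(text: str) -> list:
    """Return (line number, finding) pairs for each sensitive item in a log."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "card number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # long digit run that is not a PAN (e.g. an ID)
            findings.append((n, kind))
    return findings


def scan_plist(entries: dict) -> list:
    """Keys whose names suggest a secret that belongs in the keychain, not a plist."""
    return [k for k in entries if SENSITIVE_KEYS.search(k)]
```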