Successfully reported this slideshow.
Your SlideShare is downloading. ×

Creating secure apps using the salesforce mobile sdk

Dec. 03, 2017
1 like 359 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8
Loading in …3
×

Check these out next

The use case for Cassandra at Ping Identity
Ping Identity
IoT World - creating a secure robust IoT reference architecture
Paul Fremantle
Building powerful apps with ArangoDB & KeyLines
Cambridge Intelligence
Ten security product categories you've (probably) never heard of
Adrian Sanabria
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
KazHackStan
Mobile App Hacking In A Nutshell
Prathan Phongthiproek
Owasp for testing_mobile_apps_opd
Pawel Rzepa
Owasp top 10
veerababu penugonda(Mr-IoT)
1 of 39 Ad

Creating secure apps using the salesforce mobile sdk

Dec. 03, 2017
1 like 359 views

Download to read offline

Technology

Creating a mobile app has never been easier with the wide-range of frameworks and languages available at your fingertips. But is it easy to secure a mobile app? Join our mobile security experts as they walkthrough the Salesforce Mobile SDK and learn everything you need to know about hardening your mobile apps. We will discuss common vulnerabilities and mistakes, followed by a dive deep into how the Salesforce Mobile SDK makes following our security best practices easy and painless!

Creating a mobile app has never been easier with the wide-range of frameworks and languages available at your fingertips. But is it easy to secure a mobile app? Join our mobile security experts as they walkthrough the Salesforce Mobile SDK and learn everything you need to know about hardening your mobile apps. We will discuss common vulnerabilities and mistakes, followed by a dive deep into how the Salesforce Mobile SDK makes following our security best practices easy and painless!

Technology
Advertisement

Recommended

Owasp Mobile Top 10 - M7 & M8
5h1vang
1k views
17 slides
Owasp Mobile Top 10 – 2014
n|u - The Open Security Community
7.7k views
16 slides
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
5h1vang
1.3k views
9 slides
(ISC)2 Kamprianis - Mobile Security
Michalis Kamprianis
163 views
16 slides
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
2.1k views
24 slides
Mobile Threats and Owasp Top 10 Risks
Santosh Satam
5.2k views
56 slides
Understanding passwordless technologies
David Strom
549 views
34 slides
Login cat tekmonks - v3
TEKMONKS
170 views
26 slides
Advertisement

More Related Content

Slideshows for you (20)

The use case for Cassandra at Ping Identity
Ping Identity
1.7k views
IoT World - creating a secure robust IoT reference architecture
Paul Fremantle
2k views
Building powerful apps with ArangoDB & KeyLines
Cambridge Intelligence
667 views
Ten security product categories you've (probably) never heard of
Adrian Sanabria
1.9k views
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
KazHackStan
374 views
Mobile App Hacking In A Nutshell
Prathan Phongthiproek
230 views
Owasp for testing_mobile_apps_opd
Pawel Rzepa
416 views
Owasp top 10
veerababu penugonda(Mr-IoT)
731 views
Hacking & Securing of iOS Apps by Saurabh Mishra
OWASP Delhi
372 views
Two factor authentication 2018
Will Adams
2.7k views
Inria Tech Talk IoT - 28 Mars 2018
FrenchTechCentral
169 views
Multi-Factor Authentication - "Moving Towards the Enterprise"
mycroftinc
959 views
Application Security within Agile
Netlight Consulting
646 views
Top 3 tips for security documentation
Michael Furman
569 views
Seminar-Two Factor Authentication
Dilip Kr. Jangir
5.9k views
Menofia UN -Mobile Security
Ahmed Samara
286 views
Security in microservices architectures
inovia
914 views
How can you deliver a secure product
Michael Furman
516 views
Berkarir di Cyber Security
Satria Ady Pradana
160 views
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
7k views
The use case for Cassandra at Ping Identity
Ping Identity
1.7k views
15 slides
IoT World - creating a secure robust IoT reference architecture
Paul Fremantle
2k views
39 slides
Building powerful apps with ArangoDB & KeyLines
Cambridge Intelligence
667 views
23 slides
Ten security product categories you've (probably) never heard of
Adrian Sanabria
1.9k views
38 slides
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
KazHackStan
374 views
40 slides
Mobile App Hacking In A Nutshell
Prathan Phongthiproek
230 views
26 slides

Similar to Creating secure apps using the salesforce mobile sdk (20)

OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
7k views
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
2.5k views
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
2k views
How to create a secure IoT device
Abhijeet Rane
227 views
Android Application Security
Chong-Kuan Chen
1.2k views
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
3.9k views
Mobile App Security - Best Practices
RedBlackTree
300 views
Runtime Analysis on Mobile Applications (February 2017)
Sandeep Jayashankar
96 views
Hacking Mobile Apps
Sophos Benelux
1.7k views
Indianapolis Splunk User Group Dec 22
WesComer2
40 views
Iot secure connected devices indicthreads
IndicThreads
589 views
Hacking mobile apps
kunwaratul hax0r
92 views
Smartphone security issues
Aleksandra Gavrilovska
852 views
[OWASP Poland Day] Saving private token
OWASP
329 views
Open source iam value, benefits, and risks
WSO2
280 views
Top 10 mobile security risks - Khổng Văn Cường
Võ Thái Lâm
1.3k views
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
1k views
Top 10 mobile security risks - Khổng Văn Cường
Security Bootcamp
1.2k views
iOS application (in)security
iphonepentest
9.1k views
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
1.7k views
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
7k views
43 slides
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
2.5k views
65 slides
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
2k views
45 slides
How to create a secure IoT device
Abhijeet Rane
227 views
21 slides
Android Application Security
Chong-Kuan Chen
1.2k views
43 slides
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
3.9k views
43 slides
Advertisement

More from Martin Vigo (11)

From email address to phone number, a new OSINT approach
Martin Vigo
2.9k views
Ransombile: yet another reason to ditch sms
Martin Vigo
993 views
Compromising online accounts by cracking voicemail systems
Martin Vigo
1.3k views
Mobile apps security. Beyond XSS, CSRF and SQLi
Martin Vigo
1.9k views
Building secure mobile apps
Martin Vigo
498 views
Secure Salesforce: Hardened Apps with the Mobile SDK
Martin Vigo
341 views
Breaking vaults: Stealing Lastpass protected secrets
Martin Vigo
533 views
Even the LastPass Will be Stolen Deal with It!
Martin Vigo
451 views
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
439 views
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Martin Vigo
353 views
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Martin Vigo
309 views
From email address to phone number, a new OSINT approach
Martin Vigo
2.9k views
30 slides
Ransombile: yet another reason to ditch sms
Martin Vigo
993 views
36 slides
Compromising online accounts by cracking voicemail systems
Martin Vigo
1.3k views
46 slides
Mobile apps security. Beyond XSS, CSRF and SQLi
Martin Vigo
1.9k views
46 slides
Building secure mobile apps
Martin Vigo
498 views
19 slides
Secure Salesforce: Hardened Apps with the Mobile SDK
Martin Vigo
341 views
40 slides

Recently uploaded (20)

Page.Replacement.OS.ppt
amadayshwan
0 views
Chang_Lu.pdf
AbdetaImi
0 views
Digital Transformation
MarketingKulsys
0 views
Data Communication.pptx
sandhyakiran10
0 views
Web Development Services.pdf
sanjanasingh745202
0 views
artificialintelligenceingaming-221113091057-b894cc20.pdf
ArghyaGayen2
0 views
AI.ppt
ArghyaGayen2
0 views
USS-12-bay_SetupGuide_v1.pdf
FinnJohn2
0 views
Why Regular Maintenance Is Essential For Your Residential Generator
Leddy Power Systems Inc
0 views
Web3 & Vernacular Arts.pdf
SwatiJain891352
0 views
ATC Tech Summit - Welcome and Intro Comments
Advanced Technology Consulting (ATC)
0 views
NISO Plus 2023 - Publisher Perspectives on Metadata Quality and Completeness....
Matthew Ragucci
0 views
EyeWay user experience
Boris Greenberg
0 views
transformer解説~Chat-GPTの源流~
MasayoshiTsutsui
0 views
Insulation-Resistance By Rohit Damodaran.pdf
Rohit Damodaran
0 views
JavaScript Vs. Python: Which One is Better?
Syed Hassan Raza
0 views
Accessibility In Mobile Dev LifeCycle.pptx
MarkSteadman7
0 views
Artificial Intelligence's use cases in various industries.
MindInventory
0 views
Cyber Defined! MDR, XDR, EDR, NDR
Advanced Technology Consulting (ATC)
0 views
AR-VR.pptx
DhrumiMahar
0 views
Page.Replacement.OS.ppt
amadayshwan
0 views
28 slides
Chang_Lu.pdf
AbdetaImi
0 views
82 slides
Digital Transformation
MarketingKulsys
0 views
6 slides
Data Communication.pptx
sandhyakiran10
0 views
170 slides
Web Development Services.pdf
sanjanasingh745202
0 views
1 slide
artificialintelligenceingaming-221113091057-b894cc20.pdf
ArghyaGayen2
0 views
55 slides
Advertisement

Creating secure apps using the salesforce mobile sdk

  1. 1. Creating Secure Apps Using The Salesforce Mobile SDK mvigo@salesforce.com, @martin_vigo ​Martin Vigo, Senior Product Security Engineer jkinser@salesforce.com ​Jesse Kinser, Senior Product Security Engineer
  2. 2. ​Senior Product Security Eng. ​mvigo@salesforce.com ​Senior Product Security Eng. ​jkinser@salesforce.com Martin Vigo Jesse Kinser Speakers
  3. 3. Native vs Hybrid ​Overview
  4. 4. Native vs Hybrid • File system / Insecure storage • Network communication • Crypto • Clipboard • Backups • RPC, URL scheme handlers ​Threats • XSS • CSRF • SQLi • Input validation • Output encoding • Application logic flaws
  5. 5. OWASP Mobile Top 10 ​2016 version
  6. 6. M1 - Improper Platform Usage
  7. 7. M1 - Improper Platform Usage • Violation of published guidelines • iOS Keychain • Android Intents • Violation of convention or common practice • Unintentional Misuse • Misunderstanding documentation • Wrong implementations ​Insecure implementation of native security features
  8. 8. Mobile SDK • Open source • Specific security training program for developers • Code reviews part of the SDLC • Security reviews • In house • Independent 3rd parties • Scanners • Bug bounty program ​Taking advantage of all security layers
  9. 9. M2 – Insecure Data Storage
  10. 10. M2 – Insecure Data Storage • Explicit storage • Credentials / OAuth tokens • Personal data • Preferences • Logs • Automatic storage • Temp files • Cache data • Leaks • Logs • Debugging information • Crashes • Analytics • Caches • Unique urls • Requests/Responses containing sensitive data • Images ​Leaving traces behind App Sandbox External storage Backups Hardcoded data
  11. 11. Mobile SDK • Uses OS provided secure storage for secrets • Encrypts sensitive files in the sandbox • Does not log any sensitive information • Server-side and client-side cache control • Cleanup routines for logged out users ​No trace App Sandbox External storage Backups Hardcoded data
  12. 12. M3 – Insecure Communication
  13. 13. M3 – Insecure Communication • HTTP • No confidentiality • HTTPS • Version? • Cipher suites? • Enforced? • Mixed content • Certificates • Self-signed • Mismatched hostnames • Other protocols • Bluetooth, NFC, etc. ​Eavesdropping
  14. 14. Mobile SDK • Uses HTTPS only • Deprecates retired/vulnerable cipher suites and versions (server side) • Accepts only trusted certificates ​Properly encrypted communications
  15. 15. M4 – Insecure Authentication
  16. 16. M4 – Insecure Authentication • Vulnerable APIs • No authentication • Poor entropy in tokens • Weaker authentication than Web version • Password/Token stored insecurely • No revocation ​Who am I?
  17. 17. Mobile SDK • Uses standard protocols • Oauth 2.0 • No passwords are stored • Session token stored securely • Token revocation • Inactivity logout ​You are who you claim to be
  18. 18. M5 – Insufficient Cryptography
  19. 19. M5 – Insufficient Cryptography • ROT-13 isn’t the only insecure means of encrypting • “secret” => “frperg” • AES - advanced encryption standard • Secure, but that security depends on • Key length • Cipher mode • Others • Lots of ways to mess up • So what can you do? ​Weak protection for your secrets
  20. 20. Mobile SDK encryption support • AES - CBC • Secure keys • Created using native PRNG • 256 bits • Unique per installation • Stored in native secure storage • Or derived from PIN using PBKDF2 • SmartStore • Based on SQLCipher • Secure storage without crypto knowledge ​Crypto following standards and best practices
  21. 21. M6 – Insecure Authorization
  22. 22. M6 – Insecure Authorization • Insecure Direct Object Reference (IDOR) vulnerabilities • User role / Permission transmission • Hidden endpoints • Client side checks ​What can I do?
  23. 23. Mobile SDK • Clear User roles and permission model • Permission checks on every request • Based on session ID • Checks only server side • Use of public and documented APIs • Security reviews • In house • Independent 3rd parties • Scanners • Bug bounty program ​You can only do what you are supposed to
  24. 24. M7 – Poor Code Quality
  25. 25. M7 – Poor Code Quality • Good developers but limited security knowledge • Buffer overflows • Format string vulnerabilities • XSS in Webviews • Ignoring best practices • No code reviews ​Insecure coding practices
  26. 26. Mobile SDK • Open source • Specific security training program for developers • Code reviews part of the SDLC • Security reviews • In house • Independent 3rd parties • Scanners • Bug bounty program ​Following best practices
  27. 27. M8 – Code Tampering
  28. 28. M8 – Code Tampering • Attacker modifies binary file • Applies specially to games • Cheats • Free resources • Etc. ​Binary manipulation
  29. 29. Mobile SDK • Mobile SDK is open source • No gain from real-time manipulation • Compatible with MDM • Add additional restrictions ​Not applicable
  30. 30. M9 – Reverse Engineering
  31. 31. M9 – Reverse Engineering • Binary extraction from the device • Or download binary directly from online store • Decrypt/Decompress • String analysis, binary protections • Decompile • Source code analysis • Disassembly • Reverse engineering • Debugging / Real time manipulation ​Protecting binaries
  32. 32. Mobile SDK • Security though obscurity • Highly discouraged by the industry • Mobile SDK is open source • The more eyes looking at it, the better! • Mobile SDK uses public/documented APIs • No secrets in • How it is built • How it works • How it provides security • Bug bounty • Ethical hackers are welcome! ​No need to reverse anything!
  33. 33. M10 – Extraneous Functionality
  34. 34. M10 – Extraneous Functionality • Hidden menus • “Legit” back doors • Debug flags • Test code • Comments including sensitive information in webviews ​Finding edge cases
  35. 35. Mobile SDK • Open source • Rigorous deployment cycle • 3rd party reviews ​Transparent
  36. 36. Conclusions
  37. 37. Conclusions • Open source platform • Active project • Provides secure storage through encryption • Enforces secure communication • Provides easy authentication and authorization ​What is the Mobile SDK in terms of security? • Uses platform-specific security mechanisms • Follows best practices and secure coding guidelines • It is constantly reviewed by security engineers • Goes through independent security audits • In scope in our Bug Bounty program
  38. 38. Security @ Dreamforce ​Find the “Salesforce Security” booth in Developer Forest ​Salesforce Security Booth & Developer Sessions Information

×