© Copyright 2013 Coveros, Inc. All rights reserved.
Tips and Tricks for Building Secure Mobile Applications
Jeffery Payne
Chief Executive Officer, Coveros, Inc.
www.coveros.com
Twitter: @jefferyepayne
Bio
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.
About Coveros
Coveros helps organizations accelerate the delivery of secure, reliable software
Areas of Expertise
Our consulting services:
– Agile software development
– Application security
– Software quality assurance
Agile services:
– Agility assessments
– Process improvement
– Hands-on agile software development
– Agile project management
– Agile testing and automation
– Agile training by role
Agenda
Mobile applications: the perfect security storm
– Typical architecture(s)
– A changing threat model
Mobile risks and development strategies
– Local storage
– Session management
– Untrusted clients
– Native code
– Mobile platforms
– Traditional risks
Getting more help
Mobile Apps: The Perfect Security Storm
[Architecture diagram: smartphones, tablets and laptops with mobile data modems connect over the cell network and the Internet, through connectivity gateways, to the web server, app server, database and software apps & data. Labelled concerns: fat client concerns; untrusted apps / untrusted users; traditional web security concerns; traditional software security concerns.]
A Changing Threat Model
New Attack Profiles
– Increased access by malicious users
– Malicious 3rd party applications
– Increased information for attacking application back-ends
Fluid Trust Boundaries
– Level of trust necessary to use 3rd party applications
– Local access to sensitive data
Nuances of Mobile Platforms
– Differing security models
– Different vulnerabilities due to programming languages
Mobile Risks
Local storage – Storage of data (implicitly or explicitly) on a device
Session management – Managing the on-going interactions between a mobile app user and the rest of a distributed environment
Untrusted clients – Client requests might not be legitimate
Native Code – Native code is still prevalent in mobile applications
Mobile Platforms – How the device (and OS) configures and controls apps
Traditional Risks – Other risks we already know about
Mobile App Security
Do Not Allow Storage of Sensitive Data on Devices
Why?
– Devices use flash memory for local storage
– External devices have global data permissions
– Data encryption libraries and key management functions are often misused by developers
– UI screens are captured and stored in “temporary” storage
What to do
– Store sensitive data on back-end servers behind a firewall
– Replace sensitive data that must be entered / displayed on the UI with replacement tokens or partial data when it doesn’t need to be fully viewable
– If you must store some data locally, use encryption routines and a computational key derivation function for generating keys
Mobile App Security: Best Practices
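Added example, not from the slides: the two "what to do" items for local storage in Python, a computational KDF (PBKDF2-HMAC-SHA256 with a random salt) for generating a storage key, set beside the unsalted-hash misuse the slide warns about, plus partial-data masking for the UI. The iteration count and the sample card number are constructed values.

```python
# Added example (not from the Coveros slides): derive a storage key with a
# computational KDF and show partial-data masking for UI display.
import hashlib
import hmac
import os

# Work factor: a constructed value for illustration; tune it to the device's
# CPU budget (hundreds of thousands of iterations is typical for PBKDF2-HMAC).
ITERATIONS = 200_000
KEY_LEN = 32  # 256-bit key for an AEAD cipher such as AES-256-GCM


def weak_key(passphrase: str) -> bytes:
    """The misuse the slide warns about: a single unsalted hash as the key.
    Cheap to brute-force and identical for every user with the same passphrase."""
    return hashlib.sha256(passphrase.encode()).digest()


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive an encryption key with PBKDF2-HMAC-SHA256 (a computational KDF).
    The salt is random per installation and stored next to the ciphertext;
    the passphrase itself is never written to the device."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=KEY_LEN)


def new_salt() -> bytes:
    return os.urandom(16)


def keys_match(candidate: bytes, expected: bytes) -> bool:
    """Constant-time comparison so a key check does not leak timing information."""
    return hmac.compare_digest(candidate, expected)


def mask_for_display(value: str, visible: int = 4) -> str:
    """Replace all but the last `visible` characters so the full value never
    reaches the screen (and so never lands in a cached screenshot)."""
    digits = value.replace(" ", "")
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


if __name__ == "__main__":
    key = derive_key("correct horse battery staple", new_salt())
    print(len(key), mask_for_display("4111 1111 1111 1111"))  # constructed sample
```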
Make Sure Sessions Are Managed Carefully
Why?
– Mobile application sessions tend to be left open longer on mobile devices to support mobile app use cases
– Untrusted applications that are malicious can compromise your applications if session management isn’t secure
– People often leave their phones lying around …
What to do
– Terminate idle sessions automatically after no more than 5 minutes if the application is security-critical
– Do not use the device identifier / MEID as a session token
– Support token revocation, including the ability to revoke tokens remotely
– Use only temporary session keys (to thwart ‘replay attacks’)
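Added example, not from the slides: a server-side session store in Python that applies the rules above, an unguessable temporary token issued by the server (never a device identifier), a 5-minute idle timeout, per-token revocation and remote per-user revocation. The injectable clock and the user names are constructed for illustration.

```python
# Added example (not from the Coveros slides): session handling per the slide's
# rules: random temporary tokens, 5-minute idle timeout, local and remote revocation.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 5 * 60  # the slide's ceiling for security-critical apps


@dataclass
class Session:
    user_id: str
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock  # injectable so the timeout can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        """Issue a fresh, unguessable token. It is generated server-side, never
        derived from the device (MEID/IMEI), so a leaked device id is worthless
        and every login yields a new value (no long-lived replayable secret)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, else None. Idle sessions are
        deleted on sight so a stale token cannot be replayed later."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        if self._clock() - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        s.last_seen = self._clock()  # activity extends the idle window
        return s.user_id

    def revoke(self, token: str) -> None:
        if token in self._sessions:
            self._sessions[token].revoked = True

    def revoke_user(self, user_id: str) -> int:
        """Remote revocation: kill every session of a user (e.g. a lost phone)."""
        hit = [s for s in self._sessions.values() if s.user_id == user_id and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)
```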
Assume No Client (or App) Is Trustworthy
Why?
– The increased threat of mobile device compromise means no client / app requesting information can be trusted
– Trusted apps may have been misconfigured to allow easy compromise
What to do
– Make sure lower levels of encryption (export grade) have been disabled on the back-end servers
– Validate the integrity of all data received from a client or other application (trust no one!)
– Sanitize all data received from a client or other input
– Return the minimum amount of information to the user when an error has occurred
– Move all default directories on all servers
– Do not allow software to be installed/configured with default passwords
Test Native Code for Known Vulnerabilities
Why?
– Mobile platforms often support the development of native code applications that are vulnerable to traditional attacks
– Software written for Apple devices is written in Objective-C; Java can call native code
– VMs often include vulnerabilities!
What to do
– Use Address Space Layout Randomization (ASLR) to combat overflow attacks
– Perform traditional secure code scanning on all native code as part of the software development process
– Avoid using native code if possible
Understand Your Mobile Platform
Why?
– Each platform uses a different security model
– Each platform manages applications differently
What to learn
– Learn how applications store data, protect it from access, and when data is physically deleted from the device
– Understand the default configurations for applications, browsers, and communication protocols
– Learn how and when information is cached, keyboard keys are logged, and screenshots are saved
– Understand how libraries are loaded and run (and in what order)
Don’t Forget About Traditional Risks
Why?
– Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
– MySQL often ships with devices and is susceptible to SQL injection
– Web vulnerabilities exist in thin-client mobile apps
What to do
– Check for SQL injection
– Check for web application security issues (XSS, CSRF, etc.)
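Added example, not from the slides: the SQL injection check above carried out in Python against an in-memory SQLite table standing in for an on-device database, with the concatenating query beside its parameterized replacement. The table, rows and probe string are constructed sample data.

```python
# Added example (not from the Coveros slides): an SQL injection check run over a
# vulnerable query and its hardened form. Data is constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 120), ("bob", 75), ("carol", 3000)])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: user input is spliced into the statement text, so a quote
    character in `owner` changes the meaning of the query."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened: the driver binds `owner` as a value; it can never become SQL."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


# Textbook probe used in security testing: a quote that closes the string
# literal, followed by an always-true condition.
PROBE = "' OR '1'='1"


def injection_check(lookup) -> bool:
    """Return True if `lookup` returns more rows for the probe than for a
    legitimate owner, i.e. the query is injectable."""
    conn = make_db()
    try:
        return len(lookup(conn, PROBE)) > len(lookup(conn, "alice"))
    except sqlite3.Error:
        return False  # a syntax error is not a data leak, but still a bug to fix
```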
Getting Smarter
OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Coveros Labs – R&D in:
– Secure mobile development
– Malicious code analysis
– Cloud security
– http://www.coveros.com/content/coveros-labs
Questions?
Thank You
Contact Information:
Jeffery Payne