What every developer should know about building trustworthy apps

Published on 25-Feb-2016


DESCRIPTION

What every developer should know about building trustworthy apps. Crispin Cowan, Akriti Dokania, Microsoft Windows Security, 2-111. Agenda: trustworthy apps lead to user confidence; threats to confidence; eight most common pitfalls and what to do about them; further reading. PowerPoint PPT Presentation.

Transcript

What every developer should know about building trustworthy apps

Build 2012. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 6/28/2013

Crispin Cowan, Akriti Dokania
Microsoft Windows Security
2-111

Agenda

Trustworthy apps lead to user confidence
Threats to confidence
Eight most common pitfalls and what to do about them
Further reading

Confidence

User confidence comes from trustworthy apps
Nothing bad happens to the typical user
No matter how many Windows Store Apps they try, buy, and uninstall

Windows app platform makes it easy to create rich app experiences

Contribution to confidence

Windows Store onboarding
Windows platform provides app isolation
App developers should use secure development practices to defend the app from attack

Threats to apps

Apps can be attacked from:
  Network
  Neighboring apps via Clipboard or contracts like Share
Apps hosting powerful resources (passwords) are attractive targets
Apps can leak valuable secrets to the network
Apps hosting valuable data on a PC that can be physically stolen
Threats to apps occur when your app interacts with the world

Security pitfalls in Windows app development

Excess Capabilities
  Unnecessary File Capabilities
  Storing app state in a user Library
  Shipping Debugging Functionality
  Unnecessary Special Use Capabilities
Insecure sharing
  Not using HTTPS
  Trusting untrusted sources
  Enforcing service security policies on the client
  Storing unencrypted passwords & sensitive data

Excess capability pitfalls

Pitfall 1: Using unnecessary file capabilities

Scenario: your app needs to open and save files
Pitfall: so you declare some File Capabilities
Threat: app gets access to many user files
Guidance: you only need file capabilities for programmatic access to Libraries
  Pictures, Music, Videos, and Documents
  Documents is especially sensitive

What capabilities are there? When should they be used?

File/Library: Pictures, Music, Videos, Documents. Use when you need programmatic access, e.g. play all music vs. play a single sound.
Devices: Microphone, WebCam, Location. Use when you need access to the corresponding device.
Network: InternetClient, InternetClientServer, PrivateNetwork. Mostly just use InternetClient; use InternetClientServer for peer-to-peer; use PrivateNetwork for LAN access.
Enterprise: EnterpriseAuthentication, SharedUserCertificates. Heavy-duty authentication to enterprise resources.

Special use Capabilities

Pitfall 2: Use capability to store app state

Storing app state in a user library
Scenario: persist app state across uninstalling and re-installing the app
Pitfall: use Library Capability to store app state in a user library
Threat: undermine user confidence in uninstall
Guidance: persist app state in the cloud, associated with your user

Pitfall 3: Shipping debugging functionality

Scenario: declare PRIVATE_NETWORK to build a client/server app in your private network
Pitfall: shipping with PRIVATE_NETWORK on
Threat: customers may distrust apps that access PRIVATE_NETWORK
Guidance: always disable PRIVATE_NETWORK when you ship

Pitfall 4: Declaring any of the special use capabilities

Scenario: declare any of the enterprise capabilities in a consumer app
Pitfall: not needed for consumer apps
Threat: reduced adoption because of concern for these Capabilities
Guidance: don't declare any of these unless you have a very specific need
  Documents, SharedUserCerts, EnterpriseAuth

Capabilities summary

Capabilities expand the resources that your app has access to
The more capabilities you declare:
  More customers are wary of buying your app
  More attackers are interested in attacking your app
So use Capabilities carefully
Only the minimum necessary for your app

Insecure sharing pitfalls

Pitfall 5: Not using HTTPS

Scenario: unlike web browsers, users can't see whether you use HTTP or HTTPS
Pitfall: use plain old HTTP to exchange important data
Threat: over HTTP on an open WiFi hotspot, everything you send can be both intercepted and corrupted
Guidance: use HTTPS wherever possible

Easy HTTPS for your service

Perhaps you haven't bought a server certificate
Windows app platform enables secure use of self-signed certs
In the app manifest, package a self-signed certificate with the exclusive trust option enabled
App-to-service connection resists man-in-the-middle threats
Certificate revocation is easy: ship an app update that embeds a new certificate
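An added example, not code from the deck, that serves both the capabilities pitfalls (1, 3 and 4, summarised in "Capabilities summary") and the exclusive-trust guidance on this slide: a small pre-ship review of a Package.appxmanifest that flags the capabilities the deck says need justification and checks that a packaged certificate is declared with exclusive trust. The capability names and the windows.certificates extension elements follow the Windows 8 app manifest schema; the sample manifest, the certificate file path and the review list are constructed for this example.

```python
# Added example, not code from the deck: review a Package.appxmanifest for the
# capability pitfalls (1, 3, 4) and for the exclusive-trust certificate setting.
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/appx/2010/manifest"}

# Declared capabilities the deck says need a specific justification to ship.
REVIEW = {
    "documentsLibrary": "Pitfall 1: Documents is especially sensitive",
    "privateNetworkClientServer": "Pitfall 3: disable PRIVATE_NETWORK when you ship",
    "enterpriseAuthentication": "Pitfall 4: special-use capability",
    "sharedUserCertificates": "Pitfall 4: special-use capability",
}

# Constructed sample: a debug build that shipped with too much declared, but
# which does package its service certificate with exclusive trust (slide 18).
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="privateNetworkClientServer" />
    <Capability Name="documentsLibrary" />
    <DeviceCapability Name="webcam" />
  </Capabilities>
  <Extensions>
    <Extension Category="windows.certificates">
      <Certificates>
        <Certificate StoreName="Root" Content="Certificates\\service.cer" />
        <TrustFlags ExclusiveTrust="true" />
      </Certificates>
    </Extension>
  </Extensions>
</Package>"""

def declared_capabilities(manifest_xml):
    """All Capability and DeviceCapability names the package declares."""
    root = ET.fromstring(manifest_xml)
    caps = root.findall("m:Capabilities/m:Capability", NS)
    caps += root.findall("m:Capabilities/m:DeviceCapability", NS)
    return sorted(c.get("Name") for c in caps)

def capability_findings(manifest_xml):
    """Declared capabilities that need justification, with the deck's reason."""
    return {n: REVIEW[n] for n in declared_capabilities(manifest_xml) if n in REVIEW}

def has_exclusive_trust(manifest_xml):
    """True if a packaged certificate is declared with TrustFlags ExclusiveTrust."""
    root = ET.fromstring(manifest_xml)
    flags = root.findall(".//m:Certificates/m:TrustFlags", NS)
    return any(f.get("ExclusiveTrust", "").lower() == "true" for f in flags)
```

Running capability_findings on the sample reports documentsLibrary and privateNetworkClientServer for review; internetClient and webcam pass, and has_exclusive_trust returns True.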

Pitfall 6: Trusting