Secure App Development on iOS and Android
Secure App Development on Mobile Platforms
Mohit Mathur, Senior Software Engineer, Symantec
September 10th, 2011
Goal of the Session
1. Myths about Data Security on Smartphones
2. How to Develop a Secure Application?
Agenda
1. Popular Smartphone Platforms - iOS & Android
2. Data Storage Options available on iOS and Android
3. Myths about Data Security on Smartphones
4. How to really Safeguard your Data?
5. Conclusion
Popular Smartphone Platforms
Data Storage Options Available
• iOS Keychain:
– Storage area available on iOS devices.
– Gets preserved across app re-installation.
– Data lives in the keychain for eternity once saved.
• Android Internal Storage:
– Store private data on the device memory.
– Files saved to the internal storage are private to your application.
– When the user uninstalls the application, the associated files are removed.
Data Storage Options Available
• iOS Keychain (Objective-C, manual reference counting as in the original; the kSecClass and kSecAttrAccount entries are required for SecItemAdd to succeed and were missing from the slide):

    #import <Security/Security.h>

    // Create the keychain query
    NSMutableDictionary *addQuery = [[NSMutableDictionary alloc] init];
    [addQuery setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass]; // item class
    [addQuery setObject:@"myData" forKey:(id)kSecAttrAccount];             // name used to find the item later
    [addQuery setObject:data forKey:(id)kSecValueData];                    // data is an NSData payload
    // Add data to the keychain; check the status instead of ignoring it
    OSStatus status = SecItemAdd((CFDictionaryRef)addQuery, NULL);
    if (status != errSecSuccess) { /* handle the error */ }

• Android Internal Storage (filesDir is the value returned by Context.getFilesDir()):

    import java.io.DataOutputStream;
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;

    // Create the file in the app's private internal storage
    File file = new File(filesDir, "myData");
    // Add data to the file; try-with-resources closes the stream even on error
    try (DataOutputStream dos = new DataOutputStream(new FileOutputStream(file))) {
        dos.write(data); // byte[]
    }
Myths about Data Security on Smartphones
• Security features provided by iOS & Android:
– Passcode
– Hardware Encryption
– Encrypted Keychain
– "Just" Delete your Data
– Relying on User IDs and File Access
Myths about Data Security on iOS
• Passcode:
– Anyone with the right know-how can delete a file and your passcode goes away.
– All it takes is "ONE MINUTE" to do it.
Courtesy: Dark Myles. Source: YouTube
Myths about Data Security on iOS
• Hardware Encryption:
– The Russian security outfit ElcomSoft has discovered a method that allows them to copy and decrypt the memory of iOS devices that have built-in hardware encryption.
– Using a special RAMDisk driver they could boot the iOS device in DFU (Device Firmware Upgrade) mode.
– This exposes the data stored in the memory.
– The various keys needed to decrypt the data are extracted from the device by running special tools.
– ElcomSoft maintains that it will restrict its discovery to law enforcement, forensic and intelligence organizations.
– But thousands of similar tools are already freely available on the internet for anyone to use.
Myths about Data Security on iOS
• Encrypted Keychain Backup:
– There are simple tools available on the internet which defeat the password set on an encrypted keychain backup.
– Within no time a hacker can access any file in your encrypted backup.
• Just "Delete" the Data:
– People who are already familiar with OS X raw disks know how to access deleted information, like email, images, voicemail and application data.
– The raw disk gives [hackers] access to the iPhone's entire file system, not just user data, including material that is not normally synchronized.
– Even if you delete data on an iOS device, it is not actually deleted.
– One should use Apple's disk utility service to wipe an entire device clean.
Myths about Data Security on Android
• Relying on User IDs and File Access:
– The filesystem is still accessible to hackers.
– App data can easily be cloned.
Given it a thought anytime? (Courtesy: Mohit)
Myths about Data Security on Smartphones
• Let's revisit the security features provided by iOS & Android:
– Passcode
– Hardware Encryption
– Encrypted Keychain
– "Just" Delete your Data
– Relying on User IDs and File Access
• Relying on platform security features alone is not sufficient.
How to Really Safeguard your Data
• What does a typical mobile app need?
– Secure local device storage.
– Secure communication with the cloud.
– Sharing data among the same family of apps.
How to Really Safeguard your Data
• Secure Data Storage: use 3 levels of security, each adding its own protection:
– Encipher your data with stronger encryption: protection from hackers.
– Tie data to the device: strong protection from hackers.
– Sign your app: protection from malicious apps.
How to Really Safeguard your Data
– Encrypt Data:
iOS - CCCrypt API of the Security.h package
o Uses strong encryption: AES with a 256-bit key.
o Supports CBC.
How to Really Safeguard your Data
– Encrypt Data:
Android - Bouncy Castle Crypto APIs
o Uses strong encryption: AES with a 256-bit key.
o Supports CBC.
Steps in the code walk-through:
o Consume the key material, salt and iteration count to initialize the generator.
o Generate the key and IV of the given size.
o Initialize the cipher engine: type AES, padding PKCS7, indicating an encryption flow.
o Allocate the byte array that will hold the cipher text.
o Encrypt the plaintext.
o Finalize the cipher text.
How to Really Safeguard your Data
– Tie Data to the Device:
Use device-specific unique data as a part of your encryption key.
o iOS: MAC address or UDID
o Android: IMEI for GSM, and the MEID or ESN for CDMA phones.
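The two preceding slides (the Bouncy Castle walk-through and tying data to the device) combined into one runnable example. This is added code, not the deck's; it assumes the Bouncy Castle lightweight API is on the classpath, an iteration count of 10000, and a caller-supplied device identifier string in place of the IMEI/UDID the deck names.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.PBEParametersGenerator;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PKCS7Padding;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;
import org.bouncycastle.crypto.params.ParametersWithIV;

public final class DeviceBoundStore {
    private static final int ITERATIONS = 10000; // PBKDF2 iteration count, an assumed value

    // Derive a 256-bit AES key and a 128-bit IV from the passphrase, a random salt and a
    // device-specific string (the deck suggests IMEI/UDID; here it is a caller-supplied value).
    static ParametersWithIV deriveParams(char[] passphrase, byte[] salt, String deviceId) {
        byte[] dev = deviceId.getBytes(StandardCharsets.UTF_8);
        byte[] mixedSalt = Arrays.copyOf(salt, salt.length + dev.length);
        System.arraycopy(dev, 0, mixedSalt, salt.length, dev.length);   // salt || deviceId
        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator();
        gen.init(PBEParametersGenerator.PKCS5PasswordToUTF8Bytes(passphrase), mixedSalt, ITERATIONS);
        return (ParametersWithIV) gen.generateDerivedParameters(256, 128); // key bits, IV bits
    }

    // AES/CBC/PKCS7 in either direction. CBC gives confidentiality only: store a MAC over
    // the ciphertext as well, because a wrong key is not reliably detected by padding alone.
    static byte[] run(boolean encrypt, ParametersWithIV params, byte[] in) throws InvalidCipherTextException {
        PaddedBufferedBlockCipher cipher = new PaddedBufferedBlockCipher(
                new CBCBlockCipher(new AESEngine()), new PKCS7Padding());
        cipher.init(encrypt, params);                           // true = encryption flow
        byte[] out = new byte[cipher.getOutputSize(in.length)]; // holds the cipher text
        int n = cipher.processBytes(in, 0, in.length, out, 0);  // encrypt the plaintext
        n += cipher.doFinal(out, n);                            // finalize (applies/strips padding)
        return Arrays.copyOf(out, n);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);            // fresh per record; stored beside the ciphertext
        String deviceId = "DEVICE-ID-PLACEHOLDER";     // stands in for a real device identifier
        char[] pass = "correct horse".toCharArray();
        byte[] ct = run(true, deriveParams(pass, salt, deviceId),
                        "session-token=abc123".getBytes(StandardCharsets.UTF_8));
        byte[] pt = run(false, deriveParams(pass, salt, deviceId), ct);
        System.out.println(new String(pt, StandardCharsets.UTF_8));
        // A cloned file on another device derives a different key: doFinal almost always throws
        // InvalidCipherTextException, and the rare padding false-positive is caught by the MAC.
    }
}
```

Note that current platforms restrict the identifiers the deck names (iOS stopped exposing the UDID and real MAC address, and Android 10 gates the IMEI behind a privileged permission), so the device-binding value must come from whatever identifier the target OS still permits.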
How to Really Safeguard your Data
– Sign your App:
iOS:
o Use Apple-issued signing certs & provisioning profiles.
o In Xcode, under Project > Edit Project Settings > Build > Code Signing Identity, select your cert to sign your app file.
Android:
o Use signing certs issued by any CA (like Symantec).
o Symantec issues a signing cert at a $499/year subscription charge (https://www.verisign.com/code-signing/sun-java/index.html?sl=productdetails).
o Use the <signjar> ant task in build.xml to sign your apk file.
– The platform enforces data sand-boxing for your app.
– A malicious app cannot access your app data as it is not signed by the same certificate.
How to Really Safeguard your Data
• Secure Communication with Cloud:
– Use the HTTPS protocol.
iOS: NSURLConnection + HTTPS protocol
Android: javax.net.ssl.HttpsURLConnection
– Identify the list of supported cipher suites and enable only strong ciphers. Example: TLS_RSA_WITH_AES_256_CBC_SHA
iOS: CFNetwork framework.
Android: SSLEngine [getSupportedCipherSuites(), setEnabledCipherSuites()]
– Use a MAC (Message Authentication Code) to verify that the request is coming from a legitimate client.
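The request MAC from the last bullet, worked as an added example (not the deck's code) using only the JDK's javax.crypto.Mac. It assumes an HMAC-SHA256 key shared between the app and the service, a 5-minute timestamp window, and constructed header names X-Timestamp and X-Request-MAC.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class RequestAuth {
    private static final String HMAC = "HmacSHA256";
    private static final long MAX_SKEW_MS = 5 * 60 * 1000; // assumed acceptance window

    // Both sides authenticate method, path, timestamp and body, so none can be altered in transit.
    static String canonical(String method, String path, long tsMillis, String body) {
        return method + "\n" + path + "\n" + tsMillis + "\n" + body;
    }

    // Client side: compute the tag that travels in the X-Request-MAC header.
    static String tag(byte[] key, String canonical) throws Exception {
        Mac mac = Mac.getInstance(HMAC);
        mac.init(new SecretKeySpec(key, HMAC));
        return Base64.getEncoder().encodeToString(mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8)));
    }

    // Server side: reject stale timestamps (replay), recompute the tag and compare in
    // constant time so a byte-by-byte mismatch does not leak through timing.
    static boolean verify(byte[] key, String method, String path, long tsMillis, String body,
                          String presentedTag, long nowMillis) throws Exception {
        if (Math.abs(nowMillis - tsMillis) > MAX_SKEW_MS) return false;
        byte[] expected = tag(key, canonical(method, path, tsMillis, body)).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presentedTag.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Placeholder key. Provision it per install and keep it in the encrypted store: a constant
        // baked into the apk is recoverable, which is the deck's point about app data being cloned.
        byte[] key = "PER-INSTALL-SECRET-PLACEHOLDER".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis();
        String body = "{\"action\":\"sync\"}";                       // constructed request body
        String t = tag(key, canonical("POST", "/api/v1/sync", now, body));
        // The client sends X-Timestamp: now and X-Request-MAC: t with the HTTPS request.
        System.out.println(verify(key, "POST", "/api/v1/sync", now, body, t, now));          // true
        System.out.println(verify(key, "POST", "/api/v1/sync", now, body + " ", t, now));    // false: body tampered
        System.out.println(verify(key, "POST", "/api/v1/sync", now, body, t, now + 600000)); // false: replayed later
    }
}
```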
How to Really Safeguard your Data
• Share Data among Same Family of Apps:
– iOS: App ID = <Bundle Seed ID>.<Bundle Identifier>; the Bundle Seed ID must be the same for all the apps of your family.
App IDs should be added to the Entitlement.plist file in Xcode.
Add the kSecAttrAccessGroup attribute to your keychain items, using the same access group in every app.
All the apps MUST be signed with the same certificate.
How to Really Safeguard your Data
• Share Data among Same Family of Apps:
– Android: Add the "sharedUserId" attribute value in the AndroidManifest.xml.
Sign all the apps with the same certificate.
Conclusion
• Do not completely rely on the security features provided by the platform.
• Enforce stronger security:
– Encipher your data with stronger encryption.
– Tie data to the device.
– App signing.
– Eliminate weak SSL cipher suites for your platform.
– Securely share data among your family of applications.
VIP Access
• VIP = Validation & ID Protection.
• Provides OATH-compliant second-factor authentication.
• Protects your online accounts by requiring a security code, in addition to your user name and password, for safe and secure account access.
• App available both for Consumer and Enterprise users.
• Supports around 800+ mobile devices across the globe.
• To get your own VIP Credential for FREE, log on to the following URL from your mobile browser: m.verisign.com
• For more information, visit: idprotect.verisign.com
Q&A
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Mohit [email protected]