Slides from the Mobile Apps Security presentation at Over The Air 2011 - apologies for the PDF, but I use Keynote and I figure you'll probably want to have them in a format you can open!
IM IN UR CODEZ
Securing Mobile Apps
Sunday, 2 October 11
Hello!
My name’s Nick.
I work for Mobile Interactive Group
We’re going to talk about app security
...also cats
What this session is about...
Mobile application security
Developing apps defensively
...and what it’s not about
User-based vulnerabilities (tap-jacking, etc)
Mobile web security
Mobile Web
Mobile Apps
SQL injection
Insecure Data Transmission
Hardcoded passwords
Storing user data
Buffer overflows
API impersonation
In-app XSS
Data leakage
Remote code execution
Web & Apps have similar problems...
...they just appear in different places
Your app will be reverse engineered
It’s only a matter of time
Obfuscation is not a be-all/end-all
A fact (or two)
You might think (comparatively) that your mobile platform is not compromised...
...but how many rooted/jailbroken phones are out there?
Assume your platform is compromised, and your app will be reverse engineered
You must therefore strongly protect your APIs and supporting application servers
Let’s look at three of the most common issues with apps
Two of these relate to API/server issues
...but first...
We’re all pretty smart developers (...hopefully!)
Your App / The chasm of misfortune / Your Goals
We are all cats - we have good intentions...
...and sometimes can’t foresee the consequences
Your App / Your Goals
Banking App / Remembering Users / Storing credentials insecurely
Blogging App / Using an API / Not using SSL
UGC App / Uploading Content / Hardcoding your API keys?
Keys and Secrets
1 Keys and Secrets 2 leaking information 3 storing details
“API keys must be protected just like passwords. This means they should not be [...] baked into non-obfuscated applications that can be analysed relatively easily” - Cloud Security Alliance, April 18 2011
(...assume this means all mobile apps)
Demo time
Major paid for API
About 1,000,000 downloads
...let’s take a look!
Demo time
User: iPhone
Password: PnkFdrYRh75N
Consequences
The bad
Somebody pulls your S3 secret key and charges £££ to your account
The ugly
A competing app uses your API key to exceed your rate limits
Your users get frustrated and leave
This API is now compromised
I can use it in my own apps without paying the license fee
Because it’s hard-coded in the app it can’t be revoked
Prevention
Use an alternative method to authenticate
Facebook, Amazon, and other large providers provide these
Don’t trust key verification
If you have an API that uses a key, don’t assume you can trust the user
Think permissions
If you do have to use keys, limit the damage that can be done with them
Have a plan
...think about the inevitable. What happens if your API is outed?
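One way to put the prevention points above into practice on the API server, as an added example that is not from the talk: real user credentials are exchanged for a per-user token that is signed, scoped, expiring and revocable, while the app key alone is never accepted and rate limits apply per token rather than per app. The server secret, app key, scopes and call limit are constructed demo values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values, not from the talk: the signing secret stays on the
# server; the app key stands in for one baked into a binary, i.e. public.
SERVER_SECRET = b"server-only-secret-never-shipped-in-the-app"
SHARED_APP_KEY = "embedded-app-key-123"
SCOPES = {"read": {"GET /feed"}, "upload": {"GET /feed", "POST /upload"}}
_revoked = set()   # token ids revoked after abuse (possible because they are per user)
_calls = {}        # per-token request counter for rate limiting

def issue_token(username, password, scope, user_db, ttl=3600):
    """Exchange real user credentials for a signed, scoped, expiring token.
    Only this token, never a master key, needs to live on the phone."""
    if user_db.get(username) != password:   # assumption: real code compares a hash
        return None
    payload = f"{secrets.token_hex(8)}:{username}:{scope}:{int(time.time()) + ttl}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"

def revoke(token):
    """Revoke one user's token; other users and the app itself keep working."""
    _revoked.add(token.split(":")[0])

def authorise(credential, method, path, now=None, limit=5):
    """Server-side gate: the shared app key alone is never trusted; tokens are
    verified, checked for revocation and expiry, scoped and rate-limited."""
    if credential == SHARED_APP_KEY:
        return "denied: app key alone cannot authorise requests"
    try:
        token_id, user, scope, exp, mac = credential.split(":")
    except ValueError:
        return "denied: malformed token"
    payload = f"{token_id}:{user}:{scope}:{exp}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "denied: bad signature"
    if token_id in _revoked:
        return "denied: token revoked"
    if (now if now is not None else time.time()) > int(exp):
        return "denied: token expired"
    if f"{method} {path}" not in SCOPES.get(scope, set()):
        return "denied: outside token scope"
    _calls[token_id] = _calls.get(token_id, 0) + 1
    if _calls[token_id] > limit:
        return "denied: rate limit for this user"
    return f"ok: {user} {method} {path}"
```

Because every token names one user, a leaked or abused token is revoked on its own, which is exactly what the talk says a hard-coded app key cannot offer.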
Leaking Information
1 keys and secrets 2 Leaking Information 3 storing details
This shouldn’t need a slide
If you’re sending passwords in the clear, leave the room
...no, wait - come back! I forgive you!
People share passwords. All the time.
My Tumblr password might be my Facebook password
Specific shaming:
...but not the app!
“But Nick, everyone knows SSL/TLS is totally broken!”
“It’s the user’s fault for connecting to an insecure network”
“It’s too much effort / time-consuming to implement”
“My app isn’t important enough for this to be a problem”
Not using TLS is like leaving your house unlocked
Nobody is saying locks are going to stop you from getting burgled...
...but not locking your door is stupid.
Storing Details
1 keys and secrets 2 leaking information 3 Storing Details
Very popular!
According to ViaForensics, June 2011
Username and password in plain text!
Obvious information
Passwords, usernames
Account numbers, etc
Overlooked information
Location information
Personal information (date of birth, address,
Consequences
The bad
You get some bad PR
People laugh at you as you walk down the street
The ugly
You store passwords or account information unencrypted
This compromises your app, and users’ information is leaked
You are fined by the ICO
In Summary
...we’re all smart developers... (remember this bit? from earlier on?)
...but so are the...
Bank of America, Citibank, National Rail Enquiries, Tumblr, AOL, Bump, Flirtomatic, Foursquare, Groupon, LinkedIn, Mint, Skype, Wells Fargo,
WordPress, Match.com, Yahoo! Messenger, and many many more...
...developers.
Nobody is perfect, no app is truly secure (including me!)
Remember the cat*
*unlike the cat, your app will not survive a fall from height
Thanks :)
[email protected]
(I don’t tweet - booo!)
Slides will be available on the OTA site soon!