How iOS and Android Handle Security Webinar
Download as PPTX, PDF3 likes2,662 views
The document discusses how iOS and Android handle security for mobile applications. It covers several areas of concern for secure mobile development including application development basics, secure data storage, secure data communication, mobile browsers, SMS/push messaging, and licensing/payments. The document provides an overview of the security capabilities and approaches of both platforms, noting challenges for developers to consider like permissions, encryption, and treating all inputs as untrusted. It recommends that security professionals understand the mobile threat models and that developers learn the platform security features and stay updated on vulnerabilities.
How iOS and Android Handle Security Webinar
- 1. How iOS and Android Handle Security Dan Cornell @danielcornell
- 2. Dan’s Background • Founder and CTO of Denim Group • Software developer by background • OWASP San Antonio
- 3. Denim Group Company Background • Professional services firm that builds & secures enterprise applications • External application & network assessments • Web, mobile, and cloud • Software development lifecycle development (SDLC) consulting • Secure development services: • Secure .NET and Java application development & remediation • Classroom secure developer training for PCI compliance • Develop ThreadFix
- 4. Overview • Challenges of secure mobile development • Areas of concern: • Basics of (secure) application development • Secure data storage • Secure data communication • Mobile browsers • Handling SMS and push messaging • Licensing and in-app payments • Questions and Answers
- 5. Secure Mobile Application Development Reference • Topics include: • Overview of Application Development • Overview of Secure Development • Defeating Platform Environment Restrictions • Installing Applications • Application Permissions Model • Local Storage • Encryption APIs • Network Communications • Protecting Network Communications • Application Licensing and Payments • Mobile Browser • Native Code Execution • Browser URL Handling • Mobile Application SMS/Push Update Handling http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
- 6. Secure Mobile Application Development Reference • For developers: • Learn the security capabilities of your mobile development platform • Get access to further learning resources • For security professionals: • Learn the security capabilities of the mobile development platform(s) your organization is targeting http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
- 7. CHALLENGES OF SECURE MOBILE DEVELOPMENT How iOS and Android Handle Security
- 8. Mobile Application Threat Model • More complicated than standard web application threat model • Chess versus checkers • Today we will focus on code running on the mobile device
- 9. Generic Mobile Application Threat Model 9
- 10. Typical Mobile Threats • Spoofing: Users to the Mobile Application • Spoofing: Web Services to Mobile Application • Tampering: Mobile Application • Tampering: Device Data Stores • Disclosure: Device Data Stores or Residual Data • Disclosure: Mobile Application to Web Service • Denial of Service: Mobile Application • Elevation of Privilege: Mobile Application or Web Services User Local App Storage Mobile Application Mobile Web Services Device Keychain Main Site Pages
- 11. AREAS OF CONCERN How iOS and Android Handle Security
- 12. Areas of Concern • Basics of (Secure) Application Development • Secure Data Storage • Secure Data Communication • Mobile Browsers • Handling SMS and Push Messaging • Licensing and In-App Payments
- 13. AREAS OF CONCERN How iOS and Android Handle Security Basics of (Secure) Application Development
- 14. Basics of (Secure) Application Development • Overview of Application Development • Overview of Secure Development • Defeating Platform Environmental Restrictions • Installing Applications • Application Permissions Model • Native Code Execution
- 15. Overview of Application Development iOS • Objective-C is most common • Swift for newer applications • iOS Developer program allows installing and testing applications to developer phones • Actual applications installed from iTunes Store Android • Typically written in Java • Previously: Dalvik and DEX • More recently: Android Runtime (ART) • Applications installed from Android Play store or side-loaded via USB
- 16. Overview of Secure Development iOS • Apple provides Secure Coding Guide with both: • General secure coding recommendations • iOS-specific recommendations Android • Google provides a Google Group with secure Android coding recommendations • Many 3rd party resources available as well
- 17. Defeating Platform Environmental Restrictions iOS • iOS devices can be “jailbroken” • Allows access to the device as the root user • Allows for loading of 3rd party applications to be installed • Allows for use of alternate app stores Android • Android devices can be “rooted” • Allows for root-level access to the device • Allows for custom kernels on many devices
- 18. Installing Applications iOS • Non-jailbroken iOS devices: • Apple iTunes Store • Developers can install applications on a set of test devices • Alternate app stores for jailbroken devices Android • Google Play store • Side-loading applications • For development/debugging • For general usage • Alternate app stores for rooted devices
- 19. Application Permissions Model iOS • App asks for relevant permission when needed • Can allow or deny • Can review permissions and which applications are requesting them Android • Baked into AndroidManifest.xml • Fairly fine-grained • But must be accepted wholesale • Take a look at what apps from the app store ask for…
- 20. Native Code Execution iOS • Objective-C compiles to ARM machine code • Objective-C not safe by nature (super) • Swift offers much more protection Android • Dalvik/ART should provide memory safety • Can run code via the Native Development Kit (NDK)
- 21. AREAS OF CONCERN How iOS and Android Handle Security Secure Data Storage
- 22. Secure Data Storage • Local Storage • Encryption APIs
- 23. Local Storage iOS • iOS (since 3.0) provides AES- based full-disk encryption (hooray!) • Based on a burned-in hardware UID (hrm…) • iOS 8 added a 5 second hardware delay to passcode attempts for newer hardware (hooray!) and moved more data under default protection mechanisms Android • Uses Linux user/group permissions • Android 5.0 allows for full-disk encryption based on PIN and password (hooray!) • Also can have hardware-backed storage of the encryption key via Trusted Execution Environment (TEE)
- 24. Encryption APIs iOS • Provides access to a variety of certificate and key management functions • iOS Keychain provides device- supported encryption capabilities Android • Now has Keystore system • Allows for more secure storage of key materials to prevent unauthorized use • Provides access to javax.crypto APIs • Can also use 3rd party Java libraries for encryption • Like BouncyCastle (be careful of vulnerable versions…)
- 25. AREAS OF CONCERN How iOS and Android Handle Security Secure Data Communication
- 26. Secure Data Communication • Network Communications • Protecting Network Communications
- 27. Network Communications iOS • Provides access to BSD sockets • Provides implementations of many higher-level protocols Android • Provides access to standard java.net.* classes • Provides access to a number of Apache HTTP Utilities • Provides some Android-specific classes for HTTP/S, SIP, and WiFi
- 28. Protecting Network Communications iOS • Provides implementations of common transport-layer security protocols • Default settings are not terrible Android • Provides access to javax.net.ssl classes allowing for TLS network communications • Be careful using the android.net.SSLCertificateSocketF actory because they make it easy to disable protections
- 29. AREAS OF CONCERN How iOS and Android Handle Security Mobile Browsers
- 30. Mobile Browsers • Mobile Browser Basics • Browser URL Handling
- 31. Mobile Browser Basics iOS • Mobile version of Safari browser that uses the WebKit HTML rendering engine Android • WebKit HTML rendering engine and a version of the Chrome V8 JavaScript engine
- 32. Browser URL Handling iOS • Allows applications to register to handle different URL schemes • Apple applications are given precedence for the schemes they register for • Developers should treat inputs as untrusted Android • Allows applications to register to handle events raised by the browser for different protocols • Uses the Android “intent” facility to deliver • Developers should treat inputs as untrusted
- 33. AREAS OF CONCERN How iOS and Android Handle Security Handling SMS and Push Messaging
- 34. Handling SMS and Push Messages iOS • Allows applications to receive pushed notifications so that they can display a message or download new data • Must treat inputs from push notifications as potentially malicious Android • Cloud to Device Messaging Framework (C2DM) has been deprecated and replaced by Google Cloud Messaging (GCM) • Must treat inputs from push notifications as potentially malicious
- 35. AREAS OF CONCERN How iOS and Android Handle Security Licensing and In-App Payments
- 36. Application Licensing and Payments iOS • In-App purchases allow you to sell items from within iOS applications • StoreKit API allows for these capabilities Android • In-App purchases allow you to sell items from within Android applications • Billing API proxies communications between your application and the relevant Google Play services • Supports purchases, subscriptions and in-app products
- 37. So Where Do You Go From Here?
- 38. So What Should Security People Do? • Understand the general mobile application threat model and any peculiarities of platforms your organization supports • Work with developers to set architecture, design, and coding guidelines and standards • Test the securing of mobile application systems – the entirety of systems, not just code running on the device – taking into account the security characteristics of your target platform 38
- 39. So What Should Developers Do? • Threat model your mobile application prior to development • Learn the security properties and capabilities of the platform(s) you develop for • Stay current as new security vulnerabilities and weaknesses are discovered and as new security capabilities are added to your target platform(s) 39
- 40. How Do iOS and Android Handle Security? • Denim Group Secure Mobile Application Development Reference • Overview of Application Development • Overview of Secure Development • Defeating Platform Environment Restrictions • Installing Applications • Application Permissions Model • Local Storage • Encryption APIs • Network Communications • Protecting Network Communications • Application Licensing and Payments • Mobile Browser • Native Code Execution • Browser URL Handling • Mobile Application SMS/Push Update Handling http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
- 41. QUESTIONS AND ANSWERS How iOS and Android Handle Security Dan Cornell @danielcornell
Editor's Notes
- #2: -Will look at the capabilities of the two platforms, as well as how those capabilities are implemented
- #3: -My background is as a developer so when I look at the different mobile application platforms I want to know what their capabilities are, as well as how those capabilities are implemented so development teams know how to best use them
- #4: Have done a tremendous amount of mobile testing for our clients, including Fortune 500 and sensitive Have assessed MDM systems And made recommendation to sensitive .gov and .mil clients surrounding application testing Also do secure mobile development and secure mobile application remediation Can also use ThreadFix to keep track of your mobile application security program
- #5: -Looking at two mobile environments: iOS and Android -Those are the most dominant. We also do work with Window Mobile, Blackberry, etc – but the majority of the work we do is for iOS and Android -Story: “We should only develop for Blackberry because of the way they handle ephemeral crypto keys” BUT only 10% of their users were on Blackberry and that number was declining
- #6: -This webinar is actually a concentrated version of Denim Group’s Secure Mobile Application Development Reference (available for download) -That guide has a more in-depth look at the topic as well as links to supporting resources
- #7: -This webinar is actually a concentrated version of Denim Group’s Secure Mobile Application Development Reference (available for download) -That guide has a more in-depth look at the topic as well as links to supporting resources
- #8: With apologies to folks with Windows Mobile, Blackberry, Tizen…
- #10: -Hopefully most developers have a feel for the standard web application Thread Model (not really, but we can hope) -Smartphone applications have a different Thread Model and this has a huge impact on the security of the systems being created around them -Smartphone applications run on a device that can’t be trusted – it might have been jailbroken/rooted, it might have been stolen, code might be running in a debugger. Much like Rich Internet Applications (RIA) more code and data is running in an untrusted and unreliable environment -Also we’re talking about “interesting” smartphone applications. Not “make fart noise” or “shake the phone to throw the monkey” application. Instead we are talking about applications that use the capabilities of the device – GPS, camera, ability to make calls – and combine those capabilities with network services to do something cool and valuable -3rd party web services are often in use and their output should not be trusted -Enterprise services are often used for access to customer or transaction data and these will need to be protected -So smartphone application security isn’t just about the application on the smartphone, it is about the entire system that supports the smartphone application
- #11: -Hopefully most developers have a feel for the standard web application Threat Model (not really, but we can hope) -Smartphone applications have a different Threat Model and this has a huge impact on the security of the systems being created around them -Smartphone applications run on a device that can’t be trusted – it might have been jailbroken/rooted, it might have been stolen, code might be running in a debugger. Much like Rich Internet Applications (RIA) more code and data is running in an untrusted and unreliable environment -Also we’re talking about “interesting” smartphone applications. Not “make fart noise” or “shake the phone to throw the monkey” application. Instead we are talking about applications that use the capabilities of the device – GPS, camera, ability to make calls – and combine those capabilities with network services to do something cool and valuable -3rd party web services are often in use and their output should not be trusted -Enterprise services are often used for access to customer or transaction data and these will need to be protected -So smartphone application security isn’t just about the application on the smartphone, it is about the entire system that supports the smartphone application
- #12: So let’s drill in and look at different areas of concern, and how iOS and Android treat these areas. There are both similarities and differences, and if developers want to build secure applications they need to understand these fo
- #14: So what are the basics of developing applications, and what resources are available for developers who want to build secure applications?
- #19: -Most corporate environments will rely on users using the most basic installation cases – iTunes Store and Apple Play store -Other folks may have different use cases
- #41: -This webinar is actually a concentrated version of Denim Group’s Secure Mobile Application Development Reference (available for download) -That guide has a more in-depth look at the topic as well as links to supporting resources