Mobile App Security - Best Practices
0 likes319 views
Kadhambari Anbalagan, a software architect at RedBlackTree Terrace, will give a talk on Monday, April 8th at 5:00pm about security best practices for mobile apps. Research shows that the majority of top free and paid apps have been subjected to hacking. Common mobile app security issues include improper platform usage, insecure data storage, insecure communication, insecure authentication, insufficient cryptography, insecure authorization, code quality issues, code tampering, reverse engineering, and including extraneous functionality. The talk will provide best practices to address each of these issues.
Mobile App Security - Best Practices
- 1. Security Best Practices MOBILE APPS <CodeRed> Talks Kadhambari Anbalagan, Software Architect 5:00pm Monday, 8 April, 2017 RedBlackTree Terrace
- 2. What do the statistics say? Popular Free App Findings Among top 20 free apps, 80% of Android and 75% of iOS apps have been subjected to hacking. Top Paid Apps Findings Research reveals, among top 100 paid apps, 97% of Android and 87% of iOS apps have been subjected to hacking. <CodeRed> Talks
- 3. Reason? Apps that we build are Insecure <CodeRed> Talks
- 4. Mobile App Security Issues • Improper Platform usage • Insecure data • Insecure communication • Insecure Authentication • Insufficient Cryptography • Insecure Authorization • Code Quality Issues • Code Tampering • Reverse Engineering • Extraneous functionality <CodeRed> Talks
- 5. Improper Platform Usage Misuse of platform feature or lack of platform security controls for the android or IOS operating system What can happen? 1. Improper implementation of android Intents - Data leakage, restricted functions being called and program flow being manipulated 2. Using Keychain for secure data storage - In several scenarios, the keychain can be compromised and decrypted Best Practices Know your platform well Use intents carefully Use the keychain carefully <CodeRed> Talks
- 6. Insecure Data Vulnerabilities that leak personal information and provide access to hackers Report By NowSecure: 1 in 10 Mobile app leak private, sensitive data like email, username or password. Best Practices • When possible, do not store/cache data • Implement secure data storage • Securely store data only in RAM • Encryption using verified third party libraries <CodeRed> Talks
- 7. Insecure Communication Communication being sent in clear text as well as other insecure methods. Real World Example: Best Practices • Implement secure transmission of sensitive data • Use SSL/TLS or for increased security implement certificate pinning • Leverage app layer encryption to protect user data <CodeRed> Talks<CodeRed> Talks
- 8. Insecure Authentication Inability to Securely identify a user and maintain that user’s identity Real World Example: Best Practices • Use token based Authentication <CodeRed> Talks
- 9. Insufficient Cryptography • Process behind encryption and decryption may allow a hacker to decrypt sensitive data. • Algorithm behind encryption and decryption may be weak in nature. Vulnerable? • Poor key management processes • Use of custom encryption protocols • Use of insecure algorithms Best Practices • Implement secure data storage • Avoid custom encryption methods and use proven encryption algorithm and methods • Avoid storage of sensitive information on mobile • NIST guidelines on recommended algorithms <CodeRed> Talks
- 10. Insecure Authorization Failure of a server to properly enforce identity and permissions as stated by the mobile app Best Practices • Verify the roles and permissions of the authenticated user using only information contained in backend systems. Avoid relying on any roles or permission information that comes from the mobile device itself <CodeRed> Talks
- 11. Client code Quality Risks that come from vulnerabilities like buffer overflows, format string vulnerabilities and various code level mistakes Real World Example: Vitamio SDK – Used in thousands of mobile apps. Have millions of app downloads. In another instance high risk man in the middle vulnerability identified in one of the third party library used in an app. What to do ? • Avoid third party libraries with high risk flaws •Maintain consistent coding patterns •Write well documented and easily readable code •Via automation, identify buffer overflows and memory leaks through the use of third-party static analysis tools; <CodeRed> Talks
- 12. Code Tampering When attackers tamper with or install a backdoor on an app, re-sign it and publish the malicious version to third party app marketplaces. Popular Example: What to Do? • implement anti tampering techniques such as checksums, digital signatures and other validation mechanisms to help detect file tampering <CodeRed> Talks
- 13. Reverse Engineering Analysis of a final binary to determine its source code, libraries, algorithms and more. Real World Example: Hackers decompiled mobile app and recompiled it so they dint have to pay for premium content. What to Do? • Increase code complexity and use obfuscation <CodeRed> Talks
- 14. Extraneous Functionality • Developers frequently include hidden backdoors or security controls they do not plan on releasing into production • This error creates risk when a feature is released to the wild that was never intended to be shared Real World example: What to do? • Carefully manage debug logs • Clean coding practices <CodeRed> Talks
- 15. Thank You