SlideShare a Scribd company logo

Security Best Practices for Mobile Development

Salesforce Developers, profile picture
Salesforce Developers

The document outlines security best practices for mobile development, highlighting vulnerabilities and threats associated with mobile operating systems iOS and Android. It discusses key security principles, the importance of data encryption, application sandboxing, and several specific exploits that have affected mobile devices over time. The presentation also emphasizes the need for robust development strategies to mitigate risks and ensure user data security.

TechnologyBusiness
Related topics:
Mobile App Insights
1 of 53
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
Security Best Practices for Mobile Development Mobile SDK Entity Framework and SmartStore Tom Gersic, Salesforce.com Director, Mobile Services Delivery @tomgersic
Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Tom Gersic Director, Mobile Services Delivery @tomgersic
Agenda • Fundamental Principles • What iOS and Android Share • iOS Specific Characteristics • Android Specific Characteristics • Salesforce Mobile Offerings
Who thinks the data on their phone is secure?
Fundamental Security Principles
Security Best Practices for Mobile Development
Vulnerability
Threat
Consequence
Mitigation
Separation of Concerns – Principle of Least Privilege
Security Stack
Real life examples
Libtiff Image Exploit / Jailbreak • iPhone 1 – patched in 1.1.2 • Tiff buffer overflow • No DEP/ASLR – nothing to prevent executing code on the heap • Gained root access from viewing an image on the web
ASLR (PIE) and DEP
iOS 7 Lock Screen Bypass
Fingerprint Hacking
“Bluebox Uncovers Android Master Key -- 2013”
Concatenated SMS Exploit – Charlie Miller
Concatenated SMS Exploit • Takes 519 SMS messages – all but 1 is invisible • Send message -1 of X to underflow the array buffer • Can’t be stopped by the user • Used to write an entire binary executable to the heap, and run it, taking over the phone.
NFC Exploit
But most of the time…
Data Security – Hardware Encryption Requires PIN/Passcode on both iOS and Android On iOS, apps opt-in Supported on ▪ iPhone 3GS w/ iOS v4+ (AES 256 bit) ▪ Android Honeycomb+ (AES 128 bit) • Some manufacturers increase to AES 256 bit (Samsung SAFE) SD Card encryption on Android is manufacturer specific.
Is Facebook.app Secure?
App Security
Layers of Defense
Application Signing
Application Sandboxing
iOS Sandbox • All apps (Apple’s and App Store) run as “mobile” user. • Sandboxing is bolted on -- handled via XNU Sandbox “Seatbelt” kernel extension. • Applications run in separate subdirectories of /private/var/mobile/Applications • Any app in this directory is loaded with “container” (sandboxed) profile.
Android Sandbox • Uses underlying Linux security model • Every app runs as a separate user • Apps signed by the same developer can run as the same user, if desired (not the default, though) • Every app runs in its own instance of the Android Runtime (Dalvik Virtual Machine) • Like iOS, every app has its own directory structure • SD Card, though, is generally public – accessible to all apps and unencrypted unless manufacturer has added encryption (Samsung SAFE)
Background Processing • iOS 6: • Audio Streaming (Spotify, Pandora) • GPS / Navigation • VOIP • Newsstand app content downloading • Hardware integrations (bluetooth, other external accessories) • iOS 7 • 10 3 minute window after app closes to finish any task. • Background Fetch • Remote Notifications • Background Transfer Service
iOS 7 Backgrounding
Background Processes / App Interaction
Types of Android Components ▪ Activities ▪ Intent ▪ Service ▪ Content Provider ▪ Broadcast Receiver
Public / Private Components
But what about custom keyboards?
Keyboard Security Risks
Except Passwords? https://github.com/tomgersic/AndroidKeyLogger
Permissions
Mitigation
Static Analysis Tools
Application Encryption • Encrypt your data yourself using PIN / Passcode • CoreData/SQLCipher ▪ NSIncrementalStore ▪ Good Dynamics • FMDB/SQLCipher ▪ Salesforce Smartstore
Jailbreak Detection • Sandbox integrity check: fork() should fail • Check for jailbreak files: ▪ /Applications/Cydia.app ▪ /Library/MobileSubstrate/MobileSubstrate.dylib ▪ /var/cache/apt ▪ /bin/sh ▪ /bin/bash
In-App Encryption
SmartStore Stack
Enable ASLR in Your App • ASLR: Address Space Layout Randomization
Stack Canaries • AKA Stack Smashing Protection • Protect against buffer overflows • Places random known value (canary) before local variables • Use Apple LLVM – won’t work with LLVM GCC
Hide Data from App Snapshot Images
Who STILL thinks the data on their phone is secure?
Tom Gersic Director, Mobile Services Delivery @tomgersic
We want to hear from YOU! Please take a moment to complete our session survey Surveys can be found in the “My Agenda” portion of the Dreamforce app
@tomgersic

More Related Content

PDF
Secure Salesforce: Hardened Apps with the Mobile SDK
Martin Vigo
 
PDF
Secure Salesforce: Hardened Apps with the Mobile SDK
Salesforce Developers
 
PPTX
Backstage Tour of Identity - London Identity Summit
ForgeRock
 
PDF
Android Q & iOS 13 Privacy Enhancements
NowSecure
 
PDF
Appaloosa & AppDome: deploy & protect mobile applications
Julien Ott
 
PDF
FIDO & The Mobile Network Operator - Goode Intelligence & Nok Nok Labs
Nok Nok Labs, Inc
 
PPT
You Can't Spell Enterprise Security without MFA
Ping Identity
 
PDF
Mobile App Security Predictions 2019
NowSecure
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Martin Vigo
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Salesforce Developers
 
Backstage Tour of Identity - London Identity Summit
ForgeRock
 
Android Q & iOS 13 Privacy Enhancements
NowSecure
 
Appaloosa & AppDome: deploy & protect mobile applications
Julien Ott
 
FIDO & The Mobile Network Operator - Goode Intelligence & Nok Nok Labs
Nok Nok Labs, Inc
 
You Can't Spell Enterprise Security without MFA
Ping Identity
 
Mobile App Security Predictions 2019
NowSecure
 

What's hot (20)

PDF
SecuSUITE for Enterprise Brochure
BlackBerry
 
PPTX
Managing Identity without Boundaries
Ping Identity
 
PDF
Nexsign Biometric Authentication
Samsung SDS America
 
PDF
HYPR: The Leading Provider of True Passwordless Security®
HYPR
 
PDF
Google Case Study - Towards simpler, stronger authentication
FIDO Alliance
 
PDF
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Ping Identity
 
PDF
SYPHERSAFE
Mustafa Kuğu
 
PPTX
Connecting The Real World With The Virtual World
Ping Identity
 
PPTX
Identity Beyond Employees: How Customer Experience Impacts Your IAM Practices
Ping Identity
 
PDF
Beyond username and password it's continuous authorization webinar
ForgeRock
 
PDF
2014 IoT Forum_ Fido Alliance
COMPUTEX TAIPEI
 
PPTX
CIS 2013 Ping Identity Chalktalk
Craig Wu
 
PDF
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
PDF
Sydney Identity Unconference Introduction and Highlights
ForgeRock
 
PDF
Google FIDO Authentication Case Study
FIDO Alliance
 
PDF
Argentinian Security Services Company Relies On BES10 For Secure Cross-Platfo...
BlackBerry
 
PDF
Major Spanish Risk-Prevention Consultancy Relies On BlackBerry To Safeguard M...
BlackBerry
 
PDF
White Paper: Balance Between Embedded Operating System Security Features and ...
Samsung Biz Mobile
 
PPTX
Passwordless auth
Lesha Bhansali
 
PDF
Local Government Balances Security, Flexibility and Productivity with BlackBe...
BlackBerry
 
SecuSUITE for Enterprise Brochure
BlackBerry
 
Managing Identity without Boundaries
Ping Identity
 
Nexsign Biometric Authentication
Samsung SDS America
 
HYPR: The Leading Provider of True Passwordless Security®
HYPR
 
Google Case Study - Towards simpler, stronger authentication
FIDO Alliance
 
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Ping Identity
 
SYPHERSAFE
Mustafa Kuğu
 
Connecting The Real World With The Virtual World
Ping Identity
 
Identity Beyond Employees: How Customer Experience Impacts Your IAM Practices
Ping Identity
 
Beyond username and password it's continuous authorization webinar
ForgeRock
 
2014 IoT Forum_ Fido Alliance
COMPUTEX TAIPEI
 
CIS 2013 Ping Identity Chalktalk
Craig Wu
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
Sydney Identity Unconference Introduction and Highlights
ForgeRock
 
Google FIDO Authentication Case Study
FIDO Alliance
 
Argentinian Security Services Company Relies On BES10 For Secure Cross-Platfo...
BlackBerry
 
Major Spanish Risk-Prevention Consultancy Relies On BlackBerry To Safeguard M...
BlackBerry
 
White Paper: Balance Between Embedded Operating System Security Features and ...
Samsung Biz Mobile
 
Passwordless auth
Lesha Bhansali
 
Local Government Balances Security, Flexibility and Productivity with BlackBe...
BlackBerry
 
Ad

Similar to Security Best Practices for Mobile Development (20)

PPT
Security Best Practices for Mobile Development @ Dreamforce 2013
Tom Gersic
 
PDF
Security Best Practices for Mobile Development
Salesforce Developers
 
PDF
Building secure mobile apps
Martin Vigo
 
PDF
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Salesforce Developers
 
PDF
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Salesforce Developers
 
PPTX
Salesforce.com Mobile Dev Week Chicago DUG
Tom Gersic
 
PPTX
Mobile architecture overview
David Scruggs
 
PPTX
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Jeff Douglas
 
PPTX
Salesforce Mobile architecture introduction
David Scruggs
 
PDF
Mobile SSO: Give App Users a Break from Typing Passwords
CA API Management
 
PPTX
Modev presentation
Ryan Upton
 
PPTX
Con8896 securely enabling mobile access for business transformation - final
OracleIDM
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
PPT
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
IBM Security
 
PDF
120019_top5_security
Jessica Hirst
 
PDF
API Design for Your Packaged App
Salesforce Developers
 
PDF
Developing Offline-Capable Apps with the Salesforce Mobile SDK and SmartStore
Salesforce Developers
 
PDF
API Design for Your Packaged App
Salesforce Developers
 
PDF
MobileIron's Enterprise Solution for Mobile Web Browsing
MobileIron
 
PPTX
Location-aware Mobile Apps with Chatter & iBeacon
johngifford
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Tom Gersic
 
Security Best Practices for Mobile Development
Salesforce Developers
 
Building secure mobile apps
Martin Vigo
 
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Salesforce Developers
 
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Salesforce Developers
 
Salesforce.com Mobile Dev Week Chicago DUG
Tom Gersic
 
Mobile architecture overview
David Scruggs
 
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Jeff Douglas
 
Salesforce Mobile architecture introduction
David Scruggs
 
Mobile SSO: Give App Users a Break from Typing Passwords
CA API Management
 
Modev presentation
Ryan Upton
 
Con8896 securely enabling mobile access for business transformation - final
OracleIDM
 
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
IBM Security
 
120019_top5_security
Jessica Hirst
 
API Design for Your Packaged App
Salesforce Developers
 
Developing Offline-Capable Apps with the Salesforce Mobile SDK and SmartStore
Salesforce Developers
 
API Design for Your Packaged App
Salesforce Developers
 
MobileIron's Enterprise Solution for Mobile Web Browsing
MobileIron
 
Location-aware Mobile Apps with Chatter & iBeacon
johngifford
 
Ad

More from Salesforce Developers (20)

PDF
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Salesforce Developers
 
PDF
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Salesforce Developers
 
PDF
Local development with Open Source Base Components
Salesforce Developers
 
PPTX
TrailheaDX India : Developer Highlights
Salesforce Developers
 
PDF
Why developers shouldn’t miss TrailheaDX India
Salesforce Developers
 
PPTX
CodeLive: Build Lightning Web Components faster with Local Development
Salesforce Developers
 
PPTX
CodeLive: Converting Aura Components to Lightning Web Components
Salesforce Developers
 
PPTX
Enterprise-grade UI with open source Lightning Web Components
Salesforce Developers
 
PPTX
TrailheaDX and Summer '19: Developer Highlights
Salesforce Developers
 
PDF
Live coding with LWC
Salesforce Developers
 
PDF
Lightning web components - Episode 4 : Security and Testing
Salesforce Developers
 
PDF
LWC Episode 3- Component Communication and Aura Interoperability
Salesforce Developers
 
PDF
Lightning web components episode 2- work with salesforce data
Salesforce Developers
 
PDF
Lightning web components - Episode 1 - An Introduction
Salesforce Developers
 
PDF
Migrating CPQ to Advanced Calculator and JSQCP
Salesforce Developers
 
PDF
Scale with Large Data Volumes and Big Objects in Salesforce
Salesforce Developers
 
PDF
Replicate Salesforce Data in Real Time with Change Data Capture
Salesforce Developers
 
PDF
Modern Development with Salesforce DX
Salesforce Developers
 
PDF
Get Into Lightning Flow Development
Salesforce Developers
 
PDF
Integrate CMS Content Into Lightning Communities with CMS Connect
Salesforce Developers
 
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Salesforce Developers
 
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Salesforce Developers
 
Local development with Open Source Base Components
Salesforce Developers
 
TrailheaDX India : Developer Highlights
Salesforce Developers
 
Why developers shouldn’t miss TrailheaDX India
Salesforce Developers
 
CodeLive: Build Lightning Web Components faster with Local Development
Salesforce Developers
 
CodeLive: Converting Aura Components to Lightning Web Components
Salesforce Developers
 
Enterprise-grade UI with open source Lightning Web Components
Salesforce Developers
 
TrailheaDX and Summer '19: Developer Highlights
Salesforce Developers
 
Live coding with LWC
Salesforce Developers
 
Lightning web components - Episode 4 : Security and Testing
Salesforce Developers
 
LWC Episode 3- Component Communication and Aura Interoperability
Salesforce Developers
 
Lightning web components episode 2- work with salesforce data
Salesforce Developers
 
Lightning web components - Episode 1 - An Introduction
Salesforce Developers
 
Migrating CPQ to Advanced Calculator and JSQCP
Salesforce Developers
 
Scale with Large Data Volumes and Big Objects in Salesforce
Salesforce Developers
 
Replicate Salesforce Data in Real Time with Change Data Capture
Salesforce Developers
 
Modern Development with Salesforce DX
Salesforce Developers
 
Get Into Lightning Flow Development
Salesforce Developers
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Salesforce Developers
 

Recently uploaded (20)

PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Teaching material agriculture food technology
LiaRayya
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 

Security Best Practices for Mobile Development

  • 1. Security Best Practices for Mobile Development Mobile SDK Entity Framework and SmartStore Tom Gersic, Salesforce.com Director, Mobile Services Delivery @tomgersic
  • 2. Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  • 3. Tom Gersic Director, Mobile Services Delivery @tomgersic
  • 4. Agenda • Fundamental Principles • What iOS and Android Share • iOS Specific Characteristics • Android Specific Characteristics • Salesforce Mobile Offerings
  • 5. Who thinks the data on their phone is secure?
  • 12. Separation of Concerns – Principle of Least Privilege
  • 15. Libtiff Image Exploit / Jailbreak • iPhone 1 – patched in 1.1.2 • Tiff buffer overflow • No DEP/ASLR – nothing to prevent executing code on the heap • Gained root access from viewing an image on the web
  • 17. iOS 7 Lock Screen Bypass
  • 19. “Bluebox Uncovers Android Master Key -- 2013”
  • 20. Concatenated SMS Exploit – Charlie Miller
  • 21. Concatenated SMS Exploit • Takes 519 SMS messages – all but 1 is invisible • Send message -1 of X to underflow the array buffer • Can’t be stopped by the user • Used to write an entire binary executable to the heap, and run it, taking over the phone.
  • 23. But most of the time…
  • 24. Data Security – Hardware Encryption Requires PIN/Passcode on both iOS and Android On iOS, apps opt-in Supported on ▪ iPhone 3GS w/ iOS v4+ (AES 256 bit) ▪ Android Honeycomb+ (AES 128 bit) • Some manufacturers increase to AES 256 bit (Samsung SAFE) SD Card encryption on Android is manufacturer specific.
  • 30. iOS Sandbox • All apps (Apple’s and App Store) run as “mobile” user. • Sandboxing is bolted on -- handled via XNU Sandbox “Seatbelt” kernel extension. • Applications run in separate subdirectories of /private/var/mobile/Applications • Any app in this directory is loaded with “container” (sandboxed) profile.
  • 31. Android Sandbox • Uses underlying Linux security model • Every app runs as a separate user • Apps signed by the same developer can run as the same user, if desired (not the default, though) • Every app runs in its own instance of the Android Runtime (Dalvik Virtual Machine) • Like iOS, every app has its own directory structure • SD Card, though, is generally public – accessible to all apps and unencrypted unless manufacturer has added encryption (Samsung SAFE)
  • 32. Background Processing • iOS 6: • Audio Streaming (Spotify, Pandora) • GPS / Navigation • VOIP • Newsstand app content downloading • Hardware integrations (bluetooth, other external accessories) • iOS 7 • 10 3 minute window after app closes to finish any task. • Background Fetch • Remote Notifications • Background Transfer Service
  • 34. Background Processes / App Interaction
  • 35. Types of Android Components ▪ Activities ▪ Intent ▪ Service ▪ Content Provider ▪ Broadcast Receiver
  • 36. Public / Private Components
  • 37. But what about custom keyboards?
  • 43. Application Encryption • Encrypt your data yourself using PIN / Passcode • CoreData/SQLCipher ▪ NSIncrementalStore ▪ Good Dynamics • FMDB/SQLCipher ▪ Salesforce Smartstore
  • 44. Jailbreak Detection • Sandbox integrity check: fork() should fail • Check for jailbreak files: ▪ /Applications/Cydia.app ▪ /Library/MobileSubstrate/MobileSubstrate.dylib ▪ /var/cache/apt ▪ /bin/sh ▪ /bin/bash
  • 47. Enable ASLR in Your App • ASLR: Address Space Layout Randomization
  • 48. Stack Canaries • AKA Stack Smashing Protection • Protect against buffer overflows • Places random known value (canary) before local variables • Use Apple LLVM – won’t work with LLVM GCC
  • 49. Hide Data from App Snapshot Images
  • 50. Who STILL thinks the data on their phone is secure?
  • 51. Tom Gersic Director, Mobile Services Delivery @tomgersic
  • 52. We want to hear from YOU! Please take a moment to complete our session survey Surveys can be found in the “My Agenda” portion of the Dreamforce app