ASFWS 2011 - Secure software development for mobile devices
Transcript of ASFWS 2011 - Secure software development for mobile devices
SECURE MOBILE APPLICATION DEVELOPMENT
Julien Probst, Co-founder, Sysmosoft SA
27.10.2011 Application Security Forum - Western Switzerland - 2011
Application Security Forum Western Switzerland
27 October 2011 - HEIG-VD Yverdon-les-Bains - http://appsec-forum.ch
Sysmosoft SA
Swiss-based company
Specialized in mobile security
Spin-off of the University of Applied Sciences in Yverdon-les-Bains (HEIG-VD)
Mobility
Working since 2008 with private banks to create an adapted solution
In production since 2010
Security
Threat and vulnerability analysis linked to mobility
Agile & Security Development Lifecycle
[Diagram: threat model. Devices are either property of the enterprise or the user's personal phone, and move between the company network and the outside; threats shown: theft/loss, virus/malware, unauthorized access to the enterprise.]
Jailbreak
Purpose
‒ Install free Apps from “alternative stores”
‒ Unlock some new device features
Security Issues
‒ All OS security mechanisms are disabled…
‒ … so all data can potentially be accessed
‒ “Alternative stores” do not verify Apps
JailbreakMe
‒ Jailbreak your iPhone/iPad from a web page
‒ Exploits a flaw in a third-party parsing library bundled with iOS (TIFF images in v1, PDF fonts in v2/v3), triggered by a file loaded in Safari
‒ Versions: v1 2007, v2 2010, v3 2011
Source: jailbreakme.com
Shared Data
Purpose
‒ To improve the user's experience, some data are shared between Apps
‒ “Official” APIs are usually provided by the OS
Security Issues
‒ Easy for developers to access your shared data…
‒ …and do what they want with it
Wall Street Journal analysis
‒ Over 100 legitimate applications analyzed
‒ 5 of them transmitted the address book to outsiders
Source: Wall Street Journal, Your Apps Are Watching You, 17 Dec. 2010
Fraunhofer's PoC: Grant Access to iOS 4.x
How It Works
1. Get access to an iPhone
2. Execute a jailbreak
3. Install and run Fraunhofer's script
4. Wait for the OS to decrypt the Keychain
— The PIN code is not required
— Not all secrets are decrypted (only items whose protection class does not require the passcode)
5. Access the user's secrets in 6 minutes
Source: http://www.fraunhofer.de/
Forensic Solutions
Purpose
‒ Commercial and Free/Open Source solutions
‒ Access “all” data stored on a smartphone
‒ Physical imaging
‒ Logical imaging
‒ Passcode recovery
‒ Keychain decryption
‒ Disk decryption
Source: www.viaforensic.com & www.elcomsoft.com
Compromised data (cell marks not preserved in the transcript)
Attack                          | Affected users | Shared Data | Keychain Data | Application Data | Data Transport | Device Specific
Malicious legitimate App.       |                |             |               |                  |                |
JailBreak (with malicious App.) |                |             |               |                  |                |
Fraunhofer's PoC                |                |             |               |                  |                |
Forensic Solution               |                |             |               |                  |                |
[Diagram: device security model. The Operating System with its Resources and Applications; Device Security features and Device Configuration; Professional Configuration alongside User Configuration.]
[Diagram: the same model with a Secure Application added on top of the OS, carrying its own Security layer and the Business logic, so that business data does not depend only on the Device Security features and Device Configuration.]
Application: Secure Document Reader
[Diagram: data exposed through the device OS and the countermeasure applied to each; pairings reconstructed from the diagram.]
OS feature        Data at risk                                   Countermeasure
Display Output    Interface “screenshots”                        Prevention
Memory Manag.     Memory's data                                  Clean memory on standby
Keychain          User's secrets                                 Encrypt
Data Transport    Application data                               Auth & Encrypt
Keyboard Input    Dictionary cache                               Clean keyboard on exit
OS App. Manager   Application's state                            Clean state on standby
Storage           Application data, device's data, shared data   Encrypt
Backup            Application data                               Protection
Cryptographic algorithms
Implement all cryptographic algorithms at the application level
Usually the strongest part of the application
Key Management
Manage all cryptographic keys at the application level
Usually the weak point of the application
View Mode – Best security
‒ Do not store data on the device
‒ Only use the established ephemeral session key to exchange the data
Offline Mode – Less secure
‒ Encrypt data on the device
‒ Store and protect the key on the device
Cache Mode – Best compromise
‒ Encrypt data on the device
‒ Store and protect the key on the server only
Offline authentication limitation
‒ The device ID cannot be verified by the device itself
‒ Hardware token IDs are verified by a trusted server
‒ Only the user's ID can be verified by the device
Potential attacks against offline authentication
‒ Social engineering to obtain the user's credentials
‒ Brute force attack against the data encryption key
• Even if a key derivation function such as PBKDF2 is used: the derived key is only as strong as the PIN or password it comes from, and an attacker holding a device image can test guesses offline with no lockout
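The storage modes above and the brute-force caveat, worked through as an added example (Python, standard library only; this is not code from the talk or from Sysmosoft). It assumes PBKDF2-HMAC-SHA256, a 4-digit PIN, a key-check value stored beside the ciphertext in Offline Mode, and a constructed KeyServer class standing in for the trusted server of Cache Mode; the iteration count and the lockout threshold are illustrative, not recommendations.

```python
"""Offline Mode vs Cache Mode key handling and the offline brute-force attack.

Added example, not code from the talk or from Sysmosoft. Assumed (not in the
slides): PBKDF2-HMAC-SHA256, a low iteration count so the demo runs fast, a
4-digit PIN, a key-check value kept beside the ciphertext, and a constructed
stand-in for the trusted server.
"""
import hashlib
import hmac
import itertools
import os
import time

PBKDF2_ITERATIONS = 1_000   # assumed; deliberately low so the demo is fast
KEY_LEN = 32
MAX_ONLINE_ATTEMPTS = 5     # assumed server lockout policy
PIN_ALPHABET = "0123456789"


def derive_key(pin: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2 stretches the PIN; it cannot add entropy to it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Verifier the app stores to reject a wrong PIN before decrypting.
    With a device image, the attacker uses it the same way: as an offline oracle."""
    return hmac.new(key, b"key-check", "sha256").digest()


# Offline Mode: the key is derived from the PIN, and everything needed to test
# a guess (salt, verifier, ciphertext) sits on the device.
def offline_mode_record(pin: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "kcv": key_check_value(derive_key(pin, salt))}


def brute_force_offline(record: dict, digits: int = 4):
    """What a forensic tool does with the image: enumerate PINs against the
    stored verifier. Returns (pin, guesses) or (None, guesses)."""
    if "kcv" not in record:          # Cache Mode record: nothing to test against
        return None, 0
    guesses = 0
    for digit_tuple in itertools.product(PIN_ALPHABET, repeat=digits):
        pin = "".join(digit_tuple)
        guesses += 1
        candidate = derive_key(pin, record["salt"])
        if hmac.compare_digest(key_check_value(candidate), record["kcv"]):
            return pin, guesses
    return None, guesses


def exhaustive_search_seconds(digits: int, iterations: int) -> float:
    """Worst-case time to cover the PIN space at a given PBKDF2 cost, measured on
    this machine. More iterations scale this linearly; the PIN space stays tiny."""
    start = time.perf_counter()
    derive_key("0000", b"\x00" * 16, iterations)
    return (time.perf_counter() - start) * len(PIN_ALPHABET) ** digits


# Cache Mode: data is encrypted on the device, but the data key lives only on
# the server, which releases it after verifying the user and counting failures.
class KeyServer:
    """Constructed stand-in for the trusted server (not a real protocol)."""

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._pin_verifier = derive_key(pin, self._salt)
        self._data_key = os.urandom(KEY_LEN)
        self.failed_attempts = 0
        self.locked = False

    def release_key(self, pin: str) -> bytes:
        if self.locked:
            raise PermissionError("account locked after too many failed attempts")
        if hmac.compare_digest(derive_key(pin, self._salt), self._pin_verifier):
            self.failed_attempts = 0
            return self._data_key
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ONLINE_ATTEMPTS:
            self.locked = True
        raise PermissionError("wrong PIN")


def cache_mode_record() -> dict:
    """What the device keeps in Cache Mode: ciphertext only, no salt, no verifier."""
    return {"ciphertext": b"<encrypted document; key held by server>"}  # constructed placeholder


def brute_force_online(server: KeyServer, digits: int = 4):
    """Same enumeration, but every guess is a request the server counts and blocks."""
    guesses = 0
    for digit_tuple in itertools.product(PIN_ALPHABET, repeat=digits):
        pin = "".join(digit_tuple)
        guesses += 1
        try:
            server.release_key(pin)
            return pin, guesses
        except PermissionError:
            if server.locked:
                return None, guesses
    return None, guesses


if __name__ == "__main__":
    rec = offline_mode_record("0042")
    print("offline:", brute_force_offline(rec))                       # ('0042', 43)
    print("4-digit PIN at 100k iterations, worst case: %.0f s" % exhaustive_search_seconds(4, 100_000))
    srv = KeyServer("0042")
    print("online:", brute_force_online(srv), "locked:", srv.locked)  # (None, 5) locked: True
```

The offline record yields the PIN after 43 guesses because the attacker can run the verifier as fast as the hardware allows; raising the PBKDF2 cost only multiplies a few seconds into a few minutes for a 4-digit PIN. The cache-mode record gives the attacker nothing to test, and the online path is stopped by the server after five failures. The lockout is itself a denial-of-service lever, so a production server would rate-limit per device and user rather than hard-lock the account; that policy is outside this example.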
Check the operating system
‒ Verify the version of the OS
‒ Control the integrity of the OS (jailbreak, etc.)
Check for insecure system caches and features
‒ Avoid/clean caches (keyboard, pasteboard, screenshots, etc.)
‒ Detect undesired features (multitasking management, backup, etc.)
Apply device-specific best practices
‒ Security recommendations
‒ Memory management, …
Advantages of application-level security
Comply with company security policies
‒ Countermeasures are implemented according to the security needs
Use high-level standard cryptographic algorithms
‒ Crypto algorithms can be used without limitation or restriction
Apply the same security mechanisms to each platform
‒ The same mechanisms can be implemented and managed for each platform
Limitations of application-level security
The application still relies on the operating system
‒ A critical flaw in the OS can potentially lead to a data breach
Implementing security inside Apps requires experience and time
‒ Integrating a Security Development Lifecycle (SDLC) is recommended
Some mechanisms remain out of the control of the application
‒ OS prevention/control mechanisms must be developed (cache cleaning, etc.)
Offline Mode remains a potential issue
‒ Trusted specific hardware can potentially be used
Conclusion
Mobile devices are new threat vectors for companies' data
Misconfigured devices are vulnerable to a multitude of new types of attack
Conventional security solutions are not really adapted for mobility
Isolate sensitive or corporate data from private data
‒ End users keep their habits while companies apply specific rules to sensitive data
Integrate security inside Apps and do not rely only on the OS or infrastructure
‒ Sensitive data is protected by additional applicative security mechanisms
Conventional security solutions are not really adapted for mobility
‒ Applying company security policies to personal mobile devices is not possible
Contact
Sysmosoft SA, Rue Galilée 9, 1400 Yverdon-les-Bains
Julien Probst, +41 (0) 24 524 10 36