How iOS and Android Handle Security Webinar
Transcript of How iOS and Android Handle Security Webinar
How iOS and Android Handle Security
Dan Cornell (@danielcornell)
Dan’s Background
• Founder and CTO of Denim Group
• Software developer by background
• OWASP San Antonio
Denim Group Company Background
• Professional services firm that builds & secures enterprise applications
  • External application & network assessments
  • Web, mobile, and cloud
  • Software development lifecycle (SDLC) consulting
• Secure development services:
  • Secure .NET and Java application development & remediation
• Classroom secure developer training for PCI compliance
• Develop ThreadFix
Overview
• Challenges of secure mobile development
• Areas of concern:
  • Basics of (secure) application development
  • Secure data storage
  • Secure data communication
  • Mobile browsers
  • Handling SMS and push messaging
  • Licensing and in-app payments
• Questions and Answers
Secure Mobile Application Development Reference
• Topics include:
  • Overview of Application Development
  • Overview of Secure Development
  • Defeating Platform Environment Restrictions
  • Installing Applications
  • Application Permissions Model
  • Local Storage
  • Encryption APIs
  • Network Communications
  • Protecting Network Communications
  • Application Licensing and Payments
  • Mobile Browser
  • Native Code Execution
  • Browser URL Handling
  • Mobile Application SMS/Push Update Handling
• For developers:
  • Learn the security capabilities of your mobile development platform
  • Get access to further learning resources
• For security professionals:
  • Learn the security capabilities of the mobile development platform(s) your organization is targeting
http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
CHALLENGES OF SECURE MOBILE DEVELOPMENT
Mobile Application Threat Model
• More complicated than standard web application threat model
• Chess versus checkers
• Today we will focus on code running on the mobile device
Generic Mobile Application Threat Model
Typical Mobile Threats
• Spoofing: Users to the Mobile Application
• Spoofing: Web Services to Mobile Application
• Tampering: Mobile Application
• Tampering: Device Data Stores
• Disclosure: Device Data Stores or Residual Data
• Disclosure: Mobile Application to Web Service
• Denial of Service: Mobile Application
• Elevation of Privilege: Mobile Application or Web Services
[Diagram: Generic Mobile Application Threat Model, showing the User, the Mobile Application, Local App Storage, the Device Keychain, Mobile Web Services, and the Main Site Pages]
AREAS OF CONCERN
Areas of Concern
• Basics of (Secure) Application Development
• Secure Data Storage
• Secure Data Communication
• Mobile Browsers
• Handling SMS and Push Messaging
• Licensing and In-App Payments
AREAS OF CONCERN
Basics of (Secure) Application Development
• Overview of Application Development
• Overview of Secure Development
• Defeating Platform Environmental Restrictions
• Installing Applications
• Application Permissions Model
• Native Code Execution
Overview of Application Development
iOS
• Objective-C is most common
• Swift for newer applications
• The iOS Developer Program allows installing and testing applications on registered developer devices
• Production applications are installed from the App Store
Android
• Typically written in Java
• Previously executed by the Dalvik VM; more recently by the Android Runtime (ART). Both consume DEX bytecode
• Applications installed from the Google Play store or side-loaded via USB
Overview of Secure Development
iOS
• Apple provides a Secure Coding Guide with both:
  • General secure coding recommendations
  • iOS-specific recommendations
Android
• Google provides a Google Group with secure Android coding recommendations
• Many 3rd party resources available as well
Defeating Platform Environmental Restrictions
iOS
• iOS devices can be “jailbroken”
• Allows access to the device as the root user
• Allows 3rd party applications to be installed from outside the App Store
• Allows for use of alternate app stores
Android
• Android devices can be “rooted”
• Allows for root-level access to the device
• Allows for custom kernels on many devices
Installing Applications
iOS
• Non-jailbroken iOS devices:
  • Apple App Store
  • Developers can install applications on a set of test devices
• Alternate app stores for jailbroken devices
Android
• Google Play store
• Side-loading applications
  • For development/debugging
  • For general usage
• Alternate app stores for rooted devices
Application Permissions Model
iOS
• App asks for the relevant permission when it is first needed
• User can allow or deny
• User can review permissions in Settings and see which applications are requesting them
Android
• Baked into AndroidManifest.xml
• Fairly fine-grained
• But must be accepted wholesale at install time (the model described here; Android 6.0 later introduced runtime prompts for the dangerous permissions)
• Take a look at what apps from the app store ask for…
Native Code Execution
iOS
• Objective-C compiles to ARM machine code
• Objective-C is a superset of C, so it is not memory-safe by nature
• Swift offers much more protection
Android
• Dalvik/ART should provide memory safety for Java code
• Can run native C/C++ code via the Native Development Kit (NDK), which gives up that safety
AREAS OF CONCERN
Secure Data Storage
• Local Storage
• Encryption APIs
Local Storage
iOS
• iOS (since 3.0) provides AES-based full-disk encryption (hooray!)
• Based on a burned-in hardware UID (hrm…): the UID alone only protects data against the flash being read outside the device, so sensitive files should use the Data Protection classes that also entangle the user's passcode
• iOS 8 added a 5 second hardware delay to passcode attempts for newer hardware (hooray!) and moved more data under default protection mechanisms
Android
• Uses Linux user/group permissions: each application runs as its own UID with a private data directory
• Android 5.0 allows for full-disk encryption keyed to the user's PIN or password (hooray!)
• Also can have hardware-backed storage of the encryption key via a Trusted Execution Environment (TEE)
Encryption APIs
iOS
• Provides access to a variety of certificate and key management functions
• iOS Keychain provides device-supported encryption capabilities: items are encrypted under keys derived from the hardware UID and, for the stronger accessibility classes, the user's passcode
Android
• Now has a Keystore system
• Allows for more secure storage of key material to prevent unauthorized use
• Provides access to javax.crypto APIs
• Can also use 3rd party Java libraries for encryption
  • Like BouncyCastle (be careful of vulnerable versions…)
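As an added example (not code from the presentation or from Denim Group), the Java below uses the javax.crypto APIs named above the way the Local Storage slides suggest: a data key derived from the user's passcode plus a device-bound salt, and records sealed with AES-GCM so that tampering is detected rather than silently decrypted. The salt, the passcode and the record contents are constructed stand-ins; on Android 6.0 and later the AES key could instead be generated inside the AndroidKeyStore, and on iOS the Keychain and Data Protection classes give the equivalent binding.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Encrypts application records at rest using only javax.crypto (JDK or Android). */
public final class LocalStore {
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Derive the data key from the user's passcode and a device-bound salt. The salt stands in
     * for the hardware-rooted secret the platform contributes (Apple's UID, a TEE-held key on
     * Android); entangling the passcode is what makes the data useless to someone who only has
     * the flash contents.
     */
    public static SecretKey deriveKey(char[] passcode, byte[] deviceSalt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passcode, deviceSalt, 100_000, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] raw = f.generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    /** Output layout: IV || ciphertext || GCM tag. The record id is bound as associated data. */
    public static byte[] seal(SecretKey key, String recordId, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                                  // a fresh IV per record; never reuse one under a key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(recordId.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Returns null if the blob was modified, or was sealed for a different record or key. */
    public static byte[] open(SecretKey key, String recordId, byte[] blob) throws GeneralSecurityException {
        if (blob.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) return null;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(GCM_TAG_BITS, Arrays.copyOfRange(blob, 0, GCM_IV_BYTES)));
        c.updateAAD(recordId.getBytes(StandardCharsets.UTF_8));
        try {
            return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
        } catch (AEADBadTagException e) {
            return null;                                    // authentication failed: do not use the output
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] deviceSalt = new byte[16];                   // constructed stand-in for a device-bound secret
        RNG.nextBytes(deviceSalt);
        SecretKey key = deriveKey("1234".toCharArray(), deviceSalt);

        byte[] blob = seal(key, "session-token", "tok_abc123".getBytes(StandardCharsets.UTF_8));
        byte[] back = open(key, "session-token", blob);
        System.out.println("round trip: " + (back == null ? "rejected" : new String(back, StandardCharsets.UTF_8)));

        blob[blob.length - 1] ^= 0x01;                      // flip one bit of the GCM tag
        System.out.println("tampered:   " + (open(key, "session-token", blob) == null ? "rejected" : "accepted"));

        System.out.println("wrong id:   " + (open(key, "other-record", blob) == null ? "rejected" : "accepted"));
    }
}
```

Binding the record id as associated data means a blob copied from one record slot to another fails to open, which closes the "swap two encrypted files" tampering case from the threat model without any extra bookkeeping.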
AREAS OF CONCERN
Secure Data Communication
• Network Communications
• Protecting Network Communications
Network Communications
iOS
• Provides access to BSD sockets
• Provides implementations of many higher-level protocols
Android
• Provides access to standard java.net.* classes
• Provides access to a number of Apache HTTP utilities
• Provides some Android-specific classes for HTTP/S, SIP, and WiFi
Protecting Network Communications
iOS
• Provides implementations of common transport-layer security protocols
• Default settings are not terrible
Android
• Provides access to javax.net.ssl classes allowing for TLS network communications
• Be careful using android.net.SSLCertificateSocketFactory: methods such as getInsecure() make it easy to disable certificate and hostname checks
AREAS OF CONCERN
Mobile Browsers
• Mobile Browser Basics
• Browser URL Handling
Mobile Browser Basics
iOS
• Mobile version of the Safari browser that uses the WebKit HTML rendering engine
• Applications embed the same engine through UIWebView (and, since iOS 8, WKWebView)
Android
• WebKit HTML rendering engine and a version of the Chrome V8 JavaScript engine
• Since Android 4.4 the WebView used by applications is Chromium-based
Browser URL Handling
iOS
• Allows applications to register to handle different URL schemes
• Apple applications are given precedence for the schemes they register for
• Developers should treat inputs as untrusted
Android
• Allows applications to register to handle events raised by the browser for different protocols
• Uses the Android “intent” facility to deliver them
• Developers should treat inputs as untrusted
AREAS OF CONCERN
Handling SMS and Push Messaging
iOS
• Allows applications to receive pushed notifications so that they can display a message or download new data
• Must treat inputs from push notifications as potentially malicious
Android
• Cloud to Device Messaging Framework (C2DM) has been deprecated and replaced by Google Cloud Messaging (GCM), itself later superseded by Firebase Cloud Messaging (FCM)
• Must treat inputs from push notifications as potentially malicious
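Added example, not part of the original webinar: one validator that serves both the Browser URL Handling slides (a custom-scheme URL arriving through an Android intent or an iOS URL handler) and the push-messaging slides (a GCM/FCM data payload carrying a link to open). The example-app scheme, the screen names, the api.example.com host and the "link" key are assumptions chosen for the demo, and the inputs in main are constructed.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Validates a deep link before the app acts on it. One check serves both entry points:
 * a custom-scheme URL handed over by the browser and a push message whose data carries a link.
 */
public final class DeepLinkGuard {
    static final String APP_SCHEME = "example-app";                                  // assumed scheme for this app
    static final Set<String> ALLOWED_SCREENS = new HashSet<>(Arrays.asList("inbox", "order"));
    static final Set<String> ALLOWED_WEB_HOSTS = new HashSet<>(Arrays.asList("api.example.com"));

    /** A validated navigation target; nothing that has not passed parse() gets this type. */
    public static final class Target {
        public final String screen;   // app screen to show
        public final String webUrl;   // https URL to load in an in-app WebView, or null
        Target(String screen, String webUrl) { this.screen = screen; this.webUrl = webUrl; }
    }

    /** Returns null for anything the app should ignore. */
    public static Target parse(String raw) {
        if (raw == null || raw.length() > 2048) return null;
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return null;
        }
        if (!APP_SCHEME.equalsIgnoreCase(uri.getScheme())) return null;   // javascript:, file:, intent:, ...
        String screen = uri.getHost();                                     // example-app://inbox -> "inbox"
        if (screen == null || !ALLOWED_SCREENS.contains(screen)) return null;

        String webUrl = null;
        String query = uri.getRawQuery();                                  // raw, so an encoded "&" cannot split a value
        for (String param : query == null ? new String[0] : query.split("&")) {
            if (param.startsWith("url=")) {
                webUrl = checkWebUrl(decode(param.substring(4)));
                if (webUrl == null) return null;                           // a bad embedded URL rejects the whole link
            }
        }
        return new Target(screen, webUrl);
    }

    /** Only https to a host we control: blocks javascript:, file:, and attacker-chosen hosts. */
    static String checkWebUrl(String s) {
        try {
            URI u = new URI(s);
            if (!"https".equalsIgnoreCase(u.getScheme())) return null;
            if (u.getUserInfo() != null) return null;      // https://api.example.com@evil.example/ look-alikes
            String host = u.getHost();
            if (host == null || !ALLOWED_WEB_HOSTS.contains(host.toLowerCase())) return null;
            return u.toString();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Entry point for a push message: GCM/FCM deliver key/value data; validate it, never act on it blindly. */
    public static Target fromPushData(Map<String, String> data) {
        return parse(data.get("link"));                    // "link" is an assumed key chosen by this app's server
    }

    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);            // UTF-8 is always present
        }
    }

    public static void main(String[] args) {
        String[] samples = {                                                  // constructed inputs
            "example-app://inbox",
            "example-app://order?url=https://api.example.com/receipt/42",
            "example-app://order?url=https%3A%2F%2Fapi.example.com%40evil.example%2F",
            "example-app://order?url=javascript:alert(1)",
            "example-app://settings",
            "file:///etc/passwd",
        };
        for (String s : samples) {
            Target t = parse(s);
            System.out.println(s + " -> " + (t == null ? "rejected" : t.screen + (t.webUrl == null ? "" : " " + t.webUrl)));
        }
        Target fromPush = fromPushData(Collections.singletonMap("link", "example-app://inbox"));
        System.out.println("push -> " + (fromPush == null ? "rejected" : fromPush.screen));
    }
}
```

The design point is that the app never hands a raw string from the browser or the push channel to a WebView, a file API or an intent; it hands over a Target, and the only way to obtain a Target is through parse().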
AREAS OF CONCERN
Licensing and In-App Payments
iOS
• In-App purchases allow you to sell items from within iOS applications
• StoreKit API allows for these capabilities
Android
• In-App purchases allow you to sell items from within Android applications
• Billing API proxies communications between your application and the relevant Google Play services
• Supports purchases, subscriptions and in-app products
• On both platforms the purchase record should be verified before content is unlocked, ideally on your own server
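As an added example of the verification step (not code from the presentation or from Google's billing library), the Java below checks the purchase data and signature the Google Play billing API returns against the app's RSA licence key, using the SHA1withRSA scheme Play signs purchase data with. The key pair and the purchase JSON in main are constructed stand-ins so the example runs offline.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/** Verifies the (purchaseData, signature) pair that Google Play's billing API hands back to the app. */
public final class PurchaseVerifier {
    private static final String KEY_FACTORY_ALGORITHM = "RSA";
    private static final String SIGNATURE_ALGORITHM = "SHA1withRSA";   // the scheme Play uses for purchase data

    /** base64PublicKey is the app's RSA licence key as shown in the Play Console. */
    public static PublicKey decodeKey(String base64PublicKey) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64PublicKey);
        return KeyFactory.getInstance(KEY_FACTORY_ALGORITHM).generatePublic(new X509EncodedKeySpec(der));
    }

    public static boolean verifyPurchase(PublicKey key, String signedData, String base64Signature) {
        if (signedData == null || signedData.isEmpty() || base64Signature == null || base64Signature.isEmpty()) {
            return false;                                  // an empty signature is a classic bypass attempt
        }
        try {
            Signature sig = Signature.getInstance(SIGNATURE_ALGORITHM);
            sig.initVerify(key);
            sig.update(signedData.getBytes(StandardCharsets.UTF_8));
            return sig.verify(Base64.getDecoder().decode(base64Signature));
        } catch (Exception e) {
            return false;                                  // malformed base64, wrong key type, etc.
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for Google's signing key; in production only the public half is known to the app.
        KeyPairGenerator gen = KeyPairGenerator.getInstance(KEY_FACTORY_ALGORITHM);
        gen.initialize(2048);
        KeyPair play = gen.generateKeyPair();
        String licenceKey = Base64.getEncoder().encodeToString(play.getPublic().getEncoded());

        String purchase = "{\"orderId\":\"test-order-1\",\"productId\":\"premium\",\"purchaseState\":0}";
        Signature signer = Signature.getInstance(SIGNATURE_ALGORITHM);
        signer.initSign(play.getPrivate());
        signer.update(purchase.getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(signer.sign());

        PublicKey key = decodeKey(licenceKey);
        System.out.println("genuine:  " + verifyPurchase(key, purchase, signature));
        System.out.println("tampered: " + verifyPurchase(key, purchase.replace("premium", "premium_plus"), signature));
        System.out.println("no sig:   " + verifyPurchase(key, purchase, ""));
    }
}
```

Because the licence key ships inside the APK, an attacker who roots the device or patches the app can swap it for their own; that is why the slide's advice to verify on your own server still applies even with this check in place on the device.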
So Where Do You Go From Here?
So What Should Security People Do?
• Understand the general mobile application threat model and any peculiarities of platforms your organization supports
• Work with developers to set architecture, design, and coding guidelines and standards
• Test the security of mobile application systems – the entirety of the system, not just the code running on the device – taking into account the security characteristics of your target platform
So What Should Developers Do?
• Threat model your mobile application prior to development
• Learn the security properties and capabilities of the platform(s) you develop for
• Stay current as new security vulnerabilities and weaknesses are discovered and as new security capabilities are added to your target platform(s)
How Do iOS and Android Handle Security?
• Denim Group Secure Mobile Application Development Reference
  • Overview of Application Development
  • Overview of Secure Development
  • Defeating Platform Environment Restrictions
  • Installing Applications
  • Application Permissions Model
  • Local Storage
  • Encryption APIs
  • Network Communications
  • Protecting Network Communications
  • Application Licensing and Payments
  • Mobile Browser
  • Native Code Execution
  • Browser URL Handling
  • Mobile Application SMS/Push Update Handling
http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
QUESTIONS AND ANSWERS
Dan Cornell (@danielcornell)