How iOS and Android Handle Security Webinar


Transcript of How iOS and Android Handle Security Webinar

Page 1: How iOS and Android Handle Security Webinar

How iOS and Android Handle Security

Dan Cornell (@danielcornell)

Page 2

Dan’s Background

• Founder and CTO of Denim Group

• Software developer by background

• OWASP San Antonio

Page 3

Denim Group Company Background

• Professional services firm that builds & secures enterprise applications
• External application & network assessments
• Web, mobile, and cloud
• Software development lifecycle (SDLC) consulting
• Secure development services: secure .NET and Java application development & remediation
• Classroom secure developer training for PCI compliance
• Develop ThreadFix

Page 4

Overview

• Challenges of secure mobile development
• Areas of concern:
  • Basics of (secure) application development
  • Secure data storage
  • Secure data communication
  • Mobile browsers
  • Handling SMS and push messaging
  • Licensing and in-app payments
• Questions and Answers

Page 5

Secure Mobile Application Development Reference

• Topics include:
  • Overview of Application Development
  • Overview of Secure Development
  • Defeating Platform Environment Restrictions
  • Installing Applications
  • Application Permissions Model
  • Local Storage
  • Encryption APIs
  • Network Communications
  • Protecting Network Communications
  • Application Licensing and Payments
  • Mobile Browser
  • Native Code Execution
  • Browser URL Handling
  • Mobile Application SMS/Push Update Handling

http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html

Page 6

Secure Mobile Application Development Reference

• For developers:
  • Learn the security capabilities of your mobile development platform
  • Get access to further learning resources
• For security professionals:
  • Learn the security capabilities of the mobile development platform(s) your organization is targeting

http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html

Page 7

CHALLENGES OF SECURE MOBILE DEVELOPMENT

How iOS and Android Handle Security

Page 8

Mobile Application Threat Model

• More complicated than standard web application threat model

• Chess versus checkers

• Today we will focus on code running on the mobile device

Page 9

Generic Mobile Application Threat Model

Page 10

Typical Mobile Threats

• Spoofing: Users to the Mobile Application
• Spoofing: Web Services to Mobile Application
• Tampering: Mobile Application
• Tampering: Device Data Stores
• Disclosure: Device Data Stores or Residual Data
• Disclosure: Mobile Application to Web Service
• Denial of Service: Mobile Application
• Elevation of Privilege: Mobile Application or Web Services

[Diagram: threat model components: User, Local App Storage, Mobile Application, Mobile Web Services, Device Keychain, Main Site Pages]

Page 11

AREAS OF CONCERN

How iOS and Android Handle Security

Page 12

Areas of Concern

• Basics of (Secure) Application Development
• Secure Data Storage
• Secure Data Communication
• Mobile Browsers
• Handling SMS and Push Messaging
• Licensing and In-App Payments

Page 13

AREAS OF CONCERN

How iOS and Android Handle Security

Basics of (Secure) Application Development

Page 14

Basics of (Secure) Application Development

• Overview of Application Development
• Overview of Secure Development
• Defeating Platform Environmental Restrictions
• Installing Applications
• Application Permissions Model
• Native Code Execution

Page 15

Overview of Application Development

iOS
• Objective-C is most common
• Swift for newer applications
• iOS Developer Program allows installing and testing applications on developer phones
• Actual applications installed from the iTunes App Store

Android
• Typically written in Java
• Previously: Dalvik VM running DEX bytecode
• More recently: Android Runtime (ART)
• Applications installed from the Google Play store or side-loaded via USB

Page 16

Overview of Secure Development

iOS
• Apple provides a Secure Coding Guide with both:
  • General secure coding recommendations
  • iOS-specific recommendations

Android
• Google provides a Google Group with secure Android coding recommendations
• Many 3rd party resources available as well

Page 17

Defeating Platform Environmental Restrictions

iOS
• iOS devices can be “jailbroken”
• Allows access to the device as the root user
• Allows 3rd party applications to be installed
• Allows for use of alternate app stores

Android
• Android devices can be “rooted”
• Allows for root-level access to the device
• Allows for custom kernels on many devices

Page 18

Installing Applications

iOS
• Non-jailbroken iOS devices:
  • Apple iTunes Store
  • Developers can install applications on a set of test devices
• Alternate app stores for jailbroken devices

Android
• Google Play store
• Side-loading applications
  • For development/debugging
  • For general usage
• Alternate app stores for rooted devices

Page 19

Application Permissions Model

iOS
• App asks for the relevant permission when it is needed
• User can allow or deny
• User can review permissions and which applications are requesting them

Android
• Baked into AndroidManifest.xml
• Fairly fine-grained
• But must be accepted wholesale at install time (Android 6.0 later moved the dangerous permissions to runtime prompts)
• Take a look at what apps from the app store ask for…

Page 20

Native Code Execution

iOS
• Objective-C compiles to ARM machine code
• Objective-C is a superset of C and is not memory-safe by nature
• Swift offers much more protection

Android
• Dalvik/ART should provide memory safety
• Can run native code via the Native Development Kit (NDK), which gives up that memory safety

Page 21

AREAS OF CONCERN

How iOS and Android Handle Security

Secure Data Storage

Page 22

Secure Data Storage

• Local Storage
• Encryption APIs

Page 23

Local Storage

iOS
• iOS (since 3.0) provides AES-based full-disk encryption (hooray!)
• Based on a burned-in hardware UID (hrm…)
• iOS 8 added a 5 second hardware delay to passcode attempts on newer hardware (enforced by the Secure Enclave on A7 and later) (hooray!) and moved more data under the default protection classes

Android
• Uses Linux user/group permissions: each app runs as its own uid, so its private files are unreadable by other apps
• Android 5.0 allows for full-disk encryption with the key protected by the user's PIN or password (hooray!)
• Can also have hardware-backed storage of the encryption key via a Trusted Execution Environment (TEE)

Page 24

Encryption APIs

iOS
• Provides access to a variety of certificate and key management functions
• iOS Keychain provides device-supported encryption capabilities

Android
• Now has the Keystore system
• Allows for more secure storage of key material to prevent unauthorized use
• Provides access to the javax.crypto APIs
• Can also use 3rd party Java libraries for encryption, like BouncyCastle (be careful of vulnerable versions…)

Page 25

AREAS OF CONCERN

How iOS and Android Handle Security

Secure Data Communication

Page 26

Secure Data Communication

• Network Communications
• Protecting Network Communications

Page 27

Network Communications

iOS
• Provides access to BSD sockets
• Provides implementations of many higher-level protocols

Android
• Provides access to the standard java.net.* classes
• Provides access to a number of Apache HTTP utilities
• Provides some Android-specific classes for HTTP/S, SIP, and WiFi

Page 28

Protecting Network Communications

iOS
• Provides implementations of common transport-layer security protocols
• Default settings are not terrible

Android
• Provides access to the javax.net.ssl classes, allowing for TLS network communications
• Be careful using android.net.SSLCertificateSocketFactory, because it makes it easy to disable protections (getInsecure() turns off certificate verification entirely)
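As an added example (not code from the webinar or from Denim Group), the SSLCertificateSocketFactory misuse the slide warns about is shown next to a hardened HttpsURLConnection setup that keeps the platform's chain validation and hostname check and additionally pins the server's public key. The handshake timeout and the expectedSpkiSha256 value are assumptions; in a real app the pin is computed from the server's certificate ahead of time and shipped with the app.

```java
import android.net.SSLCertificateSocketFactory;

import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public final class ApiConnection {
    private static final int HANDSHAKE_TIMEOUT_MS = 10_000; // assumed timeout

    private ApiConnection() {}

    /**
     * INSECURE: the pattern the slide warns about. getInsecure() returns a factory
     * that skips certificate chain validation, and the verifier below accepts any
     * hostname, so an on-path attacker with a self-signed certificate can read and
     * modify the traffic. Shown only so reviewers recognise it; never ship this.
     */
    public static HttpsURLConnection openWithoutVerification(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(SSLCertificateSocketFactory.getInsecure(HANDSHAKE_TIMEOUT_MS, null));
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true; // accepts a certificate issued for any name
            }
        });
        return conn;
    }

    /**
     * HARDENED: the platform's default factory validates the chain against the
     * device trust store, the default verifier checks the hostname, and on top of
     * that the leaf certificate's SubjectPublicKeyInfo is compared against a SHA-256
     * pin carried in the app (expectedSpkiSha256 is an assumed, precomputed value).
     */
    public static HttpsURLConnection openPinned(URL url, byte[] expectedSpkiSha256) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(SSLCertificateSocketFactory.getDefault(HANDSHAKE_TIMEOUT_MS, null));
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        conn.connect(); // completes the TLS handshake; chain and hostname are checked here
        Certificate[] chain = conn.getServerCertificates();
        byte[] actual = spkiSha256((X509Certificate) chain[0]);
        // Constant-time comparison, so the check itself leaks nothing about the pin.
        if (!MessageDigest.isEqual(actual, expectedSpkiSha256)) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("public key pin mismatch for " + url.getHost());
        }
        return conn;
    }

    /** SHA-256 over the DER-encoded SubjectPublicKeyInfo, the usual pinning target. */
    static byte[] spkiSha256(X509Certificate cert) throws SSLPeerUnverifiedException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new SSLPeerUnverifiedException("SHA-256 unavailable: " + e.getMessage());
        }
    }
}
```

When reviewing an Android code base, grep for getInsecure, ALLOW_ALL_HOSTNAME_VERIFIER, and TrustManager implementations whose checkServerTrusted body is empty; those are the usual ways the javax.net.ssl protections get switched off. Pinning only the leaf key as shown means a new pin must ship before the server key rotates, so a production app pins a backup key or the issuing CA's key as well.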

Page 29

AREAS OF CONCERN

How iOS and Android Handle Security

Mobile Browsers

Page 30

Mobile Browsers

• Mobile Browser Basics
• Browser URL Handling

Page 31

Mobile Browser Basics

iOS
• Mobile version of the Safari browser that uses the WebKit HTML rendering engine

Android
• WebKit HTML rendering engine and a version of the Chrome V8 JavaScript engine (the WebView is Chromium-based from Android 4.4 on)

Page 32

Browser URL Handling

iOS
• Allows applications to register to handle different URL schemes
• Apple applications are given precedence for the schemes they register for
• Developers should treat inputs as untrusted

Android
• Allows applications to register to handle events raised by the browser for different protocols
• Uses the Android “intent” facility to deliver them
• Developers should treat inputs as untrusted

Page 33

AREAS OF CONCERN

How iOS and Android Handle Security

Handling SMS and Push Messaging

Page 34

Handling SMS and Push Messages

iOS
• Allows applications to receive push notifications so that they can display a message or download new data
• Must treat inputs from push notifications as potentially malicious

Android
• Cloud to Device Messaging Framework (C2DM) has been deprecated and replaced by Google Cloud Messaging (GCM)
• Must treat inputs from push notifications as potentially malicious
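The Browser URL Handling slide and the push-messaging slide above make the same point: the URL delivered through an intent and the payload delivered through a push are attacker-controlled. The example below is added here and is not code from the webinar or from Denim Group; it routes both inputs through one allow-list policy before the app acts on them. The acme scheme, the screen names, the record_id payload key, and the manifest registration of the two components (as UntrustedInputPolicy$DeepLinkActivity with an intent-filter for the scheme, and UntrustedInputPolicy$PushReceiver for the push receive action) are assumptions for illustration.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Central policy for data that arrives from outside the app: a browser or another
 * app handing us a URL via an intent, or a server pushing a message. Both paths go
 * through the same allow-list before anything is acted on.
 */
public final class UntrustedInputPolicy {
    // Assumed custom scheme and in-app destinations; registered in the manifest
    // with an <intent-filter> for scheme "acme" (assumption for illustration).
    static final String SCHEME = "acme";
    static final Set<String> ALLOWED_SCREENS = new HashSet<>(Arrays.asList("inbox", "order"));
    static final int MAX_ID_LENGTH = 32;

    private UntrustedInputPolicy() {}

    /**
     * Returns the screen to open, or null if the URL must be ignored. Accepts only
     * acme://<screen>/<id> where <screen> is allow-listed and <id> is short and
     * alphanumeric; other schemes (javascript:, file:, http:), extra path segments,
     * query strings and fragments are all rejected rather than "cleaned up".
     */
    public static String screenForUri(Uri uri) {
        if (uri == null || !SCHEME.equals(uri.getScheme())) return null;
        String screen = uri.getHost();
        if (screen == null || !ALLOWED_SCREENS.contains(screen)) return null;
        if (uri.getQuery() != null || uri.getFragment() != null) return null;
        if (uri.getPathSegments().size() != 1) return null;
        return isSafeId(uri.getPathSegments().get(0)) ? screen : null;
    }

    /** Extracts a record id from a push payload, or null if it fails validation. */
    public static String recordIdFromPush(Bundle data) {
        if (data == null) return null;
        String id = data.getString("record_id"); // assumed payload key
        return isSafeId(id) ? id : null;
    }

    /** Identifiers are opaque tokens: 1..MAX_ID_LENGTH ASCII letters or digits. */
    static boolean isSafeId(String id) {
        if (id == null || id.isEmpty() || id.length() > MAX_ID_LENGTH) return false;
        for (int i = 0; i < id.length(); i++) {
            char c = id.charAt(i);
            boolean ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
            if (!ok) return false;
        }
        return true;
    }

    /** Activity exported to the browser: the intent's data is attacker-controlled. */
    public static class DeepLinkActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            Uri uri = getIntent().getData();
            String screen = screenForUri(uri);
            if (screen == null) {
                finish(); // drop anything that is not exactly what we expect
                return;
            }
            // Navigate to `screen` with the validated id; never hand `uri` to a WebView.
        }
    }

    /** Receiver for push messages: the payload is treated like any other network input. */
    public static class PushReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            String id = recordIdFromPush(intent.getExtras());
            if (id == null) return;
            // Use the id only as a hint: fetch the record from the API over TLS rather
            // than trusting any content, URL or display text carried in the push itself.
        }
    }
}
```

The shape matters more than the particular fields: both entry points reject by default and accept only a tightly specified form, and neither one passes the raw input on to a WebView, a file path, or a SQL query. Checking the exact path-segment count and refusing query strings is what stops a crafted acme://inbox/abc?redirect=... link from smuggling extra parameters past the check.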

Page 35

AREAS OF CONCERN

How iOS and Android Handle Security

Licensing and In-App Payments

Page 36

Application Licensing and Payments

iOS
• In-App purchases allow you to sell items from within iOS applications
• StoreKit API allows for these capabilities

Android
• In-App purchases allow you to sell items from within Android applications
• Billing API proxies communications between your application and the relevant Google Play services
• Supports purchases, subscriptions and in-app products

Page 37

So Where Do You Go From Here?

Page 38

So What Should Security People Do?

• Understand the general mobile application threat model and any peculiarities of the platforms your organization supports
• Work with developers to set architecture, design, and coding guidelines and standards
• Test the security of mobile application systems – the entirety of the system, not just the code running on the device – taking into account the security characteristics of your target platform

Page 39

So What Should Developers Do?

• Threat model your mobile application prior to development

• Learn the security properties and capabilities of the platform(s) you develop for

• Stay current as new security vulnerabilities and weaknesses are discovered and as new security capabilities are added to your target platform(s)

Page 40

How Do iOS and Android Handle Security?

• Denim Group Secure Mobile Application Development Reference
  • Overview of Application Development
  • Overview of Secure Development
  • Defeating Platform Environment Restrictions
  • Installing Applications
  • Application Permissions Model
  • Local Storage
  • Encryption APIs
  • Network Communications
  • Protecting Network Communications
  • Application Licensing and Payments
  • Mobile Browser
  • Native Code Execution
  • Browser URL Handling
  • Mobile Application SMS/Push Update Handling

http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html

Page 41

QUESTIONS AND ANSWERS

How iOS and Android Handle Security

Dan Cornell (@danielcornell)