Security - CS 4720 - Mobile Application Development · Mobile Security • Core Features / Best...
CS 4720
Security
CS 4720 – Mobile Application Development
The Traditional Security Model
• The Firewall Approach
• “Keep the good guys in and the bad guys out”
Distributed System Security
• “Islands of Security”
Security with Web Services
• These models were just fine when corporations had their own networks
• If you needed in, you used a VPN
• Now the open Internet is used as the main network
• How does this change the security model?
• Consider this: how do you access a web service?
Security with Web Services
• Firewall security happens at the network layer
• But now we need access on a per-application basis
• How can we achieve that?
Security with Web Services
• Web services are designed to penetrate firewalls, since they use port 80
• Application-level security is needed to examine:
  – Who is making a request
  – What info is being accessed
  – What service is being addressed
• IP based security is still needed though!
Application Security 101
• What are some basic things you do to protect your system at the application level?
• Catch exceptions and don’t show detailed error messages
• Hide interfaces
• “Don’t trust your users”
• Encryption
Application Security 101
• Well… shoot.
• Web services:
  – Have publicly announced interfaces!
  – Must return detailed exceptions to debug systems!
  – At some level, must trust users!
• We need security that is basically content-aware
System Security
• Human: social engineering attacks
• Physical: “steal the server itself”
• Network: treat your server like a 2 year old
• Operating System: the war continues
• Application: just discussed
• Database: protecting the data
Content-Aware Security
• Must be able to inspect content of network traffic
• Must be able to make authorization decisions
• Must be able to make authentication decisions
• Must be able to verify data as valid for this transaction
• Must also deal with confidentiality and privacy concerns (encryption, message integrity, audit)
Web Service Security Concerns
• Unauthorized Access: people view info that they shouldn’t from a message
• Unauthorized Alteration: an attacker modifies part of a message
• Man-in-the-Middle: an attacker sits in-between two parties and views messages (or alters them) as they pass by
• Denial-of-Service: flood the service with so many messages that it can’t keep up
Application Level Security
• Refers to security safeguards built into a particular application that operate independently from the network level security
• Authentication
• Authorization
• Integrity / Confidentiality
• Non-repudiation / Auditing
Authentication
• Verifying that the requester is the requester…
• …and that the service is the service
• This requires a mechanism of “proof of identity”
• What are some ways to accomplish this?
• Username / password
• Signed Certificates
• Authentication Applications
A little closer to home
• Netbadge (or more accurately, PubCookie or Shibboleth)
• http://www.pubcookie.org/docs/how-pubcookie-works.html
Authorization
• Now that we know who you are, what are you allowed to do?
• Permissions
• Role-based security
• How does this work in a database system?
• How about an operating system?
Integrity / Confidentiality
• What happens if a message is:
  – Captured and reused?
  – Captured and modified?
  – Monitored as it passes by in a passive manner?
• How do we verify a message hasn’t been tampered with?
  – Digital signature
• How do we verify it hasn’t been viewed?
  – Encryption
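Added example (not from the original slides): a receiver that uses a digital signature to reject a captured-and-modified message and a one-time nonce to reject a captured-and-reused one. The class names, the nonce scheme and the sample payload are assumptions made for this illustration; it needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added illustration. SignedMessageDemo, Envelope and Receiver are hypothetical names.
public class SignedMessageDemo {

    // What travels over the network: payload, one-time nonce, signature over both.
    record Envelope(String payload, String nonce, byte[] signature) {}

    // Length-prefix the nonce so the nonce/payload boundary cannot be shifted.
    static byte[] signedBytes(String payload, String nonce) {
        return (nonce.length() + ":" + nonce + payload).getBytes(StandardCharsets.UTF_8);
    }

    static Envelope send(PrivateKey key, String payload) throws GeneralSecurityException {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        String nonce = HexFormat.of().formatHex(raw);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(signedBytes(payload, nonce));
        return new Envelope(payload, nonce, s.sign());
    }

    static class Receiver {
        private final PublicKey senderKey;
        private final Set<String> seenNonces = new HashSet<>(); // unbounded here; expire in practice
        Receiver(PublicKey senderKey) { this.senderKey = senderKey; }

        String accept(Envelope e) throws GeneralSecurityException {
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(senderKey);
            s.update(signedBytes(e.payload(), e.nonce()));
            if (!s.verify(e.signature())) return "REJECT: signature does not match content";
            if (!seenNonces.add(e.nonce())) return "REJECT: nonce already used (replay)";
            return "ACCEPT";
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair sender = gen.generateKeyPair();
        Receiver receiver = new Receiver(sender.getPublic());

        // Constructed sample message.
        Envelope original = send(sender.getPrivate(), "reading=42;unit=C");
        Envelope modified = new Envelope("reading=99;unit=C", original.nonce(), original.signature());

        System.out.println("first delivery:  " + receiver.accept(original));
        System.out.println("modified copy:   " + receiver.accept(modified));
        System.out.println("second delivery: " + receiver.accept(original));
        // Passive monitoring is not addressed: the payload is signed but still readable.
        // Confidentiality needs encryption on top, for example TLS.
    }
}
```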
Non-repudiation / Auditing
• When we’re charging to use a web service, how do we prove you used the service so we can charge you?
• How do we track your activities?
• Digitally signed logs, effectively
• Also saves the certificate used to perform the transaction (like a signature on a receipt)
Mobile Security
• Questions to ask yourself as a developer:
  – Is the mobile backend as secure as the app itself?
  – Is data encrypted whenever and wherever it’s stored?
  – Does the app use HTTPS encryption – and enforce it?
  – Has the app binary been scrubbed of sensitive information?
  – Have steps been taken to thwart reverse engineering and analysis?
Mobile Security
• What are the “bad guys” after?
Mobile Security
• Personal data stored on the device
  – Not just name and address!
  – Passwords
  – Confidential documents
  – Financial information
• Sensor data
  – GPS location (to track people)
  – Microphone / Camera (espionage)
• False installs (for ad hits, for instance)
Mobile Security
• Now we know what we are up against
• So… how do we stop them?
• What are some “best practices”?
• What features of the platforms should we be utilizing?
• Where are the attacks coming from (where are the weak points)?
Mobile Security
• Core Features / Best Practices
  – Executing in a sandbox
  – Utilizing system level permissions
  – Implementing application permissions
  – Encrypted or “hardened” file system
  – Remote policy management
  – Remote device locating / wipe
Executing in a Sandbox
• Both iOS and Android run on a Unix-based kernel
• Apps are given their own user id and execution space with each app running in a VM
• By default, one app cannot touch another app’s data
Permissions
• Android: permissions declared up-front on install
• iOS: permissions requested ad hoc during execution
• In both cases, the main problem is an uninformed (or misinformed) user
Permissions
• Example: The app wants to access your location… why?
• Does it have a purpose for the functionality?
• If it does, does the author communicate the benefits of this feature appropriately?
• What is the challenge to do this between Android and iOS?
Encryption / Hardened File System
• What if you just don’t trust Google / Apple?
• For Android, the OS is open source
• Blackberry offered a hardened version for a long time – that’s one reason it was adopted as the platform of choice for the government
• https://copperhead.co/android/
Policy Management
• Ever been issued a laptop as a part of an internship?
• What could you do with / on that machine?
• What protections were on that machine?
Policy Management
• You don’t expect to get to use your personal machine for work stuff…
• …but many (most? all?) people don’t want to have two phones!
• A large problem with mobile security in a corporation is BYOD (Bring Your Own Device)
• How do you keep things separate?
Policy Management
• MDM (Mobile Device Management)
• Can put specific usage policies on a device (if owned by company)
• Can partition away business operations
  – Can run basically like a virtual machine on the same device
• http://www.apple.com/iphone/business/it/
Compression and Obfuscation
• Java bytecode, unlike fully compiled code, is relatively easy to reverse engineer
• Further, we tend to leave lots of “clues” in our code
  – Variable names
  – Class names
  – Method names
• It’s relatively easy to “rebuild” a Java app!
Compression and Obfuscation
• Java programmers also tend to leave a lot of “cruft” behind…
  – Debug messages (logging that’s not needed)
  – Lots of extra whitespace
  – Lots of comments
• Sometimes, you have to get that .apk as small as possible…
Compression and Obfuscation
• ProGuard
  – detects and removes unused classes, fields, methods, and attributes from your packaged app
  – optimizes the bytecode
  – removes unused code instructions
  – obfuscates the remaining classes, fields, and methods with short names
ProGuard
ProGuard

```java
public void onCreate(Bundle paramBundle) {
    super.onCreate(paramBundle);
    WL.createInstance(this);
    WL.getInstance().showSplashScreen(this);
    WL.getInstance().initializeWebFramework(getApplicationContext(), this);
}
```
ProGuard

```java
public void onCreate(Bundle paramBundle) {
    super.onCreate(paramBundle);
    com.worklight.androidgap.b.a.a(this);
    com.worklight.androidgap.b.a.b();
    com.worklight.androidgap.b.a.b(this);
    com.worklight.androidgap.b.a.b().a(getApplicationContext(), this);
}
```
Stack Traces?
• What do you do when a user (or app) submits a stack trace for you to debug?
• Every run of ProGuard generates a mapping.txt file that contains info on how to undo the obfuscation
• This file can be uploaded to Google Play with your .apk and Google will handle it for you!
mapping.txt

```
cs4720.cs.virginia.edu.sensorexample.AccelSensor -> cs4720.cs.virginia.edu.sensorexample.AccelSensor:
    android.hardware.SensorManager mSensorManager -> a
    android.hardware.Sensor mSensor -> b
    double maxValue -> c
    void <init>() -> <init>
    void onCreate(android.os.Bundle) -> onCreate
    void onAccuracyChanged(android.hardware.Sensor,int) -> onAccuracyChanged
    void onSensorChanged(android.hardware.SensorEvent) -> onSensorChanged
    void onResume() -> onResume
    void onPause() -> onPause
    boolean onCreateOptionsMenu(android.view.Menu) -> onCreateOptionsMenu
```
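Added example (not from the original slides, and not ProGuard's own retrace tool): a small reader for the mapping.txt layout shown above that turns an obfuscated member name back into its original declaration and lists which names actually changed. `MappingReader` and its method names are hypothetical, and the reader assumes the simple layout on the slide, with an unindented class line ending in `:` followed by indented member lines.

```java
import java.util.*;

// Added illustration; MappingReader and its method names are hypothetical, not ProGuard's API.
public class MappingReader {
    // obfuscated class name -> original class name
    private final Map<String, String> classes = new HashMap<>();
    // original class name -> (obfuscated member name -> original declarations)
    private final Map<String, Map<String, List<String>>> members = new HashMap<>();

    MappingReader(String mappingText) {
        String current = null;
        for (String line : mappingText.split("\n")) {
            String[] sides = line.strip().split(" -> ", 2);
            if (line.isBlank() || line.startsWith("#") || sides.length != 2) continue;
            if (!Character.isWhitespace(line.charAt(0))) {        // class line ends with ':'
                current = sides[0];
                classes.put(sides[1].replaceAll(":$", ""), current);
                members.put(current, new LinkedHashMap<>());
            } else if (current != null) {                         // indented member line
                members.get(current).computeIfAbsent(sides[1], k -> new ArrayList<>()).add(sides[0]);
            }
        }
    }

    /** Original declarations for an obfuscated class/member pair; empty if unknown. */
    List<String> resolve(String obfClass, String obfMember) {
        String original = classes.get(obfClass);
        if (original == null) return List.of();
        return members.get(original).getOrDefault(obfMember, List.of());
    }

    /** Declarations whose name changed, i.e. the names no longer visible in the shipped app. */
    List<String> renamed(String obfClass) {
        List<String> out = new ArrayList<>();
        String original = classes.get(obfClass);
        if (original == null) return out;
        members.get(original).forEach((obf, decls) -> {
            for (String d : decls) {
                // "type name" or "type name(args)": keep only the member name.
                String name = d.substring(d.indexOf(' ') + 1).replaceAll("\\(.*", "");
                if (!name.equals(obf)) out.add(d + " -> " + obf);
            }
        });
        return out;
    }

    public static void main(String[] args) {
        // Excerpt of the mapping.txt shown on the slide.
        String mapping = String.join("\n",
            "cs4720.cs.virginia.edu.sensorexample.AccelSensor -> cs4720.cs.virginia.edu.sensorexample.AccelSensor:",
            "    android.hardware.SensorManager mSensorManager -> a",
            "    android.hardware.Sensor mSensor -> b",
            "    double maxValue -> c",
            "    void onCreate(android.os.Bundle) -> onCreate",
            "    void onSensorChanged(android.hardware.SensorEvent) -> onSensorChanged");
        MappingReader m = new MappingReader(mapping);
        String cls = "cs4720.cs.virginia.edu.sensorexample.AccelSensor";
        System.out.println(m.resolve(cls, "a"));
        System.out.println(m.renamed(cls));
    }
}
```

On this mapping only the three fields are renamed; the class name and the callbacks that override Android framework methods keep their names, so they stay readable in the shipped app.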
Passwords?
• ProGuard can make things harder…
• … but a password can’t be encrypted, per se, since you have to use it!
• Options?
  – Lock your keys in another encrypted box (or DB)
  – Have the user provide it in some way
  – public / private key handshake
Above All Else
• Common Sense!!!!
• Store hashes of passwords if possible
• Use built-in encrypted stores (like KeyStore or KeyChain) for credentials
• Don’t “overreach” on permissions
• Don’t trust your users - validate all input
• Don’t expose extra functionality
• Don’t run anything as admin