Secure App Development on Mobile Platforms
Mohit Mathur, Senior Software Engineer, Symantec
September 10th, 2011
Secure App Development on iOS and Android
Goal of the Session
1. Myths about Data Security on Smartphones
2. How to Develop a Secure Application?
Agenda
1. Popular Smartphone Platforms - iOS & Android
2. Data Storage Options available on iOS and Android
3. Myths about Data Security on Smartphones
4. How to really Safeguard your Data?
5. Conclusion
Data Storage Options Available
• iOS Keychain:
  • Storage area available on iOS devices.
  • Gets preserved across app re-installation.
  • Data lives in the keychain for eternity once saved.
• Android Internal Storage:
  • Store private data on the device memory.
  • Files saved to the internal storage are private to your application.
  • When the user uninstalls the application, the associated files are removed.
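Data Storage Options Available
• iOS Keychain:
    // Create the keychain query
    NSMutableDictionary *addQuery = [[NSMutableDictionary alloc] init];
    // A keychain item needs a class; generic password is used here
    [addQuery setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
    [addQuery setObject:data forKey:(id)kSecValueData];   // data is an NSData *
    // Add data to the keychain
    SecItemAdd((CFDictionaryRef)addQuery, NULL);
• Android Internal Storage:
    // Create file (filesDir is the app's private directory, e.g. from Context.getFilesDir())
    File file = new File(filesDir, "myData");
    DataOutputStream dos = new DataOutputStream(new FileOutputStream(file));
    // Add data to the file
    dos.write(data);   // data is a byte[]
    dos.close();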
Myths about Data Security on Smartphones
• Security features provided by iOS & Android:
  • Passcode
  • Hardware Encryption
  • Encrypted Keychain
  • “Just” Delete your Data
  • Relying on User IDs and File Access
Myths about Data Security on iOS
• Passcode:
  • Anyone with the right know-how can delete a file and your passcode goes away.
  • All it takes is “ONE MINUTE” to do it.
Courtesy: Dark Myles. Source: YouTube
Myths about Data Security on iOS
• Hardware Encryption:
  • Russian security outfit ElcomSoft has discovered a method that allows them to copy and decrypt the memory of iOS devices that have built-in hardware encryption.
  • Using a special RAMDisk driver, they could boot the iOS device in DFU (Device Firmware Upgrade) mode.
  • This exposes the data stored in the memory.
  • Various keys to decrypt the data are extracted from the device by running special tools.
  • ElcomSoft maintains that it will restrict its discovery only to law enforcement, forensic and intelligence organizations.
  • But thousands of similar tools are already freely available on the internet for anyone to use.
Myths about Data Security on iOS
• Encrypted Keychain Backup:
  • There are simple tools available on the internet which void the password set to take an encrypted keychain backup.
  • Within no time a hacker can access any file of your encrypted backup.
• Just “Delete” the Data:
  • People who are already familiar with OS X raw disks know how to access deleted information, like email, images, voicemail and application data.
  • The raw disk gives [hackers] access to the iPhone's entire file system, not just user data, including stuff that's not normally synchronized.
  • Even if you delete data on any iOS device, it's not actually deleted.
  • One should use Apple’s disk utility service to wipe an entire device clean.
Myths about Data Security on Android
• Relying on User IDs and File Access:
  • Filesystem is still accessible to hackers.
  • App data can easily be cloned.
Ever given it a thought? Courtesy: Mohit
Myths about Data Security on Smartphones
• Let's revisit the security features provided by iOS & Android:
  • Passcode
  • Hardware Encryption
  • Encrypted Keychain
  • “Just” Delete your Data
  • Relying on User IDs and File Access
• Just relying on platform security features does not suffice.
How to Really Safeguard your Data
• What does a typical mobile app need?
  • Secure Local Device Storage.
  • Secure Communication with Cloud.
  • Share Data among Same Family of Apps.
How to Really Safeguard your Data
• Secure Data Storage:
  • Use 3 levels of security:
    • Encipher your Data with Stronger Encryption. (Protection from Hacker)
    • Tie Data to the Device. (Strong Protection from Hacker)
    • Sign your app. (Protection from Malicious App)
How to Really Safeguard your Data
• Encrypt Data:
  • iOS - CCCrypt API of Security.h package
    • Uses strong Encryption – AES + 256 bits key.
    • Supports CBC.
• Annotations on the CCCrypt call, in argument order:
  • Flag indicating Encryption; kCCDecrypt for Decryption
  • AES with 128 bits block size
  • Use 0 if no padding
  • Your encryption key
  • Encryption key size
  • Initialization vector
  • Plaintext to encrypt; ciphertext in case of Decryption
  • Length of plaintext
  • Ciphertext; plaintext in case of Decryption
  • Size of ciphertext; size of plaintext in case of Decryption
  • Number of bytes written to encryptedResult
How to Really Safeguard your Data
• Encrypt Data:
  • Android - Bouncy Castle Crypto APIs
    • Uses strong Encryption – AES + 256 bits key.
    • Supports CBC.
• Annotations on the Bouncy Castle code, in order:
  • Consumes the key, salt & iter to initialize the generator
  • Generates the key and IV of the given size
  • Initializing the cipher engine; type – AES, padding – PKCS7
  • Indicating it’s an encryption flow
  • Byte array that will hold the cipher text
  • Encrypting the plaintext
  • Finalizing the cipher text
How to Really Safeguard your Data
• Tie Data to the Device:
  • Use Device Specific Unique Data as a part of your Encryption Key.
  • iOS – MAC address or UDID
  • Android – IMEI for GSM and the MEID or ESN for CDMA phones.
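An added example, not taken from the slides: the "Encrypt Data" and "Tie Data to the Device" advice (AES-256 in CBC mode, key generated from a secret, salt and iteration count, device-specific data as part of the key) written with the standard javax.crypto API rather than Bouncy Castle. The class and method names, the passphrase input and the HMAC integrity tag are assumptions of this example; `deviceId` stands for the IMEI, MEID or ESN, and JCE's `PKCS5Padding` on AES is the PKCS7 scheme the slide names.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
public class DeviceBoundCrypto {
    static final int ITER = 100_000, SALT = 16, IV = 16, TAG = 32;
    // Hypothetical helper names. Derives 64 bytes (AES-256 key | HMAC key); deviceId joins the PBKDF2 salt.
    static byte[] keys(char[] pass, String deviceId, byte[] salt) throws Exception {
        byte[] bound = concat(salt, deviceId.getBytes(StandardCharsets.UTF_8));
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pass, bound, ITER, 512)).getEncoded();
    }
    static byte[] hmac(byte[] k, byte[] data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(k, 32, 32, "HmacSHA256"));   // second half of the derived bytes
        return m.doFinal(data);
    }
    static byte[] concat(byte[]... parts) {
        java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
        for (byte[] p : parts) out.write(p, 0, p.length);
        return out.toByteArray();
    }
    // Output layout: salt | iv | AES-256-CBC ciphertext | HMAC-SHA256 tag (encrypt-then-MAC)
    static byte[] encrypt(byte[] plain, char[] pass, String deviceId) throws Exception {
        byte[] head = new byte[SALT + IV];                    // fresh random salt | iv per message
        new SecureRandom().nextBytes(head);
        byte[] k = keys(pass, deviceId, Arrays.copyOfRange(head, 0, SALT));
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, 0, 32, "AES"), new IvParameterSpec(head, SALT, IV));
        byte[] body = concat(head, c.doFinal(plain));
        return concat(body, hmac(k, body));
    }
    static byte[] decrypt(byte[] blob, char[] pass, String deviceId) throws Exception {
        if (blob.length < SALT + IV + 16 + TAG) throw new GeneralSecurityException("truncated");
        byte[] body = Arrays.copyOfRange(blob, 0, blob.length - TAG);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - TAG, blob.length);
        byte[] k = keys(pass, deviceId, Arrays.copyOfRange(body, 0, SALT));
        if (!MessageDigest.isEqual(tag, hmac(k, body)))       // constant-time, checked before decrypting
            throw new GeneralSecurityException("wrong device, wrong passphrase or tampered data");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(k, 0, 32, "AES"), new IvParameterSpec(body, SALT, IV));
        return c.doFinal(body, SALT + IV, body.length - SALT - IV);
    }
    public static void main(String[] args) throws Exception {   // constructed sample values
        byte[] blob = encrypt("token".getBytes(StandardCharsets.UTF_8), "pass".toCharArray(), "device-A");
        System.out.println(new String(decrypt(blob, "pass".toCharArray(), "device-A"), StandardCharsets.UTF_8));
        try { decrypt(blob, "pass".toCharArray(), "device-B"); }   // blob copied to another device
        catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Device identifiers can be read by anyone holding the device, so the device ID only binds the blob to that device; secrecy still rests on the passphrase.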
How to Really Safeguard your Data
• Sign your App:
  • iOS:
    • Use Apple issued Signing Certs & Provisioning Profiles.
    • In Xcode, under Project → Edit Project Settings → Build → Code Signing Identity, select your Cert to sign your app file.
  • Android:
    • Use Signing Certs issued by any CA (like Symantec).
    • Symantec issues Signing Cert @ $499/year Subscription Charge (https://www.verisign.com/code-signing/sun-java/index.html?sl=productdetails).
    • Use the <signjar> ant task in build.xml to sign your apk file.
  • Platform enforces data sand-boxing for your app.
  • A malicious app cannot access your app data as it's not signed by the same certificate.
How to Really Safeguard your Data
• Secure Communication with Cloud:
  • Use HTTPS protocol.
    • iOS – NSURLConnection + HTTPS Protocol
    • Android – javax.net.ssl.HttpsURLConnection
  • Identify list of supported cipher suites and enable only strong ciphers.
    • Example – TLS_RSA_WITH_AES_256_CBC_SHA
    • iOS – CFNetwork Framework.
    • Android – SSLEngine.h [getSupportedCipherSuites(), setEnabledCipherSuites()]
  • Use MAC (Message Authentication Code) to identify that the request is coming from a legitimate client.
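An added example, not taken from the slides, of the two checks on this slide: narrowing the enabled cipher suites with `getSupportedCipherSuites()` and `setEnabledCipherSuites()`, and authenticating each request with a MAC. The class and method names, the substring filter, the newline-separated message layout, the per-client key and the 5-minute replay window are assumptions of this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

public class HardenedClient {   // hypothetical names throughout
    // From the platform's supported suites keep the AES ones, dropping anonymous and NULL suites.
    static String[] strongSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String s : supported)
            if (s.contains("_AES_") && !s.contains("_anon_") && !s.contains("_NULL_")) keep.add(s);
        if (keep.isEmpty()) throw new IllegalStateException("no strong cipher suite supported");
        return keep.toArray(new String[0]);
    }
    static SSLEngine hardenedEngine() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        engine.setEnabledCipherSuites(strongSuites(engine.getSupportedCipherSuites()));
        return engine;
    }
    // Client: HMAC-SHA256 over method, path, timestamp and body with a per-client key.
    static byte[] requestMac(byte[] key, String method, String path, long ts, String body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal((method + "\n" + path + "\n" + ts + "\n" + body).getBytes(StandardCharsets.UTF_8));
    }
    // Server: reject timestamps outside a 5-minute window (replay), then compare in constant time.
    static boolean verify(byte[] key, String method, String path, long ts, String body, byte[] tag, long now)
            throws Exception {
        return Math.abs(now - ts) <= 300 && MessageDigest.isEqual(tag, requestMac(key, method, path, ts, body));
    }
    public static void main(String[] args) throws Exception {   // constructed sample values
        for (String s : hardenedEngine().getEnabledCipherSuites()) System.out.println(s);
        byte[] key = "per-client-secret".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis() / 1000;
        byte[] tag = requestMac(key, "POST", "/v1/sync", now, "{\"n\":1}");
        System.out.println(verify(key, "POST", "/v1/sync", now, "{\"n\":1}", tag, now));        // unmodified request
        System.out.println(verify(key, "POST", "/v1/sync", now, "{\"n\":2}", tag, now));        // body altered in transit
        System.out.println(verify(key, "POST", "/v1/sync", now, "{\"n\":1}", tag, now + 900));  // presented 15 minutes later
    }
}
```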
How to Really Safeguard your Data
• Share Data among Same Family of Apps:
  • iOS:
    • App ID = <Bundle Seed ID> . <Bundle Identifier>
    • App IDs should be added to the Entitlement.plist file in Xcode.
    • Add the kSecAttrAccessGroup attribute to your keychain.
    • All the apps MUST be signed with the same certificate.
Callout on the slide: Must be Same for all the Apps of your family.
How to Really Safeguard your Data
• Share Data among Same Family of Apps:
  • Android:
    • Add “sharedUserId” attribute value in the AndroidManifest.xml
    • Sign all the apps with the same certificate.
Conclusion
• Do not completely rely on security features provided by the platform.
• Enforce Stronger Security:
  • Encipher your data with stronger encryption.
  • Tie data to the device.
  • App Signing.
  • Eliminate weak SSL cipher suites for your platform.
  • Securely share data among family of applications.
VIP Access
• VIP = Validation & ID Protection.
• Provides OATH Compliant Second Factor Authentication.
• Protects your online accounts by requiring a security code, in addition to your user name and password, for safe and secure account access.
• App available both for Consumer and Enterprise users.
• Supports around 800+ Mobile Devices across the globe.
• To get your own VIP Credential for FREE, log on to the following URL from your mobile browser: m.verisign.com
• For more information, visit: idprotect.verisign.com
Mohit Mathur mohit_mathur@symantec.com