Transcript

The Developer’s Guide to Building Secure Mobile Applications

Why You Should Care

$30 billion: the total worth of mobile devices lost or stolen in the U.S. in 2011. This value equates to 9 million mobile devices, which means that a mobile device is lost or stolen every 3.5 seconds: in 10 minutes, 171 devices are stolen; in 30 minutes, 514 devices are stolen; in 60 minutes, 1,028 devices are stolen. One way or another, malicious characters are accessing your applications.

Top Apps Expose Sensitive Data: Identity 91%, Files 90%, Privacy 67%, Location 67%, Phone 29%, Contacts 16%, Malware 0.1%.

Top Risks to Mobile Apps & How to Deal with Them

1. Unsafe Sensitive Data Storage

RISK: Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card numbers, and online service passwords. Mobile device theft makes up 30% to 40% of all robberies in the United States.

HOW TO FIX: Identify and protect sensitive data. Sensitive data should always be stored encrypted so that attackers cannot simply retrieve it off of the file system. When available, use file encryption APIs that protect secret keys with the device unlock code and render files unrecoverable after a remote wipe.

2. Hardcoded Password/Key

RISK: Hardcoded passwords or keys are sometimes used as a shortcut by developers to make the application easier to implement, support and debug. The ZTE Score M mobile phone came with a hardcoded password which grants access to a root shell backdoor, allowing hackers to gain access to the device.

HOW TO FIX: Do not store passwords or secrets in the application binary. Application binaries can be reverse engineered to detect hardcoded passwords. This renders the security of the application, or of the systems it authenticates to with this password, ineffective.
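The reverse-engineering point above is something a release process can check for itself before an attacker does. The following is an added example (not code from the infographic or from Veracode) in Go: it pulls printable strings out of a binary the way the Unix `strings` tool does, then flags assignment-style credentials ("password=", "api_key:") and long high-entropy runs that look like raw key material. The byte blob, the keyword list and the 4.0 bits/character entropy threshold are all constructed for the demo; a real review would run it over the actual release build and treat every hit as something to investigate, not as proof.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Finding is one suspected hardcoded credential pulled out of a binary blob.
type Finding struct {
	Offset int    // byte offset of the string inside the blob
	Text   string // the extracted printable string
	Reason string // why it was flagged
}

type rawString struct {
	offset int
	text   string
}

// extractStrings works like the Unix `strings` tool: it returns every run of
// printable ASCII at least minLen bytes long, in file order.
func extractStrings(blob []byte, minLen int) []rawString {
	var out []rawString
	start := -1
	flush := func(end int) {
		if start >= 0 && end-start >= minLen {
			out = append(out, rawString{offset: start, text: string(blob[start:end])})
		}
		start = -1
	}
	for i, b := range blob {
		printable := b >= 0x20 && b <= 0x7e
		switch {
		case printable && start < 0:
			start = i
		case !printable:
			flush(i)
		}
	}
	flush(len(blob))
	return out
}

// shannonEntropy returns bits per character; random keys score high, prose scores low.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// keywordRe catches assignment-style secrets: password=..., api_key: "...", token=...
var keywordRe = regexp.MustCompile(`(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*["']?([^\s"']{4,})`)

// keyLikeRe catches bare key material: long runs of base64/hex-style characters.
var keyLikeRe = regexp.MustCompile(`^[A-Za-z0-9+/=_-]{20,}$`)

// ScanForSecrets flags strings that look like embedded credentials. It is a
// triage aid for reviewing release builds, not proof that a string is a secret.
func ScanForSecrets(blob []byte) []Finding {
	var findings []Finding
	for _, rs := range extractStrings(blob, 8) {
		if m := keywordRe.FindStringSubmatch(rs.text); m != nil {
			findings = append(findings, Finding{rs.offset, rs.text, "credential-style assignment (" + m[1] + ")"})
			continue
		}
		if e := shannonEntropy(rs.text); keyLikeRe.MatchString(rs.text) && e > 4.0 {
			findings = append(findings, Finding{rs.offset, rs.text, fmt.Sprintf("high-entropy key-like string (%.2f bits/char)", e)})
		}
	}
	return findings
}

// sampleBinary is a constructed stand-in for an app binary's string table.
var sampleBinary = []byte("\x7fELF\x02\x01\x01\x00\x00\x00\x00" +
	"libcrypto.so.1.1\x00" +
	"db_password=Hunter2!\x00" + // hardcoded credential (constructed)
	"\x01\x02\x03" +
	"Content-Type: application/json\x00" + // benign, must not be flagged
	"b7Ko2xQp9LmZ4vTr8WcN1yHs5FdG3jAe\x00" + // looks like raw key material (constructed)
	"api_key: sk-9f8e7d6c5b4a3\x00" + // hardcoded API key (constructed)
	"Welcome to the banking app\x00") // benign UI text

func main() {
	for _, f := range ScanForSecrets(sampleBinary) {
		fmt.Printf("offset %4d  %-40q  %s\n", f.Offset, f.Text, f.Reason)
	}
}
```

Running it prints three findings (the password assignment, the 32-character key-like string and the API key) and stays silent on the library name, the HTTP header and the UI string. The entropy test is what separates a random key from ordinary text of the same length: the constructed key uses 32 distinct characters, so it scores exactly 5 bits/character, while English prose sits well below 4.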
3. Unauthorized Dialing/SMS/Payments

RISK: Attackers can access a user's financial resources because some smartphone apps give programmatic (automatic) access to phone calls, SMS, roaming data and NFC payments. Toll fraud is now the most prevalent type of mobile malware, accounting for 91% of all mobile malware. Unauthorized SMS text messages could be used as a spreading vector for worms: once a device is infected, a worm can send SMS text messages to all contacts in the address book, and a link sent in the text tricks the recipient into downloading and installing the worm.

HOW TO FIX: Implement controls to prevent unauthorized access to paid-for resources. Review all third-party code integrated with your application; for example, look for whether changes in the phone user's language or location occur. Warn the user and obtain consent for any cost implications of app behavior. Maintain logs of access to paid-for resources in a non-repudiable format (e.g. a signed receipt sent to a trusted server backend, with user consent) and make them available to the end user for monitoring.

4. Unsafe Sensitive Data Transmission

RISK: Mobile devices are especially susceptible because they use wireless communications exclusively, and often public WiFi, which is known to be insecure. Over 1/3 of IT professionals don't encrypt data they send over a mobile device.

HOW TO FIX: Ensure sensitive data is protected in transit. Applications should enforce the use of an end-to-end secure channel (such as SSL/TLS) when sending sensitive information over the wire/air. Applications should not override the trust manager provided by the mobile operating system; doing so may enable attackers to conduct man-in-the-middle attacks using forged SSL certificates.

5. Sensitive Data Leakage

RISK: Sensitive data leakage can be inadvertent, side channel or both. If an app makes poor use of device information and authentication credentials, it can expose sensitive data to third parties.
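The "signed receipt sent to a trusted server backend" in the fix for risk 3 is what gives the access log its non-repudiable property: the device signs each record with a key only it holds, and the backend refuses anything it cannot verify. The block below is an added example in Go (not code from the infographic or from Veracode) that shows both halves: the device-side signing of a receipt for one premium SMS, and the backend log that verifies the Ed25519 signature over the exact bytes received, rejects a replayed receipt by its nonce, and rejects a receipt whose cost was edited after signing. The device id, target number, cost and nonce are constructed sample values; in a real app the private key would be generated and kept in the platform keystore, and the signing would happen only after the user consented to the charge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Receipt records one access to a paid-for resource. Struct field order is
// fixed, so json.Marshal produces one canonical byte string to sign.
type Receipt struct {
	DeviceID  string `json:"device_id"`
	Action    string `json:"action"` // e.g. "sms_send", "call", "nfc_payment"
	Target    string `json:"target"` // destination number or merchant
	CostCents int    `json:"cost_cents"`
	UnixTime  int64  `json:"unix_time"`
	Nonce     string `json:"nonce"` // unique per receipt so the backend can reject replays
}

// SignedReceipt is what the app uploads: the exact bytes signed, plus the signature.
type SignedReceipt struct {
	Payload   string `json:"payload"`   // JSON-encoded Receipt
	Signature string `json:"signature"` // base64 Ed25519 signature over Payload
}

// SignReceipt runs on the device; in production the private key should live in
// the platform keystore so that only this device can produce valid signatures.
func SignReceipt(priv ed25519.PrivateKey, r Receipt) (SignedReceipt, error) {
	payload, err := json.Marshal(r)
	if err != nil {
		return SignedReceipt{}, err
	}
	sig := ed25519.Sign(priv, payload)
	return SignedReceipt{Payload: string(payload), Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

var (
	ErrUnknownDevice = errors.New("receipt: device not enrolled")
	ErrBadSignature  = errors.New("receipt: signature does not verify")
	ErrReplay        = errors.New("receipt: nonce already used")
)

// ReceiptLog is the backend's append-only store; it only admits receipts that
// verify under the public key the device enrolled with.
type ReceiptLog struct {
	keys    map[string]ed25519.PublicKey // device_id -> enrolled public key
	seen    map[string]bool              // "device_id|nonce" pairs already logged
	entries []Receipt
}

func NewReceiptLog() *ReceiptLog {
	return &ReceiptLog{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Enroll registers the device's public key (done once, e.g. at first login).
func (l *ReceiptLog) Enroll(deviceID string, pub ed25519.PublicKey) { l.keys[deviceID] = pub }

// Accept verifies the signature over the payload bytes exactly as received,
// then rejects replays, then appends the receipt.
func (l *ReceiptLog) Accept(sr SignedReceipt) (Receipt, error) {
	var r Receipt
	if err := json.Unmarshal([]byte(sr.Payload), &r); err != nil {
		return r, err
	}
	pub, ok := l.keys[r.DeviceID]
	if !ok {
		return r, ErrUnknownDevice
	}
	sig, err := base64.StdEncoding.DecodeString(sr.Signature)
	if err != nil {
		return r, err
	}
	if !ed25519.Verify(pub, []byte(sr.Payload), sig) {
		return r, ErrBadSignature
	}
	key := r.DeviceID + "|" + r.Nonce
	if l.seen[key] {
		return r, ErrReplay
	}
	l.seen[key] = true
	l.entries = append(l.entries, r)
	return r, nil
}

// Entries returns the accepted receipts, e.g. for the user's monitoring view.
func (l *ReceiptLog) Entries() []Receipt { return l.entries }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	backend := NewReceiptLog()
	backend.Enroll("dev-1", pub)
	// Constructed sample: one premium SMS charged with the user's consent.
	sr, _ := SignReceipt(priv, Receipt{DeviceID: "dev-1", Action: "sms_send", Target: "+15551234567", CostCents: 25, UnixTime: 1700000000, Nonce: "nonce-0001"})
	_, err := backend.Accept(sr)
	fmt.Println("genuine receipt:", err)
	_, err = backend.Accept(sr)
	fmt.Println("replayed receipt:", err)
	tampered := sr
	tampered.Payload = strings.Replace(sr.Payload, `"cost_cents":25`, `"cost_cents":1`, 1)
	_, err = backend.Accept(tampered)
	fmt.Println("tampered receipt:", err)
}
```

Verifying the payload bytes as received, rather than re-serializing the parsed struct, is deliberate: any re-encoding difference between device and server would otherwise break valid signatures, and an attacker-controlled re-encoding step is exactly what signature schemes are meant to exclude.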
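The fix for risk 4 says not to override the platform's trust manager, and the reason is easiest to see by running both kinds of check against a forged certificate. The block below is an added example in Go (not code from the infographic or from Veracode; Go is used because its standard library can build the certificates and run the X.509 chain check offline). It creates a trusted root CA with a genuine certificate for an assumed backend host name, `api.example.com`, and a second, untrusted CA that issues a certificate for the same name, which is what a man-in-the-middle on public WiFi would present. `VerifyStrict` does what the OS trust manager does (chain to a trusted root and match the host name); `VerifyTrustAll` is the "accept everything" override that custom `TrustManager` or `InsecureSkipVerify` code amounts to. All names and serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl. With parent == nil the certificate is
// self-signed (a root CA); otherwise it is signed by parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func serverTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// VerifyStrict is what the platform's trust manager does for you: the chain
// must end at a trusted root and the certificate must be valid for the host.
func VerifyStrict(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// VerifyTrustAll is the anti-pattern: a custom trust manager whose check never
// fails. Every certificate, including a forged one, is accepted.
func VerifyTrustAll(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	return nil
}

// Outcome collects the verification results for the cases in the demo.
type Outcome struct {
	GenuineStrict      error // genuine cert, strict check: nil
	ForgedStrict       error // forged cert, strict check: UnknownAuthorityError
	WrongHostStrict    error // genuine cert checked for another host: HostnameError
	ForgedTrustAll     error // forged cert, trust-all check: nil, which is the problem
	ForgedIsUnknownCA  bool
	WrongHostIsNameErr bool
}

// RunScenario builds a trusted CA with a genuine server certificate, and an
// untrusted CA that issues a forged certificate for the same host name.
func RunScenario() (Outcome, error) {
	const host = "api.example.com" // assumed backend host name
	var o Outcome
	trustedCA, trustedKey, err := issue(caTemplate("Example Corp Root CA", 1), nil, nil)
	if err != nil { return o, err }
	genuine, _, err := issue(serverTemplate(host, 2), trustedCA, trustedKey)
	if err != nil { return o, err }
	untrustedCA, untrustedKey, err := issue(caTemplate("Untrusted CA (not in trust store)", 3), nil, nil)
	if err != nil { return o, err }
	forged, _, err := issue(serverTemplate(host, 4), untrustedCA, untrustedKey)
	if err != nil { return o, err }

	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // the OS trust store, reduced to one root for the demo

	o.GenuineStrict = VerifyStrict(genuine, roots, host)
	o.ForgedStrict = VerifyStrict(forged, roots, host)
	o.WrongHostStrict = VerifyStrict(genuine, roots, "login.example.com")
	o.ForgedTrustAll = VerifyTrustAll(forged, roots, host)
	o.ForgedIsUnknownCA = errors.As(o.ForgedStrict, &x509.UnknownAuthorityError{})
	o.WrongHostIsNameErr = errors.As(o.WrongHostStrict, &x509.HostnameError{})
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("strict, genuine cert:   ", o.GenuineStrict)
	fmt.Println("strict, forged cert:    ", o.ForgedStrict)
	fmt.Println("strict, wrong host:     ", o.WrongHostStrict)
	fmt.Println("trust-all, forged cert: ", o.ForgedTrustAll)
}
```

The strict check rejects the forged certificate as coming from an unknown authority and rejects the genuine one when presented for a different host, which is the behaviour the platform gives an app for free; the trust-all check returns nil for the forgery, so a connection "secured" with it would hand its data to whoever holds the untrusted CA key. If an app must trust a private CA, the fix is to add that CA to the root set (the `roots.AddCert` line) and keep the strict check, never to replace the check itself.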
Certain advertising libraries are commonly found on mobile devices: a Praetorian study found that 38% of apps in the Google Play marketplace were connecting to advertising libraries. Also, users may install applications that can transmit personal data (or other sensitive stored data) unintentionally, but with undesirable consequences.

HOW TO FIX: Secure data integration with third-party services and applications. Vet the security and authenticity of any third-party code or libraries used in your mobile application (e.g. make sure they come from a reliable source, with maintenance and support, and without Trojans). Understand the origin of the third-party components used in the mobile application and the potential threats they may pose. Understand the functionality of what each one does, because it could be leaking information by design (another caution when using third-party code: look for flaws in the code!). Pay particular attention to validating all data received from and sent to non-trusted third-party apps (e.g. ad network software) before processing it within the application.

Want to Dive Deeper? Download our free whitepaper, Understanding the Risks of Mobile Applications, available at: https://info.veracode.com/Whitepaper-2011-Mobile.html

Brought to you by Veracode. Designed by Avalaunch Media.

Sources:
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
http://www.veracode.com/directory/mobileapp-top-10.html
https://www.mylookout.com/_downloads/lookout-state-of-mobile-security-2012.pdf
http://www.pcworld.com/article/262066/mobile_malware_shifts_to_sms_fraud.html
http://news.consumerreports.org/electronics/2012/04/carriers-to-disable-stolen-smart-phones-permanently.html
http://www.echoworx.com/2012/04/more-than-40-percent-dont-encrypt-sensitive-data-on-mobile-devices-says-echoworx-2011-study
http://www.osvdb.com/show/osvdb/82146
http://www.slideshare.net/praetorianlabs/staaf-an-efficient-distributed-framework-for-performing-largescale-android-application-analysis
http://www.forrester.com/Mobile+Is+The+New+Face+Of+Engagement/fulltext/-/E-RES60544?objectid=RES60544

shared by Neostrategos on Aug 14
Mobile apps, there’s one for everything. Has any trend dominated headlines more over the past few years? With mobile usage exploding thanks to smartphone adoption and tablets, it seems like every co...

Publisher

Veracode

Category

Technology