Security Best Practices for Mobile Development
Developer Track
Tom Gersic, Model Metrics / Salesforce.com
Director, Technical Solutions
Twitter: @tomgersic
Safe Harbor
 Safe harbor statement under the Private Securities Litigation Reform Act of 1995:

 This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if
 any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-
 looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of
 product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of
 management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments
 and customer contracts or use of our services.

 The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our
 service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth,
 interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated
 with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain,
 and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling
 non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the
 financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012. This
 document and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

 Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may
 not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently
 available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
All about Model Metrics

 • Now a Salesforce.com Company
 • 10 year track record - 2,000+ cloud engagements
 • Passionate & innovative
 • World-class skills - CRM, Force.com, Heroku, Radian6, Rypple, iOS and Android
 • In-house design studio – ModelFX
 • Mobile experts - iPhone, iPad and Android
Agenda

 1. Fundamental Principles
 2. What iOS and Android Share
 3. iOS Specific Characteristics
 4. Android Specific Characteristics
 5. Salesforce Mobile Offerings
Throwing down the gauntlet…

 Rules
  1. Don’t break the phone or do anything that might break it.
  2. You need to be done before Q&A starts.
  3. If you are successful, you need to tell us how you did it.
Who thinks the data on their phone is secure?
Welcome to Dreamforce 20.12 LTS (GNU)

Last login: Fri Sep 02 12:00:00 2011 from nat-204-14-239-209-sfo.net.salesforce.com

@tomgersic:~$ FUNDAMENTAL SECURITY PRINCIPLES
Vulnerability
Threat
Consequence
Mitigation
Separation of Concerns – Principle of Least Privilege
Security Stack
@tomgersic:~$   WHAT iOS AND ANDROID SHARE
device security
Mobile Device Management Providers
 http://bit.ly/magicmdm
MDM Compliance
OS / data security
Data Security – Hardware Encryption

 • Requires PIN/Passcode on both iOS and Android
 • Supported on
   - iPhone 3GS w/ iOS v4+ (AES 256 bit)
   - Android Honeycomb+ (AES 128 bit)
     • Some manufacturers increase to AES 256 bit (Samsung SAFE)
 • SD Card encryption on Android is manufacturer specific.
OS / application security
Application Sandboxing
Application Signing
In-App Encryption
ASLR (PIE) and DEP
@tomgersic:~$   iOS SPECIFIC CHARACTERISTICS
known historical exploits
Libtiff Image Exploit / Jailbreak
 • iPhone 1 – patched in 1.1.2
 • TIFF buffer overflow
 • No DEP/ASLR – nothing to prevent executing code on the heap
 • Gained root access from viewing an image on the web
Concatenated SMS Exploit – Charlie Miller

 • Takes 519 SMS messages – all but one are invisible
 • Send message -1 of X to underflow the array buffer
 • Can’t be stopped by the user
 • Used to write an entire binary executable to the heap, and run it, taking over the phone.
application sandbox
Stripped down OS

 • Unix/BSD based OS, but…
 • No shell (/bin/sh).
 • No typical Unix utilities like ls, rm, cd, ps, etc.
 • All public apps reviewed.
 • Private “Enterprise” apps contractually limited to internal organization.
iOS Sandbox Specifics
 • All apps (Apple’s and App Store) run as the “mobile” user.
 • Sandboxing is bolted on -- handled via the XNU Sandbox “Seatbelt” kernel extension.
 • Applications run in separate subdirectories of /private/var/mobile/Applications
 • Any app in this directory is loaded with the “container” (sandboxed) profile.
Platform Apps

 • Some platform apps, like Mobile Safari, run with a sandbox profile as well.
Limited Background Processing

 Unlimited:
   - Audio Streaming (Spotify, Pandora)
   - GPS / Navigation
   - VOIP
   - Newsstand app content downloading
   - Hardware integrations (bluetooth, other external accessories)
 Everything else: 10 minute window after the app closes to finish any task.
hardware encryption
Hardware Encryption

 • Everything is encrypted, right?
 • With a PIN/Passcode, Email, Attachments, and some other system files are encrypted while the device is locked
 • Files written by any other app stay decryptable while the device is locked unless the app specifies NSFileProtectionComplete
simple hacking – no jailbreak required
Facebook
My Secret Apps
jailbreak
data security
network security
application security
mitigation
Application Encryption

 • Encrypt your data yourself using PIN / Passcode
 • CoreData/SQLCipher
   - NSIncrementalStore
   - Good Dynamics
 • FMDB/SQLCipher
   - Salesforce Smartstore
Jailbreak Detection

 • Sandbox integrity check: fork() should fail
 • Check for jailbreak files:
   - /Applications/Cydia.app
   - /Library/MobileSubstrate/MobileSubstrate.dylib
   - /var/cache/apt
   - /bin/sh
   - /bin/bash
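An added example, not from the deck or the Salesforce SDK, of the two checks above written as plain C (the POSIX layer an Objective-C app calls into): the fork() sandbox probe and a scan for the artifact paths listed on the slide. The function names and the scoring policy are my own.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Paths the slide lists as typical jailbreak artifacts. */
static const char *const kJailbreakPaths[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/var/cache/apt",
    "/bin/sh",
    "/bin/bash",
};
#define JAILBREAK_PATH_COUNT (sizeof kJailbreakPaths / sizeof kJailbreakPaths[0])

/* Count how many of the given paths exist on this filesystem.
 * A sandboxed App Store app should see none of them; one hit is already a
 * strong signal, but a count gives a score that is easy to log. */
int count_present_paths(const char *const *paths, size_t n) {
    int hits = 0;
    struct stat st;
    for (size_t i = 0; i < n; i++) {
        if (stat(paths[i], &st) == 0) {
            hits++;
        }
    }
    return hits;
}

/* Sandbox integrity probe: under the iOS "container" profile fork() is
 * denied and returns -1. Returns 1 if fork() succeeded (sandbox missing or
 * relaxed), 0 if it failed as expected. When the fork does succeed the child
 * exits at once and the parent reaps it so no zombie is left behind. */
int sandbox_allows_fork(void) {
    pid_t pid = fork();
    if (pid < 0) {
        return 0;              /* expected on an intact iOS sandbox */
    }
    if (pid == 0) {
        _exit(0);              /* child: do nothing */
    }
    waitpid(pid, NULL, 0);     /* parent: reap the child */
    return 1;
}

/* Combine both signals into one indicator count (0 = nothing suspicious).
 * What to do with a non-zero score is app policy: skip local caching,
 * force re-authentication, or just report it to the backend. */
int jailbreak_indicator_count(void) {
    int score = count_present_paths(kJailbreakPaths, JAILBREAK_PATH_COUNT);
    score += sandbox_allows_fork();
    return score;
}

int main(void) {
    /* On a desktop Linux or macOS box /bin/sh exists and fork() works, so the
     * score is non-zero there; the result only means something on a device. */
    printf("jailbreak indicators: %d\n", jailbreak_indicator_count());
    return 0;
}
```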
Enable ASLR in your app

 • ASLR: Address Space Layout Randomization (the app must be built as a Position Independent Executable, PIE, for it to apply)
Stack Canaries

 • AKA Stack Smashing Protection
 • Protect against buffer overflows
 • Places a random known value (canary) before local variables
 • Use Apple LLVM – won’t work with LLVM GCC
Hide Data from App Snapshot Images
@tomgersic:~$ ANDROID SPECIFIC CHARACTERISTICS
newsworthy exploits
NFC Exploit
DroidDream Malware
android sandbox
Android Sandbox
Permissions
Background Processes / App Interaction
The Return of Separation of Concerns and the Principle of Least Privilege
Types of Android Components

 • Activities
 • Intent
 • Service
 • Content Provider
 • Broadcast Receiver
Public / Private Components
But what about custom keyboards?
Keyboard Security Risks
Except Passwords?
 https://github.com/tomgersic/AndroidKeyLogger
@tomgersic:~$ Salesforce SmartStore
Force.com Mobile SDK
 https://github.com/forcedotcom
Salesforce.com Mobile SDK SmartStore

 • SQLite ORM wrapper for Native and Hybrid apps built on the SFDC Mobile SDK
 • NoSQL style JSON-based document store
SmartStore Stack
SmartStore PIN
Who STILL thinks the data on their phone is secure?
Tom Gersic
Director, Technical Solutions
@tomgersic
Lightning web components episode 2- work with salesforce data
 
Lightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionLightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An Introduction
 
Migrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPMigrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCP
 
Scale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceScale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in Salesforce
 
Replicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureReplicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data Capture
 
Modern Development with Salesforce DX
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DX
 
Get Into Lightning Flow Development
Get Into Lightning Flow DevelopmentGet Into Lightning Flow Development
Get Into Lightning Flow Development
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS Connect
 

Security Best Practices for Mobile Development

  • 1. Security Best Practices for Mobile Development Developer Track Tom Gersic, Model Metrics / Salesforce.com Director, Technical Solutions Twitter: @tomgersic
  • 3. All about Model Metrics
      • Now a Salesforce.com company
      • 10 year track record - 2,000+ cloud engagements
      • Passionate & innovative
      • World-class skills - CRM, Force.com, Heroku, Radian6, Rypple, iOS and Android
      • In-house design studio – ModelFX
      • Mobile experts - iPhone, iPad and Android
  • 4. Agenda
      1. Fundamental Principles
      2. What iOS and Android Share
      3. iOS Specific Characteristics
      4. Android Specific Characteristics
      5. Salesforce Mobile Offerings
  • 5. Throwing down the gauntlet… Rules
      1. Don’t break the phone or do anything that might break it.
      2. You need to be done before Q&A starts.
      3. If you are successful, you need to tell us how you did it.
  • 6. Who thinks the data on their phone is secure?
  • 7. Welcome to Dreamforce 20.12 LTS (GNU) Last login: Fri Sep 02 12:00:00 2011 from nat-204-14-239-209-sfo.net.salesforce.com @tomgersic:~$ FUNDAMENTAL SECURITY PRINCIPLES
  • 13. Separation of Concerns – Principle of Least Privilege
  • 15. @tomgersic:~$ WHAT iOS AND ANDROID SHARE
  • 16. @tomgersic:~$ WHAT iOS AND ANDROID SHARE – device security
  • 17. Mobile Device Management Providers http://bit.ly/magicmdm
  • 19. @tomgersic:~$ WHAT iOS AND ANDROID SHARE – OS / data security
  • 20. Data Security – Hardware Encryption
      • Requires a PIN/passcode on both iOS and Android
      • Supported on:
          • iPhone 3GS with iOS v4+ (AES 256 bit)
          • Android Honeycomb+ (AES 128 bit); some manufacturers increase this to AES 256 bit (Samsung SAFE)
      • SD card encryption on Android is manufacturer specific
  • 21. @tomgersic:~$ WHAT iOS AND ANDROID SHARE – OS / application security
  • 26. @tomgersic:~$ iOS SPECIFIC CHARACTERISTICS
  • 27. @tomgersic:~$ iOS SPECIFIC CHARACTERISTICS – known historical exploits
  • 28. Libtiff Image Exploit / Jailbreak
      • Original iPhone – patched in 1.1.2
      • TIFF buffer overflow
      • No DEP/ASLR – nothing to prevent executing code on the heap
      • Gained root access from viewing an image on the web
  • 29. Concatenated SMS Exploit – Charlie Miller
  • 30. Concatenated SMS Exploit
      • Takes 519 SMS messages – all but one are invisible to the user
      • Sends message “-1 of X” to underflow the array buffer
      • Can’t be stopped by the user
      • Used to write an entire binary executable to the heap and run it, taking over the phone
  • 31. @tomgersic:~$ iOS SPECIFIC CHARACTERISTICS – application sandbox
  • 32. Stripped down OS
      • Unix/BSD based OS, but…
      • No shell (/bin/sh)
      • No typical Unix utilities like ls, rm, cd, ps, etc.
      • All public apps reviewed
      • Private “Enterprise” apps contractually limited to the internal organization
  • 33. iOS Sandbox Specifics
      • All apps (Apple’s and App Store) run as the “mobile” user
      • Sandboxing is bolted on – handled via the XNU Sandbox “Seatbelt” kernel extension
      • Applications run in separate subdirectories of /private/var/mobile/Applications
      • Any app in this directory is loaded with the “container” (sandboxed) profile
  • 34. Platform Apps • Some platform apps, like Mobile Safari run with a sandbox profile as well.
  • 35. Limited Background Processing
      Unlimited:
      • Audio streaming (Spotify, Pandora)
      • GPS / navigation
      • VoIP
      • Newsstand app content downloading
      • Hardware integrations (Bluetooth, other external accessories)
      Everything else: 10 minute window after the app closes to finish any task.
  • 36. @tomgersic:~$ iOS SPECIFIC CHARACTERISTICS – hardware encryption
  • 37. Hardware Encryption • Everything is encrypted, right?
  • 38. Hardware Encryption
      • With a PIN/passcode set, Mail messages, attachments, and some other system files are encrypted with keys that are unavailable while the device is locked
      • Every other app’s files stay readable whenever the device is powered on, locked or not, unless the app writes them with NSFileProtectionComplete
  • 39. @tomgersic:~$ iOS SPECIFIC CHARACTERISTICS – simple hacking – no jailbreak required
  • 43. @tomgersic:~$ iOS SPECIFIC CHARACTERISTICS – jailbreak
  • 45. @tomgersic:~$ iOS SPECIFIC CHARACTERISTICS – mitigation
  • 46. Application Encryption
      • Encrypt your data yourself, using the PIN/passcode as the key source
      • CoreData/SQLCipher
          • NSIncrementalStore
          • Good Dynamics
      • FMDB/SQLCipher
          • Salesforce SmartStore
  • 47. Jailbreak Detection
      • Sandbox integrity check: fork() should fail
      • Check for jailbreak files:
          • /Applications/Cydia.app
          • /Library/MobileSubstrate/MobileSubstrate.dylib
          • /var/cache/apt
          • /bin/sh
          • /bin/bash
      • Treat a hit as a signal for your own risk decisions, not proof: on a jailbroken device the same MobileSubstrate the check looks for can hook these calls
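The two checks on this slide as a runnable function. This is an added example, not code from the deck or from Salesforce: the path list is the slide's, the function names (jailbreak_paths_present, sandbox_allows_fork, device_looks_jailbroken) are mine, and it is plain C so it drops into an Objective-C app unchanged or compiles on any Unix to see the logic run.

```c
/*
 * Added example (not from the original deck): the slide's jailbreak checks.
 * Inside the iOS "container" sandbox fork() is denied, and the Cydia /
 * MobileSubstrate / apt / shell paths do not exist, so on a stock device
 * both checks come back clean.
 */
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Paths from the slide; none of them exists on an un-jailbroken device. */
static const char *const kJailbreakPaths[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/var/cache/apt",
    "/bin/sh",
    "/bin/bash",
};

/* Count how many of the given paths exist. access(2) with F_OK answers
 * "does it exist" even when the file is not readable by this user. */
size_t jailbreak_paths_present(const char *const *paths, size_t count)
{
    size_t hits = 0;
    for (size_t i = 0; i < count; i++) {
        if (access(paths[i], F_OK) == 0)
            hits++;
    }
    return hits;
}

/* Sandbox integrity check: the container profile denies process creation,
 * so fork() must fail. Returns 1 if fork succeeded (sandbox gone or absent),
 * 0 if it was refused. The child exits at once and is reaped so the check
 * leaves no stray process behind. */
int sandbox_allows_fork(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;               /* refused: sandbox intact */
    if (pid == 0)
        _exit(0);               /* child: do nothing */
    waitpid(pid, NULL, 0);      /* parent: reap the child */
    return 1;                   /* fork worked: sandbox not enforced */
}

/* Overall verdict: any hit on either check is treated as jailbroken. */
int device_looks_jailbroken(void)
{
    size_t n = sizeof kJailbreakPaths / sizeof kJailbreakPaths[0];
    return jailbreak_paths_present(kJailbreakPaths, n) > 0
        || sandbox_allows_fork();
}
```

On a stock iPhone every path is absent and fork() fails, so device_looks_jailbroken() returns 0; on a desktop Unix, or a jailbroken phone with a shell installed, it returns 1. Use the result to refuse to cache data or to force re-authentication rather than as proof of anything, since a hooked access() or fork() can lie to it.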
  • 48. Enable ASLR in your app
      • ASLR: Address Space Layout Randomization
      • System libraries are randomized for every process, but the app binary itself is only randomized when it is built as a position-independent executable (PIE): set Xcode’s “Generate Position-Dependent Code” to No, and confirm with otool -hv, which shows PIE among the Mach-O header flags
  • 49. Stack Canaries
      • AKA Stack Smashing Protection
      • Protect against buffer overflows
      • Places a random known value (canary) between the local buffers and the saved return address, and checks it before the function returns
      • Use Apple LLVM (clang) with -fstack-protector or -fstack-protector-all – won’t work with LLVM GCC
  • 50. Hide Data from App Snapshot Images
      • iOS writes a screenshot of the app’s current screen to disk when it moves to the background (for the task-switcher animation), so blank or cover sensitive fields in applicationDidEnterBackground: before that snapshot is taken
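How the canary on slide 49 actually catches an overflow, as an added example that is not from the deck: a hand-rolled version of what -fstack-protector inserts, so the check can be run as an ordinary function. The frame layout, the names and the 16-byte buffer size are mine; the real thing is emitted by the compiler in each protected function's prologue and epilogue.

```c
/*
 * Added example (not from the original deck): a simulated stack canary.
 * The compiler places a random word between a function's local buffers and
 * its saved return address and verifies it before returning. Here the
 * "frame" is a byte array laid out the same way and the check is explicit.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define BUF_LEN 16
#define CANARY_LEN ((size_t)sizeof(uint32_t))

/* Random canary with its low byte forced to zero (a "terminator canary"):
 * a strcpy-style overflow stops at the NUL, so it can never rewrite the
 * canary with the value already there. */
uint32_t make_canary(void)
{
    static int seeded = 0;
    if (!seeded) { srand((unsigned)time(NULL)); seeded = 1; }
    return ((uint32_t)rand() << 8) & 0xFFFFFF00u;
}

/* Simulated frame: buffer, then canary, in the order the compiler uses.
 * Copies len bytes of src into the buffer with NO bounds check (the bug the
 * canary guards against), then validates the canary as the epilogue would.
 * Returns 1 if the frame is intact, 0 if it was smashed. The copy is clamped
 * to the frame so the simulation itself never writes out of bounds. */
int copy_and_check(const unsigned char *src, size_t len)
{
    unsigned char frame[BUF_LEN + CANARY_LEN];
    uint32_t canary = make_canary();
    memcpy(frame + BUF_LEN, &canary, CANARY_LEN);

    size_t n = len > sizeof frame ? sizeof frame : len;
    memcpy(frame, src, n);                 /* bytes past 16 land on the canary */

    uint32_t now;
    memcpy(&now, frame + BUF_LEN, CANARY_LEN);
    return now == canary;
}

/* What the real epilogue does on a mismatch: abort instead of returning
 * into attacker-controlled data (the __stack_chk_fail path). */
void handle_input(const unsigned char *src, size_t len)
{
    if (!copy_and_check(src, len))
        abort();
}
```

A 16-byte input leaves the canary untouched and the check passes; a 20-byte input of "A"s overwrites it with 0x41414141, which can never equal a canary whose low byte is zero, so the overflow is caught before a return address could be used.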
  • 51. @tomgersic:~$ ANDROID SPECIFIC CHARACTERISTICS
  • 52. @tomgersic:~$ ANDROID SPECIFIC CHARACTERISTICS – newsworthy exploits
  • 55. @tomgersic:~$ ANDROID SPECIFIC CHARACTERISTICS – android sandbox
  • 58. Background Processes / App Interaction
  • 59. The Return of Separation of Concerns and the Principle of Least Privilege
  • 60. Types of Android Components
      • Activities
      • Services
      • Content Providers
      • Broadcast Receivers
      (Intents are the messages that start or connect these components, not a component type themselves)
  • 61. Public / Private Components
      • A component that declares an intent filter is exported (callable by any app on the device) by default
      • Set android:exported="false" on anything only your own app should reach, and guard what must stay public with an android:permission
  • 62. But what about custom keyboards?
  • 65. @tomgersic:~$ Salesforce SmartStore
  • 66. Force.com Mobile SDK https://github.com/forcedotcom
  • 67. Salesforce.com Mobile SDK SmartStore
      • SQLite ORM wrapper for native and hybrid apps built on the SFDC Mobile SDK
      • NoSQL style JSON-based document store
  • 70. Who STILL thinks the data on their phone is secure?
  • 71. Tom Gersic Director, Technical Solutions @tomgersic