Upgrading approaches to the secure mobile architectures

Transcript

1. Upgrading approaches to the secure mobile architectures #appbuilders16 @vixentael

2. OR

3. Everything will be BROKEN! #appbuilders16 @vixentael

4. Everything will be BROKEN, so what should we do? #appbuilders16

   @vixentael

5. Intro: this is a picture

6. This is a picture: virgin sight network backend logic the

   app server environment #appbuilders16 @vixentael

7. UI/UX deliver fast! GTD! swift boring crap, waste of life

   maaaagic! magic.. MVP! #appbuilders16 @vixentael This is a picture: mobile focus

8. source of trust risk we control sandbox dragons lots of

   risk even if app is good easy to f*ck up #appbuilders16 @vixentael This is a picture: security vision

9. #appbuilders16 @vixentael This is a picture: the reality FBI CIA

   NSA hackers QA engineers

10. the brains! #appbuilders16 @vixentael This is a picture: our control

11. The problem

12. The problem bad cryptography insecure API’s plaintext traffic data leakage

    denial of service remote jailbreak over bluetooth stolen credentials man-in-the-middle

13. Openness Speed Ignorance The problem #appbuilders16 @vixentael

14. How bad is it? Like this Control Nissan LEAF via

    vulnerable APIs http://www.troyhunt.com/2016/02/controlling- vehicle-features-of-nissan.html #appbuilders16 @vixentael http://www.wired.com/2015/07/gadget-hacks- gm-cars-locate-unlock-start/ http://samy.pl/defcon2015/ hacking cars using OnStar app to locate, unlock and remote start vehicles what could possibly go wrong?
15. None

16. iMessage Recovery of Plaintext iMessage Data using Javascript http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client- recovery-of-plaintext-imessage-data/

    Grab all your iMess aHachments via key enumeraIon http://blog.cryptographyengineering.com/2016/03/attack-of- week-apple-imessage.html #appbuilders16 @vixentael

17. This is how bad it is! #appbuilders16 @vixentael iOS vulnerabilities

    by years raw data from cvedetails.com 0 100 200 300 400 2007 2008 2009 2010 2011 2012 2013 2014 2015 1 9 27 32 37 112 90 120 384

18. This is how bad it is! http://blog.mindedsecurity.com/2015/03/ssl- mitm-attack-in-afnetworking-251-do.html >1500 vulnerable

    apps via flawed AFNetworking <10% popular apps use SSL pinning #appbuilders16 @vixentael iOS vulnerabilities by years raw data from cvedetails.com 0 100 200 300 400 2007 2008 2009 2010 2011 2012 2013 2014 2015 1 9 27 32 37 112 90 120 384

19. SO WHAT?

20. Why does this even happen?

21. Our mindset is wrong a bit “It works” != “It’s

    secure” Mobile’s limited abilities require specific server behavior Mobile is not traditional client- server Design-driven development is frequently a security disaster #appbuilders16 @vixentael

22. Mobile is an odd thin client #appbuilders16 @vixentael – Can

    server really address you by IP address? – Can server expect RFC behavior of your IP stack? – Can server and client share code and components with proper trust? – Is IPC / RPC behavior reciprocal between client and server? – Is client and server equal in their capacity for technical decisions? Mobile considers itself in a proper client-server relationship, but:

23. Mobile is an odd thin client #appbuilders16 @vixentael – Can

    server really address you by IP address? – Can server expect RFC behavior of your IP stack? – Can server and client share code and components with proper trust? – Is IPC / RPC behavior reciprocal between client and server? – Is client and server equal in their capacity for technical decisions? Mobile considers itself in a proper client-server relationship, but: NOPE ;)

24. Mobile security is hard and yet undeveloped #appbuilders16 @vixentael Sophisticated

    problems security-wise No well established techniques Very blurred risk models

25. What exactly are we risking?

26. Identity Data Control What we risk? #appbuilders16 @vixentael

27. Data #appbuilders16 @vixentael personal data health data conversations certificates passwords

    contacts users’ data

28. Identity #appbuilders16 @vixentael identification (credentials) attacker access allowed! application

29. Control #appbuilders16 @vixentael Remember those cars, right?

30. What should we do?

31. Understand the strong sides #appbuilders16 @vixentael limited ecosystem low collateral

    risk things user has and you can trust authentication/trust is quite good data safety almost network passive narrowed threat scope

32. Trust no one. But yourself #appbuilders16 @vixentael trust server less

    explicit trust involve users ☁

33. Echelonization #appbuilders16 @vixentael if the system has one perimeter, it

    will fail!

34. Echelonization #appbuilders16 @vixentael authenticate manually verify credentials use many factors

    ..add more layers of defense!

35. Compartmentalization #appbuilders16 @vixentael limit the access to information to those

    who need to know it in order to perform certain tasks store secure transmit display

36. SO WHAT?

37. Practice time! techniques for your architectures

38. Do all classic things #appbuilders16 @vixentael https://speakerdeck.com/vixentael/avoiding-damage-shame-and- regrets-data-protection-for-mobile-client-server-architectures Protect transport

    well, authenticate server, pin certificates Authenticate everything Encrypt everything in motion and at rest Protect keys well Then escalate with novel techniques read my previous slides

39. End-to-end encryption 101 #appbuilders16 @vixentael users own all keys server

    can’t see anything important transport keys are ephemeral app state does not rely on server state ☁

40. End-to-end encryption 101+1 #appbuilders16 @vixentael https://cossacklabs.com/choose-your-ios-crypto.html large + text

41. Multi-factor authentication #appbuilders16 @vixentael things you have things you know

    things you are phone device sim card ID docs private/public key password address answer to quesIon biometrics of all kinds

42. Multi-factor authentication #appbuilders16 @vixentael things you have things you know

    things you are phone device sim card ID docs private/public key password address answer to quesIon biometrics of all kinds 2+ = MFA && &&

43. Zero-knowledge: problem no trust :( #appbuilders16 @vixentael

44. Zero-knowledge: proof! trust :) #appbuilders16 @vixentael https://cossacklabs.com/introducing_secure_comparator.html wanna know more?

45. Is this it?

46. Combining things: secure app v.1 SSL storage encryption storage encryption

    data leakage MiTM weak SSL #appbuilders16 @vixentael

47. Combining things: secure app v.2 end-to-end encryption #appbuilders16 @vixentael storage

    encryption storage encryption weak auth blind trust ephemeral keys protected transport

48. Combining things: secure app v.3 #appbuilders16 @vixentael end-to-end encryption storage

    encryption storage encryption ephemeral keys protected transport MFA ZKP

49. It is simple, isn’t it?

50. Key points #appbuilders16 @vixentael 1. read these slides again, tapping

    on links 2. read ‘Additional reading’ 3. read my previous presentations 4. analyze your current system 5. implement the techniques 6. ??? 7. profit! …feel free to contact me

51. Thank you for listening @vixentael iOS developer at stanfy.com iOS

    contributor at Themis/cossacklabs.com

52. Additional reading https://medium.com/stanfy-engineering-practices/data-protection-for-mobile-client-server- architectures-6e6dcabd871a Data Protection For Mobile Client-Server Architectures

    http://mashable.com/2016/04/16/apple-security-explained/ How Apple Security works https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html Why you should avoid ssl for your next application https://cossacklabs.com/choose-your-ios-crypto.html Crypto in iOS: choose your destiny https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet OWASP: iOS application security testing cheat sheet