encrypt all the things
play

Encrypt All The Things: Implementing App Mobile Security Nathan - PowerPoint PPT Presentation

Dec 31, 2022 •214 likes •816 views

Encrypt All The Things: Implementing App Mobile Security Nathan Freitas @n8fr8 @guardianproject https://guardianproject.info INTENTION vs. EXECUTION The Guardian Project https://guardianproject.info Secure Your Mobile Life Apps &

  1. Encrypt All The Things: Implementing App Mobile Security Nathan Freitas @n8fr8 @guardianproject https://guardianproject.info

  2. INTENTION vs. EXECUTION

  3. The Guardian Project https://guardianproject.info Secure Your Mobile Life Apps & Tools You Can Trust The Guardian Project creates easy-to-use open source apps, mobile OS security enhancements, and customized mobile devices for people around the world to help them communicate more freely, and protect themselves from intrusion and monitoring.

  4. Session Overview ● Overview of Guardian Project ● Encrypted Files: securing Apps & Developer Libraries arbitrary files from small to large (30m) (30m) ● Threat Models and War ● Secured Networking: defending Stories: Open Discussion about against man-in-the-middle, SSL Risks, Fears and Security Needs stripping, filtering and more (30m) (30m) ● Encrypted Databases: securing ● Hands-On Implementation time structured data in activities, for sample work or debugging services and content providers your own apps with new security (1hr) features (1.5hr)

  5. Encryption a *very* quick introduction

  6. What is Encryption? ● Plaintext + Algorithm + Key =Ciphertext ● Symmetric vs Asymmetric, Private vs Public ● Randomness: Actual vs Pseudo ● Common Cryptography Tools: OpenSSL, PGP (GnuPG!), BouncyCastle

  7. Android Built-in Encryption ● HTTPS / TLS / SSL ● javax.crypto “BouncyCastle” ● OpenSSL ● Full Disk Encryption ● Android KeyChain ( > API 18)

  8. CipherKit https://guardianproject.info/code

  9. CipherKit “Platform” YOUR APP HERE! Cache IOCipher NetCipher Word Android Orbot: SQLCipher HTTP, Tor for java.io.File java.net.* Android SQLite OpenSSL android.database.*

  10. “CipherKit” Dev Libraries CipherKit is designed for Android app developers to make apps that are able to ensure better privacy, security and anonymity SQLCipher: Encrypted Database SQLCipher is an SQLite extension that provides transparent 256-bit AES encryption of database files. It mirrors the standard android.database API. Pages are encrypted before being written to disk and are decrypted when read back. IOCipher: Encrypted Virtual Disk IOCipher is a virtual encrypted disk for apps without requiring the device to be rooted. It uses a clone of the standard java.io API for working with files. Just password handling & opening the virtual disk are what stand between developers and fully encrypted file storage. It is based on libsqlfs and SQLCipher. NetCipher: Encrypted Network Data & Tor Integration NetCipher is improving network security. It provides a strong TLS/SSL verifier to help mitigate weaknesses in the certificate authority system. It eases the implementation of supporting SOCKS and HTTP proxies into applications and also supports onion routing for anonymity and traffic surveillance circumvention.

  11. Let’s take a step back... (to figure out what it is we are worried about)

  12. Basic Threat Modeling ● “What are you worried about?” aka Possible Attack Vectors ● What data are you collecting or services are you providing that might be enticing or exposed? ● Are the potential threats you face coming from the device (other apps or physical access) or the network?

  13. War Stories? ● Have your apps, your business or your users or customers lives or businesses been affected by malware or security breaches? ● Do you work in an industry that has specific requirements related to security and privacy? ● Do you target a region of the world where users might be more exposed to attack, surveillance or privacy violations?

  14. Threat Landscape •Forensic Analysis •Removable Storage •Rooting / Jail breaking •Cloud Services •OS Issues •Targeted Attacks •Infrequent Updates •Device Sharing

  15. Malware on the rise: http://blog.trendmicro.com/trendlabs-security-intelligence/mobile- malware-high-risk-apps-hit-1m-mark/

  16. Cached GPS data stored in plain text http://elifelog.org/book/iphone-gps-cache-data

  17. "Universal Forensic Extraction Devices" can quickly and easily copy all of the data from a mobile phone. If tools like these fall into the wrong hands, it is easy to assume any unencrypted data on a device can be easily stolen. Forensic Extraction http://www.cellebrite.com/mobile-forensics

  18. Man-in-the-Middle: http://thehackernews.com/2013/03/t-mobile-wi-fi-calling- app-vulnerable.html

  19. Trust Levels ID Name Description The primary operator of the mobile device. Assumed to have full access to 1 Owner of the mobile phone the device, potentially secured with a PIN/password screen. An authority figure or criminal who has or will be detaining the Owner[1]; 2 Detainer / criminal / bad actor has access to mobile phone. may have only manual/brute force access, or could have more sophisticated forensic extraction tools. Access to call and message logs (sender/receiver/message content) and 3 Operator of the mobile network cell tower association data (rough location) May know the Owner[1]'s PIN/password, but otherwise has no access to 4 Employer, family or support organization; data or network information; On the receiving end of an emergency message Access to some or all of the the Owner[1]'s data depending upon app data Malicious App / Backdoor / Malware / 5 permissions and encryption, as well as how full the backdoor is. Forensics App Authorization is often required by the user to allow apps to access data.

  20. Assets ID Name Description Trust Level Names, emails, phone numbers, calendar events, mostly [1] Owner 1 Personal data stored on internal device memory [5] Malicious App (as authorized) [1] Owner Text messages, emails, call logs, mostly stored on internal 2 Communication data [3] Operator device memory [5] Malicious App (as authorized) [1] Owner Custom data stored by browsers, chat, social networking 3 Application data [3] Operator (if not HTTP/S or SSL) apps, on both internal and memory card; [5] Malicious App (as authorized) User generated and download photos, videos and music, [1] Owner 4 Media files primarily stored on memory card [5] Malicious App

  21. STRIDE Threat List Type Examples Spoofing - Detainer[2] or Malicious App[5] may gain control of mobile phone and pretend to be Owner[1] Tampering - Malicious App[5] changes configuration data on the device - Malicious App[5] or other system backdoor may disable or block app Repudiation - Operator[3] may passively monitor messages and pass the information along to the Detainer[2] Detainer[2] could have full access to Assets stored on the mobile device Information - Detainer[2] may have physical and logical forensic data extraction tools that can override password controls on Disclosure device and read from "wiped" storage - Operator[3] may learn identity of Support Org[4] - Communications may be blocked from being sent or received by Operator [3] Denial of Service - Mobile phone may be disabled by Operator[3] or Malicious App[5] from running remote wipe Elevation of - Malicious App [5] launches insecured intents or exploits known bug Privilege - Detainer[2] or Operator[3] may be able to impersonate the Owner[1]

  22. Security Controls / Mitigation Type Tactics Authentication - Create a a non obvious passphrase for use in app (vs. Spoofing) - Lock screen of your mobile phone using passphrase or PIN Authorization & Auditing - Do not install any unnecessary, third-party mobile apps with network access (vs Tampering, - Scan your mobile device using available malware tools Repudiation, Elevation of - Install a firewall or network connection monitoring utility Priv) - Use a non-real name registered SIM card and mobile phone - For extra sensitive data, use an app that supports an and password authentication and encrypted database Cryptography and - Use a mobile OS with disk and memory card encryption Identity Protection - Use only browser-based HTTPS services that do not store data locally (vs Information - Do not store or save web service passwords on your mobile phone Disclosure) Alternate - Use VPNs or Tor proxying software to hide source IP and traffic Communications - Use apps/services that work in WIFI only mode if data service disabled (vs Denial of Service) - Use apps that allow device-to-device data sharing

  23. SQLCipher Encrypted Database

  24. SQLCipher: Encrypted DB SQLCipher is an SQLite extension that provides transparent 256-bit AES encryption of database files. It mirrors the standard android.database API. Pages are encrypted before being written to disk and are decrypted when read back. SQLCipher has a small footprint and great performance so it’s ideal for protecting embedded application databases and is well suited for mobile development. ● Blazing fast performance with as little as 5-15% overhead for encryption ● 100% of data in the database file is encrypted ● Uses good security practices (CBC mode, key derivation) ● Zero-configuration and application level cryptography ● Algorithms provided by the peer reviewed OpenSSL crypto library.

  25. CipherKit “Platform” YOUR APP HERE! Cache NetCipher IOCipher Word Android Orbot: SQLCipher HTTP, Tor for java.io.File java.net.* Android SQLite OpenSSL android.database.*

  26. Make attacks difficult with multiple layers Defense in Depth of security

  27. Access to device should not allow Principle of access to all apps and Least Privilege data

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin License : CC-BY-SA 4.0 Introduction What is TLS and why do I need it? TLS stands for Transport Layer Security Difference between https and

360 views • 23 slides
Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve Encrypt-then MAC: encrypt message, then compute MAC of Privacy: use encryption ciphertext. Integrity: use MAC MAC-then-encrypt: First compute MAC, and then

203 views • 3 slides
Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020

Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020

Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020 Whats Close lid to encrypt? Project by Jonas Meurer and me Freelancing systems engineers living in Germany Full-disk encryption

397 views • 16 slides
Why Encrypt Data? We have already discussed authentication and access control as means to

Why Encrypt Data? We have already discussed authentication and access control as means to

Security in Outsourced Databases II Outsourced Databases II (Query Processing on Encrypted Data) Disks replaced Data worthless if encrypted Customer Credit for maintenance Card Number Laptops stolen Backups lost p 1 Why Encrypt Data?

759 views • 19 slides
Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25

Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25

Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System Sandy Clark | Travis Goodspeed | Perry Metzger Zachary Wasserman | Kevin Xu | Matt Blaze Usenix 2011 P25 Modulates voice

147 views • 14 slides
Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt numbers using a simple version of the RSA algorithm. Each team should have two members. Each team-member should complete the exercise as Bob, then pass

228 views • 4 slides
No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2

No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2

. . . . . . . . . . . . . . No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2 , G. Moura 3 1 National Cyber Security Centre The Netherlands 2 Delft University of Technology The

292 views • 18 slides
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1 INTRODUCTION Hanno Bck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project , funded by Linux Foundation's Core

1.09k views • 46 slides
Revelation 1:19 Write the things which you have seen, and the things which are, and the

Revelation 1:19 Write the things which you have seen, and the things which are, and the

Revelation 1:19 Write the things which you have seen, and the things which are, and the things which will take place after this. Revelation 4:1 After these things I looked, and behold, a door standing open in heaven. And the

438 views • 30 slides
No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej

No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej

No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej Korczy nski 2 , Giovane C. M. Moura 3 , Samaneh Tajalizadehkhoob 2 , Jan van den Berg 2 1 National Cyber Security Centre The Netherlands 2 Delft

423 views • 21 slides
Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel Jeffery Linux Foundation Why HTTPS? As our dependency on the internet has grown, the risk to users' privacy and safety has grown along with it.

746 views • 40 slides
tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by

tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by

tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by default, all the time? Crypto 101: Encryption without authentication is useless. Encryption without authentication is like meeting a stranger in a

813 views • 31 slides
Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT)

Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT)

Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT) Incompatible standards, platforms, technologies World Wide Web Consortium (W3C) is in a unique position to create the royalty-free and

273 views • 15 slides
On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G.

On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G.

Motivation The Attacks Concluding Remarks On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G. Paterson Information Security Group Royal Holloway, University of London CCS 2010 Jean Paul

930 views • 68 slides
Why Can't Online Social Networks Encrypt? Ero Balsa , Filipe Beato, Seda Grses KU Leuven NYU

Why Can't Online Social Networks Encrypt? Ero Balsa , Filipe Beato, Seda Grses KU Leuven NYU

Why Can't Online Social Networks Encrypt? Ero Balsa , Filipe Beato, Seda Grses KU Leuven NYU W3C Workshop on Privacy and UserCentric Controls 1 20-21 November 2014, Berlin << Facebook has been able to deploy end-to-end encryption

429 views • 10 slides
Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan

Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan

Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan telework-related security policies and controls based on a zero-trust model. Encrypt client devices storage, encrypt all sensitive data stored on

371 views • 9 slides
Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats threats of of interne internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot

379 views • 27 slides
Important Hardware Security Primitive Rajat Subhra Chakraborty Department of Computer Science and

Important Hardware Security Primitive Rajat Subhra Chakraborty Department of Computer Science and

Physically Unclonable Function: an Important Hardware Security Primitive Rajat Subhra Chakraborty Department of Computer Science and Engineering Indian Institute of Technology Kharagpur, West Bengal, INDIA - 721302 E-mail:

274 views • 23 slides
Local Asymptotic Normality in Quantum Statistics M d lin Gu School of

Local Asymptotic Normality in Quantum Statistics M d lin Gu School of

Local Asymptotic Normality in Quantum Statistics M d lin Gu School of Mathematical Sciences University of Nottingham Richard Gill (Leiden) Jonas Kahn (Paris XI) Bas Janssens (Utrecht) Anna Jencova (Bratislava) Luc Bouten

560 views • 42 slides
Clinical trials and the impact Clinical trials and the impact of regulations of regulations of

Clinical trials and the impact Clinical trials and the impact of regulations of regulations of

Clinical trials and the impact Clinical trials and the impact of regulations of regulations of regulations of regulations Cytel Conference Cytel Conference Octobe Octobe October 12, 2012 October 12, 2012 , , 0 0 David L DeMets, PhD

641 views • 41 slides
Social Media for Success Mark Ellerby @CloudberryOrgUK & @SE_Mentor Martin Hogg

Social Media for Success Mark Ellerby @CloudberryOrgUK & @SE_Mentor Martin Hogg

Social Media for Success Mark Ellerby @CloudberryOrgUK & @SE_Mentor Martin Hogg @MartinHogg #FindItInBrum What's All The Fuss About? 65% of UK spend over one day a month online Take A Look That's on the increase Around because of

645 views • 30 slides
Beata VARGA Central Agricultural Office Food and Feed Safety Directorate HUNGARY E MRAS II,

Beata VARGA Central Agricultural Office Food and Feed Safety Directorate HUNGARY E MRAS II,

Beata VARGA Central Agricultural Office Food and Feed Safety Directorate HUNGARY E MRAS II, WG2 January 2010 1. Clear, well understandable, definite and simply regulation, which is defendable before the court if any disagreement occurs 2.

198 views • 15 slides
PRESENTATION AGM 2015 ABOUT SKDP SKDP is An integrated local development company which works

PRESENTATION AGM 2015 ABOUT SKDP SKDP is An integrated local development company which works

PRESENTATION AGM 2015 ABOUT SKDP SKDP is An integrated local development company which works in partnership with state agencies, the social partners, local elected members and community & voluntary representatives Mission To promote

997 views • 83 slides
Emma Nohrn Member of Parliament So far Lower VAT from 25 % to 6 % on guided nature

Emma Nohrn Member of Parliament So far Lower VAT from 25 % to 6 % on guided nature

Emma Nohrn Member of Parliament So far Lower VAT from 25 % to 6 % on guided nature experiences More than 100 million Euro each year on saving and preserving biological diversity. Marine protected areas, from 6,4% to 13,7 %

222 views • 21 slides

More recommend