Mobile App Security An introduction Marc Obrador Who am I? Marc - - PowerPoint PPT Presentation

▶

Oct 20, 2022 484 likes •808 views

Mobile App Security An introduction Marc Obrador Who am I? Marc Obrador Co-founder & Head of Product Architecture @ Build38 Barcelona marc@build38.com @marcobrador /in/marc-obrador Build38 | Intro to Mobile App Security February 2020

SLIDE 1

Mobile App Security

An introduction

Marc Obrador

SLIDE 2

Who am I?

Marc Obrador

Co-founder & Head of Product Architecture @ Build38 Barcelona marc@build38.com @marcobrador /in/marc-obrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 3

Agenda

1. Introduction
2. Some Common Threads
1. Man-In-The-Middle
2. App Tampering & Repackaging
3. Root / Jailbreak
3. Recap

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 4

Agenda

1. Introduction
2. Some Common Threads
1. Man-In-The-Middle
2. App Tampering & Repackaging
3. Root / Jailbreak
3. Recap

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 5

Mobile-first world

Why Mobile App Security?

Smartphone = untrusted device

Regulation (depending on market)

Desktop Mobile 2009 2015 2020 20 40 60 80 100

Source: www.gs.statcounter.com

February 2020 Build38 | Intro to Mobile App Security

SLIDE 6

Mobile AppSec vs “traditional” Cyber Securtity

6 February 2020 Build38 | Intro to Mobile App Security

SLIDE 7

Let’s first switch our perspective Is there anything I can do?

Build38 | Intro to Mobile App Security 7 February 2020

SLIDE 8

20 40 60 80

5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit

The hacker’s perspective

Build38 | Intro to Mobile App Security 8 February 2020

SLIDE 9

Is there anything I can do?

Build38 | Intro to Mobile App Security 9 February 2020

SLIDE 10

Make it unattractive for the hacker

Is there anything I can do?

Build38 | Intro to Mobile App Security 10 February 2020

SLIDE 11

20 40 60 80

5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit

Is there anything I can do?

Build38 | Intro to Mobile App Security 11 February 2020

SLIDE 12

20 40 60 80

5 10 15 20 25 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 Investment Income Cumulated Profit

Is there anything I can do?

Build38 | Intro to Mobile App Security 12

1. Increase required investment: Obfuscation + Anti-reversing
2. Reduce income: Diversification
3. Force periodic investment: Renewability

February 2020

SLIDE 13

Things to protect

Build38 | Intro to Mobile App Security 13

User Data Business Data / IP DRM

February 2020

SLIDE 14

Agenda

1. Introduction
2. Some Common Threads
1. Man-In-The-Middle
2. App Tampering & Repackaging
3. Root / Jailbreak
3. Recap

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 15

Agenda

1. Introduction
2. Some Common Threads
1. Man-In-The-Middle
2. App Tampering & Repackaging
3. Root / Jailbreak
3. Recap

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 16

MITM

Build38 | Intro to Mobile App Security 16 February 2020

HTTPS is assumed!

SLIDE 17

MITM with HTTPS?

Build38 | Intro to Mobile App Security 17 February 2020

Android: depends on OEM iOS: requires social engineering

No, if Certificate Pinning is used

SLIDE 18

Agenda

1. Introduction
2. Some Common Threads
1. Man-In-The-Middle
2. App Tampering & Repackaging
3. Root / Jailbreak
3. Recap

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 19

What is it?

19 February 2020 Build38 | Intro to Mobile App Security

1. Download
2. Unpack
3. Modify
4. Repack
5. Distribute

SLIDE 20

But, why?

20 February 2020 Build38 | Intro to Mobile App Security

Cheating on games Getting paid features for free Stealing user data

SLIDE 21

Android: apktool + smali code

21 February 2020 Build38 | Intro to Mobile App Security

SLIDE 22

iOS: dynamic library injection

22 February 2020 Build38 | Intro to Mobile App Security

SLIDE 23

Protecting against app repackaging

Obfuscation Detect it

February 2020 Build38 | Intro to Mobile App Security

SLIDE 24

Agenda

1. Introduction
2. Some Common Threads
1. Man-In-The-Middle
2. App Tampering & Repackaging
3. Root / Jailbreak
3. Recap

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 25

The ”sandbox” model

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 26

Root / Jailbreak Detection

/scottyab/rootbeer /KimChangYoun/rootbeerFresh /Stericson/RootTools /avltree9798/isJailbroken /thii/DTTJailbreakDetection @marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 27

What to do if Root / Jailbreak is found?

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 28

What to do if Root is found?

Sources:

https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 29

Nothing Restrict some sensitive functionality Deny service Design your security model assuming that root can (and will) happen What to do if Root is found?

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 30

Agenda

1. Introduction
2. Some Common Threads
1. Man-In-The-Middle
2. App Tampering & Repackaging
3. Root / Jailbreak
3. Recap

@marcobrador

February 2020 Build38 | Intro to Mobile App Security

SLIDE 31

100% protection does not exist – aim for “good enough”
Certificate Pinning is a good idea
Apps can be reverse engineered and repackaged

§ Move security-relevant logic to backend or write it in native C

Root can be really bad – come up with a plan

Recap

31 February 2020 Build38 | Intro to Mobile App Security

SLIDE 32

Mobile App Security

Marc Obrador

Make it unattractive for the hacker

User Data Business Data / IP DRM

HTTPS is assumed!

No, if Certificate Pinning is used

What to do if Root / Jailbreak is found?

Thank you! Any questions?