Security CS 4720 Mobile Application Development CS 4720 The - PowerPoint PPT Presentation


  1. Security CS 4720 – Mobile Application Development CS 4720

  2. The Traditional Security Model • The Firewall Approach • “Keep the good guys in and the bad guys out”

  3. Distributed System Security • “Islands of Security”

  4. Security with Web Services • These models were just fine when corporations had their own networks • If you needed in, you used a VPN • Now the open Internet is used as the main network • How does this change the security model? • Consider this: how do you access a web service?

  5. Security with Web Services • Firewall security happens at the network layer • But now we need access on a per-application basis • How can we achieve that?

  6. Security with Web Services • Web services are designed to penetrate firewalls, since they use port 80 • Application-level security is needed to examine: – Who is making a request – What info is being accessed – Which services are being addressed • IP-based security is still needed though!

  7. Application Security 101 • What are some basic things you do to protect your system at the application level? • Catch exceptions and don’t show detailed error messages • Hide interfaces • “Don’t trust your users” • Encryption

  8. Application Security 101 • Well… shoot. • Web services: – Have publicly announced interfaces! – Must return detailed exceptions to debug systems! – At some level, must trust users! • We need security that is basically content-aware

  9. System Security • Human: social engineering attacks • Physical: “steal the server itself” • Network: treat your server like a 2-year-old • Operating System: the war continues • Application: just discussed • Database: protecting the data

  10. Content-Aware Security • Must be able to inspect content of network traffic • Must be able to make authorization decisions • Must be able to make authentication decisions • Must be able to verify data as valid for this transaction • Must also deal with confidentiality and privacy concerns (encryption, message integrity, audit)

  11. Web Service Security Concerns • Unauthorized Access: people view info that they shouldn’t from a message • Unauthorized Alteration: an attacker modifies part of a message • Man-in-the-Middle: an attacker sits in between two parties and views messages (or alters them) as they pass by • Denial-of-Service: flood the service with so many messages that it can’t keep up

  12. Application Level Security • Refers to security safeguards built into a particular application that operate independently of network-level security • Authentication • Authorization • Integrity / Confidentiality • Non-repudiation / Auditing

  13. Authentication • Verifying that the requester is the requester… • … and that the service is the service • This requires a mechanism of “proof of identity” • What are some ways to accomplish this? • Username / password • Signed Certificates • Authentication Applications

  14. A little closer to home • Netbadge (or more accurately, PubCookie or Shibboleth) • http://www.pubcookie.org/docs/how-pubcookie-works.html

  15. Authorization • Now that we know who you are, what are you allowed to do? • Permissions • Role-based security • How does this work in a database system? • How about an operating system?

  16. Integrity / Confidentiality • What happens if a message is: – Captured and reused? – Captured and modified? – Monitored as it passes by in a passive manner? • How do we verify a message hasn’t been tampered with? – Digital signature • How do we verify it hasn’t been viewed? – Encryption
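As an added example (not from the slides), the first two cases on this slide in Python: a shared-key HMAC over the whole message so that any alteration is detected, plus a timestamp and a fresh nonce so that a captured message cannot be reused. Passive monitoring is the case this does not address; that needs encryption (HTTPS), as the slide says. The key and message values are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Constructed shared secret for the example; a real deployment provisions one per client.
SHARED_KEY = b"example-shared-key-not-for-production"


def _canonical(envelope: dict) -> bytes:
    """Serialise everything except the MAC deterministically so both sides hash the same bytes."""
    unsigned = {k: v for k, v in envelope.items() if k != "mac"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, payload: dict, now: Optional[float] = None) -> dict:
    """Client side: wrap the payload with a timestamp and fresh nonce, then MAC the whole envelope."""
    envelope = {
        "payload": payload,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
    }
    envelope["mac"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class Verifier:
    """Service side: rejects altered, stale and replayed envelopes."""

    def __init__(self, key: bytes, max_age_s: int = 300):
        self.key = key
        self.max_age_s = max_age_s
        self.seen_nonces: Set[str] = set()

    def verify(self, envelope: dict, now: Optional[float] = None) -> str:
        now = now if now is not None else time.time()
        expected = hmac.new(self.key, _canonical(envelope), hashlib.sha256).hexdigest()
        # Constant-time compare: any modified byte (payload, ts or nonce) changes the MAC.
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return "rejected: altered"
        # A stale timestamp bounds how long a captured message stays usable at all.
        if abs(now - envelope["ts"]) > self.max_age_s:
            return "rejected: stale"
        # A nonce seen before means a valid message is being reused.
        if envelope["nonce"] in self.seen_nonces:
            return "rejected: replayed"
        self.seen_nonces.add(envelope["nonce"])
        return "accepted"
```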

  17. Non-repudiation / Auditing • When we’re charging to use a web service, how do we prove you used the service so we can charge you? • How do we track your activities? • Digitally signed logs, effectively • Also saves the certificate used to perform the transaction (like a signature on a receipt)

  18. Mobile Security • Questions to ask yourself as a developer: – Is the mobile backend as secure as the app itself? – Is data encrypted whenever and wherever it’s stored? – Does the app use HTTPS encryption – and enforce it? – Has the app binary been scrubbed of sensitive information? – Have steps been taken to thwart reverse engineering and analysis?

  19. Mobile Security • What are the “bad guys” after?

  20. Mobile Security • Personal data stored on the device – Not just name and address! – Passwords – Confidential documents – Financial information • Sensor data – GPS location (to track people) – Microphone / Camera (espionage) • False installs (for ad hits, for instance)

  21. Mobile Security • Now we know what we are up against • So… how do we stop them? • What are some “best practices”? • What features of the platforms should we be utilizing? • Where are the attacks coming from (where are the weak points)?

  22. Mobile Security • Core Features / Best Practices – Executing in a sandbox – Utilizing system-level permissions – Implementing application permissions – Encrypted or “hardened” file system – Remote policy management – Remote device locating / wipe

  23. Executing in a Sandbox • Both iOS and Android run on a Unix-based kernel • Apps are given their own user id and execution space, with each app running in a VM • By default, one app cannot touch another app’s data

  24. Permissions • Android: permissions declared up-front on install • iOS: permissions requested ad hoc during execution • In both cases, the main problem is an uninformed (or misinformed) user

  25. Permissions • Example: The app wants to access your location… why? • Does it have a purpose for the functionality? • If it does, does the author communicate the benefits of this feature appropriately? • What is the challenge to do this between Android and iOS?

  26. Encryption / Hardened File System • What if you just don’t trust Google / Apple? • For Android, the OS is open source • Blackberry offered a hardened version for a long time – that is one reason it was adopted as the platform of choice for the government • https://copperhead.co/android/

  27. Policy Management • Ever been issued a laptop as a part of an internship? • What could you do with/on that machine? • What protections were on that machine?

  28. Policy Management • You don’t expect to get to use your personal machine for work stuff… • … but many (most? all?) people don’t want to have two phones! • A large problem with mobile security in a corporation is BYOD (Bring Your Own Device) • How do you keep things separate?

  29. Policy Management • MDM (Mobile Device Management) • Can put specific usage policies on a device (if owned by company) • Can partition away business operations – Can run basically like a virtual machine on the same device • http://www.apple.com/iphone/business/it/

  30. Compression and Obfuscation • Java bytecode, unlike fully compiled code, is relatively easy to reverse engineer • Further, we tend to leave lots of “clues” in our code – Variable names – Class names – Method names • It’s relatively easy to “rebuild” a Java app!

  31. Compression and Obfuscation • Java programmers also tend to leave a lot of “cruft” behind… – Debug messages (logging that’s not needed) – Lots of extra white space – Lots of comments • Sometimes, you have to get that .apk as small as possible…

  32. Compression and Obfuscation • ProGuard – detects and removes unused classes, fields, methods, and attributes from your packaged app – optimizes the bytecode – removes unused code instructions – obfuscates the remaining classes, fields, and methods with short names

  33. ProGuard

  34. ProGuard (before obfuscation)
    public void onCreate(Bundle paramBundle) {
        super.onCreate(paramBundle);
        WL.createInstance(this);
        WL.getInstance().showSplashScreen(this);
        WL.getInstance().initializeWebFramework(getApplicationContext(), this);
    }

  35. ProGuard (after obfuscation)
    public void onCreate(Bundle paramBundle) {
        super.onCreate(paramBundle);
        com.worklight.androidgap.b.a.a(this);
        com.worklight.androidgap.b.a.b();
        com.worklight.androidgap.b.a.b(this);
        com.worklight.androidgap.b.a.b().a(getApplicationContext(), this);
    }

  36. Stack Traces? • What do you do when a user (or app) submits a stack trace for you to debug? • Every run of ProGuard generates a mapping.txt file that contains info on how to undo the obfuscation • This file can be uploaded to Google Play with your .apk and Google will handle it for you!
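As an added example (not from the slides, and not ProGuard's own retrace tool), a minimal retrace in Python: it parses the mapping.txt layout ProGuard writes and rewrites obfuscated stack-trace frames back to the original class and method names, using the line-number ranges in the mapping when several methods share one short name. The mapping excerpt, class names and stack trace are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed mapping.txt excerpt in ProGuard's "original -> obfuscated" layout (names are invented).
MAPPING_TXT = """\
com.example.app.MainActivity -> com.example.app.MainActivity:
    void onCreate(android.os.Bundle) -> onCreate
com.example.app.WL -> com.example.app.b.a:
    com.example.app.WL instance -> c
    14:20:void createInstance(android.content.Context) -> a
    22:30:void showSplashScreen(android.app.Activity) -> b
    31:45:void initializeWebFramework(android.content.Context,android.app.Activity) -> b
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# optional "start:end:" range, type, name, optional "(params)" (field lines have none), obfuscated name
MEMBER_RE = re.compile(r"^\s+(?:(\d+):(\d+):)?\S+ (\S+?)(\(.*?\))?(?::\d+)* -> (\S+)$")
FRAME_RE = re.compile(r"^(\s*at )([\w.$]+)\.([\w$<>]+)\((.*?)(?::(\d+))?\)$")


def parse_mapping(text: str):
    """Build obfuscated->original lookups for classes and for methods (with their line ranges)."""
    classes: Dict[str, str] = {}
    methods: Dict[Tuple[str, str], List[Tuple[int, int, str]]] = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            orig_cls, current = m.groups()
            classes[current] = orig_cls
            continue
        m = MEMBER_RE.match(line)
        if m and current and m.group(4) is not None:  # group 4 is the parameter list; fields have none
            start, end, name, _params, obf = m.groups()
            methods.setdefault((current, obf), []).append((int(start or 0), int(end or 0), name))
    return classes, methods


def retrace(stack_trace: str, classes, methods) -> str:
    """Rewrite 'at pkg.a.b(SourceFile:NN)' frames to their original class and method names."""
    out = []
    for line in stack_trace.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            out.append(line)
            continue
        prefix, obf_cls, obf_method, source, lineno = m.groups()
        cands = methods.get((obf_cls, obf_method), [])
        if lineno:  # several methods can share one short name; the line range picks the right one
            cands = [c for c in cands if c[0] <= int(lineno) <= c[1]] or cands
        names = list(dict.fromkeys(c[2] for c in cands)) or [obf_method]
        loc = f"{source}:{lineno}" if lineno else source
        out.append(f"{prefix}{classes.get(obf_cls, obf_cls)}.{'|'.join(names)}({loc})")
    return "\n".join(out)
```

When a frame carries no line number, every original method that maps to the short name is listed, separated by `|`.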
