Mobile apps are a major source of security concerns in almost every software solution today. But it doesn't have to be like that: in this session we will explore best practices, tips and tricks from OWASP MASVS that will take your app to the next level! Just remember: you don't need to be an expert to make an app secure.
1. Architecture, Design and Threat Modeling
● Mobile security includes remote services
● Create a mechanism for enforcing app updates
● Don’t hardcode any keys!
● Lots about architecture and code quality
● Compliance and standardization
2. Data Storage and Privacy
● Secure sensitive information
● Enforce a minimum device-access-security policy (e.g. require a device lock screen)
● Hide sensitive data when the app moves to the background
● Prefer internal (app-private) storage over external storage
● Encrypt local data using a securely stored key (SQLCipher)
3. Cryptography
● Don’t rely on symmetric crypto with hardcoded keys
● Never reuse a key for more than one purpose
● Store the least possible
● Old crypto = no crypto. Always use the latest and greatest
4. Authentication and Session Management
● Invalidate sessions and expire tokens
● When the user logs out, the server must acknowledge it (the session is invalidated server-side, not only in the app)
● Protect against multiple incorrect login attempts
● Display current sessions and allow blocking them
5. Network Communication
● HTTPS only
● Apple ATS & Android cleartext-traffic restrictions
● Certificate pinning (the maintained ModernHttpClient fork)
● Always use the latest and greatest standards
6. Platform interaction
● Challenge communication with other apps
● About WebViews:
  ○ Don’t use them, please.
  ○ Seriously, don’t.
  ○ OK, but: HTTPS only / no JS / clean up resources
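The three WebView rules above (HTTPS only, no JavaScript, clean up afterwards) as a Xamarin.Android activity. This is an added example, not code from the talk; the allowed host name and activity are placeholders, and the same idea applies to WKWebView on iOS with its own API.

```csharp
// Added example (not from the talk): a hardened Android WebView for Xamarin.Android.
// HTTPS to one allow-listed host only, JavaScript off, file/content access off, and all
// web state cleared when the screen goes away. "www.example.com" is a placeholder.
using Android.App;
using Android.OS;
using Android.Webkit;

public class SafeWebViewClient : WebViewClient
{
    const string AllowedHost = "www.example.com";   // hypothetical

    public override bool ShouldOverrideUrlLoading(WebView view, IWebResourceRequest request)
    {
        var url = request.Url;
        // Block anything that is not https to the expected host: http://, javascript:,
        // file://, intent: and other hosts. Returning true means "handled", i.e. no navigation.
        if (url.Scheme != "https" || url.Host != AllowedHost)
            return true;
        return false;
    }
}

[Activity(Label = "Help")]
public class HelpActivity : Activity
{
    WebView web;

    protected override void OnCreate(Bundle savedInstanceState)
    {
        base.OnCreate(savedInstanceState);
        web = new WebView(this);
        SetContentView(web);

        var s = web.Settings;
        s.JavaScriptEnabled = false;      // the slide's "no JS"
        s.AllowFileAccess = false;        // no file:// reads of app-private storage
        s.AllowContentAccess = false;     // no content:// provider reads
        s.DomStorageEnabled = false;      // nothing persisted by the page
        s.SetGeolocationEnabled(false);
        web.SetWebViewClient(new SafeWebViewClient());
        web.LoadUrl("https://www.example.com/help");
    }

    protected override void OnDestroy()
    {
        // "Clean up resources": drop cached pages, history, form data, cookies and web storage.
        web.ClearCache(true);
        web.ClearHistory();
        web.ClearFormData();
        CookieManager.Instance.RemoveAllCookies(null);
        WebStorage.Instance.DeleteAllData();
        web.Destroy();
        base.OnDestroy();
    }
}
```

If the page genuinely needs JavaScript, keep the host allow-list and do not expose any object through `AddJavascriptInterface`; every method on such an object becomes callable by any script the WebView ends up running.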
7. Code Quality and Build Settings
● Remove logs! #if DEBUG
● Do not crash, do not expose verbose errors
● AOT still includes metadata
● Bundle assemblies into native code
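The first two bullets (logs that only exist in debug builds, errors that never show internals) in C#. This is an added example, not code from the talk; `DebugLog` and `SafeCall` are names chosen for illustration.

```csharp
// Added example (not from the talk): a logger whose call sites vanish from Release builds,
// and an error handler that never shows internals to the user.
using System;
using System.Diagnostics;

public static class DebugLog
{
    // [Conditional("DEBUG")]: the compiler removes every call to this method, including
    // the evaluation of its arguments, when DEBUG is not defined (Release builds).
    // That is stronger than wrapping only the body in #if DEBUG, which would still build
    // the interpolated string (and any secret in it) at the call site.
    [Conditional("DEBUG")]
    public static void Write(string message) => Console.WriteLine("[app] " + message);
}

public static class SafeCall
{
    // Runs an operation; on failure the user sees a generic message and the app keeps running.
    // Exception details (stack traces, SQL, URLs, tokens) only ever reach the debug log.
    public static string Run(Func<string> operation, string userFacingError)
    {
        try
        {
            return operation();
        }
        catch (Exception ex)
        {
            DebugLog.Write($"operation failed: {ex}");   // compiled out in Release
            return userFacingError;                       // e.g. "Could not load your profile."
        }
    }
}

// Usage (hypothetical LoadProfile):
//   string view = SafeCall.Run(() => LoadProfile(token), "Could not load your profile.");
//   DebugLog.Write($"token={token}");   // emits nothing in Release, so the token is never logged
```

`System.Diagnostics.Debug.WriteLine` already carries the same `[Conditional("DEBUG")]` attribute, so it is safe to use directly; `Console.WriteLine` and `Android.Util.Log` are not conditional and are what ends up in `logcat` on a user's phone.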
• Is your team stuck?
• Not reaching a 5-star rating?
• Need an expert’s code review?
• Struggling with NuGets and configs?
Editor's Notes
Multiple platforms, multiple OSes. The measures have to be the same for every platform: if a key can be read in one app, it can be read in all of them!
Android is usually the main problem
Fragmentation and old devices
In mobile apps we hand our code over to the user, who has full control over it!
Cat-and-mouse game: the countermeasures change constantly
Limited resources for building mobile apps
The value isn't seen (it's invisible)
"I'm not interesting" as an app vendor, nobody is going to want to hack me
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
Tools and Resources
Community and Networking
Education & Training
1. We might not be doing things correctly (“we don’t read the manuals”), and any improper usage can be exploited by an attacker
Started as a fork of OWASP Application Security Verification Standard
OS Agnostic
Creating guidelines without explaining the “hows” doesn’t bring any value
This is not agnostic, this changes with every iOS or Android release
MASVS-L1: Standard Security
A mobile app that achieves MASVS-L1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications.
MASVS-L2: Defense-in-Depth
MASVS-L2 introduces advanced security controls that go beyond the standard requirements. To fulfill MASVS-L2, a threat model must exist, and security must be an integral part of the app’s architecture and design. Based on the threat model, the right MASVS-L2 controls should have been selected and implemented successfully. This level is appropriate for apps that handle highly sensitive data, such as mobile banking apps.
MASVS-R: Resiliency Against Reverse Engineering and Tampering
The app has state-of-the-art security, and is also resilient against specific, clearly defined client-side attacks, such as tampering, modding, or reverse engineering to extract sensitive code or data. Such an app either leverages hardware security features or sufficiently strong and verifiable software protection techniques. MASVS-R is applicable to apps that handle highly sensitive data and may serve as a means of protecting intellectual property or tamper-proofing an app.
Xamarin.Essentials VersionTracking
Demo1: Xamarin.Essentials SecureStorage
Demo2: BreachDetector IsDeviceLockScreen…
https://www.nuget.org/packages/sqlite-net-sqlcipher
If there’s malware installed (or the device is rooted), it can reach other apps’ storage, read everything and do something with it
PCLCrypto is a good option, maybe
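The storage slide (encrypt local data, keep the key out of the code, prefer internal storage) and the SecureStorage / sqlite-net-sqlcipher demos above, combined into one piece of C#. This is an added example, not the talk's demo code. It assumes the Xamarin.Essentials and sqlite-net-sqlcipher NuGets; the `Note` table, file name and key name are placeholders.

```csharp
// Added example (not from the talk): encrypt the local SQLite database with SQLCipher using a
// random key that lives in Xamarin.Essentials SecureStorage (Keychain on iOS, Keystore-backed
// on Android). Assumes NuGets Xamarin.Essentials and sqlite-net-sqlcipher.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;
using SQLite;
using Xamarin.Essentials;

public class Note
{
    [PrimaryKey, AutoIncrement] public int Id { get; set; }
    public string Body { get; set; }
}

public static class EncryptedDb
{
    const string KeyName = "db_key_v1";   // SecureStorage entry name (hypothetical)

    // Returns the existing database key or creates a random one on first run.
    // The key is never hardcoded and never stored next to the database file.
    static async Task<string> GetOrCreateKeyAsync()
    {
        var existing = await SecureStorage.GetAsync(KeyName);
        if (!string.IsNullOrEmpty(existing))
            return existing;

        var raw = new byte[32];                       // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        // Hex text form: SQLCipher treats it as a passphrase and derives the page key
        // with PBKDF2; a 64-hex-char random passphrase is as strong as the raw key.
        var key = BitConverter.ToString(raw).Replace("-", "");
        await SecureStorage.SetAsync(KeyName, key);
        return key;
    }

    public static async Task<SQLiteAsyncConnection> OpenAsync()
    {
        var key = await GetOrCreateKeyAsync();
        // Internal, app-private storage (the slide's "internal memory"), never external/shared storage.
        var path = Path.Combine(FileSystem.AppDataDirectory, "notes.db3");
        // sqlite-net-sqlcipher issues PRAGMA key with this value before any other statement.
        var options = new SQLiteConnectionString(path, storeDateTimeAsTicks: true, key: key);
        var db = new SQLiteAsyncConnection(options);
        await db.CreateTableAsync<Note>();
        return db;
    }
}

// Usage:
//   var db = await EncryptedDb.OpenAsync();
//   await db.InsertAsync(new Note { Body = "only readable with the key from SecureStorage" });
```

Two caveats a practitioner should keep in mind: a user who restores a backup or reinstalls may lose the SecureStorage entry while the database file survives, so treat "cannot open, wrong key" as "wipe and resync" rather than a crash; and on Android the Keystore-wrapped key is only as protected as the device, so this control is for data at rest on a lost or shared phone, not a defense against a fully compromised, rooted device.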
BreachDetector session expiration
Offline login opens up a lot of scenarios!!
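The four rules on the authentication slide are mostly server-side behaviour, which the "mobile security includes remote services" bullet puts in scope. As an added example (not from the talk, and not any real framework's API), here is a minimal C# session service that expires tokens, revokes them on logout, locks an account after repeated wrong passwords, and lets a user list and kill their other sessions. The in-memory dictionaries stand in for a database, and `checkPassword` is a hypothetical hash verifier supplied by the caller.

```csharp
// Added example (not from the talk): server-side session bookkeeping. In-memory stores stand
// in for a database; checkPassword is a hypothetical password-hash verifier.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

public class Session
{
    public string Token;        // random 256-bit value, never derived from user data
    public string User;
    public string Device;       // what the user sees in "current sessions"
    public DateTime ExpiresUtc;
}

public class SessionService
{
    static readonly TimeSpan Lifetime = TimeSpan.FromHours(1);
    static readonly TimeSpan Lockout  = TimeSpan.FromMinutes(15);
    const int MaxFailures = 5;

    readonly Dictionary<string, Session> sessions = new Dictionary<string, Session>();
    readonly Dictionary<string, (int count, DateTime until)> failures = new Dictionary<string, (int, DateTime)>();
    readonly Func<string, string, bool> checkPassword;
    readonly Func<DateTime> now;

    public SessionService(Func<string, string, bool> checkPassword, Func<DateTime> clock = null)
    { this.checkPassword = checkPassword; now = clock ?? (() => DateTime.UtcNow); }

    public Session Login(string user, string password, string device)
    {
        // Locked out: answer exactly as for a wrong password so the response leaks nothing.
        if (failures.TryGetValue(user, out var f) && f.count >= MaxFailures && now() < f.until)
            return null;

        if (!checkPassword(user, password))
        {
            var count = (failures.TryGetValue(user, out var prev) ? prev.count : 0) + 1;
            failures[user] = (count, now() + Lockout);   // counter only resets on success
            return null;
        }
        failures.Remove(user);

        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        var s = new Session { Token = Convert.ToBase64String(raw), User = user, Device = device,
                              ExpiresUtc = now() + Lifetime };
        sessions[s.Token] = s;
        return s;
    }

    // Called on every API request: unknown, revoked and expired tokens are all rejected.
    public Session Authenticate(string token)
    {
        if (token != null && sessions.TryGetValue(token, out var s) && s.ExpiresUtc > now())
            return s;
        sessions.Remove(token ?? "");       // drop expired entries eagerly
        return null;
    }

    // Logout is "acknowledged" by deleting the token server-side; replaying it afterwards fails.
    public void Logout(string token) => sessions.Remove(token ?? "");

    public IEnumerable<Session> ListSessions(string user) =>
        sessions.Values.Where(s => s.User == user && s.ExpiresUtc > now());

    // "Display current sessions and allow blocking them": only the owner may revoke.
    public bool Revoke(string ownerToken, string victimToken)
    {
        var owner = Authenticate(ownerToken);
        return owner != null
            && sessions.TryGetValue(victimToken, out var v)
            && v.User == owner.User
            && sessions.Remove(victimToken);
    }
}
```

The app side stays simple: keep the token in SecureStorage, send it as a bearer header, and treat any 401 as "session gone, go back to the login screen". If the app merely deletes its local copy on logout while the server keeps the token valid, the "server must acknowledge" rule is not met and a copied token keeps working until it expires.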
If the dev certificate is expired, you should still use SSL pinning for PRD; be careful about disabling it and pushing that to the repository!
https://github.com/alexrainman/ModernHttpClient
Your users WILL connect through Starbucks’ Wi-Fi
Using the appropriate channel (HTTPS) is one thing, but ensuring you are talking to the right backend is a different thing
SSL pinning: validate the public key (SubjectPublicKeyInfo) of the certificate, which doesn’t change when the certificate is renewed with the same key pair
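The pinning rule on the network slide and in the notes above (pin the public key, keep pinning in production even when the dev certificate is bad, never commit a disabled check) as C#. This is an added example, not the talk's code and not ModernHttpClient's API: it uses the managed `HttpClientHandler` callback so the hashing logic is visible; on Xamarin the talk recommends the maintained ModernHttpClient fork, whose `NativeMessageHandler` takes the same SPKI hashes in its own pin configuration. The host name and pin values are placeholders; `ExportSubjectPublicKeyInfo` requires a .NET Core 3.0 / .NET Standard 2.1 compatible runtime.

```csharp
// Added example (not from the talk): pin the backend's SPKI SHA-256 hash, not the certificate,
// so a routine renewal with the same key pair keeps working. Host and pins are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedClient
{
    // Base64(SHA-256(SPKI DER)), the same format curl and HPKP use. Ship the current key plus
    // a backup key you already hold offline, so a planned rotation does not brick every install.
    static readonly HashSet<string> Pins = new HashSet<string>
    {
        "sha256/REPLACE_WITH_CURRENT_SPKI_HASH=",
        "sha256/REPLACE_WITH_BACKUP_SPKI_HASH=",
    };

    public static string SpkiHash(X509Certificate2 cert)
    {
        // The DER SubjectPublicKeyInfo is the part that survives certificate renewal.
        byte[] spki = cert.GetRSAPublicKey()?.ExportSubjectPublicKeyInfo()
                   ?? cert.GetECDsaPublicKey()?.ExportSubjectPublicKeyInfo();
        if (spki == null) return null;
        using (var sha = SHA256.Create())
            return "sha256/" + Convert.ToBase64String(sha.ComputeHash(spki));
    }

    public static bool Validate(HttpRequestMessage req, X509Certificate2 cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // 1. Normal validation (trusted chain, hostname, validity dates) must pass first.
        //    Pinning narrows the set of acceptable certificates; it never widens it.
        if (errors != SslPolicyErrors.None) return false;

        // 2. Some certificate in the validated chain must match a pin. Pinning the leaf
        //    is strictest; pinning an intermediate CA key survives more renewals.
        foreach (var element in chain.ChainElements)
            if (Pins.Contains(SpkiHash(element.Certificate)))
                return true;
        return false;
    }

    public static HttpClient Create()
    {
#if DEBUG
        // Dev backend with its own key: add its pin in debug builds only. This compiles out of
        // Release, unlike "accept any certificate", which would ship if someone forgets to revert it.
        Pins.Add("sha256/REPLACE_WITH_DEV_BACKEND_SPKI_HASH=");
#endif
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = Validate
        };
        return new HttpClient(handler) { BaseAddress = new Uri("https://api.example.com/") };
    }
}

// Usage:  var client = PinnedClient.Create();  var me = await client.GetStringAsync("v1/me");
```

To obtain the pin for a server you control, hash the SPKI of its certificate (or of the intermediate CA) with the same `SpkiHash` routine offline and paste the result; when the pin set changes, users on old app versions can only reach the backend if the new key was already listed as the backup, which is why the "enforce app updates" bullet on the first slide matters here too.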
AOT stands for Ahead of Time compilation: your code is compiled to native code for the target platform, dependent upon the architecture.
.dll -> .so for libs. This means there’s no need for JIT
Xamarin.Android is not 100% AOT (IL assemblies still ship and are JIT-compiled); Xamarin.iOS is fully AOT
Bundle Assemblies into Native Code
When this option is enabled, assemblies are bundled into a native shared library. This allows assemblies to be compressed, permitting smaller .apk files. Assembly compression also confers a minimal form of obfuscation; such obfuscation should not be relied upon. Requires an enterprise license. This also makes your code more difficult to tamper with!!