Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Similar to Xamarin Security Recipes
Similar to Xamarin Security Recipes (20)
More from Nicolas Milcoff
More from Nicolas Milcoff (11)
Recently uploaded
Recently uploaded (20)
Xamarin Security Recipes
- 1. Security recipes for Xamarin Nico Milcoff CTO | Microsoft MVP
- 2. • Mobile developer • Xamarin specialist • Open Source Contributor • Security enthusiast Who am I?
- 4. Why?
- 9. “ “ I want new features every sprint
- 10. Nobody wants to assume the responsibility when security measures fail.
- 11. OK. But how do I start?
- 18. 1. Architecture, Design and Threat Modeling ● Mobile security includes remote services ● Create a mechanism for enforcing app updates ● Don’t hardcode any keys! ● Lots about architecture and code quality ● Compliance and standardization
- 19. ● Secure sensitive information ● Enforce a minimum device-access-security policy ● Hide sensitive data when moved to background ● Prioritize internal memory for storage ● Encrypt local data using secure key (SQLcipher) 2. Data Storage and Privacy
- 20. ● Don’t rely on symmetric crypto with hardcoded keys ● Never re-use keys ● Store the least possible ● Old crypto = No Crypto. Always use latest and greatest 3. Cryptography
- 21. ● Invalidate sessions and expire tokens ● When the user logs out, the server must acknowledge ● Protect against multiple incorrect login attempts ● Display current sessions and allow blocking them 4. Authentication and Session Management
- 22. ● https:// ● Apple ATS & Android ClearText ● Certificate pinning (new modernhttpclient) ● Always use latest and greatest standards 5. Network Communication
- 23. ● Challenge communication with other apps ● About WebViews: ○ Don’t use them, please. ○ Seriously, don’t. ○ OK, but: Use https / No JS / Cleanup resources 6. Platform interaction
- 24. ● Remove logs! #if DEBUG ● Do not crash, do not expose verbose errors ● AOT still includes metadata ● Bundle assemblies into native code 7. Code Quality and Build Settings
- 25. ● Detect jailbreak / root, debugging, emulation ● Detect inverse engineering tooling ● Detect code editions (#tampering) ● Obfuscate source code (Dotfuscator) 8. Resilience
- 26. Conclusion ● Follow OWASP ● You don’t need to be an expert in security to get it right ● You owe this to your users!
- 27. Thank you! Questions? ● @nmilcoff ● n.milcoff@xablu.com
- 28. • Is your team stuck? • Aren’t you reaching a 5-star rating? • Need an expert’s code review? • Struggle with NuGets and configs?
Editor's Notes
- Multiples plataformas, multiples SO. Las medidas tienen que ser iguales para todas las plataformas, si una clave puede leerse en una app, se lee en todas! Android es usualmente el principal problema Fragmentacion y dispositivos viejos
- En mobile apps, estamos entregando nuestro codigo al usuario, tienen control total del mismo!
- Juego del gato y el ratón, las medidas cambian constantemente
- Recursos limitados para hacer apps mobile No se ve el valor (es invisible) “No soy interesante” como app vendor, nadie me va a querer hackear
- The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. Tools and Resources Community and Networking Education & Training
- 1. We might not be doing things correctly (“we don’t read the manuals”) and any improper usage can be used by an attacker
- The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. Tools and Resources Community and Networking Education & Training Started as a fork of OWASP Application Security Verification Standard OS Agnostic
- Creating guidelines without explaining the “hows” doesn’t bring any value This is not agnostic, this changes with every iOS or Android release
- Creating guidelines without explaining the “hows” doesn’t bring any value This is not agnostic, this changes with every iOS or Android release
- MASVS-L1: Standard Security A mobile app that achieves MASVS-L1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications. MASVS-L2: Defense-in-Depth MASVS-L2 introduces advanced security controls that go beyond the standard requirements. To fulfill MASVS-L2, a threat model must exist, and security must be an integral part of the app’s architecture and design. Based on the threat model, the right MASVS-L2 controls should have been selected and implemented succesfully. This level is appropriate for apps that handle highly sensitive data, such as mobile banking apps. MASVS-R: Resiliency Against Reverse Engineering and Tampering The app has state-of-the-art security, and is also resilient against specific, clearly defined client-side attacks, such as tampering, modding, or reverse engineering to extract sensitive code or data. Such an app either leverages hardware security features or sufficiently strong and verifiable software protection techniques. MASVS-R is applicable to apps that handle highly sensitive data and may serve as a meansof protecting intellectual property or tamper-proofing an app.
- Xamarin.Essentials VersionTracking
- Demo1: Xamarin.Essentials SecureStorage Demo2: BreachDetector IsDeviceLockScreen… https://www.nuget.org/packages/sqlite-net-sqlcipher If there’s a malware installed, can have access to other apps’s storages, read everything and do something with that
- PCLCrypto is a good option, maybe
- BreachDetector expiración de sesion Offline login opens up a lot of scenarios!!
- Si el certificado de dev esta expirado, aun deberia usar SSL Pinning para PRD, ojo con deshabilitarlo y subirlo al repositorio! https://github.com/alexrainman/ModernHttpClient Your users WILL connect through Starbuck’s WiFi USING THE APPROPIATE CHANNEL (HTTPS) IS ONE THING, BUT ENSURING YOU ARE TALKING TO THE RIGHT BACKEND IS A DIFFERENT THING SSL Pinning: Validate the public key of the certificate, which doesn’t change when you renew it
- AOT stands for Ahead of Time compilation, and compiles your code, to the native platform, dependent upon the architecture. .dll -> .so for libs. This means there’s no need for JIT Xamarin.Android does not 100% AOT, Xamarin.iOS does Bundle Assemblies into Native Code When this option is enabled, assemblies are bundled into a native shared library. This allows assemblies to be compressed, permitting smaller .apk files. Assembly compression also confers a minimal form of obfuscation; such obfuscation should not be relied upon. Requires enterprise license. This also makes your code more difficult to tamper!!
- https://go.xablu.com/xamarinsupport-ws
- https://go.xablu.com/xamarinsupport-ws