© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
CYA: MOBILE APP SECURITY
Begins at the Server
Connect with us
Connect with us on Twitter @NowSecureMobile
Visit our website at https://www.nowsecure.com
Ted Eull
VP, Risk and Privacy
● Built NowSecure’s mobile security
and risk assessment practices
● 15+ years in development and
information security
● Certified CRISC, GWAPT
Contents
● The mobile backend
● Backend security challenges
● Backend security fundamentals
● A five-step plan
● Questions
The mobile backend
A simplified diagram
Various implementations
● Proprietary / On-prem - you provision servers, configure the OS, write APIs, etc. yourself and host the technology in a datacenter you control or access. Example: your server room
● Infrastructure-as-a-Service (IaaS) - a third party provides physical or virtual servers, and essential resources such as network and block storage. You provision the OS and software but don’t access or control the hosting environment. Examples: VM instances in EC2, Rackspace
● Platform-as-a-Service (PaaS) - rather than build systems on third-party servers, you access a provided platform such as a database or app-building platform and configure within that platform. Examples: Google App Engine, Force.com, Azure SQL DB
● Software-as-a-Service (SaaS) - a complete software application you may access via REST APIs (typically) in addition to web-based access. Examples: Zendesk, Stripe, Salesforce, etc.
Normally a combination of these
One app, many APIs
A single app can have many backend services
Challenges in securing your mobile app’s backend
Keeping up with the pace of mobile
● Demand for new features to compete
● Short cycles, frequent releases
● New technology with different or fewer security controls (e.g. NoSQL)
● Developers retooling skills to new technology quickly
● Numerous functions and libraries, incorporation of OSS
● Less time for infrastructure review
● Instituting security checkpoints with agile
● Proliferation of micro-services
Consumers want the app yesterday
Mobile API services are web services
● Common misconception that mobile services are more secure by default (false)
● Manipulating web traffic in-browser is easier, but mobile APIs can be attacked by injection, fuzzing, and brute force
● HTTPS (TLS) does not protect from attacks or ensure the client is your app
● Proxies, web app firewalls and proper server config can help repel attacks
hidden != secure
Security responsibilities
MBaaS
● MBaaS is a form of PaaS providing API configuration/coding, data object management, data connectors, versioning, access control and more through custom hosted interfaces.
● Offerings range from simpler API builders to fully-featured management systems.
● e.g. Appcelerator Arrow, Parse, Firebase, AWS Mobile Hub, Azure Mobile Services
● Key issues
○ Assurance of security in infrastructure
○ Provider stability
○ Auditability
○ Granularity of control
Faster, easier... but secure? It depends
Real world examples
● API communications without HTTPS - Many apps fail to use TLS on some or all API calls, exposing sensitive data such as user location or personal info. (NFL Mobile app, CBS Sports app)
● Instagram bug (delete comments) - A 10-year-old from Finland proved he could delete anyone’s comments (including Justin Bieber’s) and received a $10k bug bounty.
● Trusting input from the mobile app - NowSecure’s @0xroot responsibly disclosed that Evernote trusted the app to tell it whether the customer was “premium” or “free”, enabling a user to get elevated access without paying.
● Improper authentication / session management - A banking app (!!) function enabled a user to change the password without being authenticated.
● User data enumeration (no authentication required) - By knowing some user info we could rapidly query the API endpoint and ultimately access SSNs for some accounts.
● Open API for credit card validation - We found an open API endpoint that would validate credit card numbers with no rate limiting and an easily stolen credential.
Involving insecure backend
Security fundamentals for your mobile backend
Proven security techniques
Secure backend systems with these famous infosec techniques:
● Limit access
● Harden servers
● Update software
● Monitor and log
● Develop securely*
● Hack yourself
*Easier said than done, but you have to try.
Limit access
● Require secure connections - VPN + SSH
● Use firewall rules to control connections
● Use strong multi-factor authentication
● No apps running as root
● Do your developers have access to production?
● Physical access still matters
Least privilege for all!
Harden servers + update software
● Use a standard, minimal build OS
○ Only services necessary to support the app(s)
○ Commercially supported - e.g. Windows, RHEL
○ IaaS-provided - e.g. Amazon Linux AMI
○ Security-optimized - BSD
● Watch for CVEs or alerts for high-risk vulns
○ Heartbleed, Shellshock, OpenSSL
○ Patch quickly, then fix what breaks
○ Don’t confuse antivirus for vulnerability protection
Windows Server 2003 standard install? Not so much.
Monitor and log
● Log and monitor access requests to all APIs
○ Monitor all access attempts for brute-force and lateral attacks
○ Deploy risk-based access controls to adapt and modify the app’s execution flow
● API rate limits (“throttling”)
○ Lock down services implemented and used by the app
○ Provide control over the assignment of server-side resources
○ Prevent brute force, account harvesting (user enumeration), and replay attacks
● Log and monitor all connected systems for suspicious activity
Is anyone watching this API?
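Added example (not from the deck): a per-key sliding-window throttle and a detector for the two patterns this slide names, brute force and user enumeration, run over a constructed API access log. The log format, endpoint paths and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample of an API access log: timestamp ip method path status user
SAMPLE_LOG = """\
1700000000 203.0.113.7 POST /api/v1/login 401 alice
1700000002 203.0.113.7 POST /api/v1/login 401 alice
1700000003 203.0.113.7 POST /api/v1/login 401 alice
1700000004 203.0.113.7 POST /api/v1/login 401 alice
1700000005 203.0.113.7 POST /api/v1/login 401 alice
1700000006 203.0.113.7 POST /api/v1/login 200 alice
1700000010 198.51.100.9 GET /api/v1/users/lookup 404 u1001
1700000011 198.51.100.9 GET /api/v1/users/lookup 200 u1002
1700000012 198.51.100.9 GET /api/v1/users/lookup 404 u1003
1700000013 198.51.100.9 GET /api/v1/users/lookup 200 u1004
1700000014 198.51.100.9 GET /api/v1/users/lookup 404 u1005
1700000015 198.51.100.9 GET /api/v1/users/lookup 200 u1006
1700000020 192.0.2.44 GET /api/v1/notes 200 bob
1700000021 192.0.2.44 GET /api/v1/notes 200 bob
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, status, user = m.groups()
        events.append({"ts": int(ts), "ip": ip, "method": method, "path": path,
                       "status": int(status), "user": user})
    return events


class SlidingWindowLimiter:
    """Per-key throttle: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def apply_throttle(events, limit=3, window=10):
    """Replay the log through the limiter keyed on (ip, path); return the
    events that would have received a 429 instead of being served."""
    limiter = SlidingWindowLimiter(limit, window)
    return [e for e in events if not limiter.allow((e["ip"], e["path"]), e["ts"])]


def detect(events, window=60, fail_threshold=5, enum_threshold=5):
    """Flag brute force (repeated 401s for one ip+user) and user enumeration
    (one ip probing many distinct usernames) inside a sliding window."""
    alerts, flagged = [], set()
    fails = defaultdict(deque)     # (ip, user) -> timestamps of failed logins
    probes = defaultdict(dict)     # ip -> {user: last lookup timestamp}
    for e in events:
        now = e["ts"]
        if e["path"].endswith("/login") and e["status"] == 401:
            q = fails[(e["ip"], e["user"])]
            q.append(now)
            while q and now - q[0] >= window:
                q.popleft()
            key = ("brute", e["ip"], e["user"])
            if len(q) >= fail_threshold and key not in flagged:
                flagged.add(key)
                alerts.append(f"brute-force: {e['ip']} {len(q)} failed logins "
                              f"for {e['user']} in {window}s")
        if "/users/lookup" in e["path"]:
            seen = probes[e["ip"]]
            seen[e["user"]] = now
            recent = {u for u, t in seen.items() if now - t < window}
            key = ("enum", e["ip"])
            if len(recent) >= enum_threshold and key not in flagged:
                flagged.add(key)
                alerts.append(f"enumeration: {e['ip']} probed {len(recent)} "
                              f"distinct users in {window}s")
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in detect(evts):
        print(a)
    print(f"{len(apply_throttle(evts))} of {len(evts)} requests would be throttled")
```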
Hack Yourself
● Perform vulnerability scanning and pen testing of backend infrastructure
● Automation for basic testing (e.g. patch level, configuration)
● Red Team testing to emulate malicious actors
● 3rd party to avoid internal conflicts
○ Vet credentials and references
○ Require detailed reporting, replication steps and risk rating (CVSS)
Before they do.
Develop securely
● Hire, design, build, test, deploy and iterate with security in mind
● Evaluate threats, create “misuse cases”
● Build security-focused test cases for QA
● Test iteratively with builds/releases
● Pay special attention to authentication, session management, input validation and sensitive transactions
● Train architects, developers, and QA on security
Agile and secure SDLC are not enemies
Secure authentication + session management
● Secure authentication (OWASP)
○ Avoid outmoded or custom implementations; limit attempts, add a 2nd factor
○ Prevent use of API services by unknown/untrusted devices (device registration step)
● Use session-based authentication
○ Avoid storing passwords by using token-based authentication (OpenID, OAuth2, SAML, JWT)
○ Use TLS (https) and ensure access tokens are stored securely
○ Send the session token via POST (not GET), or use an API key (POST body argument or secure cookie)
○ DO NOT include sensitive information in the URL (it can be compromised)
● Prevent CSRF, XSS and replay attacks
○ Proper authentication on all API endpoints
○ Server-side session termination
● Make security decisions on the server side (!)
Welcome to our API, two forms of ID please.
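Added example (not from the deck, and not Evernote’s code): the “trusting input from the mobile app” flaw from the real-world examples slide beside its server-side fix, with a server-side session store that supports termination and expiry as this slide asks. Account data, endpoint name, token lifetime and request shape are assumptions.

```python
import secrets
import time

# Constructed account store; the subscription tier lives only here, on the server.
ACCOUNTS = {
    "alice": {"tier": "free"},
    "bob": {"tier": "premium"},
}

SESSION_TTL = 900          # seconds; constructed value
TAMPER_LOG = []            # client claims that disagreed with server-side state


class SessionStore:
    """Opaque random session tokens mapped to (user, expiry), kept server-side so
    a logout or a security event can terminate the session immediately."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def create(self, username):
        token = secrets.token_urlsafe(32)       # 256 random bits, unguessable
        self._sessions[token] = (username, self._now() + SESSION_TTL)
        return token

    def resolve(self, token):
        """Return the user for a live token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires = entry
        if self._now() >= expires:
            del self._sessions[token]
            return None
        return username

    def terminate(self, token):
        self._sessions.pop(token, None)


def export_notes_vulnerable(request, store):
    """'Before': the server believes whatever the app says about the account
    tier, so any client that sends is_premium=true gets the paid feature."""
    user = store.resolve(request.get("token"))
    if user is None:
        return 401, "authentication required"
    if request["body"].get("is_premium"):        # client-controlled claim
        return 200, f"premium export for {user}"
    return 402, "upgrade required"


def export_notes_hardened(request, store):
    """'After': the tier comes from the server-side account record; a client
    claim that disagrees is ignored and recorded as a tampering signal."""
    user = store.resolve(request.get("token"))
    if user is None:
        return 401, "authentication required"
    tier = ACCOUNTS[user]["tier"]
    claimed = request["body"].get("is_premium")
    if claimed is not None and claimed != (tier == "premium"):
        TAMPER_LOG.append((user, claimed))
    if tier == "premium":
        return 200, f"premium export for {user}"
    return 402, "upgrade required"


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    forged = {"token": token, "body": {"is_premium": True}}
    print("vulnerable:  ", export_notes_vulnerable(forged, store))
    print("hardened:    ", export_notes_hardened(forged, store))
    store.terminate(token)
    print("after logout:", export_notes_hardened(forged, store))
```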
Input validation
● Treat calls from the mobile app as untrusted
○ Validate content-types and response-types
○ Ensure the security of all content sources for the app
○ Assume a malicious party could replace content going to the server, even within an authenticated session
○ Use message signatures for stronger validation
● Sanitize user input
○ Perform it client-side for efficiency, but the server must still check
○ Especially watch - files/images, URLs, XML, JSON, blobs
○ Implement secure parsing to avoid deserialization vulns
Don’t trust your own app
HTTP://XKCD.COM/327/
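Added example (not from the deck): server-side validation of one JSON API call along this slide’s checklist: content-type, body size, a message signature tied to the registered device, strict parsing that rejects duplicate keys, and a field whitelist with type checks. The header names, per-device keys and note schema are assumptions.

```python
import hashlib
import hmac
import json

MAX_BODY = 4096   # bytes; constructed limit

# Constructed per-device keys issued at the device registration step.
DEVICE_KEYS = {"dev-42": b"constructed-device-secret"}

# Strict schema: field -> (required, expected type, value check)
NOTE_SCHEMA = {
    "title": (True, str, lambda v: 0 < len(v) <= 120),
    "body": (True, str, lambda v: len(v) <= 2000),
    "tags": (False, list, lambda v: all(isinstance(t, str) and t.isalnum() for t in v)),
}


class ValidationError(ValueError):
    pass


def _no_duplicate_keys(pairs):
    """json.loads hook: a repeated key is a parser-differential trick, reject it."""
    out = {}
    for k, v in pairs:
        if k in out:
            raise ValidationError(f"duplicate key {k!r}")
        out[k] = v
    return out


def sign(device, body, device_keys=DEVICE_KEYS):
    """HMAC-SHA256 over the raw body with the device's registered key."""
    return hmac.new(device_keys[device], body, hashlib.sha256).hexdigest()


def verify_signature(headers, body, device_keys=DEVICE_KEYS):
    key = device_keys.get(headers.get("X-Device-Id"))
    if key is None:
        raise ValidationError("unknown device")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        raise ValidationError("bad signature")


def validate_request(headers, body, schema=NOTE_SCHEMA):
    """Checks run cheapest-first; the body is only parsed once it is authentic."""
    if headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
        raise ValidationError("unexpected content type")
    if len(body) > MAX_BODY:
        raise ValidationError("body too large")
    verify_signature(headers, body)
    try:
        data = json.loads(body.decode("utf-8"), object_pairs_hook=_no_duplicate_keys)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValidationError("top-level value must be an object")
    unknown = set(data) - set(schema)
    if unknown:                                   # whitelist, never blacklist
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    for name, (required, typ, check) in schema.items():
        if name not in data:
            if required:
                raise ValidationError(f"missing field {name!r}")
            continue
        value = data[name]
        if type(value) is not typ or not check(value):
            raise ValidationError(f"invalid value for {name!r}")
    return data


def check_request(headers, body):
    """Wrapper returning (accepted, parsed-data-or-reason) for callers and tests."""
    try:
        return True, validate_request(headers, body)
    except ValidationError as exc:
        return False, str(exc)


def build_signed_request(device, body, content_type="application/json"):
    """Builds headers the way the registered app would (demo/test helper)."""
    return {"Content-Type": content_type, "X-Device-Id": device,
            "X-Signature": sign(device, body)}, body


if __name__ == "__main__":
    h, b = build_signed_request("dev-42", b'{"title": "Shopping", "body": "milk"}')
    print(check_request(h, b))
    print(check_request(h, b + b" "))   # one byte changed in transit
```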
About agile + devops
● Expect upfront challenges introducing security controls in agile
● Devops process and tools can help with security checkpoints and standard environments
● Key change - breaking down walls between security and development
Don’t hate the process, hate the flaw
“I have seen productivity gains of 15% and greater when preventative and detective security controls are embedded in the development process”
Jim Routh, CSO, Aetna
SearchSecurity interview
Resources
CERT Top 10 Secure Coding Practices
SAFECode Practical Security Stories and Tasks for Agile Dev Environments
OWASP REST Security Cheat Sheet
OWASP Application Security Verification Standard
NowSecure Secure Mobile Development Best Practices
View now
A five-step plan
There are far more complicated ones available, if you want...
Five-step plan to secure the mobile backend
1. Establish ownership + key roles
2. Document architecture
3. Analyze risk + requirements
4. Assess security
5. Remediate + repeat
Key steps and questions
1. Establish ownership + key roles
a. Who represents business, security, network admin, dev
b. Authority to test and mandate changes
2. Document architecture
a. Include third-party systems
b. GSD beats perfection
3. Analyze risk + requirements
a. What data are we handling?
b. What policies or regulations do we need to comply with? (PCI-DSS, FFIEC, FERC, HIPAA)
4. Assess security
a. Begin with vulnerability scan at minimum
b. Target higher-risk functions/features
c. Rate issues for severity, prioritize
5. Remediate + repeat
a. Add security into issue tracking
b. Escalate where necessary
c. Communicate results, metrics
d. Automation for scanning, config checks
e. Regular log/alert monitoring?
f. Security training for dev team
The nitty gritty.
On PaaS, IaaS and SaaS
● Advantages of more outsourced backend:
○ Dedicated infrastructure personnel
○ Purpose-built systems
○ Isolation from other business systems
○ DoS resistance, resiliency
● Disadvantages: XaaS may not protect you from:
○ Compromised admin credentials
○ Flawed API logic
○ Data flows to another system
○ Regulatory problem
○ All CVEs in server software
○ Reduced control and visibility
It’s a cloud world, we’re just living in it
Questions?
teull@nowsecure.com
+1 312.878.1100
@tedtalks2
Read more on securing your mobile apps’ backend, and secure mobile development in general, in our Secure Mobile Development Best Practices: https://www.nowsecure.com/resources/secure-mobile-development/
 

CYA: Mobile app security begins at the server

  • 1. CYA: MOBILE APP SECURITY Begins at the Server (© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.)
  • 2. Connect with us: on Twitter @NowSecureMobile, or visit our website at https://www.nowsecure.com
  • 3. Ted Eull, VP, Risk and Privacy
    ● Built NowSecure’s mobile security and risk assessment practices
    ● 15+ years in development and information security
    ● Certified CRISC, GWAPT
  • 4. Contents
    ● The mobile backend
    ● Backend security challenges
    ● Backend security fundamentals
    ● A five-step plan
    ● Questions
  • 5. The mobile backend
  • 6. A simplified diagram
  • 7. Various implementations
    ● Proprietary / On-prem: you provision servers, configure the OS, write APIs, etc. yourself and host the technology in a datacenter you control or access. Example: your server room
    ● Infrastructure-as-a-Service (IaaS): a third party provides physical or virtual servers and essential resources such as network and block storage. You provision the OS and software but don’t access or control the hosting environment. Example: VM instances in EC2, Rackspace
    ● Platform-as-a-Service (PaaS): rather than build systems on third-party servers, you access a provided platform such as a database or app-building platform and configure within that platform. Examples: Google App Engine, Force.com, Azure SQL DB
    ● Software-as-a-Service (SaaS): a complete software application you access (typically) via REST APIs in addition to web-based access. Examples: Zendesk, Stripe, Salesforce, etc.
    Normally a combination of these
  • 8. One app, many APIs: a single app can have many backend services
  • 9. Challenges in securing your mobile app’s backend
  • 10. Keeping up with the pace of mobile
    ● Demand for new features to compete
    ● Short cycles, frequent releases
    ● New technology with different or fewer security controls (e.g. NoSQL)
    ● Developers retooling skills to new technology quickly
    ● Numerous functions and libraries, incorporation of OSS
    ● Less time for infrastructure review
    ● Instituting security checkpoints within agile
    ● Proliferation of micro-services
    Consumers want the app yesterday
  • 11. Mobile API services are web services
    ● Common misconception that mobile services are more secure by default (false)
    ● Manipulating web traffic in-browser is easier, but mobile APIs can still be attacked by injection, fuzzing, and brute force
    ● HTTPS (TLS) does not protect from attacks or ensure the client is your app
    ● Proxies, web application firewalls and proper server configuration can help repel attacks
    hidden != secure
  • 12. Security responsibilities
  • 13. MBaaS
    ● MBaaS is a form of PaaS providing API configuration/coding, data object management, data connectors, versioning, access control and more through custom hosted interfaces.
    ● Offerings range from a simpler API builder to a fully-featured management system.
    ● e.g. Appcelerator Arrow, Parse, Firebase, AWS Mobile Hub, Azure Mobile Services
    ● Key issues
      ○ Assurance of security in infrastructure
      ○ Provider stability
      ○ Auditability
      ○ Granularity of control
    Faster, easier... but secure? It depends
  • 14. Real world examples
    ● API communications without HTTPS: many apps fail to use TLS on some or all API calls, exposing sensitive data such as user location or personal info. (NFL Mobile app, CBS Sports app)
    ● Instagram bug (delete comments): a 10-year-old from Finland proved he could delete anyone’s comments (including Justin Bieber’s) and received a $10k bug bounty.
    ● Trusting input from the mobile app: NowSecure’s @0xroot responsibly disclosed that Evernote trusted the app to tell it whether the customer was “premium” or “free”, enabling a user to get elevated access without paying.
    ● Improper authentication / session management: a banking app (!!) function enabled a user to change the password without being authenticated.
    ● User data enumeration (no authentication required): by knowing some user info we could rapidly query the API endpoint and ultimately access SSNs for some accounts.
    ● Open API for credit card validation: we found an open API endpoint that would validate credit card numbers with no rate limiting and an easily stolen credential.
    Involving an insecure backend
  • 15. Security fundamentals for your mobile backend
  • 16. Proven security techniques
    Secure backend systems with these famous infosec techniques:
    ● Limit access
    ● Harden servers
    ● Update software
    ● Monitor and log
    ● Develop securely*
    ● Hack yourself
    *Easier said than done, but you have to try.
  • 17. Limit access
    ● Require secure connections (VPN + SSH)
    ● Use firewall rules to control connections
    ● Use strong multi-factor authentication
    ● No apps running as root
    ● Do your developers have access to production?
    ● Physical access still matters
    Least privilege for all!
  • 18. Harden servers + update software
    ● Use a standard, minimal build OS
      ○ Only the services necessary to support the app(s)
      ○ Commercially supported, e.g. Windows, RHEL
      ○ IaaS-provided, e.g. Amazon Linux AMI
      ○ Security-optimized, e.g. BSD
    ● Watch for CVEs or alerts for high-risk vulns
      ○ Heartbleed, Shellshock, OpenSSL
      ○ Patch quickly, then fix what breaks
      ○ Don’t confuse antivirus with vulnerability protection
    Windows Server 2003 standard install? Not so much.
  • 19. Monitor and log
    ● Log and monitor access requests to all APIs
      ○ Monitor all access attempts for brute-force and lateral attacks
      ○ Deploy risk-based access controls to adapt and modify the app’s execution flow
    ● API rate limits (“throttling”)
      ○ Lock down services implemented and used by the app
      ○ Provide control over the assignment of server-side resources
      ○ Prevent brute force, account harvesting (user enumeration), and replay attacks
    ● Log and monitor all connected systems for suspicious activity
    Is anyone watching this API?
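The throttling and enumeration points on slide 19 (and the user-enumeration case on slide 14), as an added example that is not from the NowSecure deck: a per-caller sliding-window rate limit in front of an account-lookup endpoint that logs throttled calls and answers identically whether or not the account exists. The account set, client keys and limits are constructed for the demonstration.

```python
# Added example (not from the NowSecure deck): a sliding-window rate limit in
# front of an account-lookup endpoint, plus a uniform response so the endpoint
# cannot be used to harvest valid accounts. Counters are in-memory here; a real
# deployment keeps them in a shared store so every API node sees the same totals.
import logging
from collections import defaultdict, deque

log = logging.getLogger("api.lookup")


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed sample data standing in for the real account store.
KNOWN_ACCOUNTS = {"alice@example.com", "bob@example.com"}
limiter = SlidingWindowLimiter(limit=5, window=60.0)


def lookup_account(client_key: str, email: str, now: float) -> dict:
    """`client_key` identifies the caller (API key or registered device id);
    `now` is passed in so the window can be exercised deterministically."""
    if not limiter.allow(client_key, now):
        # Log the throttled call so monitoring can spot harvesting attempts.
        log.warning("rate limit exceeded client=%s", client_key)
        return {"status": 429, "body": {"error": "too many requests"}}
    # Same answer whether or not the account exists, so the caller learns
    # nothing about which addresses are registered (no user enumeration).
    log.info("lookup client=%s known=%s", client_key, email in KNOWN_ACCOUNTS)
    return {"status": 200, "body": {"message":
            "If this account exists, a verification email has been sent"}}
```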
  • 20. Hack yourself
    ● Perform vulnerability scanning and pen testing of backend infrastructure
    ● Automation for basic testing (e.g. patch level, configuration)
    ● Red Team testing to emulate malicious actors
    ● Use a 3rd party to avoid internal conflicts
      ○ Vet credentials and references
      ○ Require detailed reporting, replication steps and risk rating (CVSS)
    Before they do.
  • 21. Develop securely
    ● Hire, design, build, test, deploy and iterate with security in mind
    ● Evaluate threats, create “misuse cases”
    ● Build security-focused test cases for QA
    ● Test iteratively with builds/releases
    ● Pay special attention to authentication, session management, input validation and sensitive transactions
    ● Train architects, developers, and QA on security
    Agile and secure SDLC are not enemies
  • 22. Secure authentication + session management
    ● Secure authentication (OWASP)
      ○ Avoid outmoded or custom implementations; limit attempts, add a 2nd factor
      ○ Prevent use of API services by unknown/untrusted devices (device registration step)
    ● Use session-based authentication
      ○ Avoid storing passwords by using token-based authentication (OpenID, OAuth2, SAML, JWT)
      ○ Use TLS (https) and ensure access tokens are stored securely
      ○ Use a session token via POST (not GET), or use an API key (POST body argument or secure cookie)
      ○ DO NOT include sensitive information in the URL (it can be compromised)
    ● Prevent CSRF, XSS and replay attacks
      ○ Proper authentication on all API endpoints
      ○ Server-side session termination
    ● Make security decisions on the server side (!)
    Welcome to our API, two forms of ID please.
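The device-registration, keep-secrets-out-of-the-URL and replay-prevention points on slide 22 (and the message-signature point on slide 23), as an added example that is not from the NowSecure deck: the server verifies an HMAC over the request using a per-device secret issued at registration, with a timestamp window and a nonce cache so a captured request cannot be replayed. The header names, device ids and secret are constructed for the demonstration.

```python
# Added example (not from the NowSecure deck): verifying requests signed with a
# per-device secret handed out at a registration step. Token and signature ride
# in headers, never in the URL; a timestamp window plus a nonce cache stop replay.
import hashlib
import hmac
import time

REPLAY_WINDOW = 300  # seconds a signed request stays acceptable

# Constructed sample data: secrets issued when each device registered.
DEVICE_SECRETS = {"device-42": b"constructed-secret-for-device-42"}
_seen_nonces = {}  # nonce -> time after which it may be forgotten


def canonical(method: str, path: str, ts: str, nonce: str, body: bytes) -> bytes:
    """Bind method, path, time, nonce and body hash into one string to sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, ts, nonce, body_hash]).encode()


def sign_request(device_id, method, path, ts, nonce, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical request with the device key."""
    msg = canonical(method, path, ts, nonce, body)
    return hmac.new(DEVICE_SECRETS[device_id], msg, hashlib.sha256).hexdigest()


def verify_request(headers: dict, method, path, body: bytes, now=None):
    """Server side. Returns (accepted, reason); reasons are for logging only."""
    now = time.time() if now is None else now
    secret = DEVICE_SECRETS.get(headers.get("X-Device-Id", ""))
    if secret is None:
        return False, "unregistered device"
    ts = headers.get("X-Timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > REPLAY_WINDOW:
        return False, "stale or invalid timestamp"
    for n in [n for n, exp in _seen_nonces.items() if exp <= now]:
        del _seen_nonces[n]  # forget nonces older than the window
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in _seen_nonces:
        return False, "replayed nonce"
    expected = hmac.new(secret, canonical(method, path, ts, nonce, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"  # constant-time compare
    _seen_nonces[nonce] = now + REPLAY_WINDOW  # remember only accepted nonces
    return True, "ok"
```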
  • 23. Input validation
    ● Treat calls from the mobile app as untrusted
      ○ Validate content-types and response-types
      ○ Ensure the security of all content sources for the app
      ○ Assume a malicious party could replace content going to the server, including within an authenticated session
      ○ Use message signatures for stronger validation
    ● Sanitize user input
      ○ Perform it client-side for efficiency, but you must still check on the server
      ○ Especially watch: files/images, URLs, XML, JSON, blobs
      ○ Implement secure parsing to avoid deserialization vulns
    Don’t trust your own app (HTTP://XKCD.COM/327/)
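Slide 23's "don't trust your own app" and slide 22's "make security decisions on the server side", as an added example that is not from the NowSecure deck: a handler that checks the content type, caps and parses the JSON body, validates field types, ignores any "premium" flag the client asserts about itself (the Evernote case on slide 14) and looks the real plan up with a parameterized query. The endpoint, field names and sqlite3 table are constructed for the demonstration.

```python
# Added example (not from the NowSecure deck): a server-side handler that treats
# the app's request as untrusted. It checks the content type, caps and parses the
# JSON body, validates field types, ignores any entitlement the client claims for
# itself, and looks the real plan up with a parameterized query (the xkcd 327
# lesson). An in-memory sqlite3 table stands in for the account database.
import json
import sqlite3
from typing import Optional

MAX_BODY = 4096
ALLOWED_NOTE_TYPES = {"text", "image"}

db = sqlite3.connect(":memory:", check_same_thread=False)
db.execute("CREATE TABLE accounts (user_id TEXT PRIMARY KEY, plan TEXT)")
# Constructed sample rows.
db.executemany("INSERT INTO accounts VALUES (?, ?)",
               [("u1", "free"), ("u2", "premium")])


def plan_for(user_id: str) -> Optional[str]:
    """Parameter binding: user_id is data, never spliced into the SQL text."""
    row = db.execute("SELECT plan FROM accounts WHERE user_id = ?",
                     (user_id,)).fetchone()
    return row[0] if row else None


def handle_upload(session_user: str, content_type: str, body: bytes) -> dict:
    """`session_user` comes from the server's own session, never from the body."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        return {"status": 415, "error": "unsupported content type"}
    if len(body) > MAX_BODY:
        return {"status": 413, "error": "body too large"}
    try:
        req = json.loads(body)
    except ValueError:
        return {"status": 400, "error": "malformed JSON"}
    if (not isinstance(req, dict) or not isinstance(req.get("title"), str)
            or len(req["title"]) > 200
            or not isinstance(req.get("note_type"), str)
            or req["note_type"] not in ALLOWED_NOTE_TYPES):
        return {"status": 400, "error": "invalid fields"}
    # The server decides entitlement; a client-supplied "premium": true is ignored.
    plan = plan_for(session_user)
    if plan is None:
        return {"status": 403, "error": "unknown account"}
    if req["note_type"] == "image" and plan != "premium":
        return {"status": 402, "error": "image notes require a premium plan"}
    return {"status": 201, "plan": plan, "note_type": req["note_type"]}
```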
  • 24. About agile + devops
    ● Expect upfront challenges introducing security controls in agile
    ● Devops processes and tools can help with security checkpoints and standard environments
    ● Key change: breaking down walls between security and development
    Don’t hate the process, hate the flaw
    “I have seen productivity gains of 15% and greater when preventative and detective security controls are embedded in the development process” (Jim Routh, CSO, Aetna, SearchSecurity interview)
  • 25. Resources
    ● CERT Top 10 Secure Coding Practices
    ● SAFECode Practical Security Stories and Tasks for Agile Dev Environments
    ● OWASP REST Security Cheat Sheet
    ● OWASP Application Security Verification Standard
    ● NowSecure Secure Mobile Development Best Practices
  • 26. A five-step plan
  • 27. Five-step plan to secure the mobile backend (there are far more complicated ones available, if you want...)
    1. Establish ownership + key roles
    2. Document architecture
    3. Analyze risk + requirements
    4. Assess security
    5. Remediate + repeat
  • 28. Key steps and questions (the nitty gritty)
    1. Establish ownership + key roles
      a. Who represents business, security, network admin, dev
      b. Authority to test and mandate changes
    2. Document architecture
      a. Include third-party systems
      b. GSD beats perfection
    3. Analyze risk + requirements
      a. What data are we handling?
      b. What policies or regulations do we need to comply with? (PCI-DSS, FFIEC, FERC, HIPAA)
    4. Assess security
      a. Begin with a vulnerability scan at minimum
      b. Target higher-risk functions/features
      c. Rate issues for severity, prioritize
    5. Remediate + repeat
      a. Add security into issue tracking
      b. Escalate where necessary
      c. Communicate results, metrics
      d. Automation for scanning, config checks
      e. Regular log/alert monitoring?
      f. Security training for dev team
  • 29. On PaaS, IaaS and SaaS
    ● Advantages of a more outsourced backend:
      ○ Dedicated infrastructure personnel
      ○ Purpose-built systems
      ○ Isolation from other business systems
      ○ DoS resistance, resiliency
    ● Disadvantages: XaaS may not protect you from:
      ○ Compromised admin credentials
      ○ Flawed API logic
      ○ Data flows to another system
      ○ Regulatory problems
      ○ All CVEs in server software
      ○ Reduced control and visibility
    It’s a cloud world, we’re just living in it
  • 30. Questions? teull@nowsecure.com, +1 312.878.1100, @tedtalks2
    Read more on securing your mobile apps’ backend, and secure mobile development in general, in our Secure Mobile Development Best Practices: https://www.nowsecure.com/resources/secure-mobile-development/