Mobile App Security - Two Key Issues
In this clip, we discuss two of the main concepts of mobile app security - application sandboxing and secure data storage.
(Full transcript after the break, or download MP3 audio here)
Want to know when more clips from this interview are posted? Follow @g33ktalktv on Twitter for updates.
Pete: So, what are the basic things that most mobile OS's do in terms of helping enforce security? Like, what are these features in these, perhaps somewhat immature, OS's that you mention that developers can take advantage of?
Mike: Sure. So, I'll cover two at a very high level. We'll talk about application sandboxing first of all. And, that basically means your application is running on the device and it's in its own protected sandbox. It can potentially write to the file system, it can write and read to its own files, but it can't necessarily touch the files of another application. So, if your banking application is storing some sort of potentially sensitive data on a file, the newest game that you've downloaded can't necessarily, out of the box, reach in and touch- you know, read- those bits of data. The operating system won't let that happen. Now, when the device is jailbroken, those controls are removed. And now, a rogue or malicious application running on the device is running at a higher privilege level and can potentially do a lot of things. It can attack other applications, it can abuse other bits of functionality on the phone, like turn on the microphone, for example, steal your contacts or send out SMS messages or email. The other bit that I'd like to talk about, would be security data storage. So, I've already talked a little bit about just data storage on the device- writing to files. You don't want to- if you're, for example, storing credentials on the device, or you have the need to store credentials on a device so that a user doesn't need to enter them every time, they authenticate to your app. You don't want to just write them to a flat text file in plaintext on the device. Something like that is easily recoverable, whether or not the device is jailbroken. And, we're talking about applications using it. If the person loses their device, you don't want somebody to be able to pick it up and, with minimal skill or ability, be able to pull a file off your device and now have your banking credentials. So, the platforms provide certain methods of securely storing data on the devices. For example, on iOS, there's the keychain. Data stored in the keychain isn't necessarily encrypted unless the user has a passcode on their device. So, if they don't have a passcode on their device, and as a developer, you're storing something in the keychain, and the device is not jailbroken, you have the application sandboxing. So, my app can't access your app's credentials. But, if an attacker picks up the device and has physical access to it, he can get at that keychain data and it's not protected without the passcode. So, there are lots of little nuances that people need to be aware of.
Pete: Do you think developers are commonly aware that this sort of scenario exists? For instance, on the iOS platform?
Mike: I think the documentation could always be improved upon. And there's a lot of just general awareness that needs to happen. It's also very easy to go down the encryption rabbit hole, 'OK, we know we need to protect this data, so let's encrypt it and we'll use a symmetric key.' You come across that quite often when you're reviewing mobile applications. You just happen to find a hardcoded encryption code right in the application code base, used to store the credentials and the file system "encrypted". But, what the developers don't always realize is that that key is easily recoverable, and now, in that case, OK, now the key is on a million devices for the one million users that have installed your application. So, now you've got a situation where a bad buy can say, 'OK, well, I see how poorly this app is protecting this sensitive data, I can see, based on the number of downloads, that it's installed on bizillions of devices, now I can target this application. And, I can write a trojan or some piece of malware that will masquerade as a legitimate mobile application and seek out this other app on the installed user base.'