![Page 1: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/1.jpg)
![Page 2: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/2.jpg)
Addressing the OWASP Mobile Security Threats using XamarinAlec TuckerWhite Clarke Group@alecdtucker
![Page 3: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/3.jpg)
Intro to StandardsHow can you prove to an enterprise client that your apps are secure?
What boxes might a security conscious client require you to tick to comply with policy?
What are the industry guidelines for app security?
![Page 4: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/4.jpg)
The Open Web Application Security ProjectOWASP Top 10https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Top 10 for Mobile 2014 / 2016https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP Application Security Verification Standards (ASVS) v3.0https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdfChapter 17 covers mobile
![Page 5: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/5.jpg)
OWASP Top 10 for Mobile 2014M1 – Weak server side controls
M2 – Insecure data storage on the device
M3 – Insufficient transport layer protection
M4 – Unintended data leakage
M5 – Poor authentication and authorization
M6 – Broken cryptography
M7 – Client side injection
M8 – Security decisions via untrusted inputs
M9 – Improper session handling
M10 – Lack of binary protection
![Page 6: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/6.jpg)
OWASP Top 10 for Mobile 2016 RC
M1 – Improper Platform Usage
M2 – Insecure Data Storage
M3 – Insecure Communication
M4 – Insecure Authentication
M5 – Insufficient Cryptography
M6 – Insecure Authorization
M7 – Client Code Quality
M8 – Code Tampering
M9 – Reverse Engineering
M10 – Extraneous Functionality
![Page 7: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/7.jpg)
2014 2016 RCM1 – Weak server side controls
M2 – Insecure data storage on the device
M3 – Insufficient transport layer protection
M4 – Unintended data leakage
M5 – Poor authentication and authorization
M6 – Broken cryptography
M7 – Client side injection
M8 – Security decisions via untrusted inputs
M9 – Improper session handling
M10 – Lack of binary protection
M1 – Improper Platform Usage
M2 – Insecure Data Storage
M3 – Insecure Communication
M4 – Insecure Authentication
M5 – Insufficient Cryptography
M6 – Insecure Authorization
M7 – Client Code Quality
M8 – Code Tampering
M9 – Reverse Engineering
M10 – Extraneous Functionality
![Page 8: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/8.jpg)
Why do common breaches still occur?• Rush to release• Insufficient testing• Malware-infected apps and devices• Lower security budgets for mobile apps• Lack of expertise• Lack of policies
Ponemon Institute: https://www.ponemon.org/news-2/64• Assumption that the OS covers all security requirements• Weaknesses due to cross-platform development and compilation
OWASP docs
![Page 9: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/9.jpg)
M1 – Improper Platform UsageMisuse of a platform feature or failure to use platform security controls
• Violation of published guidelines• Violation of convention or common practice• Unintentional misuse• Includes requesting too many permissions, or the wrong
permissions
Example- usesClearTextTraffic on Android, API23+
![Page 10: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/10.jpg)
M1 – Improper Platform Usage
![Page 11: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/11.jpg)
Exposing usesClearTextTraffic in Xamarinusing Services;using Xamarin.Forms;
[assembly:Dependency(typeof(M1.Droid.NetworkSecurityPolicyService_Droid))]namespace M1.Droid{ public class NetworkSecurityPolicyService_Droid : INetworkPolicyService { public NetworkSecurityPolicyService_Droid() { }
public bool isClearTextTrafficPermitted() { return Android.Security.NetworkSecurityPolicy.Instance.IsCleartextTrafficPermitted; } }}
![Page 12: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/12.jpg)
Checking usesClearTextTraffic in Xamarinpublic async Task<string> DownloadContentDishonour(string url){ WebClient client = new WebClient(); return await client.DownloadStringTaskAsync(url);}
![Page 13: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/13.jpg)
Checking usesClearTextTraffic in Xamarinpublic async Task<string> DownloadContentHonour(string url){ if (networkPolicyService != null && url.StartsWith("http:") && !networkPolicyService.isClearTextTrafficPermitted) { throw new InvalidOperationException( "Clear text network requests are not permitted"); }
WebClient client = new WebClient(); return await client.DownloadStringTaskAsync(url);}
![Page 14: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/14.jpg)
M1 – Improper Platform Usage - Components…that honour usesClearTextTraffic• DownloadManager• MediaPlayer• SocketHandler• Java.* / Android.* HTTP, FTP,
WebSockets, XMPP, IMAP, SMTP network components
• Some third party libraries• OkHttp• ModernHttpClient
…that dishonour usesClearTextTraffic• Android.WebKit.WebView• Java.* / Android.* UDP and TCP
connections• Any related low-level network stacks• All managed networking components
Sydney Mobile .Net (Xamarin) Developershttp://www.meetup.com/SydneyMobileDotNetDevelopers/
![Page 15: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/15.jpg)
M2 – Insecure Data Storage
2014 M2 – Insecure Data Storage• SQL databases• Log files• XML datastores / manifest files• Binary data stores• SD card• Cloud sync’d folders
2014 M4 – Unintended Data Leakage• Leaked without developer’s
knowledge• Cached data• Images – e.g. task switcher• Key presses• Logging• Buffers
This covers two of the 2014 top 10 risks:
![Page 16: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/16.jpg)
Blurring the screen during auto-snapshotpublic override void OnResignActivation(UIApplication uiApplication){ // 1. Take a screenshot // 2. Blur it // 3. Add the blurred view to the RootViewController.View base.OnResignActivation(uiApplication);}
public override void OnActivated(UIApplication uiApplication){ // 4. Remove the blurred view, if there is one base.OnActivated(uiApplication);}
![Page 17: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/17.jpg)
Blurring the screen during auto-snapshot// 1. Take a screenshotUIView view = UIApplication.SharedApplication.KeyWindow.RootViewController.View;UIGraphics.BeginImageContext(view.Frame.Size);view.DrawViewHierarchy(view.Frame, true);UIImage image = UIGraphics.GetImageFromCurrentImageContext();UIGraphics.EndImageContext();
![Page 18: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/18.jpg)
Blurring the screen during auto-snapshot// 2. Blur itUIImage newImage = null;using(var inputImage = new CoreImage.CIImage(image)) { using(var blur = new CoreImage.CIGaussianBlur()) { blur.Image = inputImage; blur.Radius = 25f;
using(var outputImage = blur.OutputImage) { using(var context = CoreImage.CIContext.FromOptions(new CoreImage.CIContextOptions() { UseSoftwareRenderer = false })) { using(var cgImage = context.CreateCGImage(outputImage, new System.Drawing.RectangleF ( new System.Drawing.PointF(0,0), new System.Drawing.SizeF((float)image.Size.Width, (float)image.Size.Height)))) { newImage = UIImage.FromImage(cgImage); } } } }}
![Page 19: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/19.jpg)
Blurring the screen during auto-snapshot// 3. Add the blurred view to the RootViewController.Viewview.AddSubview(new UIImageView(newImage));
// 4. Remove the blurred view, if there is oneint lastIndex = UIApplication.SharedApplication.KeyWindow .RootViewController.View.Subviews.GetUpperBound(0);if (lastIndex > 0){ UIApplication.SharedApplication.KeyWindow .RootViewController.View.Subviews[lastIndex] .RemoveFromSuperview();}
![Page 20: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/20.jpg)
M2 – Insecure Data StorageiOS Developer Cheat Sheet- https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet- Small amounts of sensitive data should go in the Keychain- Recommends usage of a third party encryption API “not
encumbered by inherent weaknesses in Apple’s encryption”- Singles out SQLCipher- Key management then becomes critical ( M5)
- https://www.owasp.org/index.php/Key_Management_Cheat_SheetWindows Mobile 10 Security Guide- https://technet.microsoft.com/en-us/library/
mt674915(v=vs.85).aspx
![Page 21: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/21.jpg)
M3 – Insecure CommunicationThis covers:• Poor handshaking• Incorrect SLL versions• Weak negotiation• Cleartext communication of sensitive assets *• SSL certificate validity
* Sensitive assets can include things like the IMEI and other hardware addresses. Some jurisdictions consider these to be private data that must be given the same privacy treatment as a phone number or home address
![Page 22: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/22.jpg)
Checking certificate validity – iOS / AndroidSystem.Net.ServicePointManager.ServerCertificateValidationCallback += ((sender, certificate, chain, sslPolicyErrors) =>{ return sslPolicyErrors == System.Net.Security.SslPolicyErrors.None && validCertificates.Contains(certificate.GetCertHashString);});
![Page 23: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/23.jpg)
M4 – Insecure AuthenticationIn general, follow the same rules as a web app for authenticationi.e. if porting a web app, it should not be possible to authenticate with less auth factors than the web browserNever use a device identifier (UDID, IP, MAC address, IMEI) to identify a user or a sessionRemember that some jurisdictions treat these as personal data
![Page 24: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/24.jpg)
M4 – Insecure AuthenticationAvoid out-of-band authentication tokens being sent to the same device as the user is using to login (e.g. SMS to phone)http://www.smh.com.au/technology/consumer-security/malware-hijacks-big-four-australian-banks-apps-steals-twofactor-sms-codes-20160309-gnf528.html
![Page 25: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/25.jpg)
M5 – Insufficient Cryptographyhttps://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• Only store sensitive data that you need• Use strong approved authenticated encryption• Store a one-way and salted value of passwords• Ensure that the cryptographic protection remains secure
even if access controls fail• Ensure that any secret key is protected from unauthorised
access• Follow applicable regulations on use of cryptography• PCLCrypto component
![Page 26: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/26.jpg)
M5 – Insufficient CryptographyUse of hardware information in key:
SQLCipher advice- What’s unacceptable is to use this in entirety and nothing else- They propose it’s acceptable to use it as a portion of a key, but
point out that it’s critical that at least a portion of the key is both:- Entered by the user- Never stored on the device
https://discuss.zetetic.net/t/sqlcipher-database-key-material-and-selection/25
![Page 27: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/27.jpg)
M6 – Insecure AuthorizationApp may restrict functions based on user’s authorization levelWeb service endpoints cannot assume this is sufficientClassic finding is a server implicitly trusting the mobile code to only generate requests appropriate to the user’s privilege levelOf course this cannot be assumed of a compromised app
![Page 28: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/28.jpg)
M7 – Client Code QualityIs Your App Secure?- Kerry Lothrop, Thursday
Think Like a Hacker- Sam Rehman & Lou Crocker, Wednesday
![Page 29: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/29.jpg)
M8 – Code Tampering private bool IsJailBroken() { return UIApplication.SharedApplication.CanOpenUrl(new NSUrl("cydia://package/com.example.package"))); }
![Page 30: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/30.jpg)
M9 – Reverse Engineering
![Page 31: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/31.jpg)
M10 – Extraneous Functionality
![Page 32: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/32.jpg)
Where to from here?
Source: Arxan State of Application Security 2016 – Financial Services Report
2014 M3 2016 M3Insecure Communication
2014 M10 2016 M9Reverse Engineering
Remembering…
![Page 33: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/33.jpg)
Where to from here?• OWASP ASVS
• PCI standards
• If you don’t have a security policy, reference these standards
• If you do have a security policy, check it against these standards
• If you’re writing or reviewing a security policy, check it against these standards
• Awareness and further research
• Build in house expertise, outsource, bring in specialised security products / consultants
• A combination of the abovehttp://www.amazon.com/Xamarin-Unleashed-Alec-Tucker/dp/0672337509
![Page 34: Addressing the OWASP Mobile Security Threats using Xamarin](https://reader036.vdocuments.site/reader036/viewer/2022062306/58d016ef1a28ab97708b48f7/html5/thumbnails/34.jpg)
Thank you / Questions