Tip:
Highlight text to annotate it
X
Pete: So, what are the basic things that most mobile OS's do in terms of helping enforce
security? Like, what in these features in these, perhaps somewhat immature, OS's that
you mention that developers can take advantage of?
Mike: Sure. So, I'll cover two at a very high level. We'll talk about application sandboxing
first of all. And, that basically means your application is running on the device and it's
in its own protected sandbox. It can potentially write to the file system, it can write and
read to its own files, but it can't necessarily touch the files of another application. So,
if your banking application is storing some sort of potentially sensitive data on a file,
the newest game that you've downloaded can't necessarily, out of the box, reach in and
touch- you know, read- those bits of data. The operating system won't let that happen.
Now, when the device is jailbroken, those controls are removed. And now, a rogue or
malicious application running on the device is running at a higher privilege level and
can potentially do a lot of things. It can attack other applications, it can abuse other
bits of functionality on the phone, like turn on the microphone, for example, steal your
contacts or send out SMS messages or email. The other bit that I'd like to talk about,
would be security data storage. So, I've already talked a little bit about just data storage
on the device- writing to files. You don't want to- if you're, for example, storing credentials
on the device, or you have the need to store credentials on a device so that a user doesn't
need to enter them every time, they authenticate to your app. You don't want to just write
them to a flat text file in plaintext on the device. Something like that is easily recoverable,
whether or not the device is jailbroken. And, we're talking about applications using it.
If the person loses their device, you don't want somebody to be able to pick it up and,
with minimal skill or ability, be able to pull a file off your device and now have your
banking credentials. So, the platforms provide certain methods of securely storing data on
the devices. For example, on iOS, there's the keychain. Data stored in the keychain
isn't necessarily encrypted unless the user has a passcode on their device. So, if they
don't have a passcode on their device, and as a developer, you're storing something in
the keychain, and the device is not jailbroken, you have the application sandboxing. So, my
app can't access your app's credentials. But, if an attacker picks up the device and has
physical access to it, he can get at that keychain data and it's not protected without
the passcode. So, there are lots of little nuances that people need to be aware of.
Pete: Do you think developers are commonly aware that this sort of scenario exists? For
instance, on the iOS platform?
Mike: I think the documentation could always be improved upon. And there's a lot of just
general awareness that needs to happen. It's also very easy to go down the encryption rabbit
hole, 'OK, we know we need to protect this data, so let's encrypt it and we'll use a
symmetric key.' You come across that quite often when you're reviewing mobile applications.
You just happen to find a hardcoded encryption code right in the application code base, used
to store the credentials and the file system "encrypted". But, what the developers don't
always realize is that that key is easily recoverable, and now, in that case, OK, now
the key is on a million devices for the one million users that have installed your application.
So, now you've got a situation where a bad buy can say, 'OK, well, I see how poorly this
app is protecting this sensitive data, I can see, based on the number of downloads, that
it's installed on bizillions of devices, now I can target this application. And, I can
write a trojan or some piece of malware that will masquerade as a legitimate mobile application
and seek out this other app on the installed user base.'