Contain Yourself: Building Secure Containers for Mobile Devices

Presented at AppSec USA 2013, Nov. 21, 2013, 9 a.m. (50 minutes).

Video of session: https://www.youtube.com/watch?v=siVS2jmPABM&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=31

In today's world, everyone wants access to information from his or her personal mobile device. As a business, this includes your customers and/or employees. What if the information they want access to is highly sensitive? While it's tempting to resist these pressures for security reasons, providing mobile access can be a significant competitive advantage and, most importantly, keep your customers and employees happy and productive. The reality is that in order to survive in a connected world, we must provide a way to meet these demands without sacrificing security.

Organizations have begun moving from "managed devices" to a Bring Your Own Device (BYOD) model where company resources can be accessed and stored on unmanaged devices. As you can imagine, there are some inherent risks with this approach due to the organization's inability to enforce policies on personal devices. There is currently a huge market for solutions that allow enterprises to protect their data on unmanaged devices. Enter "Secure Containers" and "Application Wrapping". The basic premise of these solutions is that they allow organizations to enforce policies at the application layer rather than the device layer. For example, authentication, remote wipes, lockouts and data encryption can now be enforced on a per-application basis. Application Wrapping is a technique that allows a vendor to inject their own code into existing iOS applications. Once injected, existing iOS method implementations can be overwritten to enforce these policies. In a nutshell, you can take an existing application and have it wrapped so that it enforces various defined policies, securing it without developers having to implement them manually.

We have performed security assessments of various commercial BYOD solutions and custom secure containers. Additionally, we have also provided guidance in the development and design of such solutions. We plan to share our experiences through various case studies showcasing the security issues encountered and the testing techniques used throughout these assessments. We expect to cover and provide the audience with newfound knowledge in the following topics:

  • What is Application Wrapping and How It Is Implemented
    - Dynamic Library Injection
    - iOS Method Swizzling
  • Walkthrough of Common Designs for Secure Containers
    - Weak Crypto Key Storage and Generation
    - Common Crypto Implementation Flaws
    - Online and Offline Authentication Designs
  • Leveraging iOS Runtime Analysis for Reversing Implementations
    - Common iOS Reversing Techniques
    - Writing Mobile Substrate Hooks
  • Completeness of the Implementation
    - Preventing Common Mobile Security Plaintext Storage Issues
    - Inadvertent Caching of Sensitive Data
    - Jailbreak Detection
    - Weaknesses in Policy Enforcement and Remote Wipes

Attendees will leave with an understanding of the advantages and disadvantages of using "secure container" solutions. The presentation will be delivered from the point of view of a security tester with experience in assessing various implementations. Organizations can leverage this knowledge to make informed decisions when choosing or developing solutions. Security testers will leave with baseline checks and testing techniques for assessing secure container implementations.

Presenters:

  • Ronald Gutierrez - Senior Security Engineer - Gotham Digital Science
    Ron Gutierrez is a senior engineer at Gotham Digital Science (GDS), where he specializes in application security code reviews, mobile application assessments, black box application testing and threat modeling. Ron is a member of the SendSafely development team and a frequent contributor to the GDS Security Blog (http://blog.gdssecurity.com). Ron has spoken at security conferences such as AppSec USA and Shmoocon. Ron's current interests include NodeJS Security, iOS Application Security, and Cryptography.
