SlideShare a Scribd company logo

Creating secure apps using the salesforce mobile sdk

Martin Vigo
Martin Vigo

Creating a mobile app has never been easier with the wide-range of frameworks and languages available at your fingertips. But is it easy to secure a mobile app? Join our mobile security experts as they walkthrough the Salesforce Mobile SDK and learn everything you need to know about hardening your mobile apps. We will discuss common vulnerabilities and mistakes, followed by a dive deep into how the Salesforce Mobile SDK makes following our security best practices easy and painless!

Technology
1 of 39
Download to read offline
Creating Secure Apps Using The Salesforce Mobile SDK mvigo@salesforce.com, @martin_vigo ​Martin Vigo, Senior Product Security Engineer jkinser@salesforce.com ​Jesse Kinser, Senior Product Security Engineer
​Senior Product Security Eng. ​mvigo@salesforce.com ​Senior Product Security Eng. ​jkinser@salesforce.com Martin Vigo Jesse Kinser Speakers
Native vs Hybrid ​Overview
Native vs Hybrid • File system / Insecure storage • Network communication • Crypto • Clipboard • Backups • RPC, URL scheme handlers ​Threats • XSS • CSRF • SQLi • Input validation • Output encoding • Application logic flaws
OWASP Mobile Top 10 ​2016 version
M1 - Improper Platform Usage
M1 - Improper Platform Usage • Violation of published guidelines • iOS Keychain • Android Intents • Violation of convention or common practice • Unintentional Misuse • Misunderstanding documentation • Wrong implementations ​Insecure implementation of native security features
Mobile SDK • Open source • Specific security training program for developers • Code reviews part of the SDLC • Security reviews • In house • Independent 3rd parties • Scanners • Bug bounty program ​Taking advantage of all security layers
M2 – Insecure Data Storage
M2 – Insecure Data Storage • Explicit storage • Credentials / OAuth tokens • Personal data • Preferences • Logs • Automatic storage • Temp files • Cache data • Leaks • Logs • Debugging information • Crashes • Analytics • Caches • Unique urls • Requests/Responses containing sensitive data • Images ​Leaving traces behind App Sandbox External storage Backups Hardcoded data
Mobile SDK • Uses OS provided secure storage for secrets • Encrypts sensitive files in the sandbox • Does not log any sensitive information • Server-side and client-side cache control • Cleanup routines for logged out users ​No trace App Sandbox External storage Backups Hardcoded data
M3 – Insecure Communication
M3 – Insecure Communication • HTTP • No confidentiality • HTTPS • Version? • Cipher suites? • Enforced? • Mixed content • Certificates • Self-signed • Mismatched hostnames • Other protocols • Bluetooth, NFC, etc. ​Eavesdropping
Mobile SDK • Uses HTTPS only • Deprecates retired/vulnerable cipher suites and versions (server side) • Accepts only trusted certificates ​Properly encrypted communications
M4 – Insecure Authentication
M4 – Insecure Authentication • Vulnerable APIs • No authentication • Poor entropy in tokens • Weaker authentication than Web version • Password/Token stored insecurely • No revocation ​Who am I?
Mobile SDK • Uses standard protocols • Oauth 2.0 • No passwords are stored • Session token stored securely • Token revocation • Inactivity logout ​You are who you claim to be
M5 – Insufficient Cryptography
M5 – Insufficient Cryptography • ROT-13 isn’t the only insecure means of encrypting • “secret” => “frperg” • AES - advanced encryption standard • Secure, but that security depends on • Key length • Cipher mode • Others • Lots of ways to mess up • So what can you do? ​Weak protection for your secrets
Mobile SDK encryption support • AES - CBC • Secure keys • Created using native PRNG • 256 bits • Unique per installation • Stored in native secure storage • Or derived from PIN using PBKDF2 • SmartStore • Based on SQLCipher • Secure storage without crypto knowledge ​Crypto following standards and best practices
M6 – Insecure Authorization
M6 – Insecure Authorization • Insecure Direct Object Reference (IDOR) vulnerabilities • User role / Permission transmission • Hidden endpoints • Client side checks ​What can I do?
Mobile SDK • Clear User roles and permission model • Permission checks on every request • Based on session ID • Checks only server side • Use of public and documented APIs • Security reviews • In house • Independent 3rd parties • Scanners • Bug bounty program ​You can only do what you are supposed to
M7 – Poor Code Quality
M7 – Poor Code Quality • Good developers but limited security knowledge • Buffer overflows • Format string vulnerabilities • XSS in Webviews • Ignoring best practices • No code reviews ​Insecure coding practices
Mobile SDK • Open source • Specific security training program for developers • Code reviews part of the SDLC • Security reviews • In house • Independent 3rd parties • Scanners • Bug bounty program ​Following best practices
M8 – Code Tampering
M8 – Code Tampering • Attacker modifies binary file • Applies specially to games • Cheats • Free resources • Etc. ​Binary manipulation
Mobile SDK • Mobile SDK is open source • No gain from real-time manipulation • Compatible with MDM • Add additional restrictions ​Not applicable
M9 – Reverse Engineering
M9 – Reverse Engineering • Binary extraction from the device • Or download binary directly from online store • Decrypt/Decompress • String analysis, binary protections • Decompile • Source code analysis • Disassembly • Reverse engineering • Debugging / Real time manipulation ​Protecting binaries
Mobile SDK • Security though obscurity • Highly discouraged by the industry • Mobile SDK is open source • The more eyes looking at it, the better! • Mobile SDK uses public/documented APIs • No secrets in • How it is built • How it works • How it provides security • Bug bounty • Ethical hackers are welcome! ​No need to reverse anything!
M10 – Extraneous Functionality
M10 – Extraneous Functionality • Hidden menus • “Legit” back doors • Debug flags • Test code • Comments including sensitive information in webviews ​Finding edge cases
Mobile SDK • Open source • Rigorous deployment cycle • 3rd party reviews ​Transparent
Conclusions
Conclusions • Open source platform • Active project • Provides secure storage through encryption • Enforces secure communication • Provides easy authentication and authorization ​What is the Mobile SDK in terms of security? • Uses platform-specific security mechanisms • Follows best practices and secure coding guidelines • It is constantly reviewed by security engineers • Goes through independent security audits • In scope in our Bug Bounty program
Security @ Dreamforce ​Find the “Salesforce Security” booth in Developer Forest ​Salesforce Security Booth & Developer Sessions Information
Creating secure apps using the salesforce mobile sdk

Recommended

Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M85h1vang
 
Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014n|u - The Open Security Community
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet5h1vang
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksSantosh Satam
 
Understanding passwordless technologies
Understanding passwordless technologiesUnderstanding passwordless technologies
Understanding passwordless technologiesDavid Strom
 
Login cat tekmonks - v3
Login cat tekmonks - v3Login cat tekmonks - v3
Login cat tekmonks - v3TEKMONKS
 

Recommended

Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M85h1vang
 
Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014n|u - The Open Security Community
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet5h1vang
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksSantosh Satam
 
Understanding passwordless technologies
Understanding passwordless technologiesUnderstanding passwordless technologies
Understanding passwordless technologiesDavid Strom
 
Login cat tekmonks - v3
Login cat tekmonks - v3Login cat tekmonks - v3
Login cat tekmonks - v3TEKMONKS
 
The use case for Cassandra at Ping Identity
The use case for Cassandra at Ping IdentityThe use case for Cassandra at Ping Identity
The use case for Cassandra at Ping IdentityPing Identity
 
IoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architectureIoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architecturePaul Fremantle
 
Building powerful apps with ArangoDB & KeyLines
Building powerful apps with ArangoDB & KeyLinesBuilding powerful apps with ArangoDB & KeyLines
Building powerful apps with ArangoDB & KeyLinesCambridge Intelligence
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSСергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSKazHackStan
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellPrathan Phongthiproek
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdPawel Rzepa
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10 veerababu penugonda(Mr-IoT)
 
Hacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraHacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraOWASP Delhi
 
Two factor authentication 2018
Two factor authentication 2018Two factor authentication 2018
Two factor authentication 2018Will Adams
 
Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018FrenchTechCentral
 
Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise" Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise" mycroftinc
 
Application Security within Agile
Application Security within AgileApplication Security within Agile
Application Security within AgileNetlight Consulting
 
Top 3 tips for security documentation
Top 3 tips for security documentationTop 3 tips for security documentation
Top 3 tips for security documentationMichael Furman
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor AuthenticationDilip Kr. Jangir
 
Menofia UN -Mobile Security
Menofia UN -Mobile SecurityMenofia UN -Mobile Security
Menofia UN -Mobile SecurityAhmed Samara
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure productMichael Furman
 
Berkarir di Cyber Security
Berkarir di Cyber SecurityBerkarir di Cyber Security
Berkarir di Cyber SecuritySatria Ady Pradana
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014Islam Azeddine Mennouchi
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdfRavi Aggarwal
 

More Related Content

What's hot

The use case for Cassandra at Ping Identity
The use case for Cassandra at Ping IdentityThe use case for Cassandra at Ping Identity
The use case for Cassandra at Ping IdentityPing Identity
 
IoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architectureIoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architecturePaul Fremantle
 
Building powerful apps with ArangoDB & KeyLines
Building powerful apps with ArangoDB & KeyLinesBuilding powerful apps with ArangoDB & KeyLines
Building powerful apps with ArangoDB & KeyLinesCambridge Intelligence
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSСергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSKazHackStan
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdPawel Rzepa
 
Hacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraHacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraOWASP Delhi
 
Two factor authentication 2018
Two factor authentication 2018Two factor authentication 2018
Two factor authentication 2018Will Adams
 
Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018FrenchTechCentral
 
Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise" Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise" mycroftinc
 
Application Security within Agile
Application Security within AgileApplication Security within Agile
Application Security within AgileNetlight Consulting
 
Top 3 tips for security documentation
Top 3 tips for security documentationTop 3 tips for security documentation
Top 3 tips for security documentationMichael Furman
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor AuthenticationDilip Kr. Jangir
 
Menofia UN -Mobile Security
Menofia UN -Mobile SecurityMenofia UN -Mobile Security
Menofia UN -Mobile SecurityAhmed Samara
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure productMichael Furman
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 

What's hot (20)

The use case for Cassandra at Ping Identity
The use case for Cassandra at Ping IdentityThe use case for Cassandra at Ping Identity
The use case for Cassandra at Ping Identity
 
IoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architectureIoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architecture
 
Building powerful apps with ArangoDB & KeyLines
Building powerful apps with ArangoDB & KeyLinesBuilding powerful apps with ArangoDB & KeyLines
Building powerful apps with ArangoDB & KeyLines
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSСергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A Nutshell
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opd
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10
 
Hacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh MishraHacking & Securing of iOS Apps by Saurabh Mishra
Hacking & Securing of iOS Apps by Saurabh Mishra
 
Two factor authentication 2018
Two factor authentication 2018Two factor authentication 2018
Two factor authentication 2018
 
Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018
 
Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise" Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise"
 
Application Security within Agile
Application Security within AgileApplication Security within Agile
Application Security within Agile
 
Top 3 tips for security documentation
Top 3 tips for security documentationTop 3 tips for security documentation
Top 3 tips for security documentation
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
 
Menofia UN -Mobile Security
Menofia UN -Mobile SecurityMenofia UN -Mobile Security
Menofia UN -Mobile Security
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure product
 
Berkarir di Cyber Security
Berkarir di Cyber SecurityBerkarir di Cyber Security
Berkarir di Cyber Security
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 

Similar to Creating secure apps using the salesforce mobile sdk

iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdfRavi Aggarwal
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
How to create a secure IoT device
How to create a secure IoT deviceHow to create a secure IoT device
How to create a secure IoT deviceAbhijeet Rane
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Sina Manavi
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best PracticesRedBlackTree
 
Runtime Analysis on Mobile Applications (February 2017)
Runtime Analysis on Mobile Applications (February 2017)Runtime Analysis on Mobile Applications (February 2017)
Runtime Analysis on Mobile Applications (February 2017)Sandeep Jayashankar
 
Indianapolis Splunk User Group Dec 22
Indianapolis Splunk User Group Dec 22Indianapolis Splunk User Group Dec 22
Indianapolis Splunk User Group Dec 22WesComer2
 
Iot secure connected devices indicthreads
Iot secure connected devices indicthreadsIot secure connected devices indicthreads
Iot secure connected devices indicthreadsIndicThreads
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Open source iam value, benefits, and risks
Open source iam value, benefits, and risksOpen source iam value, benefits, and risks
Open source iam value, benefits, and risksWSO2
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngSecurity Bootcamp
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 

Similar to Creating secure apps using the salesforce mobile sdk (20)

OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
How to create a secure IoT device
How to create a secure IoT deviceHow to create a secure IoT device
How to create a secure IoT device
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best Practices
 
Runtime Analysis on Mobile Applications (February 2017)
Runtime Analysis on Mobile Applications (February 2017)Runtime Analysis on Mobile Applications (February 2017)
Runtime Analysis on Mobile Applications (February 2017)
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Indianapolis Splunk User Group Dec 22
Indianapolis Splunk User Group Dec 22Indianapolis Splunk User Group Dec 22
Indianapolis Splunk User Group Dec 22
 
Iot secure connected devices indicthreads
Iot secure connected devices indicthreadsIot secure connected devices indicthreads
Iot secure connected devices indicthreads
 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile apps
 
Smartphone security issues
Smartphone security issuesSmartphone security issues
Smartphone security issues
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Open source iam value, benefits, and risks
Open source iam value, benefits, and risksOpen source iam value, benefits, and risks
Open source iam value, benefits, and risks
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 

More from Martin Vigo

Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsMartin Vigo
 
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsMartin Vigo
 
From email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approachFrom email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approachMartin Vigo
 
Ransombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch smsRansombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch smsMartin Vigo
 
Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsMartin Vigo
 
Mobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLiMobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLiMartin Vigo
 
Building secure mobile apps
Building secure mobile appsBuilding secure mobile apps
Building secure mobile appsMartin Vigo
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKMartin Vigo
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsMartin Vigo
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Martin Vigo
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolMartin Vigo
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolMartin Vigo
 

More from Martin Vigo (13)

Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
 
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
 
From email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approachFrom email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approach
 
Ransombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch smsRansombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch sms
 
Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systems
 
Mobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLiMobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLi
 
Building secure mobile apps
Building secure mobile appsBuilding secure mobile apps
Building secure mobile apps
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDK
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
 

Recently uploaded

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Recently uploaded (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

Creating secure apps using the salesforce mobile sdk

  • 1. Creating Secure Apps Using The Salesforce Mobile SDK mvigo@salesforce.com, @martin_vigo ​Martin Vigo, Senior Product Security Engineer jkinser@salesforce.com ​Jesse Kinser, Senior Product Security Engineer
  • 2. ​Senior Product Security Eng. ​mvigo@salesforce.com ​Senior Product Security Eng. ​jkinser@salesforce.com Martin Vigo Jesse Kinser Speakers
  • 4. Native vs Hybrid • File system / Insecure storage • Network communication • Crypto • Clipboard • Backups • RPC, URL scheme handlers ​Threats • XSS • CSRF • SQLi • Input validation • Output encoding • Application logic flaws
  • 5. OWASP Mobile Top 10 ​2016 version
  • 6. M1 - Improper Platform Usage
  • 7. M1 - Improper Platform Usage • Violation of published guidelines • iOS Keychain • Android Intents • Violation of convention or common practice • Unintentional Misuse • Misunderstanding documentation • Wrong implementations ​Insecure implementation of native security features
  • 8. Mobile SDK • Open source • Specific security training program for developers • Code reviews part of the SDLC • Security reviews • In house • Independent 3rd parties • Scanners • Bug bounty program ​Taking advantage of all security layers
  • 9. M2 – Insecure Data Storage
  • 10. M2 – Insecure Data Storage • Explicit storage • Credentials / OAuth tokens • Personal data • Preferences • Logs • Automatic storage • Temp files • Cache data • Leaks • Logs • Debugging information • Crashes • Analytics • Caches • Unique urls • Requests/Responses containing sensitive data • Images ​Leaving traces behind App Sandbox External storage Backups Hardcoded data
  • 11. Mobile SDK • Uses OS provided secure storage for secrets • Encrypts sensitive files in the sandbox • Does not log any sensitive information • Server-side and client-side cache control • Cleanup routines for logged out users ​No trace App Sandbox External storage Backups Hardcoded data
  • 12. M3 – Insecure Communication
  • 13. M3 – Insecure Communication • HTTP • No confidentiality • HTTPS • Version? • Cipher suites? • Enforced? • Mixed content • Certificates • Self-signed • Mismatched hostnames • Other protocols • Bluetooth, NFC, etc. ​Eavesdropping
  • 14. Mobile SDK • Uses HTTPS only • Deprecates retired/vulnerable cipher suites and versions (server side) • Accepts only trusted certificates ​Properly encrypted communications
  • 15. M4 – Insecure Authentication
  • 16. M4 – Insecure Authentication • Vulnerable APIs • No authentication • Poor entropy in tokens • Weaker authentication than Web version • Password/Token stored insecurely • No revocation ​Who am I?
  • 17. Mobile SDK • Uses standard protocols • Oauth 2.0 • No passwords are stored • Session token stored securely • Token revocation • Inactivity logout ​You are who you claim to be
  • 18. M5 – Insufficient Cryptography
  • 19. M5 – Insufficient Cryptography • ROT-13 isn’t the only insecure means of encrypting • “secret” => “frperg” • AES - advanced encryption standard • Secure, but that security depends on • Key length • Cipher mode • Others • Lots of ways to mess up • So what can you do? ​Weak protection for your secrets
  • 20. Mobile SDK encryption support • AES - CBC • Secure keys • Created using native PRNG • 256 bits • Unique per installation • Stored in native secure storage • Or derived from PIN using PBKDF2 • SmartStore • Based on SQLCipher • Secure storage without crypto knowledge ​Crypto following standards and best practices
  • 21. M6 – Insecure Authorization
  • 22. M6 – Insecure Authorization • Insecure Direct Object Reference (IDOR) vulnerabilities • User role / Permission transmission • Hidden endpoints • Client side checks ​What can I do?
  • 23. Mobile SDK • Clear User roles and permission model • Permission checks on every request • Based on session ID • Checks only server side • Use of public and documented APIs • Security reviews • In house • Independent 3rd parties • Scanners • Bug bounty program ​You can only do what you are supposed to
  • 24. M7 – Poor Code Quality
  • 25. M7 – Poor Code Quality • Good developers but limited security knowledge • Buffer overflows • Format string vulnerabilities • XSS in Webviews • Ignoring best practices • No code reviews ​Insecure coding practices
  • 26. Mobile SDK • Open source • Specific security training program for developers • Code reviews part of the SDLC • Security reviews • In house • Independent 3rd parties • Scanners • Bug bounty program ​Following best practices
  • 27. M8 – Code Tampering
  • 28. M8 – Code Tampering • Attacker modifies binary file • Applies specially to games • Cheats • Free resources • Etc. ​Binary manipulation
  • 29. Mobile SDK • Mobile SDK is open source • No gain from real-time manipulation • Compatible with MDM • Add additional restrictions ​Not applicable
  • 30. M9 – Reverse Engineering
  • 31. M9 – Reverse Engineering • Binary extraction from the device • Or download binary directly from online store • Decrypt/Decompress • String analysis, binary protections • Decompile • Source code analysis • Disassembly • Reverse engineering • Debugging / Real time manipulation ​Protecting binaries
  • 32. Mobile SDK • Security though obscurity • Highly discouraged by the industry • Mobile SDK is open source • The more eyes looking at it, the better! • Mobile SDK uses public/documented APIs • No secrets in • How it is built • How it works • How it provides security • Bug bounty • Ethical hackers are welcome! ​No need to reverse anything!
  • 33. M10 – Extraneous Functionality
  • 34. M10 – Extraneous Functionality • Hidden menus • “Legit” back doors • Debug flags • Test code • Comments including sensitive information in webviews ​Finding edge cases
  • 35. Mobile SDK • Open source • Rigorous deployment cycle • 3rd party reviews ​Transparent
  • 37. Conclusions • Open source platform • Active project • Provides secure storage through encryption • Enforces secure communication • Provides easy authentication and authorization ​What is the Mobile SDK in terms of security? • Uses platform-specific security mechanisms • Follows best practices and secure coding guidelines • It is constantly reviewed by security engineers • Goes through independent security audits • In scope in our Bug Bounty program
  • 38. Security @ Dreamforce ​Find the “Salesforce Security” booth in Developer Forest ​Salesforce Security Booth & Developer Sessions Information