
Removing Secrets to Make Your Mobile Apps More MASVS-Secure

2023-02-16

Authors: Skip Hovsmith


Summary

The speaker proposes an architecture for securing applications by moving all secrets off the app and into the cloud, minimizing the amount of functionality in the app, and delegating security decisions to an outside entity.
  • Observing and detecting information in an application is important for security
  • Secrets should not be hard-coded into the application
  • Minimizing functionality in the app reduces impact on the application
  • Delegating security decisions to an outside entity is more secure
  • The proposed architecture involves an app authentication service that makes security decisions and returns a JWT to the app
  • The SDK installed in the app only contains measurement capabilities
  • The JWT is added to networking calls to authenticate the app
The speaker uses the example of user authentication to illustrate the need for delegating security decisions to an outside entity and minimizing functionality in the app. Just as user authentication is delegated to an outside entity through OAuth, the proposed architecture moves all secrets off the app and into the cloud, reducing the impact on the app and making it easier to update security functionality.
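A sketch of the flow summarized above, as an added example that is not code from the talk or from any product: the cloud service decides from the SDK's measurement and issues a short-lived JWT, and the API backend verifies it on each call. The HS256 algorithm, the `App-Token` header name, the key, and the measurement allow-list are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: HS256 key shared only by the attestation service and the API
# backend. It never ships inside the app package. Constructed demo values.
SERVICE_KEY = b"constructed-demo-key-not-for-production"
KNOWN_GOOD = {"constructed-measurement-of-release-build"}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    mac = hmac.new(SERVICE_KEY, signing_input.encode(), hashlib.sha256)
    return b64(mac.digest())

def attest(measurement: str, now: float, ttl: int = 300):
    """Cloud side: the security decision is made here, not in the app."""
    if measurement not in KNOWN_GOOD:
        return None
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64(json.dumps({"exp": int(now) + ttl}).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{sign(signing_input)}"

def backend_accepts(headers: dict, now: float) -> bool:
    """API side: accept the call only with a valid, unexpired app token."""
    token = headers.get("App-Token", "")  # header name is an assumption
    try:
        header_b64, payload_b64, sig = token.split(".")
        header = json.loads(unb64(header_b64))
        claims = json.loads(unb64(payload_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        return False
    expected = sign(f"{header_b64}.{payload_b64}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    exp = claims.get("exp")
    return isinstance(exp, int) and now < exp

if __name__ == "__main__":
    t = time.time()
    token = attest("constructed-measurement-of-release-build", t)
    print(backend_accepts({"App-Token": token}, t))
```

The app only relays the measurement and the token, so a copy of the app package contains nothing that can mint or extend a token.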

Abstract

Secrets and credentials are hardcoded in mobile app packages, saved in persistent storage, exposed in API calls, and mistakenly left in project repos. Mobile has become the easiest place for hackers to steal what they need to abuse your APIs and backend services. It might seem odd that removing secrets from your apps improves your platform security, but not only is it safer, it lets your operations team centrally manage your credentials and security policies on the fly. In this session, you'll learn how to combine mobile app attestation techniques with cloud-based credential services and channel hardening to ensure secrets are never at rest inside your apps. These techniques are fully compatible with your existing API protocols and integrate easily into your app's networking stack. We'll demonstrate and then blunt common static analysis, rooting, instrumentation framework, and man-in-the-middle attacks, showing how this approach meets many of the defense-in-depth and resiliency (L2+R) levels of the MASVS mobile app security verification standard.
