Monday night, Director of Research highlighted key trends in Android and iOS security in 2016 and participated in a panel discussion during Security by Design’s event “iOS and Android Security – Differences You Need to Know” in McLean, VA.
Security by Design educates developers about secure development practices by connecting them with security experts at Meetups and other events such as the Security by Design 2016 Conference coming up on October 28. is a sponsor and shares the group’s mission to make sure security isn’t an afterthought and help developers think about security throughout the development process.
David set the stage for the panel discussion with a presentation covering platform security developments over the past year in both Android and iOS, highlighting developments in Android Nougat and iOS 10, and how those changes foreshadow where each OS is headed and how developers can prepare themselves.
The goal wasn’t to cover the entirety of Android and iOS security developments of the past year but instead focus on those items most relevant to developers. Overall, David highlighted trends suggesting that in general Apple is opening up a little bit while Android is locking down, but both are making progress in improving the security of data.
In particular, many attendees were surprised to learn that Apple intends to fully enforce its App Transport Security (ATS) feature by the end of the year. David had performed a quick static analysis of the top 50 free apps on the Apple App Store and Google Play focusing on ATS and network policy information and shared his findings.
Top 50 free iOS apps:
Top 50 free Android apps:
Here’s a list of links to resources relevant to or mentioned by David during his talk:
The panel then discussed a number of good security habits – for example, not relying on security by obscurity. Specifically, a question was asked about incidents whereby attackers insert ad libraries into apps available on the Apple App Store or Google Play, repackage them, and then make them available on third-party markets.
The question was whether code obfuscation made it any more difficult for someone to repackage and release their own version of an app. Attendees learned that obscuring the app’s code doesn’t do much to mitigate this risk. However adding sanity checks within the app’s code to verify it was signed by the right certificate can help, but it won’t necessarily prevent repackaging.
From there the conversation moved into how and whether to obfuscate one’s application. Obfuscation can make it more difficult for someone to understand the inner-workings of an app, but not so much that you break your app. Static analysis tools can apply heuristics about the type of obfuscation applied to the application. Using obfuscation to hide a password or private key in an application isn’t a good idea. David’s thought on the topic was that ideally, a developer won’t rely on hiding how their app works with obfuscation and instead make the app fundamentally secure and tested.
In the end, panelists agreed that how fast the platforms are evolving and adding security features very quickly, and it can be a challenge for developers to keep up. Though on the bright side, over time some things that had to be done manually are being made a bit easier to opt-into thanks to new APIs and other measures.