Features

Securing Mobile Applications With a Secure Development Life Cycle Approach

Securing Mobile Applications
Author: Sakthivel Rajendran, CISA, CRISC, CISM, CEH, GMOB
Date Published: 1 May 2017

In today's bring-your-own-device (BYOD) era, the smartphone is one of the preferred mobile devices for accessing enterprise information. Software is a key component of any information technology asset. Smart devices either are embedded with application software or allow users to install software on the devices to add functions that accomplish intended objectives. Applications are therefore critical to mobile devices, and securing these applications from security vulnerabilities and risk is fundamental.1

This article focuses on secure development practices in mobile applications development and suggests a few open-source security tools to perform an application security assessment to strengthen mobile applications.

Web Application Security Issues Lead to Enterprise Breaches

Major information security breaches have occurred in the last few years. Security researchers have closely examined the underlying causes of some of these breaches, and their studies reveal that the security of a web application is of paramount importance alongside enterprise perimeter and gateway-level security.2, 3, 4, 5, 6, 7, 8

An insecure web application can compromise the best enterprise security arrangements and can help adversaries steal data and gain a foothold into the enterprise’s internal network.

Mobile Application Security Issues

The security issues are no different in the case of mobile applications, where the application is downloaded from the Internet (e.g., the Apple App Store or Google Play Store) and installed on the user's device. Like web applications exposed on the Internet, mobile applications installed on BYOD devices are entry points into the enterprise network.

Installed mobile applications, if not adequately protected, can be reverse engineered to recover their source code in human-readable form. Even iOS and Android, the two most popular mobile platforms today, are not immune to the threat of reverse engineering. A few simple steps and widely available (often free) tools make it easy for an attacker to:

  • Extract installed applications from the mobile device
  • Analyze or reverse engineer the code to find vital information, e.g., business logic, the application programming interfaces (APIs) used and embedded internal URLs
  • Modify the code to change application behavior
  • Inject malicious code

Reverse engineering of mobile applications is a security issue that enterprises should consider. Code obfuscation is a well-known technique that makes reverse engineering of mobile applications difficult,9 but this technique is often ignored by the development community. Mobile applications exhibit the following security vulnerabilities:10

  • Lack of privacy considerations
  • Missing binary protection
  • Insecure data storage
  • Transport security
  • Weak server-side controls

Research by two security experts representing different security firms reveals that the mobile banking applications of top influential banks around the world have many common security vulnerabilities.11, 12 These researchers performed their tests on the mobile application (client side) and excluded any server-side testing (back end). The client side represents only a small part of the mobile banking attack surface, because most of the processing happens in the back end. The security issues revealed by the researchers are not business logic or application-specific issues. They are weaknesses in application development, i.e., security tasks that developers should be doing but are not doing.

The mobile applications tested during the research leaked information through insecure coding. For example, these applications were vulnerable to the following:

  • Man-in-the-middle (MitM) attacks
  • Cross-site scripting (XSS) attacks
  • Leakage of sensitive information through system logs
  • Credentials hard-coded in the code
  • Use of non-SSL (Secure Sockets Layer) HTTP to transmit sensitive information between the remote server and the user's device

The researchers' recommendations for improving mobile application security include:13

  • Ensure that all connections between the mobile application and the back-end servers are made over SSL. SSL certificate checks are enforced by the client application to prevent interception and MitM attacks.
  • Protect sensitive data stored on the device (client side) through encryption.
  • Use code obfuscation and anti-debugging tricks to deter attackers from reverse engineering the application binary.
  • Enable the protections that are provided by the mobile operating platform, such as:
    • Automatic Reference Counting (ARC)
    • Position-independent executables
    • Stack protection on the iOS platform
    • Use of the latest software development kit (SDK)
    • Disabling debugging features in the compiled binary
    • Permission hardening for Android applications

Building Security Into Development

Performing application security assessments and incorporating security in the application just prior to the release of the software is not an ideal approach. Remediating the security vulnerabilities in the later stages of the software development life cycle (SDLC) is time consuming and very costly.

The secure development life cycle aims to incorporate security into all phases of software development, from requirements gathering through testing, release and maintenance (figure 1).14, 15

Figure 1. Security in development, shown as a triangle divided into four parts: security monitoring, security assurance, minimizing security vulnerabilities and determining the application risk level

The following sections aim to provide guidance to application development and security personnel for embedding specific information security activities in each phase of the SDLC.

Requirements Gathering

Embedding security in application development begins in the requirements gathering phase. Apart from the business functionality requirements of the software, determine the:

  1. User-specific security requirements expected in the application. These can include confidentiality, integrity, availability and authentication.
  2. Criticality of the data handled by the application and the security requirements for protecting that data
  3. Compliance and regulatory mandates that are applicable to the users, the regions in which the application will be used and the information the application handles
  4. Use and misuse cases from a security perspective
  5. Requirement traceability matrix to map requirements to security risk

Design

In the application design phase, functional requirements are translated into an architecture. It is important to embed security controls for application security during the design phase. Constructing a secure design minimizes the majority of security issues, because code-level issues can later be identified through static analysis or manual code review, whereas automated tools cannot identify design flaws unless threat modeling and architecture review are undertaken.16 Strict adherence to secure design principles greatly improves security.

Recognizing the importance of design in the security of applications, the Institute of Electrical and Electronics Engineers (IEEE) launched the Center for Secure Design (CSD) initiative. The CSD lists the top 10 design flaws and ways to avoid them.17 The CSD's recommendations can provide valuable guidance for the design of applications.

Performing threat modeling and architecture risk analysis of the design gives a measure of how likely it is that the software will be attacked and the extent of damage that an attack could cause. Start the analysis by building a high-level overview of the proposed system; then analyze the design from an attacker's perspective, i.e., look for ways in which the application could be exploited.

Coding

In the coding phase, business/customer/product requirements are converted into the application. The inputs to this phase come from the earlier phases of the SDLC (requirements gathering and design). Developers convert the design documents into functioning software. Incorrect coding leads to software errors, and applying secure coding guidelines in application development can greatly reduce coding errors.

Coding guidelines can be either:

  • Generic, applying to all development environments regardless of the platform chosen to build the application. The Open Web Application Security Project (OWASP) Mobile Security Project18 and the European Union Agency for Network and Information Security (ENISA) Smartphone Secure Development Guidelines19 are generic guidelines.
  • Platform-specific coding guidelines related to a development platform, e.g., Android20 or iOS21

Use of Third-Party Code
Another important consideration during coding is the use of development frameworks and third-party libraries, including open-source components. Today, many applications are assembled out of multiple sets of libraries, most of them open source, allowing developers to focus on core application functionality while relying on third-party code for supporting functions. Although this is beneficial for developing functionality quickly, some security breaches have happened due to vulnerabilities found in the libraries. Examples include the OpenSSL flaw that led to the Heartbleed vulnerability.22

It is recommended to create an inventory of open-source and third-party libraries that are used in the application that is being developed and retain the inventory as part of the development artifacts. Because open source comes from multiple parties and is introduced in the application code by developers from in-house and/or outsourced partners, it is essential that the inventory tracks the open-source component in the code and determines if these components are affected by known vulnerabilities.

One benefit of the open-source inventory is that when a security incident involving any of these libraries occurs, remediation can be very quick, especially when the enterprise has several applications in its portfolio. Lack of information about the open-source components used in applications makes it difficult to initiate remediation activities.23

Another advantage of the open-source inventory is proactive monitoring of vulnerabilities in open-source components by referring to the inventory sheet (figure 2) and taking appropriate corrective action when something undesirable is forthcoming. Heartbleed created a crisis for those who used the OpenSSL cryptographic library in their mobile applications, and updating to the current version was a challenge.24, 25 In circumstances such as this, having an inventory sheet is helpful. The personnel who are responsible for support and maintenance know the details of the applications and can use the inventory sheet to find where the vulnerable component is in use and then plan for remediation.

Figure 2. Sample inventory template for third-party and open-source code
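The lookup that the inventory sheet makes possible, written out as an added example (not the article's template or any vendor tool): a constructed inventory in the spirit of figure 2 is matched against a constructed advisory record for the Heartbleed OpenSSL flaw, so the maintenance team can list exactly which applications need remediation. The component names, versions and the advisory record are all constructed sample data.

```python
import csv
import io
import re

# Constructed sample inventory sheet: one row per third-party component per
# application (assumed columns; the article's figure 2 may use others).
INVENTORY_CSV = """application,component,version,owner
MobileBank-iOS,OpenSSL,1.0.1f,team-ios
MobileBank-Android,OpenSSL,1.0.1g,team-android
FieldSales-Android,OpenSSL,1.0.0m,team-field
FieldSales-Android,okhttp,2.2.0,team-field
"""

# Constructed advisory records. Affected versions are an inclusive range
# [first, last]; Heartbleed affected OpenSSL 1.0.1 through 1.0.1f, and
# 1.0.1g carried the fix. The "id" is a local label, not a CVE number.
ADVISORIES = [
    {"id": "heartbleed", "component": "OpenSSL", "first": "1.0.1", "last": "1.0.1f"},
]


def version_key(version):
    """Turn '1.0.1f' into a comparable tuple: three numeric parts, then a
    letter suffix (a=1, b=2, ...), so that 1.0.1f < 1.0.1g < 1.0.2."""
    parts = re.findall(r"\d+|[a-z]+", version.lower())
    nums = [int(p) for p in parts if p.isdigit()]
    nums += [0] * (3 - len(nums))  # pad '1.0' to (1, 0, 0)
    letters = [p for p in parts if p.isalpha()]
    suffix = (ord(letters[0][0]) - ord("a") + 1) if letters else 0
    return tuple(nums) + (suffix,)


def is_affected(component, version, advisory):
    """True when this inventory row falls inside the advisory's version range."""
    if component.lower() != advisory["component"].lower():
        return False
    key = version_key(version)
    return version_key(advisory["first"]) <= key <= version_key(advisory["last"])


def find_remediation_targets(inventory_csv=INVENTORY_CSV, advisories=ADVISORIES):
    """Return (application, component, version, advisory id) for every row
    that matches a known advisory; this is the list the support team plans from."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for adv in advisories:
            if is_affected(row["component"], row["version"], adv):
                hits.append((row["application"], row["component"], row["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for app, comp, ver, adv in find_remediation_targets():
        print(f"{app}: {comp} {ver} is affected by {adv}; plan remediation")
```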

It is also worthwhile to vet the open-source and third-party libraries. The objective of vetting them is to minimize vulnerabilities, e.g., embedded back doors or other security issues. Securing third-party open-source code can be approached in two ways: by embedding administrative controls and by embedding technical controls throughout the SDLC.

The first approach consists of administrative controls such as policies and procedures. It can include:

  • Developer awareness training to educate how developers inadvertently inherit security risk from open-source components to their application when the third-party code is not validated
  • Audit of any open-source software in use, especially in high-priority applications
  • Creating and maintaining an approved/white-listed set of open-source code and restricting the use of unapproved software. However, white-listing may not be helpful when the volume of applications that an enterprise releases is high and when there is an increased need for the use of third-party code. In such situations, combining the white-listing approach with technical controls can help to strike a good balance.

The second approach consists of technical controls and performing source-code analysis and run-time analysis on the third-party code using automated tools. All third-party code that is used in the application should be subjected to these analyses to make sure that the potential security risk is identified and managed appropriately.

Free tools such as Androwarn,26 LinkedIn's Quick Android Review Kit (QARK),27 FindBugs28 and Facebook Infer29 can be used to analyze the code.

Static Application Security Testing
Running static analysis on the source code early in the life cycle helps to fix code-level bugs before the application is released for general use. Static analysis finds incorrect coding that can potentially cause security risk. The analysis is performed without actually executing the program, and it covers the entire source code or binary. It can be built into the development process and performed early in the software development life cycle.

Developers can be empowered to perform static analysis on their own code and correct incorrect code regularly. Integrating static analysis with continuous integration servers, e.g., Jenkins, minimizes the need for manual intervention, reduces dependency on the security team and fixes bugs that could become security vulnerabilities before they become unmanageable. Security tools such as Androwarn, QARK, FindBugs and Infer can also be used for this analysis.
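To make the static-analysis step concrete, here is an added example (not Androwarn, QARK, FindBugs or Infer, and not code from the article) of the kind of check those tools run: three pattern rules for the coding errors the banking-app research found (hard-coded credentials, sensitive data written to system logs and cleartext HTTP to the back end) applied line by line to a constructed Android source fragment, producing the findings a CI job such as Jenkins would fail the build on. The Java snippet, rule set and hints are all constructed for illustration; real tools use far richer analysis than regular expressions.

```python
import re

# Constructed Android source fragment that contains the three coding errors
# listed above; it is not taken from any real application.
SAMPLE_JAVA = """\
public class LoginClient {
    private static final String API_KEY = "sk_live_CONSTRUCTED_SAMPLE";
    private static final String BASE_URL = "http://bank.example.test/api/";
    void login(String user, String password) {
        Log.d("LoginClient", "password=" + password);
        HttpURLConnection c = (HttpURLConnection) new URL(BASE_URL + "login").openConnection();
    }
}
"""

# Each rule: name, compiled pattern, remediation hint for the developer.
RULES = [
    ("hardcoded-credential",
     re.compile(r'(?i)\b(api_?key|password|secret|token)\b\s*=\s*"[^"]+"'),
     "remove the secret from the binary; fetch it from the back end or secure storage"),
    ("sensitive-data-in-log",
     re.compile(r'\bLog\.[vdiwe]\(.*(?i:password|token|pin|account)'),
     "never write credentials or account data to the system log"),
    ("cleartext-http",
     re.compile(r'"http://'),
     "use https:// and enforce certificate checks in the client"),
]


def scan_source(source=SAMPLE_JAVA, rules=RULES):
    """Return (line_number, rule_name, hint) for every rule hit, in file order.
    An empty list means the source passed this (deliberately small) rule set."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, hint in rules:
            if pattern.search(line):
                findings.append((lineno, name, hint))
    return findings


def build_passes(source=SAMPLE_JAVA, rules=RULES):
    """CI gate: True only when the scan reports nothing."""
    return not scan_source(source, rules)


if __name__ == "__main__":
    for lineno, name, hint in scan_source():
        print(f"line {lineno}: {name}: {hint}")
    raise SystemExit(0 if build_passes() else 1)
```

In a CI pipeline the non-zero exit status is what blocks the merge, so the developer fixes the finding before a security reviewer ever sees it.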

Developer Training
An IT organization striving to deliver secure applications (including mobile) must engage its developers and train them in secure coding practices. Beyond functionality and features, the focus must include delivering applications that are free of security risk.

For example, the Damn Vulnerable iOS Application (DVIA)30 is, as its name suggests, a vulnerable mobile application. The main goal of the application is to introduce developers and security enthusiasts to vulnerabilities in iOS mobile applications, based on the OWASP "Top 10 Mobile Risks."31 Similarly, OWASP GoatDroid provides a training environment for Android developers and testers.

Testing

In the testing phase, it is important to perform security testing alongside quality assurance (QA) testing to continuously integrate security into development. QA assures the quality of the application in delivering the required business functionality. Security testing ensures that the application is handling business information securely.

Dynamic application security testing (DAST), or run-time analysis, is applicable at this phase of the SDLC. Dynamic analysis is performed against a running instance of a program. This test most accurately mimics how a malicious user can attack the application.

As with traditional web application security testing, a mobile application assessment requires a test environment to perform the assessment effectively. However, the security test environment for mobile devices differs, because the assessment involves reviewing multiple components, including how the application behaves when installed on the mobile device.

Setting Up a Mobile Testing Lab
A mobile testing lab requires the following elements:

  • Network connectivity. This environment must be isolated from the corporate or production network. Creating a Wi-Fi hotspot with a 3G/4G data card is also an option. It is important to remember that both the analysis laptop and the device on which the mobile application is installed need to connect to the same network for some of the tests.
  • A Mac or Windows laptop loaded with open-source security software
  • A jailbroken32 device for iOS application security testing (iPhone, iPod or iPad)
  • For Android, the Android SDK and the Eclipse integrated development environment (IDE) to set up an emulator33

Minimum Baseline Security Test Cases
Four major components of the mobile application environment need to be covered in dynamic analysis:

  • The device on which the mobile application is installed
  • The application
  • Network communication between the application and the enterprise server
  • The data handled in the application

When establishing a mobile application security testing capability, it may not be possible to focus on everything. The best approach is to start small and iterate continuously to mature the capability, learning lessons along the way. The OWASP "Top 10 Mobile Risks" can serve as a good starting point for building mobile security test cases. Security professionals involved in application security contribute voluntarily to OWASP, which fairly represents the major security issues with mobile applications.

Alternatively, mobile application security test cases can be built on the five security issues highlighted in the Hewlett-Packard "Mobile Application Security Study" report.34 The security issues identified in the study are a condensed version of the OWASP top 10, because the study's findings map to OWASP's top issues.

Previous security assessment results of applications developed/used in the enterprise are other valuable resources to consult when building the test cases.

Attempting to establish a minimum baseline of security test cases identifies the high-level security objectives. These objectives are unique and relevant to mobile application security, as shown in figure 3.

Figure 3. Security objectives relevant to mobile application security

The next step is to break the security objectives down into actionable security test cases. Mapping the security test cases to security assessment tools is another sub-activity in this effort. Commercial security tools for mobile application assessment may not cover every test scenario. Performing manual testing with some freely available open-source tools can provide reasonable coverage for identifying security risk.

Figures 4 and 5 break the security test objectives down into test cases and map them to security assessment tools for the iOS and Android mobile platforms.

Figure 4. iOS security test cases
Figure 5. Android security test cases

Maintenance

Application security is an ongoing task; it continues to be important even after the application is released for public use. Proactively monitoring security vulnerabilities in platform system software and embedded components, and then initiating incident response and remediation as appropriate, are crucial.

Identifying security vulnerabilities from reputable sources of security information is a continuous cycle. Sources such as software vendor websites, the US National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the MITRE Corporation's Common Vulnerabilities and Exposures (CVE) list are reliable for vulnerability research.

An inventory of all third-party frameworks/APIs used in mobile applications helps in handling security patches. Whenever a vulnerability becomes publicly known, the mobile applications that use the vulnerable third-party APIs/frameworks must receive the corresponding security updates.

Conclusion

Mobile and web applications that handle sensitive, private or other at-risk information require a secure development life cycle. Applications that do not take security into account can lead to unintended privacy breaches. To address application security issues, developers are encouraged to understand the potential risk of each business function, code change and use of third-party frameworks and APIs, while security teams can help to improve application security through training, periodic scanning, ongoing vulnerability assessments and proactive engagement with developers. Incorporating security in all phases of the SDLC, instead of adding it just prior to release of the software, not only benefits the organization from an economic and efficiency perspective but also ensures that the business services are enabled securely.

Author's Note

The views expressed in this article are the author's own and do not in any way represent the position of the author's employer.

Endnotes

1 Research Into Internet Systems LLC, "Top 10 Mobile Security Risks," Decompiling Android, 2014, www.decompilingandroid.com/mobile-app-security/top-10-mobile-security-risks/
2 Tung, L.; "Hackers Access 800,000 Orange Customers' Data," ZDNet, 3 February 2014, www.zdnet.com/article/hackers-access-800000-orange-customers-data/
3 TrustedSec, "CHS Hacked via Heartbleed Vulnerability," TrustedSec Updates, 19 August 2014, www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedsec/
4 Mumsnet Limited, "The Heartbleed Security Breach—And What To Do," Mumsnet, www.mumsnet.com/info/the-heartbleed-security-breach-to-do
5 Paganini, P.; "Vulnerabilities in Alibaba Threatens Security of Million Users," Security Affairs, 11 December 2014, http://securityaffairs.co/wordpress/31028/hacking/vulnerabilities-in-alibaba.html
6 Mai-Duc, C.; "Alibaba Security Flaws Exposed Data on Millions of Users, Analysts Say," Los Angeles Times, 10 December 2014, www.latimes.com/business/technology/la-fi-tn-alibaba-security-breach-20141210-story.html
7 Whittaker, Z.; "Kindle Security Vulnerability Can 'Compromise' Amazon Accounts," ZDNet, 16 September 2014, www.zdnet.com/article/kindle-security-vulnerability-can-compromise-amazon-accounts/
8 Wallop, H.; "eBay Hacking: Online Gangs Are After You," The Telegraph, 23 May 2014, www.telegraph.co.uk/technology/internet-security/10849689/eBay-hacking-online-gangs-are-after-you.html
9 Android Studio, "Shrink Your Code and Resources"
10 Hewlett-Packard Development Company L.P., Mobile Application Security Study, February 2014
11 Sanchez, A.; "Personal Banking Apps Leak Info Through Phone," IOActive, 8 January 2014
12 Higgins, K. J.; "Weak Security in Most Mobile Banking Apps," InformationWeek DarkReading, 12 December 2013, www.darkreading.com/vulnerabilities--threats/weak-security-in-most-mobile-banking-apps/d/d-id/1141054
13 Op cit, Sanchez
14 Microsoft, "What Is the Security Development Lifecycle?," Security Development Lifecycle, www.microsoft.com/en-us/sdl/
15 BSIMM, www.bsimm.com/
16 Sareen, P.; "Updated: After Ola & ZopNow Tech Screw-Ups, This Time Foodpanda Becomes Target of a New Hack for Getting Free Food!!," 10 April 2015, http://inc42.com/buzz/after-ola-zopnow-this-time-foodpanda-becomes-target-of-a-new-hack-for-getting-free-food/
17 IEEE Cybersecurity, "Avoiding the Top 10 Software Security Design Flaws," 13 November 2015, http://cybersecurity.ieee.org/center-for-secure-design/avoiding-the-top-10-security-flaws.html
18 The Open Web Application Security Project, "OWASP Mobile Security Project," 18 July 2016, www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_Testing
19 European Union Agency for Network and Information Security, "Smartphone Secure Development Guidelines," 25 November 2011, www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/smartphone-security-1/smartphone-secure-development-guidelines
20 Android, "Security Tips"
21 Apple Inc., "Introduction to Secure Coding Guide," Mac Developer Library, http://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
22 For more information, see http://heartbleed.com/
23 BlackDuck, "The Future of Open Source Survey," 2016, http://info.blackducksoftware.com/rs/872-OLS-526/images/FOOS_Infographic_Security.pdf
24 Helppi, V.; "What Heartbleed Bug Means to App Developers? Testdroid Has You Covered," Bitbar, 10 April 2014, http://bitbar.com/what-heartbleed-bug-means-to-app-developers-testdroid-has-you-covered/
25 Acharya, S.; "Heartbleed Bug: How to Protect Android Devices," International Business Times, 12 April 2014, www.ibtimes.co.uk/heartbleed-bug-protect-android-devices-1444508
26 GitHub, "Androwarn," http://github.com/maaaaz/androwarn
27 GitHub, "Qark," http://github.com/linkedin/qark
28 GitHub, "FindBugs," http://github.com/findbugs/findbugs
29 GitHub, "Infer," http://github.com/facebook/infer
30 Damn Vulnerable iOS Application (DVIA), http://damnvulnerableiosapp.com/
31 Op cit, OWASP
32 Gianchandani, P.; "iOS Application Security Part 1—Setting Up a Mobile Pentesting Platform," 16 June 2013, http://highaltitudehacks.com/2013/06/16/ios-application-security-part-1-setting-up-a-mobile-pentesting-platform//
33 The Open Web Application Security Project, "SettingupMobileTestingLab," 7 June 2013
34 Op cit, Hewlett-Packard Development Company L.P.

Sakthivel Rajendran, CISA, CRISC, CISM, CEH, GMOB
Is an information security manager in India and works for a large global healthcare company. He has more than 10 years of experience in IT security. His area of focus is the security of emerging technologies. He can be reached at sakthiindian@gmail.com.