SlideShare a Scribd company logo

Secure Salesforce: Hardened Apps with the Mobile SDK

Salesforce Developers
Salesforce Developers

The document discusses the security aspects of Salesforce's Mobile SDK, highlighting risks and best practices for secure app development. It covers topics such as authentication, secure storage, data transmission, and threats such as insecure storage and client-side injection. Additionally, it emphasizes the importance of following secure coding guidelines and using platform-specific security mechanisms.

Technology
1 of 40
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Secure Salesforce: Hardened Apps with the Mobile SDK ​ Martin Vigo ​ Product Security Engineer ​ mvigo@salesforce.com ​ @martin_vigo ​  ​ Max Feldman ​ Product Security Engineer ​ m.feldman@salesforce.com ​ 
​ Safe harbor statement under the Private Securities Litigation Reform Act of 1995: ​ This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward- looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. ​ The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. ​ Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements. Safe Harbor
Slides will be made available after the talk No photos required
Martin Vigo Product Security Engineer @martin_vigo
Max Feldman Product Security Engineer
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks OWASP Top 10
Native VS Hybrid
Native VS Hybrid ​ Overview
•  File system / Insecure storage •  Network communication •  Crypto •  Clipboard •  Backups •  RPC, URL scheme handlers •  XSS •  CSRF •  SQLi •  Input validation •  Output encoding •  Application logic flaws Native VS Hybrid ​ Threats
Binary Protections/Server Side Controls
•  Binary protections •  Best practice •  Security through obscurity •  Server side controls •  Our servers take care of this •  The SDK will talk to our APIs Not applicable Binary Protections/Server Side Controls
Insecure Storage
•  Explicit storage •  Credentials / OAuth tokens •  Personal data •  Preferences •  Logs •  Automatic storage •  Temp files •  Cache data Storing secrets the wrong way Insecure Storage App Sandbox External storage Backups Hardcoded data
•  Logs •  Debugging information •  Crashes •  Analytics •  Caches •  Unique urls •  Requests/Responses containing sensitive data •  Images Leaving traces behind Data Leakage
Broken Crypto
•  ROT-13 isn’t the only insecure means of encrypting •  “secret” => “frperg” •  AES - advanced encryption standard •  Secure, but that security depends on •  Key length •  Cipher mode •  Others •  Lots of ways to mess up •  So what can you do? https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_.28ECB.29 Keeping your secrets safe Encryption Original Encrypted with ECB mode
SmartStore Demo Secure storage with the SDK
How to store a secret SmartStore
Bad TLS / Transport Security
•  HTTP? •  No guarantee of confidentiality •  HTTPS •  Which protocol? Which version? Which cipher suites? •  How can this go wrong? •  Handled by our servers automatically •  Certificates •  What will we accept? Self-signed? Mismatched hostnames? •  How can this go wrong? •  The mobile SDK will take care of this Securely transmitting data TLS/Secure Transport
Secure Transport with the SDK Demo The SDK can easily handle secure callouts to Salesforce
How to query Salesforce securely Secure Transport
Client Side Injection
•  Tampering with network traffic •  Bypass validations •  Modify user flow •  Break restrictions •  Tampering with the application logic •  Activities / Intents •  RPC and URL scheme handlers •  Memory Tampering with data locally Client Side Injection
•  Validation / Sanitization must be server side •  Everything can be tampered with client side •  Client side validation is only for usability, not security •  Don’t make security decisions based on client side data Delegating to the server Client Side Injection
Authentication and Authorization Proper access controls
•  Authentication – verify that someone claiming to be “Bob” is indeed “Bob” •  Authorization – verifying that Bob can access only what he should •  No guarantee of confidentiality •  We want a user to be able to login and access their Salesforce data •  But we don’t want every app developer to have the credentials of a Salesforce user •  OAuth allows us to do this •  Only Salesforce sees their credentials •  The mobile SDK makes this easy and accessible Who is who and what can they access Authentication and Authorization
Session Management
•  Sessions must be: •  Unguessable/unpredictable •  Short-lived enough to be secure, long-lived enough to be useful •  Other requirements •  The OAuth flow, sessions, tokens are all managed by our servers •  then stored and managed securely by the SDK https://www.owasp.org/index.php/Session_Management_Cheat_Sheet Session Management
Mobile SDK OAuth Demo The SDK makes OAuth easy
Security Decisions via Untrusted Inputs
•  Malicious apps can try to interact with our app •  We have to verify who is talking to us •  Use whitelists of trusted applications •  Handlers can trigger sensitive actions •  Make the user aware of them •  Don’t perform actions automatically •  Spoofing / Eavesdropping •  Don’t pass any sensitive information •  Malicious payloads •  Always validate IPC input Trusting malicious sources Untrusted Inputs
Conclusion
•  Open source platform •  Active project •  Provides secure storage through encryption •  Enforces secure communication •  Provides easy authentication/authorization •  Uses platform-specific security mechanisms •  Follows best practices and secure coding guidelines Security-wise What is the Mobile SDK?
•  Secure storage and data management •  Use SmartStore •  Secure transport and data transmission •  Use built in SFDC APIs •  Easy and manageable authentication and authorization •  Use SDK’s OAuth handling •  Untrusted inputs •  Salesforce enforces server side validation Recap
•  Mobile SDK - https://developer.salesforce.com/page/Mobile_SDK •  Secure Coding Guidelines - https://developer.salesforce.com/page/Testing_CRUD_and_FLS_Enforcement •  CRUD & FLS Enforcement Guide - https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS •  Salesforce StackExchange - http://salesforce.stackexchange.com/questions/tagged/security •  Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums/#!/feedtype=RECENT&criteria=ALLQUESTIONS •  Security Office Hours (Partners) - http://security.force.com/security/contact/ohours •  Security Implementation Guide - https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/ securityImplGuide/ Additional Resources
Secure Salesforce at Dreamforce 2015 ​  10 DevZone Talks and 2 Lighting Zone Talks covering all aspects of Security on the Salesforce Platform ​  Visit our booth in the DevZone with any security questions ​  Check out the schedule and details at http://bit.ly/DF15Sec ​  Admin-related security questions? ​  Join us for coffee in the Admin Zone Security Cafe
Q&A
Secure Salesforce ​  Code Scanning with Checkmarx ​  Robert Sussland and Gideon Kreiner ​  3:30 pm in Moscone West 2011 ​  Lightning Components Best Practices ​  Robert Sussland and Sergey Gorbaty ​  4:45 pm in Moscone West 2007 ​  Common Secure Coding Mistakes ​  Rachel Black and Alejandro Raigon Munoz ​  5:00 pm in Moscone West 2006 ​  Chimera: External Integration Security ​  Tim Bach and Travis Safford ​  Friday, 9/18 10:00 am in Moscone West 2009
Share Your Feedback, and Win a GoPro! 3 Earn a GoPro prize entry for each completed surveyTap the bell to take a survey2Enroll in a session1

More Related Content

What's hot (20)

PDF
Security Best Practices for Mobile Development
Salesforce Developers
 
PDF
Dreamforce 15 - Platform Encryption for Developers
Peter Chittum
 
POTX
OAuth for Non Developers in Salesforce
Peter Chittum
 
PDF
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
CA Technologies
 
PPTX
OAuth with Salesforce - Demystified
Calvin Noronha
 
PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
PDF
Salesforce Platform Encryption Developer Strategy
Peter Chittum
 
PDF
What’s new in summer’15 release - Security & Compliance
Shesh Kondi
 
PDF
Authentication with OAuth and Connected Apps
Salesforce Developers
 
PDF
Identity As A Service Evaluation, Implementation, Realized Benefits
CA Technologies
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
PPTX
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud
 
PPTX
Integrating The Cloud - How to integrate Salesforce
Roy Gilad
 
PDF
Going Offline with Salesforce1 Mobile SDK
WinWire Technologies Inc
 
PDF
Deep Dive into OAuth for Connected Apps
Salesforce Developers
 
PDF
API Security and OAuth for the Enterprise
CA API Management
 
PPTX
Managing Identities in the World of APIs
Apigee | Google Cloud
 
PPTX
Navi Mumbai Salesforce DUG meetup on integration
Rakesh Gupta
 
PPTX
Privileged Access Management (PAM)
danb02
 
PPTX
Data-driven API Security
Apigee | Google Cloud
 
Security Best Practices for Mobile Development
Salesforce Developers
 
Dreamforce 15 - Platform Encryption for Developers
Peter Chittum
 
OAuth for Non Developers in Salesforce
Peter Chittum
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
CA Technologies
 
OAuth with Salesforce - Demystified
Calvin Noronha
 
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Salesforce Platform Encryption Developer Strategy
Peter Chittum
 
What’s new in summer’15 release - Security & Compliance
Shesh Kondi
 
Authentication with OAuth and Connected Apps
Salesforce Developers
 
Identity As A Service Evaluation, Implementation, Realized Benefits
CA Technologies
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud
 
Integrating The Cloud - How to integrate Salesforce
Roy Gilad
 
Going Offline with Salesforce1 Mobile SDK
WinWire Technologies Inc
 
Deep Dive into OAuth for Connected Apps
Salesforce Developers
 
API Security and OAuth for the Enterprise
CA API Management
 
Managing Identities in the World of APIs
Apigee | Google Cloud
 
Navi Mumbai Salesforce DUG meetup on integration
Rakesh Gupta
 
Privileged Access Management (PAM)
danb02
 
Data-driven API Security
Apigee | Google Cloud
 

Viewers also liked (15)

PPTX
Addressing the OWASP Mobile Security Threats using Xamarin
Alec Tucker
 
PPTX
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...
Marco Furlanetto
 
PDF
Tugas minggu 1
Arif Krisnahadi
 
PPTX
Ques una Taxonomia XBRL
Mario Perez Villeda
 
PPTX
PresentaciĂłn
Abraham Oliva
 
PDF
Ascm powerpoint
Richard Biddulph
 
PDF
Asset Price Bubbles
Sam Rasmussen
 
PDF
El informador renegociaciĂłn del tlcan, sobre la mesa
lucy_revelde89
 
PPTX
Windows Azure 개요
Keon Lee
 
PPTX
Pitch
Raj Pratim Bhattacharya
 
PPTX
Diapositiva informatica android e ios
Maria Gabriela R.
 
PDF
Analisi sperimentale comparativa dell’evolvibilità nei sistemi di evoluzione ...
Danny Tagliapietra
 
PPTX
Azure Architecture Solutions Overview: Part 1
Dzmitry Durasau
 
PDF
Las CampaĂąas Cyber Days - 2016
Jaime Montenegro
 
PDF
Distance measure between two biological sequences
ShwetA Kumari
 
Addressing the OWASP Mobile Security Threats using Xamarin
Alec Tucker
 
Analisi e sviluppo di un algoritmo di pianificazione ordini di una ditta di t...
Marco Furlanetto
 
Tugas minggu 1
Arif Krisnahadi
 
Ques una Taxonomia XBRL
Mario Perez Villeda
 
PresentaciĂłn
Abraham Oliva
 
Ascm powerpoint
Richard Biddulph
 
Asset Price Bubbles
Sam Rasmussen
 
El informador renegociaciĂłn del tlcan, sobre la mesa
lucy_revelde89
 
Windows Azure 개요
Keon Lee
 
Pitch
Raj Pratim Bhattacharya
 
Diapositiva informatica android e ios
Maria Gabriela R.
 
Analisi sperimentale comparativa dell’evolvibilità nei sistemi di evoluzione ...
Danny Tagliapietra
 
Azure Architecture Solutions Overview: Part 1
Dzmitry Durasau
 
Las CampaĂąas Cyber Days - 2016
Jaime Montenegro
 
Distance measure between two biological sequences
ShwetA Kumari
 
Ad

Similar to Secure Salesforce: Hardened Apps with the Mobile SDK (20)

PPTX
Secure Development on the Salesforce Platform - Part 3
Mark Adcock
 
PDF
Building secure mobile apps
Martin Vigo
 
PDF
Secure Salesforce: Lightning Components Best Practices
Salesforce Developers
 
PDF
Secure Salesforce: External App Integrations
Salesforce Developers
 
PDF
Secure Salesforce: Common Secure Coding Mistakes
Salesforce Developers
 
PDF
Developing Offline-Capable Apps with the Salesforce Mobile SDK and SmartStore
Salesforce Developers
 
PPTX
Secure Coding: SSL, SOAP, and REST
Salesforce Developers
 
PPTX
ISV Tech Talk: Distributing Lightning Components
CodeScience
 
PPTX
Introduction to lightning out df16
Mohith Shrivastava
 
PDF
What’s new in summer’15 release - Security & Compliance
Shesh Kondi
 
PDF
How to Become a Security-Minded Admin
Salesforce Admins
 
PDF
Introduction to the Salesforce Security Model
Salesforce Developers
 
POTX
Using the Google SOAP API
Salesforce Developers
 
PPTX
How a PDO Can Help Get You to Market Faster
CodeScience
 
PDF
Salesforce shield & summer 20 release
Devendra Sawant
 
PDF
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
PPTX
Salesforce Identity Management
Jayant Jindal
 
PDF
Salesforce API Series: Integrating Applications with Force.com Webinar
Salesforce Developers
 
PPTX
Building Apps Faster with Lightning and Winter '17
Mark Adcock
 
PPTX
Building apps faster with lightning and winter '17
Salesforce Developers
 
Secure Development on the Salesforce Platform - Part 3
Mark Adcock
 
Building secure mobile apps
Martin Vigo
 
Secure Salesforce: Lightning Components Best Practices
Salesforce Developers
 
Secure Salesforce: External App Integrations
Salesforce Developers
 
Secure Salesforce: Common Secure Coding Mistakes
Salesforce Developers
 
Developing Offline-Capable Apps with the Salesforce Mobile SDK and SmartStore
Salesforce Developers
 
Secure Coding: SSL, SOAP, and REST
Salesforce Developers
 
ISV Tech Talk: Distributing Lightning Components
CodeScience
 
Introduction to lightning out df16
Mohith Shrivastava
 
What’s new in summer’15 release - Security & Compliance
Shesh Kondi
 
How to Become a Security-Minded Admin
Salesforce Admins
 
Introduction to the Salesforce Security Model
Salesforce Developers
 
Using the Google SOAP API
Salesforce Developers
 
How a PDO Can Help Get You to Market Faster
CodeScience
 
Salesforce shield & summer 20 release
Devendra Sawant
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
Salesforce Identity Management
Jayant Jindal
 
Salesforce API Series: Integrating Applications with Force.com Webinar
Salesforce Developers
 
Building Apps Faster with Lightning and Winter '17
Mark Adcock
 
Building apps faster with lightning and winter '17
Salesforce Developers
 
Ad

More from Salesforce Developers (20)

PDF
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Salesforce Developers
 
PDF
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Salesforce Developers
 
PDF
Local development with Open Source Base Components
Salesforce Developers
 
PPTX
TrailheaDX India : Developer Highlights
Salesforce Developers
 
PDF
Why developers shouldn’t miss TrailheaDX India
Salesforce Developers
 
PPTX
CodeLive: Build Lightning Web Components faster with Local Development
Salesforce Developers
 
PPTX
CodeLive: Converting Aura Components to Lightning Web Components
Salesforce Developers
 
PPTX
Enterprise-grade UI with open source Lightning Web Components
Salesforce Developers
 
PPTX
TrailheaDX and Summer '19: Developer Highlights
Salesforce Developers
 
PDF
Live coding with LWC
Salesforce Developers
 
PDF
Lightning web components - Episode 4 : Security and Testing
Salesforce Developers
 
PDF
LWC Episode 3- Component Communication and Aura Interoperability
Salesforce Developers
 
PDF
Lightning web components episode 2- work with salesforce data
Salesforce Developers
 
PDF
Lightning web components - Episode 1 - An Introduction
Salesforce Developers
 
PDF
Migrating CPQ to Advanced Calculator and JSQCP
Salesforce Developers
 
PDF
Scale with Large Data Volumes and Big Objects in Salesforce
Salesforce Developers
 
PDF
Replicate Salesforce Data in Real Time with Change Data Capture
Salesforce Developers
 
PDF
Modern Development with Salesforce DX
Salesforce Developers
 
PDF
Get Into Lightning Flow Development
Salesforce Developers
 
PDF
Integrate CMS Content Into Lightning Communities with CMS Connect
Salesforce Developers
 
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Salesforce Developers
 
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Salesforce Developers
 
Local development with Open Source Base Components
Salesforce Developers
 
TrailheaDX India : Developer Highlights
Salesforce Developers
 
Why developers shouldn’t miss TrailheaDX India
Salesforce Developers
 
CodeLive: Build Lightning Web Components faster with Local Development
Salesforce Developers
 
CodeLive: Converting Aura Components to Lightning Web Components
Salesforce Developers
 
Enterprise-grade UI with open source Lightning Web Components
Salesforce Developers
 
TrailheaDX and Summer '19: Developer Highlights
Salesforce Developers
 
Live coding with LWC
Salesforce Developers
 
Lightning web components - Episode 4 : Security and Testing
Salesforce Developers
 
LWC Episode 3- Component Communication and Aura Interoperability
Salesforce Developers
 
Lightning web components episode 2- work with salesforce data
Salesforce Developers
 
Lightning web components - Episode 1 - An Introduction
Salesforce Developers
 
Migrating CPQ to Advanced Calculator and JSQCP
Salesforce Developers
 
Scale with Large Data Volumes and Big Objects in Salesforce
Salesforce Developers
 
Replicate Salesforce Data in Real Time with Change Data Capture
Salesforce Developers
 
Modern Development with Salesforce DX
Salesforce Developers
 
Get Into Lightning Flow Development
Salesforce Developers
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Salesforce Developers
 

Recently uploaded (20)

PPTX
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
PDF
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
PPTX
The Project Compass - GDG on Campus MSIT
dscmsitkol
 
DOCX
Python coding for beginners !! Start now!#
Rajni Bhardwaj Grover
 
PDF
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
PDF
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PDF
Go Concurrency Real-World Patterns, Pitfalls, and Playground Battles.pdf
Emily Achieng
 
PPTX
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
PDF
Mastering Financial Management in Direct Selling
Epixel MLM Software
 
PPTX
Designing Production-Ready AI Agents
Kunal Rai
 
PDF
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
PDF
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
PDF
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
PDF
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
PDF
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
PPTX
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
PPTX
Future Tech Innovations 2025 – A TechLists Insight
TechLists
 
PPTX
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
DOCX
Cryptography Quiz: test your knowledge of this important security concept.
Rajni Bhardwaj Grover
 
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
The Project Compass - GDG on Campus MSIT
dscmsitkol
 
Python coding for beginners !! Start now!#
Rajni Bhardwaj Grover
 
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
Go Concurrency Real-World Patterns, Pitfalls, and Playground Battles.pdf
Emily Achieng
 
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
Mastering Financial Management in Direct Selling
Epixel MLM Software
 
Designing Production-Ready AI Agents
Kunal Rai
 
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
Future Tech Innovations 2025 – A TechLists Insight
TechLists
 
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
Cryptography Quiz: test your knowledge of this important security concept.
Rajni Bhardwaj Grover
 

Secure Salesforce: Hardened Apps with the Mobile SDK

  • 1. Secure Salesforce: Hardened Apps with the Mobile SDK ​ Martin Vigo ​ Product Security Engineer ​ [email protected] ​ @martin_vigo ​  ​ Max Feldman ​ Product Security Engineer ​ [email protected] ​ 
  • 2. ​ Safe harbor statement under the Private Securities Litigation Reform Act of 1995: ​ This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward- looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other nancial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. ​ The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the nancial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent scal year and in our quarterly report on Form 10-Q for the most recent scal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. ​ Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements. Safe Harbor
  • 3. Slides will be made available after the talk No photos required
  • 4. Martin Vigo Product Security Engineer @martin_vigo
  • 9. •  File system / Insecure storage •  Network communication •  Crypto •  Clipboard •  Backups •  RPC, URL scheme handlers •  XSS •  CSRF •  SQLi •  Input validation •  Output encoding •  Application logic flaws Native VS Hybrid ​ Threats
  • 11. •  Binary protections •  Best practice •  Security through obscurity •  Server side controls •  Our servers take care of this •  The SDK will talk to our APIs Not applicable Binary Protections/Server Side Controls
  • 13. •  Explicit storage •  Credentials / OAuth tokens •  Personal data •  Preferences •  Logs •  Automatic storage •  Temp les •  Cache data Storing secrets the wrong way Insecure Storage App Sandbox External storage Backups Hardcoded data
  • 14. •  Logs •  Debugging information •  Crashes •  Analytics •  Caches •  Unique urls •  Requests/Responses containing sensitive data •  Images Leaving traces behind Data Leakage
  • 16. •  ROT-13 isn’t the only insecure means of encrypting •  “secret” => “frperg” •  AES - advanced encryption standard •  Secure, but that security depends on •  Key length •  Cipher mode •  Others •  Lots of ways to mess up •  So what can you do? https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_.28ECB.29 Keeping your secrets safe Encryption Original Encrypted with ECB mode
  • 18. How to store a secret SmartStore
  • 19. Bad TLS / Transport Security
  • 20. •  HTTP? •  No guarantee of condentiality •  HTTPS •  Which protocol? Which version? Which cipher suites? •  How can this go wrong? •  Handled by our servers automatically •  Certicates •  What will we accept? Self-signed? Mismatched hostnames? •  How can this go wrong? •  The mobile SDK will take care of this Securely transmitting data TLS/Secure Transport
  • 21. Secure Transport with the SDK Demo The SDK can easily handle secure callouts to Salesforce
  • 22. How to query Salesforce securely Secure Transport
  • 24. •  Tampering with network trac •  Bypass validations •  Modify user flow •  Break restrictions •  Tampering with the application logic •  Activities / Intents •  RPC and URL scheme handlers •  Memory Tampering with data locally Client Side Injection
  • 25. •  Validation / Sanitization must be server side •  Everything can be tampered with client side •  Client side validation is only for usability, not security •  Don’t make security decisions based on client side data Delegating to the server Client Side Injection
  • 27. •  Authentication – verify that someone claiming to be “Bob” is indeed “Bob” •  Authorization – verifying that Bob can access only what he should •  No guarantee of condentiality •  We want a user to be able to login and access their Salesforce data •  But we don’t want every app developer to have the credentials of a Salesforce user •  OAuth allows us to do this •  Only Salesforce sees their credentials •  The mobile SDK makes this easy and accessible Who is who and what can they access Authentication and Authorization
  • 29. •  Sessions must be: •  Unguessable/unpredictable •  Short-lived enough to be secure, long-lived enough to be useful •  Other requirements •  The OAuth flow, sessions, tokens are all managed by our servers •  then stored and managed securely by the SDK https://www.owasp.org/index.php/Session_Management_Cheat_Sheet Session Management
  • 30. Mobile SDK OAuth Demo The SDK makes OAuth easy
  • 31. Security Decisions via Untrusted Inputs
  • 32. •  Malicious apps can try to interact with our app •  We have to verify who is talking to us •  Use whitelists of trusted applications •  Handlers can trigger sensitive actions •  Make the user aware of them •  Don’t perform actions automatically •  Spoong / Eavesdropping •  Don’t pass any sensitive information •  Malicious payloads •  Always validate IPC input Trusting malicious sources Untrusted Inputs
  • 34. •  Open source platform •  Active project •  Provides secure storage through encryption •  Enforces secure communication •  Provides easy authentication/authorization •  Uses platform-specic security mechanisms •  Follows best practices and secure coding guidelines Security-wise What is the Mobile SDK?
  • 35. •  Secure storage and data management •  Use SmartStore •  Secure transport and data transmission •  Use built in SFDC APIs •  Easy and manageable authentication and authorization •  Use SDK’s OAuth handling •  Untrusted inputs •  Salesforce enforces server side validation Recap
  • 36. •  Mobile SDK - https://developer.salesforce.com/page/Mobile_SDK •  Secure Coding Guidelines - https://developer.salesforce.com/page/Testing_CRUD_and_FLS_Enforcement •  CRUD & FLS Enforcement Guide - https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS •  Salesforce StackExchange - http://salesforce.stackexchange.com/questions/tagged/security •  Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums/#!/feedtype=RECENT&criteria=ALLQUESTIONS •  Security Oce Hours (Partners) - http://security.force.com/security/contact/ohours •  Security Implementation Guide - https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/ securityImplGuide/ Additional Resources
  • 37. Secure Salesforce at Dreamforce 2015 ​  10 DevZone Talks and 2 Lighting Zone Talks covering all aspects of Security on the Salesforce Platform ​  Visit our booth in the DevZone with any security questions ​  Check out the schedule and details at http://bit.ly/DF15Sec ​  Admin-related security questions? ​  Join us for coffee in the Admin Zone Security Cafe
  • 38. Q&A
  • 39. Secure Salesforce ​  Code Scanning with Checkmarx ​  Robert Sussland and Gideon Kreiner ​  3:30 pm in Moscone West 2011 ​  Lightning Components Best Practices ​  Robert Sussland and Sergey Gorbaty ​  4:45 pm in Moscone West 2007 ​  Common Secure Coding Mistakes ​  Rachel Black and Alejandro Raigon Munoz ​  5:00 pm in Moscone West 2006 ​  Chimera: External Integration Security ​  Tim Bach and Travis Safford ​  Friday, 9/18 10:00 am in Moscone West 2009
  • 40. Share Your Feedback, and Win a GoPro! 3 Earn a GoPro prize entry for each completed surveyTap the bell to take a survey2Enroll in a session1