hReader iOS Mobile Application Security Audit

hReader – The secure mobile health platform for all of your data.

Here’s a report from the first publicly released security audit of an iPad app using the open-source security libraries developed by iMAS. This report shows that securing an iOS app isn’t too difficult, that it can greatly improve security without affecting usability, and that the tools are now freely available (at Project iMAS).

iMAS – Defense for your iOS App

iMAS has partnered with hReader to bolster the Apple-provided security model. The developers added iMAS security controls to the application, and the result proved to be a great test-bed and partnership. hReader is a patient-centric mobile health data manager that securely provides patients and their families with their complete health information. To learn more about the application, go to hReader.org or check out their source code.

The hReader Security Audit technical report is now available. The report describes a security audit conducted on hReader in the summer of 2012 and details the resulting measured increase in security compliance along with the labor costs. Based on this, the iMAS community can add measured security to their applications in a cost-effective manner. To read more about this, please read the full report here

iMAS – iOS Mobile Application Security

Now Available!


January 2013

iMAS is a secure iOS application framework research project focused on reducing iOS application vulnerabilities and information loss.


Now Available – iMAS and its first open source static security controls for download and use in iOS applications. Visit and browse our project to find out more; download and give it a try. Once you do, tell us what you think or better yet, get involved and participate!

http://project-imas.github.io/


Details:

iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers; however, many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple-provided security model and to reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution against iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the system passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, and developer and validation tools/techniques. With iMAS, a developer can leverage our research to considerably raise their iOS application’s security level in a measured way.
Principal Investigator: Gregg Ganley
Security Research: Shawn Valle

Android Forensics & Security Testing

This is the publicly released slide deck that accompanies a 1-hour webinar that briefed the security (and anti-security) techniques of the Android operating system and applications.

I developed a course, based on my years of experience with that platform, and shared my learnings at several public and privately hosted events. Here’s a link to the PDF slide deck from an ITEA (International Test & Evaluation Association) webinar that I hosted.

https://www.itea.org/images/webinar/2013/Android_Forensics_and_Security_Testing_Webinar_2013_05_06.pdf

Android Secure App Development Guidance for DoD

Led research and development of a white paper on the technical details of developing Android mobile applications with a focus on data security and software assurance. Leveraged emerging guidance from NIST and DISA for high assurance.

Co-authors: Shawn Valle, Michael Peck

September 30, 2011

Executive Summary

Android applications developed for the US Department of Defense (DoD) are required to go through a workflow process to evaluate and test whether they meet expected Cyber Security and Information Assurance guidelines. Applications that meet the evaluation guidelines can be permitted into the enterprise application market, known as CAPStore, for user distribution. The following documentation identifies the technical requirements and guidance Android application developers should adhere to when developing applications for DoD.

The details within are technical and security focused, and should be made available to software engineers and IA engineers. The material is organized with a logical flow in mind: it focuses initially on application permissions, then on securing code and data, and finally on interaction between multiple applications.

Android Secure Application Development Guidance_Public_Release