Is your mobile app as secure as you think? Matt Lacey @mrlacey

Upload: matt-lacey

Post on 12-Jul-2015


TRANSCRIPT

Is your mobile app as secure as you think?

Matt Lacey@mrlacey

Cross promotion network for Windows Phone and Windows Store apps and games. Advertise before you monetize. Register using promo code NDCL14

http://gapingvoid.com/

Who am I?

http://gapingvoid.com/

http://gapingvoid.com/

Who are you?

∙ App creators

∙ iOS/Android/Windows/Other

∙ Native/Hybrid

∙ Client apps

OWASP

(The Open Web Application Security Project) Organisation, formed in 2001, with the core aim to “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.”

OWASP Mobile Security Project - Top 10 Mobile Risks

https://www.google.co.uk/#q=define:+security

Threat of what?

∙ Identity theft

∙ Fraud

∙ Reputation damage

∙ External Policy Violation (e.g. PCI compliance)

∙ Losses (IP or money/business)

How secure?

secure insecure

Do we really need to care?

https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html

http://threatpost.com/critical-android-fakeid-bug-allows-attackers-to-impersonate-trusted-apps

http://mobilephonedevelopment.com/archives/1813

http://blog.trendmicro.com/trendlabs-security-intelligence/the-severe-flaw-found-in-certain-file-locker-apps/

http://wmpoweruser.com/latest-android-zero-day-hack-will-make-you-glad-you-have-a-windows-phone/

http://www.cert.org/blogs/certcc/post.cfm?EntryID=204

http://www.mobileindustryreview.com/2014/08/finextra-ibm-uncovers-android-banking-vulnerability-consumers-turned-off-by-security-fears.html

http://www.finextra.com/news/fullstory.aspx?newsitemid=26342

http://arstechnica.com/security/2014/09/android-browser-flaw-a-privacy-disaster-for-half-of-android-users/

http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html

http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/

http://bas.bosschert.nl/steal-whatsapp-database/

http://blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/

https://daoyuan14.github.io/news/newattackvector.html

http://www.slashgear.com/gmail-other-android-apps-hacked-with-92-success-rate-22342456/

http://www.zdnet.com/hundreds-of-android-apps-open-to-ssl-linked-intercept-fail-7000033365/

http://www.windowscentral.com/snapchat-clamping-down-3rd-parties-locks-accounts

http://www.cultofmac.com/304401/ubers-android-app-literally-malware/

http://www.huffingtonpost.com/sam-fiorella/the-insidiousness-of-face_b_4365645.html

http://www.zdnet.com/2014-the-year-everyones-security-took-a-hit-7000036224/

Do we really need to care?

http://gapingvoid.com/

Hack Yourself First

“… advocates building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them.”

Pluralsight screenshot

http://gapingvoid.com/

M1 - Weak Server Side Controls

Exploitability: EASY   Impact: SEVERE

Prevalence: COMMON   Detectability: AVERAGE

Web API ≈ Website

OWASP Top Ten (2013 Edition)


Weak Server Side Controls

Issues

- Biggest threat surface

- Underpins everything

Actions

- Prioritize

- Review

M2 - Insecure Data Storage

Exploitability: EASY   Impact: SEVERE

Prevalence: COMMON   Detectability: EASY

What data?

• Usernames

• Authentication tokens

• Passwords

• Cookies

• Location data

• UDID/IMEI, Device Name, Network Connection Name

• Personal Information: DoB, Address, Social, Credit Card Data

• Application Data:

  • Stored application logs

  • Debug information

  • Cached application messages

  • Transaction histories

  • Tokens or secrets

Where stored?

• SQLite databases

• Log Files

• Plist Files

• XML Data Stores or Manifest Files

• Binary data stores

• Cookie stores

• SD Card

• Cloud synced

• Temp files

• Cache

Insecure Data Storage

Issues

- Easy access to [potentially] sensitive information

Actions

- Don’t store what isn’t absolutely necessary

- Secure what you store: ProtectedData, CommonCrypto, SQLCipher, !NSUserDefaults, !NSManagedObjects, setStorageEncryption, javax.crypto

M3 - Insufficient Transport Layer Protection

Exploitability: DIFFICULT   Impact: MODERATE

Prevalence: COMMON   Detectability: EASY

http://googlewebmastercentral.blogspot.co.uk/2014/08/https-as-ranking-signal.html

http://msdn.microsoft.com/en-us/library/windows/apps/xaml/Hh464985(v=win.10).aspx

https://developer.android.com/training/articles/security-ssl.html

https://developer.apple.com/library/ios/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/SecureNetworking/SecureNetworking.html

Insufficient Transport Layer Protection

Issues

- Eavesdropping, leading to data loss, impersonation, privacy issues, etc.

- Reverse engineering of API / IP

Actions

- Always SSL: trusted CA; long keys

- All connections: your servers and other people's

- Verify the signature

- Encrypt sensitive information before sending

- setAllowsAnyHttpCertificate + connection:willSendRequestForAuthenticationChallenge

- Say NO to org.apache.http.conn.ssl.AllowAllHostnameVerifier or SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER
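The two "say no" items above have the same shape on every platform: certificate or hostname verification is switched off on the client's TLS context. The Python example below is added here and is not from the talk; it shows the standard-library ssl module's equivalent of those toggles, beside a small audit function a reviewer can run over any context the app builds. The finding wording is my own.

```python
import ssl
from typing import List


def make_client_context(verify: bool = True) -> ssl.SSLContext:
    """Build the TLS context a client would hand to its HTTP library.

    verify=True is the setting to ship: the chain is checked against the
    platform's trusted CAs and the server name must match the certificate.
    verify=False reproduces the "allow any certificate / any hostname"
    shortcut (the ssl-module equivalent of ALLOW_ALL_HOSTNAME_VERIFIER or
    setAllowsAnyHttpCertificate); it is kept here only so it can be detected.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1 peers
    if not verify:
        # Order matters: check_hostname must be cleared before CERT_NONE is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the transport weaknesses present in a context; an empty list means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2")
    return findings


if __name__ == "__main__":
    for verify in (True, False):
        problems = audit_context(make_client_context(verify))
        print("verify=%s -> %s" % (verify, problems or "no findings"))
```

The audit only looks at the client's own configuration; it says nothing about the server's key length or CA, which have to be checked on the server side.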

M4 - Unintended Data Leakage

Exploitability: EASY   Impact: SEVERE

Prevalence: COMMON   Detectability: EASY

PARTYPARTYPARTY

Ad providers

http://REDACTED.com/LogAdClick?hostAppId=22099&installationId=4d52233531d145859d0943a70cc428da&controlVersion=2.7.0.2.beta&isTest=False&deviceManufacturer=NOKIA&deviceName=RM-821_eu_euro1_276&deviceFirmwareVersion=1232.2109.1242.10 01&deviceHardwareVersion=1.0.0.0&osPlatform=WinCE&osVersion=8.0.9903.0&devPlatform=XAML&deviceId=&userId=&culture=en-GB&uiCulture=en-GB&mobileOperator=EE&connectionType=&scaleFactor=100&adType=&textAdId=0

http://techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/

https://shkspr.mobi/blog/2014/10/privacy-and-security-flaw-with-cab/

https://shkspr.mobi/blog/2014/11/why-are-virginmedia-hijacking-my-http-connections/

https://support.twitter.com/articles/20172069-what-is-app-graph-on-twitter

On device too

• Temp files

• Cached request

• Key press caches

• Clipboard

• Memory buffers

• Html/browser caches

• Error report logs in emails

Unintended Data Leakage

Issues

- Data loss and privacy issues

Actions

- Check 3rd party controls and services

- Check what you put on disk

M5 - Poor Authorization and Authentication

Exploitability: EASY   Impact: SEVERE

Prevalence: COMMON   Detectability: EASY

“The value provided for the new password does not meet the length complexity or history requirements of the domain”

First Obligatory XKCD comic - http://xkcd.com/936/

https://flic.kr/p/ccpNdS

REQUEST

POST http://www.naughtybank.com/p/logon HTTP/1.1

device-id: 094618F99-036C5B8A3-064CF990B

device-type: HP Z220 SFF Workstation-OS8.1

encrypt: N

Content-Type: application/json; charset=utf-8

Content-Length: 45

{"username":"mrlacey","password":"P4ssw0rd!"}

RESPONSE

HTTP/1.1 200 OK

Content-Length: 164

Set-Cookie: value1=REDACTED; Expires=Wed, 08-Dec-15 14:07:03 GMT; Path=/

Set-Cookie: Value2=REDACTED; Expires=Wed, 08-Dec-15 14:07:03 GMT; Path=/

Set-Cookie: JSESSIONID=0000F22fVkgbL9uis1Xh0N539uY:17XXX4XXXX; Path=/; Secure; HttpOnly

Content-Type: application/json; charset=UTF-8

{"logonInfo":{"mail":"[email protected]","givenName":"Matt","lastName":"Lacey","username":"mrlacey","moduleList":[],"applicationAllowedFlg":true,"ldapPassFlg":true}}

Some modifications made - to protect the guilty!
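Everything wrong with that exchange can be spotted mechanically from the capture itself. The checker below is an added Python example and not part of the talk: it parses the request and response as shown (the same redacted values are embedded as a constructed sample) and reports the plain-HTTP logon, the app's own encrypt: N header, and each cookie-flag problem. The finding codes are my own, and what the encrypt header means to that app is an assumption.

```python
import json
from typing import List, Tuple

# The logon exchange from the slides, with the same redactions applied
# (constructed sample for this checker; 'encrypt' is the app's own header).
SAMPLE_REQUEST = (
    "POST http://www.naughtybank.com/p/logon HTTP/1.1\n"
    "device-id: 094618F99-036C5B8A3-064CF990B\n"
    "device-type: HP Z220 SFF Workstation-OS8.1\n"
    "encrypt: N\n"
    "Content-Type: application/json; charset=utf-8\n"
    "Content-Length: 45\n"
    "\n"
    '{"username":"mrlacey","password":"P4ssw0rd!"}'
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\n"
    "Content-Length: 164\n"
    "Set-Cookie: value1=REDACTED; Expires=Wed, 08-Dec-15 14:07:03 GMT; Path=/\n"
    "Set-Cookie: Value2=REDACTED; Expires=Wed, 08-Dec-15 14:07:03 GMT; Path=/\n"
    "Set-Cookie: JSESSIONID=REDACTED; Path=/; Secure; HttpOnly\n"
    "Content-Type: application/json; charset=UTF-8\n"
    "\n"
    '{"logonInfo":{"mail":"REDACTED","givenName":"Matt","lastName":"Lacey",'
    '"username":"mrlacey","moduleList":[],"applicationAllowedFlg":true,"ldapPassFlg":true}}'
)

CREDENTIAL_FIELDS = ("password", "passwd", "pin", "secret", "otp")


def parse_message(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP message into start line, lower-cased (name, value) headers and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_attributes(set_cookie: str) -> Tuple[str, List[str]]:
    """Return (cookie name, lower-cased attribute list) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    return parts[0].split("=", 1)[0], [p.lower() for p in parts[1:]]


def audit_logon(request: str, response: str) -> List[str]:
    """Report transport and cookie problems in a captured logon exchange."""
    findings = []
    start, req_headers, req_body = parse_message(request)
    target = start.split()[1]
    # Proxy captures use the absolute form, so the scheme is visible in the start line.
    scheme = target.split("://", 1)[0].lower() if "://" in target else ""

    try:
        fields = json.loads(req_body)
    except ValueError:
        fields = {}
    if not isinstance(fields, dict):
        fields = {}
    exposed = [k for k in fields if k.lower() in CREDENTIAL_FIELDS]
    if scheme == "http":
        findings.append("PLAIN_HTTP: logon posted over http://, readable fields: %s"
                        % (", ".join(exposed) or "none recognised"))
    for name, value in req_headers:
        if name == "encrypt" and value.upper() == "N":
            findings.append("NO_APP_ENCRYPTION: the app's own 'encrypt' header is set to N")

    _, resp_headers, _ = parse_message(response)
    for name, value in resp_headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if "secure" not in attrs:
            findings.append("COOKIE_NOT_SECURE: %s can be sent over plain HTTP" % cookie)
        elif scheme == "http":
            findings.append("SECURE_COOKIE_OVER_HTTP: %s is marked Secure but was issued "
                            "on a plain-HTTP exchange, so it never protects this channel" % cookie)
        if "httponly" not in attrs:
            findings.append("COOKIE_NOT_HTTPONLY: %s is readable from script" % cookie)
    return findings


if __name__ == "__main__":
    for line in audit_logon(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(line)
```

Run against the sample it reports seven findings; switching the request to https:// removes only the two transport findings, which is the point: the cookie flags are a server-side fix on their own.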


AYFKM?

E F F I N G

G E E !

Poor Authorization and Authentication

Issues

- User privacy; unauthorised access; fraud; data theft

Actions

- Ensure doing on server AND device

- Don’t store on devices

- Limit attempts

- Beware replay attempts

- Use server for really sensitive data

- Device specific

- As complex as backend

- Beware persistence

M6 - Broken Cryptography

Exploitability: EASY   Impact: SEVERE

Prevalence: COMMON   Detectability: EASY

Broken Cryptography

Issues

- Privacy Violations

- Information Theft

- Code Theft

- Intellectual Property Theft

- Reputational Damage

Actions

- Don’t write own

- Salt hashes

- Check not using something deemed broken

- Don’t rely on built in device encryption of code

M7 - Client Side Injection

Exploitability: EASY   Impact: MODERATE

Prevalence: COMMON   Detectability: EASY

Second Obligatory XKCD comic - http://xkcd.com/327/

Injection

SQL

JavaScript

Files

Intents

String

(NS & C)

Indirect

output

Client Side Injection

Issues

- Data loss

- Reputation damage

- System stability

Actions

- Parameterize queries

- Validate input

- Use browser, not embedded if can

- NSFileManager

- webview.getSettings().setAllowFileAccess(false);

- NSLog, [NSString stringWithFormat:], [NSString initWithFormat:], [NSMutableString appendFormat:], [NSAlert informativeTextWithFormat:], [NSPredicate predicateWithFormat:], [NSException format:], NSRunAlertPanel

- strcat, strcpy, strncat, strncpy, sprintf, vsprintf, gets, etc.
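"Parameterize queries" and "validate input" are two separate layers, and the comic above is what happens without the first one. The Python example below is added here and is not from the talk: it puts the vulnerable string-built query beside the parameterized form against the same in-memory SQLite table (constructed sample rows), then adds shape validation in front of the bound query. The table, rows and owner-name rule are my own.

```python
import re
import sqlite3
from typing import List

OWNER_RE = re.compile(r"[a-z0-9_]{1,32}")   # what a legitimate owner name looks like


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice's shopping list"),
         ("bob", "bob's private note"),
         ("carol", "carol's draft")],
    )
    conn.commit()
    return conn


def notes_for_owner_unsafe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """VULNERABLE: the value is pasted into the SQL text, so quotes in it rewrite the query."""
    query = "SELECT body FROM notes WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(query)]


def notes_for_owner(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Parameterized: the driver binds `owner` as a value; it can never become SQL."""
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def notes_for_owner_checked(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Validate the input's shape first, then bind. Both layers, not one or the other."""
    if OWNER_RE.fullmatch(owner) is None:
        raise ValueError("owner name rejected")
    return notes_for_owner(conn, owner)


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"          # the classic shape from the comic, used as a test input
    print(notes_for_owner_unsafe(db, probe))   # every row comes back
    print(notes_for_owner(db, probe))          # [] - no owner is literally called that
```

The same two functions are the model for the other sinks listed above: anything that builds a format string, a file path or an intent from user input needs the input treated as a value, not as part of the template.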

M8 - Security Decisions Via Untrusted Inputs

Exploitability: EASY   Impact: SEVERE

Prevalence: COMMON   Detectability: EASY

http://www.bbc.co.uk/news/technology-29427767

Security Decisions Via Untrusted Inputs

Issues

- User privacy

- Unauthorised access

- Fraud

- Information Theft

- Business Interruption

Actions

- ! handleOpenURL openURL:sourceApplication:annotation

- Whitelist callers and actions
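A URL-scheme handler is the usual place where an app lets somebody else's input make a security decision. The Python example below is added here and is not from the talk; it models the checks an openURL:sourceApplication:annotation: style handler should make: the scheme, the calling app, the action and its parameters are each checked against an allowlist, and anything privileged is simply not reachable from a URL. The scheme name, caller identifier and action table are hypothetical.

```python
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Hypothetical values for this example: the app's own scheme, the only app allowed
# to drive it, and the actions a URL may trigger. None of these are from the talk.
APP_SCHEME = "exampleapp"
ALLOWED_CALLERS = {"com.example.companion"}
ITEM_ID_RE = re.compile(r"[0-9]{1,12}")


def show_item(params: Dict[str, str]) -> str:
    item_id = params.get("id", "")
    if ITEM_ID_RE.fullmatch(item_id) is None:
        raise ValueError("bad item id")
    return "showing item %s" % item_id


def open_search(params: Dict[str, str]) -> str:
    query = params.get("q", "")[:100]       # bound the length; display only
    return "searching for %r" % query


# Only read-only, user-visible actions are reachable from a URL. Anything that moves
# money, changes settings or logs the user in is deliberately absent from this table.
ACTIONS: Dict[str, Callable[[Dict[str, str]], str]] = {
    "item": show_item,
    "search": open_search,
}


def handle_open_url(url: str, source_app: Optional[str]) -> Tuple[bool, str]:
    """Return (handled, message). Every branch that says no is a decision the app
    takes for itself, not one delegated to whoever built the URL."""
    parts = urlsplit(url)
    if parts.scheme != APP_SCHEME:
        return False, "ignored: wrong scheme"
    if source_app not in ALLOWED_CALLERS:      # None (unknown caller) is refused too
        return False, "ignored: caller %r is not allowed" % source_app
    action = ACTIONS.get(parts.netloc)         # exampleapp://item?id=42 -> netloc 'item'
    if action is None:
        return False, "ignored: unknown action %r" % parts.netloc
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    try:
        return True, action(params)
    except ValueError as exc:
        return False, "rejected: %s" % exc


if __name__ == "__main__":
    print(handle_open_url("exampleapp://item?id=42", "com.example.companion"))
    print(handle_open_url("exampleapp://transfer?to=somebody", "com.example.companion"))
```

On iOS the source application can be absent; the handler treats that as an unknown caller rather than as a reason to relax the check.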

M9 - Improper Session Handling

Exploitability: EASY   Impact: SEVERE

Prevalence: COMMON   Detectability: EASY

Recommended

timeout guidelines

• 15 mins for high security applications

• 30 mins for medium security applications

• 1 hour for low security applications

Improper Session Handling

Issues

- Data loss

- User privacy

- Unauthorised access

- Fraud

- Information Theft

- Business Interruption

Actions

- Invalidate on server

- Timeout

- Don’t reuse tokens

- Rotate cookies

- Generate tokens securely

- Detect attacks
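The six actions above fit in one small server-side session table. The Python example below is added here and is not from the talk: tokens come from the OS random source, idle expiry follows the timeout guideline above per security level, rotation retires the old token, logout invalidates on the server regardless of what the device still holds, and a counter of unknown tokens gives the "detect attacks" item something to alert on. The clock is injectable so the expiry logic can be tested without waiting; the store, the level names and the counter are my own design.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Idle timeouts from the guideline above, in seconds.
IDLE_TIMEOUT = {"high": 15 * 60, "medium": 30 * 60, "low": 60 * 60}


@dataclass
class Session:
    user: str
    level: str
    last_seen: float


class SessionStore:
    """Server-side session table. The clock is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self.rejected = 0   # unknown tokens presented; a spike here is worth alerting on

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter or timestamp

    def create(self, user: str, level: str = "high") -> str:
        token = self._new_token()
        self._sessions[token] = Session(user, level, self._clock())
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Map a presented token to a user, or None. Expired sessions are removed here,
        so a token the client 'forgot' to discard stops working on the server too."""
        session = self._sessions.get(token)
        if session is None:
            self.rejected += 1
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT[session.level]:
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token (after login or a privilege change) and retire the old one."""
        session = self._sessions.pop(token, None)
        if session is None:
            self.rejected += 1
            return None
        new_token = self._new_token()
        self._sessions[new_token] = Session(session.user, session.level, self._clock())
        return new_token

    def invalidate(self, token: str) -> None:
        """Logout: forget the session on the server, whatever the device still holds."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("mrlacey", "high")
    print(store.resolve(token))      # mrlacey
    store.invalidate(token)
    print(store.resolve(token))      # None
```

Rotation is what makes "don't reuse tokens" enforceable: a token captured before the rotation is dead afterwards, and the rejected counter records the attempt.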

M10 - Lack of Binary Protections

Exploitability: MEDIUM   Impact: SEVERE

Prevalence: COMMON   Detectability: EASY

Lack of Binary Protections

Issues

- Loss of IP

- Loss of secrets

Actions

- Consider obfuscation (ProGuard)

- Sign and strong name

- Tamper detection

In summary

∙ Hack yourself first

∙ Keep security in mind

∙ https://www.owasp.org/index.php/Mobile

∙ Defence in depth, not obscurity

∙ Feedback

∙ @mrlacey