Mobile Security PitfallsCommon goofs we make and how to avoid them

Ynon Perek

tocode.co.il

ynon@tocode.co.il

You Don’t Need To Be a Hacker

✤ Bug -> Vulnerability -> Exploit

✤ Hackers use exploits

✤ We’ll focus on fixing bugs

Types of Vulnerabilities

Platform

Application ServerCommunicationTechnical

Human Factor

Platform

Need To Protect…

✤ Our own private data

✤ Server

✤ Application secrets

✤ Our user’s private data

Guidelines: Server

✤ Assume Evil Teddy Bear is writing your client app

✤ Now write the server

Common Security Pitfalls - Server

✤ Trusting client application with too much data

✤ Leaving secrets in application source code

✤ Leaving server unprotected

Demo: Tinder Location Bug

Demo: Tinder Location Bug

"birth_date": "1992-06-24T00:00:00.000Z", "gender": 1, "name": "Daisie", "pos": { "lon": -73.9977375759311, "lat": 40.72255556095288 }, "fbId": "185"

And the fix ???

"photos":[ ... ],"id":"52617e698525596018001418","common_friends":[],"common_likes":[ ],"common_like_count":0,"common_friend_count":0,"distance_mi":4.760408451724539

Found Ya!

How I Hacked Your Facebook Photos

Request :-DELETE /518171421550249 HTTP/1.1Host : graph.facebook.comContent-Length: 245access_token=CAACEdEose0cBAABAXPPuULhNCsYZA2cgSbajNEV99ZCHXoNPvp6LqgHmTNYvuNt3e5DD4wZA1eAMflPMCAGKVlaDbJQXPZAWqd3vkaAy9VvQnxyECVD0DYOpWm3we0X3lp6ZB0hlaSDSkbcilmKYLAzQ6ql1ChyViTiSH1ZBvrjZAH3RQoova87KKsGJT3adTVZBaDSIZAYxRzCNtAC0SZCMzKAyCfXXy4RMUZD

Response :-{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}

Now let’s try with FB for Android token …

Request :-DELETE /518171421550249 HTTP/1.1Host : graph.facebook.comContent-Length: 245access_token=<Facebook_for_Android_Access_Token>

Response :-true

Interesting, Now let’s try another album…

Request :-DELETE /518171421550249 HTTP/1.1Host : graph.facebook.comContent-Length: 245access_token=<Facebook_for_Android_Access_Token>

Response :-true

OMG! Album Got Deleted

Bug Bounty Programs

https://hackerone.com/

Getting It Wrong: Parse Todo App

http://code.tutsplus.com/tutorials/getting-started-with-parse--net-28000

Getting It Right: Parse Todo App

http://todolist.parseapp.com/#

And now for the client

Platform

Application ServerCommunicationTechnical

Human Factor

Platform

Guidelines: Client app

✤ Assume phone was hijacked by evil teddy bear

✤ Assume server was hacked by evil teddy bear

✤ Assume all external data is fed in by evil teddy bear

Apple Storing Location Data in iOS4

What makes this issue worse is that the file is unencrypted and unprotected, and it’s on any machine you’ve synched with your iOS device…

http://radar.oreilly.com/2011/04/apple-location-tracking.html

JS Code Injections

Evil Hacker

Honest User

Web Application

(Email)

Send message to honest user

Message includes evil JS code

Why Is It Bad?

✤ PhoneGap apps provide no protection against evil JS

✤ Can use all device capabilities

JS Code Injections - PhoneGap

✤ WiFi network names

✤ QR Code

✤ NFC

✤ SMS

✤ Address Book

✤ iFrames

Communication Layer

Platform

Application ServerCommunicationTechnical

Human Factor

Platform

Guidelines: Communication

✤ Oh no evil teddy bear PWNS the router

✤ Encrypted

✤ Authenticated

✤ Tamper proof

✤ => HTTPS

Remember Firesheep?

Demo: Listening on unencrypted mobile traffic using a proxy

Q & A

Thanks For Listening

✤ Ynon Perek

✤ tocode.co.il

✤ ynon@tocode.co.il