Software Security Goes Mobile

BW8 Session, 6/5/2013, 2:15 PM. "Software Security Goes Mobile", presented by Erik Costlow, HP Enterprise Security Products. Brought to you by SQE: 340 Corporate Way, Suite 300, Orange Park, FL 32073, 888-268-8770, 904-278-0524, [email protected], www.sqe.com


DESCRIPTION

Erik Costlow says that, as more and more business is transacted on mobile platforms, securing the applications and data that run on them is a business imperative. Developers and their managers are asked to make key decisions regarding data caching, authorized permissions, authentication requirements on the backend, and safe coding practices—all of which contribute to the protection of their organization’s intellectual property. However, hackers have taken advantage of a knowledge gap to develop creative attacks against mobile applications. Becoming more common is “intent spoofing” in which hackers write a special application that targets an existing app on the Android platform and directs it to take malicious actions. Erik guides you through the steps you can take—use of two-factor authentication, code analysis, and obfuscation—to protect your intellectual property and your customers’ data against these and other potential threats.

TRANSCRIPT

 

 


Erik Costlow HP Enterprise Security

Product manager for HP’s Enterprise Security group, Erik Costlow is responsible for product strategy, working closely with customers as well as development, sales, and marketing teams. He has contributed to industry best practices including OpenSAMM. Previously, Erik worked as a software security consultant for Fortify Software (acquired by HP). His projects there included designing and leading a security static analysis project at a large financial services firm, designing a project plan to guide developers of externally-facing applications across three continents, and preparing for a 2013 implementation of twenty key application security controls affecting 15,000 developers globally, across seven functional lines of business.

 

SOFTWARE SECURITY GOES MOBILE

Erik Costlow, Product Manager, [email protected]

• Suite of software security products.
  – Help builders create secure software.
  – Help buyers procure secure software.
  – Help operators run software securely.

About this presentation

What it is:
• Risks of building mobile apps
• Some examples

What it isn’t:
• Sky is falling
• Talk about viruses/malware
• Platform A better than B
• Code in PowerPoint

Intentionally dated. Not going to disclose 0‐days.

Agenda

1. Motivation
2. Landscape
3. Mobile Threats
4. Things to keep in mind

1. MOTIVATION

Smartphones outpacing PCs and Laptops

[Chart: share of Smartphones, Laptops and Desktops, 2005 through 2013E, y‐axis 0% to 100%]

Source: Morgan Stanley Research

Mobile Purchasers

[Chart: $ per purchase and % of purchasers; about $300/year per user]

*Not just “bought an app”

Source: Google The Mobile Movement Study

Mobile threats and malware

Threats to your own apps:
• Coding errors/omissions allow compromise/theft
• Someone injects malware into your app and redistributes it
• Steal credentials, commit fraud

In 2012:
• 100% of the Top 100 Android apps were found cracked and available on third‐party sites.
• 92% of the Top 100 Apple iOS apps were found cracked and available on third‐party sites.

Source: Arxan’s State of Security in the App Economy

FTC held public forum yesterday, June 4th

2. MOBILE LANDSCAPE

What is Mobile?

[Diagram: a device running an OS, with a connection to a server]

Familiar model

[Diagram: a browser on a device, talking to servers]

Example: Many mobile applications can be written for browsers and cross‐compiled: Apache Cordova/PhoneGap, Sencha Touch, etc.

Same old server

[Diagram: Information, Security Services, Operations, Software]

Client‐side persistence

Local data persistence, similar to HTML 5.

[Example of locally stored form data: name “Alex”, password “******”, ID “321‐15‐5124”]

Invisible to users and always available.

Mobile OS

Benefit of hindsight

Security features:
- Read‐only stack
- Data encryption
- Permissions

Confusing:
- Wait, permissions?

Who cares about permissions?

Free app of the day 2/14

More people hated this than bothered to rate it.

Can’t we all just get along?

Formal communication:
- Inter‐application
- Intra‐application
- With the OS

A new trust boundary

What matters?

Old:
• Handling sensitive user and app data
• Environment and configuration
• Standbys like XSS and SQL Injection

New:
• Local storage (e.g. SD card)
• Communication (SMS, MMS, GPS)
• Security features (privileges, crypto)
• Increased risk of device loss

Who cares?

• App Owners
• App Developers
• Device Builders
• OS Authors
• Network Providers
• Users

3. MOBILE THREATS

Mobile Threats

• Shoot yourself in the foot
  1. Intent Hijacking
  2. Intent Spoofing
  3. Insecure network communication
  4. Promiscuous Privileges

• Outrun the bear
  1. Increased risk of loss
  2. Effective authentication

Effects on app developers

• Other apps monitor yours
• Other apps communicate inside yours
• Negative reviews from permissions
• Leverage permissions of other apps
• Etc.

Criminals in the audience today?

Intent Hijacking

Description: Malicious app intercepts an intent bound for another app to compromise data or alter behavior.

Cause: Implicit intents (do not require strong permissions to receive)

Fix: Explicit intents and receiver permissions

Intent Hijacking – Expected Action

[Diagram: the IMDb App sends an implicit intent with action willUpdateShowtimes; the ShowtimeSearch Results UI handles the actions willUpdateShowtimes and showtimesNoLocationError]

Intent Hijacking – In the wild

IMDB Application. User wants to get showtimes:
• willUpdateShowtimes
• showtimesNoLocationError

Examples are intentionally dated.

Intent Hijacking – Illustrated Example

[Diagram: the IMDb App sends an implicit intent with action willUpdateShowtimes. Both the ShowtimeSearch Results UI and a MaliciousReceiver in an eavesdropping app declare that they handle the actions willUpdateShowtimes and showtimesNoLocationError, so either one can receive it]

Intent Spoofing

Description: Malicious app spoofs a legitimate intent to inject data or alter behavior.

Cause: Public components (necessary to receive implicit intents)

Fix: Explicit intents and receiver permissions; sensitive operations in private components

Intent Spoofing – Illustrated Example

[Diagram: a malicious component in a spoofing app sends an intent with action showtimesNoLocationError; the IMDb App's ShowtimeSearch Results UI handles the actions willUpdateShowtimes and showtimesNoLocationError, so it accepts the spoofed intent]

Intent Spoofing – In the wild

How to execute:
• Monitor other intents.
• Look at replies.
• Malicious app offers other replies.

Examples are intentionally dated.
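The fix the hijacking and spoofing slides prescribe (explicit intents, receiver permissions, sensitive work in private components), shown as an added example that is not code from the talk. The package, permission and class names are assumed for illustration; the action strings are the ones on the slides.

```java
// Added example, not from the talk: the hijack-prone implicit broadcast next to the
// hardened form. Package, permission and class names are assumed for illustration.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class ShowtimeIntents {
    static final String ACTION_WILL_UPDATE = "willUpdateShowtimes";
    static final String ACTION_NO_LOCATION = "showtimesNoLocationError";
    // Declared in the manifest with android:protectionLevel="signature" (assumed name):
    //   <permission android:name="com.example.showtimes.RECEIVE" android:protectionLevel="signature"/>
    static final String PERMISSION_RECEIVE = "com.example.showtimes.RECEIVE";

    // VULNERABLE: implicit intent, no target component, no permission. Every installed
    // app whose <intent-filter> lists willUpdateShowtimes gets a copy (hijacking).
    static void sendShowtimesImplicit(Context ctx, String showtimes) {
        Intent i = new Intent(ACTION_WILL_UPDATE);
        i.putExtra("showtimes", showtimes);
        ctx.sendBroadcast(i);
    }

    // HARDENED: name the receiving component explicitly and require a permission.
    // setClass keeps delivery inside this app; the permission argument means only a
    // holder of PERMISSION_RECEIVE (same signing key) can receive the broadcast.
    static void sendShowtimesExplicit(Context ctx, String showtimes) {
        Intent i = new Intent(ACTION_WILL_UPDATE);
        i.setClass(ctx, ShowtimeResultsReceiver.class);
        i.putExtra("showtimes", showtimes);
        ctx.sendBroadcast(i, PERMISSION_RECEIVE);
    }

    // Receiver side, for the spoofing slide. Declared in the manifest as
    //   <receiver android:name=".ShowtimeIntents$ShowtimeResultsReceiver"
    //             android:exported="false" android:permission="com.example.showtimes.RECEIVE"/>
    // exported="false" makes it a private component: a foreign app cannot hand it a
    // forged showtimesNoLocationError; only this app's own explicit intents arrive.
    public static class ShowtimeResultsReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            // Still validate: an action string is data, not proof of origin.
            String action = intent.getAction();
            if (ACTION_WILL_UPDATE.equals(action)) {
                String showtimes = intent.getStringExtra("showtimes");
                if (showtimes != null) { /* update the results UI */ }
            } else if (ACTION_NO_LOCATION.equals(action)) {
                /* show the no-location error */
            }
        }
    }
}
```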

Insecure Network Communication

Description: Unencrypted channels can be intercepted by attackers sniffing the network.

Cause: Non‐HTTPS WebView connections

Fix: Send sensitive data only over encrypted channels.

Insecure Network Communication

Twitter: Tweets are sent in the clear


https://freedom‐to‐tinker.com/blog/dwallach/things‐overheard‐wifi‐my‐android‐smartphone

Examples are intentionally dated.

Unencrypted tweets? Who cares.

• Social activist groups.
• Coordinating protests.


Insecure network communication

Facebook: Despite ‘fully encrypted’ option on the Web, mobile app sends in the clear

Examples are intentionally dated.

Ignoring Secure Socket Layer

SSL certificates? Just because it’s mobile doesn’t mean you should ignore them.

Network‐level attacks. Found in popular open source mobile applications:

    ssl_con.setHostnameVerifier(new HostnameVerifier() {
        public boolean verify(String host, SSLSession session) {
            return true;
        }
    });

If CAs are ignored, it is easy to spoof DNS/ARP and make people download other things.
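The trust‐everything verifier from the slide beside a connection setup that keeps the platform's certificate and hostname checks, as an added example (not code from the talk or from any of the applications it mentions). It assumes a plain HttpsURLConnection; the method names are illustrative.

```java
// Added example, not from the talk: the slide's verifier that accepts any host next to
// a hardened setup that leaves the platform's hostname and chain validation in place.
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class TlsConnections {
    // VULNERABLE (as on the slide): every certificate passes the hostname check, so a
    // DNS/ARP spoofer presenting any certificate with a valid chain is accepted.
    static HttpsURLConnection openTrustingEverything(URL url) throws IOException {
        HttpsURLConnection ssl_con = (HttpsURLConnection) url.openConnection();
        ssl_con.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String host, SSLSession session) { return true; }
        });
        return ssl_con;
    }

    // HARDENED: do not replace the verifier. HttpsURLConnection's default verifier
    // already checks that the presented certificate matches the URL host, and the
    // platform trust store validates the chain back to a CA. If a hook is needed,
    // delegate to the default verifier and only ever make the decision stricter.
    static HttpsURLConnection openVerified(URL url) throws IOException {
        HttpsURLConnection ssl_con = (HttpsURLConnection) url.openConnection();
        final HostnameVerifier platformDefault = HttpsURLConnection.getDefaultHostnameVerifier();
        ssl_con.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String host, SSLSession session) {
                // Log mismatches for detection; the verdict is still the platform's.
                boolean ok = platformDefault.verify(host, session);
                if (!ok) {
                    System.err.println("TLS hostname mismatch for " + host
                            + " (peer: " + session.getPeerHost() + ")");
                }
                return ok;
            }
        });
        return ssl_con;
    }
}
```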

Insecure Network Communication 

Telco network (4G, CDMA, etc): fewer people can monitor.
• Telco monitoring
• Government tap
  • US
  • External

Wireless networks: easy to monitor/hijack.
• Easier for you to monitor
  • Wireshark
  • Cain & Abel
• Evil Twin attack

Promiscuous Privileges

Description: Extra permissions permit privilege escalation and desensitize users.

Cause: Deputies, artifacts from testing, confusion (inaccurate/incomplete resources)

Fix: Identify unnecessary permissions

Promiscuous Privileges: Example

[Diagram: the User App wants a picture and sends an implicit intent with action IMAGE_CAPTURE; the Camera App handles the action IMAGE_CAPTURE and takes the picture. The Camera App needs the CAMERA permission; the User App does NOT need it.]
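The deputy pattern from the diagram in code, plus a self‐audit for the "identify unnecessary permissions" fix, as an added example that is not from the talk. The EXPECTED set, the activity and the log tag are assumed for illustration.

```java
// Added example, not from the talk: get a picture through the camera app's
// IMAGE_CAPTURE intent so this app never requests CAMERA, plus a self-audit that
// flags any manifest permission outside the set the app is meant to need.
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.provider.MediaStore;
import android.util.Log;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class PictureActivity extends Activity {
    static final int REQ_PICTURE = 1;
    // Permissions this app is designed to need (assumed for the example).
    static final Set<String> EXPECTED = new HashSet<String>(Arrays.asList(
            "android.permission.INTERNET"));

    // The camera app is the deputy: it holds CAMERA and acts on our request.
    // The result (a thumbnail Bitmap under the "data" extra) arrives in onActivityResult.
    void requestPicture() {
        Intent capture = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
        if (capture.resolveActivity(getPackageManager()) == null) {
            Log.w("perm", "no activity handles IMAGE_CAPTURE");
            return;
        }
        startActivityForResult(capture, REQ_PICTURE);
    }

    // "Fix: identify unnecessary permissions" as a runtime check: list what the
    // manifest really requests (including what ad libraries merged in) and log the rest.
    Set<String> unexpectedPermissions() throws PackageManager.NameNotFoundException {
        PackageInfo info = getPackageManager().getPackageInfo(
                getPackageName(), PackageManager.GET_PERMISSIONS);
        Set<String> unexpected = new HashSet<String>();
        if (info.requestedPermissions != null) {
            for (String p : info.requestedPermissions) {
                if (!EXPECTED.contains(p)) {
                    unexpected.add(p);
                    Log.w("perm", "manifest requests unexpected permission: " + p);
                }
            }
        }
        return unexpected;
    }
}
```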

Misleading training on permissions

Third hit on Google search:
http://stackoverflow.com/questions/2676044/broadcast-intent-when-network-state-has-changend

Not true for android.net.wifi.STATE_CHANGE

Promiscuous Privileges used by malware

You don’t need extra permissions just for ads.

Users can’t tell 3rd party libraries from your app.

Random downloads to your phone: “Five of the 100 identified libraries contain functionality that downloads and runs code from the Internet… In one instance, the team discovered an ad library embedded in several apps which downloaded a .jar file containing code to listen to remote commands and turn the host app into a bot. The team actually reported these discoveries to Google, which quickly removed seven incriminated apps from Google Play.” Android Authority / Boy Genius Report (2012)

Empirical Results: DEFCON ‘11

   Vulnerability Type            % of Apps
1. Intent Hijacking              50%
2. Intent Spoofing               40%
3. Sticky Broadcast Tampering     6%
4. Insecure Storage              28%
5. Insecure Communication        N/A
6. SQL Injection                 17%
7. Promiscuous Privileges        31%

Examples are intentionally dated.

Outrun the bear

Common joke: Three people walk in the woods. A grizzly bear starts to chase. “I don’t have to outrun the bear, I just have to outrun you.”

“I don’t need an ultra‐secure system, I just have to be hard enough to break that people go elsewhere.”

If you haven’t heard this joke before then it’s funny!

Increased risk of loss

Loss
• Somewhat common
• Easier to lose than a desktop

Theft
• Snatch & grab
• Stolen from vehicles

Jan 4 2013, Mountain View CA.“five Apple iPads… No Microsoft products were reported stolen.”

“Cava22, in San Francisco's Mission District, where another unreleased iPhone apparently went missing [July 2011.]”(Credit: James Martin/CNET)

Why does loss/theft matter to application developers?

• Persistent authentication: keep me logged in.
• Does your app use money in any useful way?
  – Transfer money
  – Buy goods
  – Stocks
  – Bitcoins

Maine Firm Sues Bank After $588,000 Cyber Heist. Original ‐> The firm won.

First line of defense (loss/theft)

Lock screen/password
• May not even be present.
• 4 digit PIN == month/year or month/day
• Can be bypassed.
  – Galaxy S3:
    1. On the code entry screen press Emergency Call.
    2. Then press Emergency Contacts.
    3. Press the Home button once.
    4. Just after pressing the Home button press the power button quickly.
    5. If successful, pressing the power button again will bring you to the S3's home screen. (May take ~20 tries or 10 minutes)
  – iPhone had similar issue when adding camera to the lock screen
• Can be recorded.
  – Remember keyloggers?

Second line of defense (loss/theft)

Two factor authentication

• Something you have: the phone
• Something you know: the password

Harder to lose both.

SMS when logging in from an unknown computer: enter this code too. Salesforce does this.

Great advice for high security

“Authenticate the transaction, not the user.”– Bruce Schneier, 2006

Flag risky transactions. Back‐end fraud monitoring: “If a customer from Nebraska signs on from, say, Romania, the bank can determine that the log‐on always be considered suspect.”

Real‐world example:
• US infrastructure company employee outsourced his job to China
• Shipped his “something you have”
  – Or point a webcam at it
• Caught because he worked mostly off‐hours… from China.

Employee watched “Detective Mittens” on YouTube, caught by actual sleuths.

4. THINGS TO KEEP IN MIND

Questions to consider

1. Who is the customer?
   – User or the advertisers?
   – If it’s advertisers, then give them complete power.

2. How do we verify the application?
   – Mobile application is both frontend & backend.
   – Static analysis, dynamic analysis, and/or security incident event monitoring.

3. Do we really use all privileges?
   – Can other apps hijack our privileges?

4. Should transactions continue if someone loses their device?
   – What does my application do?
   – Do actions have real‐world effects?
   – Authenticate the transaction, not the user.

Want to learn more in practice?

Where?
• Security Research Blog
• Vulnerable training applications: iGoat, GoatDroid, WebGoat

AGENDA
1. Motivation
2. Landscape
3. Mobile Threats
4. Things to keep in mind

THANK YOU

SOFTWARE SECURITY GOES MOBILE
Erik Costlow [email protected]