Software Security Goes Mobile
DESCRIPTION
Erik Costlow says that, as more and more business is transacted on mobile platforms, securing the applications and data that run on them is a business imperative. Developers and their managers are asked to make key decisions regarding data caching, authorized permissions, authentication requirements on the backend, and safe coding practices—all of which contribute to the protection of their organization’s intellectual property. However, hackers have taken advantage of a knowledge gap to develop creative attacks against mobile applications. Becoming more common is “intent spoofing” in which hackers write a special application that targets an existing app on the Android platform and directs it to take malicious actions. Erik guides you through the steps you can take—use of two-factor authentication, code analysis, and obfuscation—to protect your intellectual property and your customers’ data against these and other potential threats.
TRANSCRIPT
BW8 Session 6/5/2013 2:15 PM
"Software Security Goes Mobile"
Presented by:
Erik Costlow HP Enterprise Security Products
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073 888‐268‐8770 ∙ 904‐278‐0524 ∙ [email protected] ∙ www.sqe.com
Erik Costlow HP Enterprise Security
Product manager for HP’s Enterprise Security group, Erik Costlow is responsible for product strategy, working closely with customers as well as development, sales, and marketing teams. He has contributed to industry best practices including OpenSAMM. Previously, Erik worked as a software security consultant for Fortify Software (acquired by HP). His projects there included designing and leading a security static analysis project at a large financial services firm, designing a project plan to guide developers of externally-facing applications across three continents, and preparing for a 2013 implementation of twenty key application security controls affecting 15,000 developers globally, across seven functional lines of business.
SOFTWARE SECURITY GOES MOBILE
Erik [email protected]
Erik Costlow
Product Manager
• Suite of software security products.
  – Help builders create secure software.
  – Help buyers procure secure software.
  – Help operators run software securely.
About this presentation
What it is:
• Risks of building mobile apps
• Some examples (intentionally dated)
What it isn’t:
• Sky is falling
• Talk about viruses/malware
• Platform A better than B
• Code in PowerPoint
Not going to disclose 0-days.
Agenda
1. Motivation
2. Landscape
3. Mobile Threats
4. Things to keep in mind
1. MOTIVATION
Smartphones outpacing PCs and Laptops
(Chart: share from 0% to 100%, 2005 through 2013E; series: Smartphones, Laptops, Desktops.)
Source: Morgan Stanley Research
Mobile Purchasers
(Chart: dollars spent and percentage of purchasers; $300/year per user.)
Source: Google, The Mobile Movement Study
Mobile threats and malware
Threats to your own apps:
• Coding errors/omissions allow compromise/theft
• Someone injects malware into your app and redistributes it
• Steal credentials, commit fraud
In 2012:
• 100% of the Top 100 Android apps were found cracked and available on third-party sites.
• 92% of the Top 100 Apple iOS apps were found cracked and available on third-party sites.
Source: Arxan’s State of Security in the App Economy
FTC held public forum yesterday, June 4th
2. MOBILE LANDSCAPE
What is Mobile?
(Diagram: a device, with its OS, connected to a server.)
Familiar model
(Diagram: a device running a browser, talking to servers.)
Example: Many mobile applications can be written for browsers and cross‐compiled: Apache Cordova/PhoneGap, Sencha Touch, etc.
Same old server
(Diagram: Information Security Services, Operations, Software.)
Client-side persistence
Local data persistence, similar to HTML 5.
(Screenshot: a locally stored form holding a name, a masked password and a Social Security number.)
Invisible to users and always available
Mobile OS
Benefit of hindsight
Security features
- Read-only stack
- Data encryption
- Permissions
Confusing
- Wait, permissions?
Who cares about permissions?
Free app of the day 2/14
More people hated this than bothered to rate it.
Can’t we all just get along?
Formal communication
- Inter-application
- Intra-application
- With the OS
A new trust boundary
What matters?
Old
• Handling sensitive user and app data
• Environment and configuration
• Standbys like XSS and SQL Injection
New
• Local storage (e.g. SD card)
• Communication (SMS, MMS, GPS)
• Security features (privileges, crypto)
• Increased risk of device loss
Who cares?
App Owners, App Developers, Device Builders, OS Authors, Network Providers, Users
3. MOBILE THREATS
Mobile Threats
• Shoot yourself in the foot
  1. Intent Hijacking
  2. Intent Spoofing
  3. Insecure network communication
  4. Promiscuous Privileges
• Outrun the bear
  1. Increased risk of loss
  2. Effective authentication
Effects on app developers
• Other apps monitor yours
• Other apps communicate inside yours
• Negative reviews from permissions
• Leverage permissions of other apps
• Etc.
Criminals in the audience today?
Intent Hijacking (1 of 4)
Description: Malicious app intercepts an intent bound for another app to compromise data or alter behavior.
Cause: Implicit intents (do not require strong permissions to receive)
Fix: Explicit intents and receiver permissions
Intent Hijacking – Expected Action (1 of 4)
(Diagram: the IMDb App sends an implicit intent with action willUpdateShowtimes; the ShowtimeSearch Results UI handles the actions willUpdateShowtimes and showtimesNoLocationError.)
Intent Hijacking – In the wild (1 of 4)
IMDb Application. User wants to get showtimes:
• willUpdateShowtimes
• showtimesNoLocationError
Examples are intentionally dated.
Intent Hijacking – Illustrated Example (1 of 4)
(Diagram: the IMDb App sends the implicit intent willUpdateShowtimes. Both the ShowtimeSearch Results UI and the MaliciousReceiver of an Eavesdropping App declare that they handle willUpdateShowtimes and showtimesNoLocationError, so the eavesdropping app can receive the intent instead.)
Intent Spoofing (2 of 4)
Description: Malicious app spoofs a legitimate intent to inject data or alter behavior.
Cause: Public components (necessary to receive implicit intents)
Fix: Explicit intents and receiver permissions. Sensitive operations in private components.
Intent Spoofing – Illustrated Example (2 of 4)
(Diagram: the Malicious Component of a Spoofing App sends the action showtimesNoLocationError to the IMDb App’s ShowtimeSearch Results UI, which handles willUpdateShowtimes and showtimesNoLocationError.)
Intent Spoofing – In the wild (2 of 4)
How to execute
• Monitor other intents.
• Look at replies.
• Malicious app offers other replies.
Examples are intentionally dated.
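The two fixes the slides prescribe for intent hijacking and intent spoofing (explicit intents, receiver permissions, sensitive work in private components) applied to the showtime flow, as an added example that is not code from the talk or from the IMDb app; the class, permission and action names are assumptions.

```java
// Added example (not from the talk): the IMDb-style showtime flow hardened
// against intent hijacking and intent spoofing. Class, permission and
// action names are assumptions for illustration.
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;

public class ShowtimeSearch extends Activity {
    // Actions from the slides, namespaced so they cannot collide with other apps.
    static final String ACTION_WILL_UPDATE = "com.example.showtimes.willUpdateShowtimes";
    static final String ACTION_NO_LOCATION = "com.example.showtimes.showtimesNoLocationError";
    // Declared in AndroidManifest.xml (assumed) with protectionLevel="signature",
    // so only apps signed with our key can be granted it.
    static final String PERM = "com.example.showtimes.permission.SHOWTIMES";
    // Hijacking fix: target our own receiver explicitly, so an eavesdropping app
    // that registers a filter for willUpdateShowtimes never receives it; the
    // receiver-permission argument is defence in depth.
    void publishShowtimes(Bundle showtimes) {
        Intent i = new Intent(ACTION_WILL_UPDATE);
        i.setClass(this, ResultsUiReceiver.class);  // explicit, not implicit
        i.putExtras(showtimes);
        sendBroadcast(i, PERM);
    }
    // Spoofing fix: only senders holding PERM reach this receiver, so a spoofing
    // app cannot inject showtimesNoLocationError to alter the UI.
    private final BroadcastReceiver errorReceiver = new BroadcastReceiver() {
        @Override public void onReceive(Context ctx, Intent intent) {
            if (ACTION_NO_LOCATION.equals(intent.getAction())) showLocationError();
        }
    };
    @Override protected void onResume() {
        super.onResume();
        registerReceiver(errorReceiver, new IntentFilter(ACTION_NO_LOCATION), PERM, null);
    }
    @Override protected void onPause() {
        unregisterReceiver(errorReceiver);
        super.onPause();
    }
    void showLocationError() { /* update the results UI */ }
    // Sensitive work stays in a private component: declared in the manifest
    // (assumed) with android:exported="false" so no other app can address it.
    public static class ResultsUiReceiver extends BroadcastReceiver {
        @Override public void onReceive(Context ctx, Intent intent) { /* render showtimes */ }
    }
}
```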
Insecure Network Communication (3 of 4)
Description: Unencrypted channels can be intercepted by attackers sniffing the network.
Cause: Non-HTTPS WebView connections
Fix: Send sensitive data only over encrypted channels.
Insecure Network Communication (3 of 4)
Twitter: Tweets are sent in the clear
https://freedom-to-tinker.com/blog/dwallach/things-overheard-wifi-my-android-smartphone
Examples are intentionally dated.
Unencrypted tweets? Who cares. (3 of 4)
• Social activist groups.
• Coordinating protests.
Insecure network communication (3 of 4)
Facebook: Despite the ‘fully encrypted’ option on the Web, the mobile app sends in the clear.
Examples are intentionally dated.
Ignoring Secure Socket Layer (3 of 4)
SSL certificates? Just because it’s mobile doesn’t mean you should ignore them.
Network-level attacks
Found in popular open source mobile applications:

    // Accepts any hostname, so a certificate issued for a different name is
    // treated as valid for this connection.
    ssl_con.setHostnameVerifier(new HostnameVerifier() {
        public boolean verify(String host, SSLSession session) {
            return true;
        }
    });

If CAs are ignored, easy to spoof DNS/ARP, make people download other things.
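The accept-all verifier from the slide beside a hardened replacement that keeps the platform’s hostname check and logs rejections, as an added example that is not from the talk or from any of the open source apps it refers to; the SecureConnections class and its method names are assumptions.

```java
// Added example (not from the talk): the accept-all verifier from the slide
// beside a hardened replacement. SecureConnections and its method names are
// assumptions for illustration.
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import android.util.Log;

public final class SecureConnections {
    // The pattern found in the wild, kept only for contrast: verify() says yes
    // to any host, so once DNS or ARP is spoofed a certificate issued for some
    // other name passes for api.example.com and the channel can be read.
    static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        public boolean verify(String host, SSLSession session) { return true; }
    };

    // Hardened: keep the platform's default check that the certificate's
    // CN/SAN matches the requested host, and log every rejection so a
    // man-in-the-middle attempt against users leaves evidence.
    static final HostnameVerifier STRICT = new HostnameVerifier() {
        private final HostnameVerifier platform = HttpsURLConnection.getDefaultHostnameVerifier();
        public boolean verify(String host, SSLSession session) {
            boolean ok = platform.verify(host, session);
            if (!ok) Log.w("TLS", "certificate does not match host " + host);
            return ok;
        }
    };

    // Only ever open HTTPS connections for sensitive data, and never install
    // ACCEPT_ALL, not even behind a debug flag that could ship by mistake.
    static HttpsURLConnection open(String url) throws IOException {
        URL u = new URL(url);
        if (!"https".equals(u.getProtocol())) {
            throw new IOException("refusing to send sensitive data over " + u.getProtocol());
        }
        HttpsURLConnection c = (HttpsURLConnection) u.openConnection();
        c.setHostnameVerifier(STRICT);  // per-connection; leave the global default alone
        return c;
    }
}
```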
Insecure Network Communication (3 of 4)
Telco network (4G, CDMA, etc.): fewer people can monitor.
• Telco monitoring
• Government tap
  • US
  • External
Wireless networks: easy to monitor/hijack.
• Easier for you to monitor
  • Wireshark
  • Cain & Abel
• Evil Twin attack
Promiscuous Privileges (4 of 4)
Description: Extra permissions permit privilege escalation and desensitize users.
Cause: Deputies, artifacts from testing, confusion (inaccurate/incomplete resources)
Fix: Identify unnecessary permissions
Promiscuous Privileges: Example (4 of 4)
(Diagram: the User App wants a picture and sends an implicit intent with action IMAGE_CAPTURE; the Camera App handles IMAGE_CAPTURE and takes the picture. The Camera App needs the CAMERA permission; the User App does NOT.)
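The delegation in the diagram in code, plus a self-check for the “identify unnecessary permissions” fix, as an added example that is not from the talk; PictureActivity and its method names are assumptions.

```java
// Added example (not from the talk): the User App from the diagram obtains a
// picture by delegating to the Camera App with an implicit IMAGE_CAPTURE intent,
// so its own manifest needs no CAMERA permission, plus a check that flags a
// leftover CAMERA request. PictureActivity and its methods are assumptions.
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.graphics.Bitmap;
import android.provider.MediaStore;
import java.util.ArrayList;
import java.util.List;

public class PictureActivity extends Activity {
    static final int REQ_PICTURE = 1;
    // The implicit intent is resolved by the OS to an app that handles
    // ACTION_IMAGE_CAPTURE; that app, not ours, holds the CAMERA permission.
    void requestPicture() {
        Intent take = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
        if (take.resolveActivity(getPackageManager()) == null) {
            return;  // no camera app installed; avoid ActivityNotFoundException
        }
        startActivityForResult(take, REQ_PICTURE);
    }
    @Override protected void onActivityResult(int request, int result, Intent data) {
        super.onActivityResult(request, result, data);
        if (request == REQ_PICTURE && result == RESULT_OK && data != null) {
            // The camera app returns a thumbnail under the "data" extra.
            Bitmap thumbnail = (Bitmap) data.getExtras().get("data");
            usePicture(thumbnail);
        }
    }
    void usePicture(Bitmap picture) { /* show or upload the image */ }
    // "Fix: identify unnecessary permissions": returns manifest permissions this
    // app still requests but no longer needs because of the delegation above
    // (here just CAMERA). A startup self-check in debug builds catches testing artifacts.
    List<String> unneededPermissions() throws PackageManager.NameNotFoundException {
        String[] requested = getPackageManager()
                .getPackageInfo(getPackageName(), PackageManager.GET_PERMISSIONS)
                .requestedPermissions;
        List<String> unneeded = new ArrayList<String>();
        if (requested == null) return unneeded;
        for (String p : requested) {
            if (android.Manifest.permission.CAMERA.equals(p)) unneeded.add(p);
        }
        return unneeded;
    }
}
```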
Misleading training on permissions (4 of 4)
• Third hit on Google search: http://stackoverflow.com/questions/2676044/broadcast-intent-when-network-state-has-changend
• Not true for android.net.wifi.STATE_CHANGE
Promiscuous Privileges used by malware (4 of 4)
You don’t need extra permissions just for ads.
Users can’t tell 3rd party libraries from your app.
Random downloads to your phone: “Five of the 100 identified libraries contain functionality that downloads and runs code from the Internet… In one instance, the team discovered an ad library embedded in several apps which downloaded a .jar file containing code to listen to remote commands and turn the host app into a bot. The team actually reported these discoveries to Google, which quickly removed seven incriminated apps from Google Play.”
Android Authority / Boy Genius Report (2012)
Empirical Results: DEFCON ’11
   Vulnerability Type            % of Apps
1. Intent Hijacking              50%
2. Intent Spoofing               40%
3. Sticky Broadcast Tampering     6%
4. Insecure Storage              28%
5. Insecure Communication        N/A
6. SQL Injection                 17%
7. Promiscuous Privileges        31%
Examples are intentionally dated.
Outrun the bear
Common joke: Three people walk in the woods. A grizzly bear starts to chase. “I don’t have to outrun the bear, I just have to outrun you.”
“I don’t need an ultra-secure system, I just have to be hard enough to break that people go elsewhere.”
If you haven’t heard this joke before then it’s funny!
Increased risk of loss
Loss
• Somewhat common
• Easier to lose than a desktop
Theft
• Snatch & grab
• Stolen from vehicles
Jan 4 2013, Mountain View CA. “five Apple iPads… No Microsoft products were reported stolen.”
“Cava22, in San Francisco's Mission District, where another unreleased iPhone apparently went missing [July 2011.]” (Credit: James Martin/CNET)
Why does loss/theft matter to application developers?
• Persistent authentication: keep me logged in.
• Does your app use money in any useful way?
  – Transfer money
  – Buy goods
  – Stocks
  – Bitcoins
Maine Firm Sues Bank After $588,000 Cyber Heist (original headline; the firm won).
First line of defense (loss/theft)
Lock screen/password
• May not even be present.
• 4 digit PIN == month/year or month/day
• Can be bypassed.
  – Galaxy S3:
    1. On the code entry screen press Emergency Call.
    2. Then press Emergency Contacts.
    3. Press the Home button once.
    4. Just after pressing the Home button press the power button quickly.
    5. If successful, pressing the power button again will bring you to the S3's home screen. (May take ~20 tries or 10 minutes)
  – iPhone had similar issue when adding camera to the lock screen
• Can be recorded.
  – Remember keyloggers?
Second line of defense (loss/theft)
Two factor authentication
• Something you have:
  – The phone
• Something you know:
  – The password
Harder to lose both.
SMS when logging in from unknown computer: Enter this code too. Salesforce does this.
Great advice for high security
“Authenticate the transaction, not the user.” – Bruce Schneier, 2006
Flag risky transactions. Back-end fraud monitoring: “If a customer from Nebraska signs on from, say, Romania, the bank can determine that the log-on always be considered suspect.”
Real-world example:
• US infrastructure company employee outsourced his job to China
• Shipped his “something you have”
  – Or point a webcam at it
• Caught because he worked mostly off-hours… from China.
Employee watched “Detective Mittens” on YouTube, caught by actual sleuths.
4. THINGS TO KEEP IN MIND
Questions to consider
1. Who is the customer?
  – User or the advertisers?
  – If it’s advertisers, then give them complete power.
2. How do we verify the application?
  – Mobile application is both frontend & backend.
  – Static analysis, dynamic analysis, and/or security incident event monitoring.
3. Do we really use all privileges?
  – Can other apps hijack our privileges?
4. Should transactions continue if someone loses their device?
  – What does my application do?
  – Do actions have real-world effects?
  – Authenticate the transaction, not the user.
Want to learn more in practice?
Where?
Security Research Blog
Vulnerable training applications: iGoat, GoatDroid, WebGoat
THANK YOU
SOFTWARE SECURITY GOES MOBILE
Erik Costlow [email protected]