Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Size: px

Start display at page:

Download "Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing"

Beverley Norris
6 years ago
Views:

1 Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

2 About the Presenter Director of Penetration Testing at HP Fortify on Demand. Previously worked in HP s Professional Services as a security consultant, and an engineer & pen tester for RedSpin, Citrix, etc. Frequent attender, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc. Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, Hakin9 magazine, Nmap, Nessus, Etc

3 About FoD Mobile

Two-thirds of the world s mobile data traffic will be video

4 Mobile Trends and Threats Adoption Global mobile data traffic will increase 26-fold between 2010 and 2015 Two-thirds of the world s mobile data traffic will be video by 2015 There will be nearly one mobile device per capita by 2015 (~6 billion)

6 New Devices connection server os 6

7 Same Old Story server browser 7

8 Same Old Server Information Operations Software Security Services 8

Mobile Application Security Challenges Difficult to train and retain staff - very difficult to keep skills up-to-date Constantly changing environment New attacks constantly emerge

9 Mobile Application Security Challenges Difficult to train and retain staff - very difficult to keep skills up-to-date Constantly changing environment New attacks constantly emerge Compliance Requirements Too many tools for various results Apps are getting launched on a daily basis with Security not being involved. Junior Developers are typically the ones creating the apps.

10 How you see your world Get Sales Data Get the username Get the password Edit my account Remember the User Generate Reports

Scripting Improper Session Handling Sensitive

11 How an attacker sees your world Insufficient Data Storage SQL Injection Data Leakage Cross Site Scripting Improper Session Handling Sensitive Information Disclosure Client Side Injection Weak Server Side Controls

12 OWASP Mobile Top 10 Risks M1 Insecure Data Storage M6 Improper Session Handling M2 Weak Server Side Controls M7 Security Decisions via Untrusted Inputs M3 Insufficient Transport Layer Protection M8 Side Channel Data Leakage M4 Client Side Injection M9 Broken Cryptography M5 Poor Authorization and Authentication M10 Sensitive Information Disclosure

13 M1 Insecure Data Storage M2 Weak Server Side Controls OWASP Mobile Top 10 Risks EVERYTHING in the OWASP Top 10 SQLite Logging Plist Files Manifest Files Binary data stores SD Card Storgage M6 Improper Session Handling M7 Security Insecure Decisions SSL via Untrusted Inputs Encryption M3 Insufficient Transport Layer Protection SQLite Injection Unsigned and Unforced Certificate Validation M8 Side Channel Data Leakage M4 Client Side Injection XSS via Webview LFI M9 Broken Poor Cryptography Password Complexity M5 Poor Authorization and Authentication Account disclosure via Login or Forgot Password M10 Sensitive Information Disclosure

14 Indefinite Sessions Weak cookie hashing OWASP Mobile Top 10 Risks home rolled session management M1 Insecure Data Storage Using phone ID as part of session M2 Weak Server Side Controls Keystroke logging Inter-process communication Android intents ios URL schemes M6 Improper Session Handling M7 Security Decisions via Untrusted Inputs Screenshot caching M3 Insufficient Transport Layer Protection Logs Temp files M4 Client Side Injection Hardcoded secrets! API keys, server-side database passwords, etc M5 Poor Authorization and Authentication Bad Crypto Encoding/ Obfuscation/ Serialization!= encryption M8 Side Channel Data Leakage M9 Broken Cryptography M10 Sensitive Information Disclosure

15 Case Study #1 Case study of 120 Mobile applications for 1 Enterprise client 234 vulnerabilities 66% of applications contained a critical or high vulnerability that: Disclosed 1 or more users personal data Exposed multiple users personal data Compromised the applications server Critical High Medium Low Informational

16 Vulnerabilities by OWASP Mobile Top 10 Category M1: Insecure Data Storage M2: Weak Server Side Controls M3: Insufficient Transport Layer Protection M4: Client Side Injection M5: Poor Authorization and Authentication M6: Improper Session Handling M7: Security Decisions Via Untrusted Inputs M8: Side Channel Data Leakage M9: Broken Cryptography M10: Sensitive Information Disclosure 0 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 Other

17 Other? Poor Code Quality and Applications Hardening Unreleased Resources No ASLR or Memory Management frameworks enabled. Privacy Leaks UUID, Wi-Fi, device names, geolocations, etc, leaked to Ad Agencies

18 Banking Case Study

Mobile SDLC Security Foundations Mobile Applications Plan Requirements Architecture & Design Build Test Production Mobile Security Development Standards Mobile Security Policies Application Specific

19 Mobile SDLC Security Foundations Mobile Applications Plan Requirements Architecture & Design Build Test Production Mobile Security Development Standards Mobile Security Policies Application Specific Threat Modeling and Analysis Threat Modeling CBT for Developers Mobile Risk Dictionary Mobile Secure Coding Training Mobile Secure Coding Standards Wiki Static Analysis Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client) Mobile Firewall MDM

20 How do we get started? 1. Find your published apps 2. Threat model them based on the information they handle 3. Assess and fix published apps 4. Give resources to developers to write secure code

21 Threat Modeling a Mobile App Identify business objectives: Types of data at risk with a mobile app: Identify the data the application will use Usernames & Passwords PII vs. Non-PII UDID Credentials & access Geolocation/address/zip Where is it stored? DoB Payment information? Device Name Network Connection Name Credit Card Data or Account Data Updates to Social media Chat logs Cookies Etc

22 Mobile Methodology Client Application Web Application Static Analysis Static Analysis Network Dynamic Analysis Dynamic Analysis

23 Mobile Methodology Mobile Assessment Application Mapping Client Attacks Network Attacks Server Attacks Platform Mapping Appl. Arch Binary Analysis File system Analysis Memory Analysis Runtime Hacking Priv Leaks TCP Attacks Web Attacks Under. App Data Flow Mapping Insecure API Sensitive File Artifact Weak Encrypt Plaintext Traffic Buffer Overflows SQLi XSS

24 Fortify On Demand s Mobile Application Security Risks, Controls, and Procedures Document

26 Android & ios Security Checklists

27 Other Resources for QA, Security Managers, and Devs Fortify s 7 Ways to Hang Yourself with Android Presentation Fortify on Demand s ios Penetration Testing Presentation Fortify s VulnCAT

29 Other Resources OWASP Top 10 Mobile Risks Page OWASP IOS Developer Cheat Sheet Google Androids Developer Security Topics 1 Google Androids Developer Security Topics 2 Apple's Introduction to Secure Coding

30 Parting Thoughts Remember that mobile sites face the Internet as well; obscurity!= security Start with Risk Profiling and exposure (deployed apps) Give developers guidance and resources Don t store it (PII) at all if you don t need to If you have a 3 rd party dev team deploy a contract that enforces coding based on secure mobile dev standards Mobile Device Management (MDM) is not a substitute for secure code Finally, don t be intimidated by mobile ; the same fundamentals are still in play

The Android security jungle: pitfalls, threats and survival tips. Scott

The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab The Jungle Ecosystem Google s protection Threats Risks Survival Network Data protection (encryption) App/device