Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

Similar documents
When providing a native mobile app ruins the security of your existing web solution. CyberSec Conference /11/2015 Jérémy MATOS

Abusing Android In-app Billing feature thanks to a misunderstood integration. Insomni hack 18 22/03/2018 Jérémy MATOS

The Android security jungle: pitfalls, threats and survival tips. Scott

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

C1: Define Security Requirements

MBFuzzer - MITM Fuzzing for Mobile Applications

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Security Best Practices. For DNN Websites

Bank Infrastructure - Video - 1

Certified Secure Web Application Engineer

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

RISKS HIDING IN PLAIN SIGHT: MOBILE APP CYBER THREAT & VULNERABILITY BENCHMARKS. BRIAN LAWRENCE SENIOR SECURITY ENGINEER

Android security enforcements

CSWAE Certified Secure Web Application Engineer

Copyright

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Welcome to the OWASP TOP 10

Breaking and Securing Mobile Apps

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

Combating Common Web App Authentication Threats

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Secure Programming Techniques

ME?

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Ch 7: Mobile Device Management. CNIT 128: Hacking Mobile Devices. Updated

Security Communications and Awareness

DreamFactory Security Guide

Man in the Middle Attacks and Secured Communications

Solutions Business Manager Web Application Security Assessment

Amsterdam April 12 th, 2018

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Web Application Penetration Testing

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

TIBCO Cloud Integration Security Overview

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

TECHNICAL WHITE PAPER Penetration Test. Penetration Test. We help you build security into your software at every stage. 1 Page

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Application Layer Security

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

OWASP Top 10 The Ten Most Critical Web Application Security Risks

How to secure your mobile application with RASP

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

INSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014)

Introspy Security Profiling for Blackbox ios and Android. Marc Blanchou Alban Diquet

Fortify Software Security Content 2017 Update 4 December 15, 2017

Applications Security

CPET 499/ITC 250 Web Systems Chapter 16 Security. Topics

Evaluating the Security Risks of Static vs. Dynamic Websites

Integration Guide. LoginTC

Mobile hacking. Marit Iren Rognli Tokle

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Whitepaper

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13


LIPPU-API: Security Considerations

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Web Tap Payment Authentication and Encryption With Zero Customer Effort

10 FOCUS AREAS FOR BREACH PREVENTION

IBM Future of Work Forum

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Sichere Software vom Java-Entwickler

CS November 2018

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Authentication Technology for a Smart eid Infrastructure.

CPSC 467: Cryptography and Computer Security

Secure Development Guide

OWASP TOP 10. By: Ilia

Managing Performance in Liferay DXP: An Overview of Liferay Connected Services

Professional Services Overview

Vulnerabilities in online banking applications

OWASP German Chapter Stammtisch Initiative/Ruhrpott. Android App Pentest Workshop 101

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Security+ SY0-501 Study Guide Table of Contents

Development*Process*for*Secure* So2ware

SECURITY TRENDS & VULNERABILITIES REVIEW FINANCIAL SYSTEMS

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Secure Coding, some simple steps help. OWASP EU Tour 2013

Key Protection for Endpoint, Cloud and Data Center

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

CSCE 813 Internet Security Final Exam Preview

Atlassian Crowdsourced Penetration Test Results: January 2018

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

1 About Web Security. What is application security? So what can happen? see [?]

Security Communications and Awareness

django-secure Documentation

Man in the middle attack on TextSecure Signal. David Wind IT SeCX 2015

Transcription:

Tale of a mobile application ruining the security of global solution because of a broken API design SIGS Geneva 21/09/2016 Jérémy MATOS

whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products and solutions Focus on mobile since 2010 Now software security expert at my own company: SecuringApps Providing services to build security in software Mobile Web Cloud Internet Of Things Bitcoin/Blockchain Regular speaker at security conferences @SecuringApps

Introduction Providing mobile apps is required by business Native is often the choice Usability Performance Connectivity issues Most of the time integration to existing web solution is not straightforward: a new API is required Authentication logic/pages provided by application server Offline mode to be addressed As a consequence, it is tempting to move some code from server side to mobile app But it cannot be trusted anymore

Objectives 1. Demonstrate a loss of revenue can occur via the exploitation of a real world Android application because of a broken API design, even though web solution seems OK 2. Introduce OWASP Mobile Top 10 via examples not to follow Choice of target: French magazines reading app Motivation: renewal subscription bug Not sensitive content as it is public (but not free) Some kind of DRM in place to restrict the number of usable mobile devices Code of conduct Privacy matters, don t mess with user data Responsible disclosure

Strategy Define precisely what will be checked given the objectives 1. Access control (OWASP M6 Insecure Authorization) HTTP monitoring to see how documents are referenced in the API Use self service property of the system My personal account with paid content Creation of other free accounts 2. Authentication of mobile services (OWASP M4 Insecure Authentication) HTTP monitoring to see how API requests are authenticated Reverse engineering of the mobile app to understand authentication token management Android version far easier to read No updates between January 2014 and June 2016

Access Control 1/3 HTTP monitoring with BURP Fresh app install, then configure proxy Login with paying account Download a magazine already subscribed POST requests with JSON payload as parameter No HTTPS! (OWASP M3: Insecure Communication) No need to add a certificate on the mobile device to do MITM And even less to modify the app to bypass certificate pinning 3 different hostnames involved All run PHP 5.2.17 (January 2011.) Windows based: IIS 7.5 or Apache 2.2.19 Win32 (June 2011...) Increased confidence that security was not the priority

Access Control 2/3

Access Control 3/3 Access control validation Create free account: web only, no email validation Login with free account to retrieve auth token Replay previous requests but use the free auth token Bypass results User publications list Documents list Screenshots Document download info Document content/drm Screenshots of all magazines are publicly accessible OWASP M6 Insecure Authorization: OK

Authentication 1/9 Reverse engineer app to see the authentication token content Retrieve APK: e.g from apk-dl.com Avoid running this binary If you do so, use an emulator (e.g genymotion) jadx free tool automatically converts APK to readable Java code 1. convert Dalvik bytecode to Java bytecode 2. decompile Java bytecode to Java source code 3. display results in a lightweight IDE for static analysis

Authentication 2/9 Nothing is obfuscated Easily look for auth in the generated source code (OWASP M9: Reverse engineering)

Authentication 3/9 encrypt method Key and IV (OWASP M5: Insufficient Cryptography)

Authentication 4/9 Done with a few lines of Python Decrypt auth token Understand what is sent to server Easier than figuring it out from source code Spoof the server Modify clear text content of token Encrypt it to have it accepted by server

Authentication 5/9

Authentication 6/9 Quick look at userid and sessionid 32 bits positive integers (?) Even numbers for both accounts Create 10 free accounts in a batch Login/password accepted on mobile only a few minutes later userid is a sequence incremented by 2 sessionid are all even numbers In binary form, it is obvious they are all multiple of 2^16 (OWASP M4: Insecure Authentication) Googling for «PHP windows random»: rand method is predictable and range on Windows is 2^15

Authentication 7/9 Source code of rand method is available: Successfully predicts values on Win10 + PHP 5.6 Yet no link found between 10 latest sessionid Bruteforce is a reasonable strategy userid are known Only 32768 possible sessionid sessionid is valid at least several days No link to user data (web access requires login/password)

Authentication 8/9 Bruteforce 1 free account to determine locking behavior No locking at all Possible to bruteforce account by account Or find accounts with a given sessionid (locking resilient) Response time > 8s when invalid sessionid, <0.5s otherwise DRM server in practice has 2 hostnames (load balancing) Strategy Search for accounts with paying content (non empty list of publications) From more recent to older: more likely to have an up to date subscription

Authentication 9/9

Authentication bypass After a few hours of bruteforce, several accounts with latest magazines found. Inject userid+sessionid of a paying account in the mobile login response of a free account.

Bonus: break DRM Not enough time to go in details In a few words Use dynamic analysis Modify existing implementation with hooks (OWASP M8: Code Tampering) Bytecode patching enables to repackage the application with modified features Training at CyberSec Conference Improving applications security in practice for Android developers November 1st in Yverdon

OWASP API Security project OWASP Top Ten API Security Risks document not available yet Based on metrics from bug bounties and public breaches Current list 1. Improper Data Sanitization 2. Insufficient Access Control 3. Insecure Direct Object Reference 4. Insufficient Transport Layer Security 5. Sensitive Data Exposure 6. Weak Server-Side Security 7. Improper Key Handling 8. Inconsistent API Functionality 9. Security Misconfiguration

Access control: to be enforced server side on each and every available API call Recommendations 1/2 When providing an API for mobile, start with a threat model Target population: self service, existing premium accounts, etc.. Limit rights per user or device? Offline features required? Authentication Avoid implementing your own system Don t play with crypto, except if absolutely necessary Keeping secrets is difficult Key renewal to be designed from the very beginning Rather integrate existing Identity and Access Management solutions

Recommendations 2/2 Client side: consider all source code as public for Android Avoid embedding any sensitive logic: ask the server to do it Keep in mind that bypassing/replacing code is easy for an attacker using hooking (including jailbreak/emulator checks) Obfuscate to make reverse engineering longer: Proguard cost is 0 Also consider writing some essential logic in C (NDK) Use SSL with certificate pinning for all network calls Performance is not an issue anymore Self signed certificates are free Pinning is a must have to make MITM attacks/debugging more difficult Check your SSL server configuration with https://www.ssllabs.com/ssltest/

Thank you! Any question contact@securingapps.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback