Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing


Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

About the Presenter
Director of Penetration Testing at HP Fortify on Demand. Previously worked in HP's Professional Services as a security consultant, and as an engineer and pen tester for RedSpin, Citrix, etc.
Frequent attendee, presenter, and CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, Hakin9 magazine, Nmap, Nessus, etc.

About FoD Mobile

Mobile Trends and Threats: Adoption
Global mobile data traffic will increase 26-fold between 2010 and 2015.
Two-thirds of the world's mobile data traffic will be video by 2015.
There will be nearly one mobile device per capita by 2015 (~6 billion).

New Devices (diagram labels: connection, server, OS)

Same Old Story (diagram labels: server, browser)

Same Old Server (diagram labels: Information, Operations, Software Security, Services)

Mobile Application Security Challenges
Difficult to train and retain staff; very difficult to keep skills up-to-date.
Constantly changing environment; new attacks constantly emerge.
Compliance requirements.
Too many tools for various results.
Apps are getting launched on a daily basis with security not being involved.
Junior developers are typically the ones creating the apps.

How you see your world: Get Sales Data; Get the username; Get the password; Edit my account; Remember the User; Generate Reports

How an attacker sees your world: Insufficient Data Storage; SQL Injection; Data Leakage; Cross Site Scripting; Improper Session Handling; Sensitive Information Disclosure; Client Side Injection; Weak Server Side Controls

OWASP Mobile Top 10 Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

OWASP Mobile Top 10 Risks (M1-M5 with examples)
M1 Insecure Data Storage: SQLite, logging, plist files, manifest files, binary data stores, SD card storage
M2 Weak Server Side Controls: EVERYTHING in the OWASP Top 10
M3 Insufficient Transport Layer Protection: insecure SSL, encryption, unsigned and unforced certificate validation
M4 Client Side Injection: SQLite injection, XSS via WebView, LFI
M5 Poor Authorization and Authentication: poor password complexity, account disclosure via Login or Forgot Password
M6 Improper Session Handling, M7 Security Decisions via Untrusted Inputs, M8 Side Channel Data Leakage, M9 Broken Cryptography, M10 Sensitive Information Disclosure (examples on the next slide)

OWASP Mobile Top 10 Risks (M6-M10 with examples)
M6 Improper Session Handling: indefinite sessions, weak cookie hashing, home-rolled session management, using phone ID as part of session
M7 Security Decisions via Untrusted Inputs: inter-process communication, Android intents, iOS URL schemes
M8 Side Channel Data Leakage: keystroke logging, screenshot caching, logs, temp files
M9 Broken Cryptography: bad crypto; encoding/obfuscation/serialization != encryption
M10 Sensitive Information Disclosure: hardcoded secrets! API keys, server-side database passwords, etc.
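The M6 items above (phone ID used as the session, weak cookie hashing, home-rolled management, indefinite sessions) side by side with a hardened design, as an added Python example that is not from the deck: the weak cookie is a plain hash of the device ID that never expires, while the hardened store issues a random server-side token with an idle timeout and explicit revocation. SessionStore, SESSION_TTL_SECONDS and the device ID value are constructed for the illustration.

```python
"""Weak vs. hardened mobile session handling (added example, not from the deck)."""
import hashlib
import secrets
import time

# --- Weak, home-rolled: cookie is a plain hash of the phone ID, never expires ---
def weak_session_token(device_id: str) -> str:
    # Anyone who learns the device ID (it leaks to logs and ad SDKs, see M8)
    # can recompute the cookie, and nothing ever invalidates it.
    return hashlib.md5(device_id.encode()).hexdigest()

# --- Hardened: random server-issued token with expiry and revocation ---
SESSION_TTL_SECONDS = 15 * 60  # idle timeout, chosen for this example

class SessionStore:
    """Server-side session table keyed by a hash of the token (constructed)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash is stored, so a leaked session table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG; unrelated to any device identifier.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, self._now() + SESSION_TTL_SECONDS)
        return token

    def validate(self, token: str):
        """Return the user for a live token, or None if unknown or expired."""
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        user, expires_at = record
        if self._now() >= expires_at:
            del self._sessions[key]       # idle timeout: no indefinite sessions
            return None
        # Sliding expiry: each valid use pushes the deadline out again.
        self._sessions[key] = (user, self._now() + SESSION_TTL_SECONDS)
        return user

    def revoke(self, token: str) -> None:
        # Explicit logout removes the server-side record.
        self._sessions.pop(self._key(token), None)
```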

Case Study #1
Case study of 120 mobile applications for 1 enterprise client: 234 vulnerabilities.
66% of applications contained a critical or high vulnerability that:
disclosed 1 or more users' personal data;
exposed multiple users' personal data;
compromised the application's server.
[Chart: vulnerability counts by severity (Critical, High, Medium, Low, Informational), vertical axis 0-90]

[Chart: Vulnerabilities by OWASP Mobile Top 10 Category, vertical axis 0-80; categories M1 Insecure Data Storage, M2 Weak Server Side Controls, M3 Insufficient Transport Layer Protection, M4 Client Side Injection, M5 Poor Authorization and Authentication, M6 Improper Session Handling, M7 Security Decisions Via Untrusted Inputs, M8 Side Channel Data Leakage, M9 Broken Cryptography, M10 Sensitive Information Disclosure, Other]

Other?
Poor code quality and application hardening: unreleased resources; no ASLR or memory management frameworks enabled.
Privacy leaks: UUID, Wi-Fi, device names, geolocations, etc., leaked to ad agencies.

Banking Case Study

Mobile SDLC Security Foundations
Mobile application lifecycle phases: Plan, Requirements, Architecture & Design, Build, Test, Production.
Controls across the lifecycle: Mobile Security Development Standards; Mobile Security Policies; Application Specific Threat Modeling and Analysis; Threat Modeling CBT for Developers; Mobile Risk Dictionary; Mobile Secure Coding Training; Mobile Secure Coding Standards Wiki; Static Analysis; Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client); Mobile Firewall; MDM.

How do we get started?
1. Find your published apps
2. Threat model them based on the information they handle
3. Assess and fix published apps
4. Give resources to developers to write secure code

Threat Modeling a Mobile App
Identify business objectives: identify the data the application will use; PII vs. non-PII; credentials & access; where is it stored?; payment information?
Types of data at risk with a mobile app: usernames & passwords, UDID, geolocation/address/zip, DoB, device name, network connection name, credit card data or account data, updates to social media, chat logs, cookies, etc.

Mobile Methodology
Client Application: static analysis, dynamic analysis. Network. Web Application: static analysis, dynamic analysis.

Mobile Methodology (assessment tree)
Mobile Assessment
Application Mapping: platform mapping, application architecture, understanding app data flow mapping
Client Attacks: binary analysis, file system analysis, memory analysis, runtime hacking, insecure API, sensitive file artifacts, weak encryption
Network Attacks: privacy leaks, TCP attacks, plaintext traffic
Server Attacks: web attacks, buffer overflows, SQLi, XSS

Fortify On Demand s Mobile Application Security Risks, Controls, and Procedures Document

Android & iOS Security Checklists

Other Resources for QA, Security Managers, and Devs: Fortify's "7 Ways to Hang Yourself with Android" presentation; Fortify on Demand's iOS Penetration Testing presentation; Fortify's VulnCAT.

Other Resources: OWASP Top 10 Mobile Risks page; OWASP iOS Developer Cheat Sheet; Google Android Developer Security Topics 1; Google Android Developer Security Topics 2; Apple's Introduction to Secure Coding.

Parting Thoughts
Remember that mobile sites face the Internet as well; obscurity != security.
Start with risk profiling and exposure (deployed apps).
Give developers guidance and resources.
Don't store it (PII) at all if you don't need to.
If you have a 3rd-party dev team, deploy a contract that enforces coding based on secure mobile dev standards.
Mobile Device Management (MDM) is not a substitute for secure code.
Finally, don't be intimidated by "mobile"; the same fundamentals are still in play.

Thank you