Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
About the Presenter: Director of Penetration Testing at HP Fortify on Demand. Previously worked in HP's Professional Services as a security consultant, and as an engineer and pen tester for RedSpin, Citrix, etc. Frequent attendee, presenter, and CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc. Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, Hakin9 magazine, Nmap, Nessus, etc.
About FoD Mobile
Mobile Trends and Threats: Adoption. Global mobile data traffic will increase 26-fold between 2010 and 2015; two-thirds of the world's mobile data traffic will be video by 2015; there will be nearly one mobile device per capita by 2015 (~6 billion).
New Devices (diagram: device, connection, server OS)
Same Old Story (diagram: server, browser)
Same Old Server (diagram: Information, Operations, Software, Security, Services)
Mobile Application Security Challenges: it is difficult to train and retain staff, and very difficult to keep skills up to date; the environment changes constantly and new attacks emerge constantly; compliance requirements; too many tools producing varying results; apps are launched daily without security being involved; junior developers are typically the ones creating the apps.
How you see your world Get Sales Data Get the username Get the password Edit my account Remember the User Generate Reports
How an attacker sees your world: Insecure Data Storage, SQL Injection, Data Leakage, Cross Site Scripting, Improper Session Handling, Sensitive Information Disclosure, Client Side Injection, Weak Server Side Controls
OWASP Mobile Top 10 Risks: M1 Insecure Data Storage; M2 Weak Server Side Controls; M3 Insufficient Transport Layer Protection; M4 Client Side Injection; M5 Poor Authorization and Authentication; M6 Improper Session Handling; M7 Security Decisions via Untrusted Inputs; M8 Side Channel Data Leakage; M9 Broken Cryptography; M10 Sensitive Information Disclosure
OWASP Mobile Top 10 Risks, with examples (1 of 2):
M1 Insecure Data Storage: SQLite databases, logging, plist files, manifest files, binary data stores, SD card storage
M2 Weak Server Side Controls: EVERYTHING in the (web) OWASP Top 10
M3 Insufficient Transport Layer Protection: insecure SSL/encryption; unsigned certificates accepted and certificate validation not enforced
M4 Client Side Injection: SQLite injection, XSS via WebView, local file inclusion (LFI)
M5 Poor Authorization and Authentication: poor password complexity; account disclosure via the login or forgot-password flow
OWASP Mobile Top 10 Risks, with examples (2 of 2):
M6 Improper Session Handling: indefinite sessions, weak cookie hashing, home-rolled session management, using the phone ID as part of the session
M7 Security Decisions via Untrusted Inputs: inter-process communication, Android intents, iOS URL schemes
M8 Side Channel Data Leakage: keystroke logging, screenshot caching, logs, temp files
M9 Broken Cryptography: bad crypto; encoding, obfuscation and serialization are not encryption
M10 Sensitive Information Disclosure: hardcoded secrets! API keys, server-side database passwords, etc.
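Two of the M6 entries above, a session tied to the phone ID and indefinite sessions, are easier to see in code. The block below is an added example, not code from the deck or from HP: the toy server, the leaked UDID and the account name are constructed, and the SessionStore class is a hypothetical fix rather than any real framework's API. The weak scheme is what "weak cookie hashing" and "using phone ID as part of session" look like in practice: an attacker who has the device ID from a side channel (M8) and knows the username can mint a valid cookie without ever logging in.

```python
"""Added example: forging a device-ID-derived session (M6) and a server-side fix."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed: a device ID that leaked through logs or an ad SDK, plus a
# known account name. Neither is secret from the attacker's point of view.
LEAKED_UDID = "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
USERNAME = "alice"


def weak_login(username: str, udid: str) -> str:
    """Home-rolled scheme: the 'session cookie' is an unkeyed MD5 over the
    device ID and username. No server-side state, no secret, no expiry."""
    return hashlib.md5(f"{udid}:{username}".encode()).hexdigest()


def weak_authenticate(cookie: str, username: str, udid: str) -> bool:
    """Server recomputes the hash; whatever recomputes it is 'logged in'."""
    return cookie == weak_login(username, udid)


def forge_weak_cookie(username: str, udid: str) -> str:
    """Attacker side: the cookie is a pure function of two public values."""
    return hashlib.md5(f"{udid}:{username}".encode()).hexdigest()


class SessionStore:
    """Hypothetical fix: opaque random token, server-side map, hard expiry.

    `clock` is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, max_age_s: int = 900, clock=time.time):
        self._max_age = max_age_s
        self._clock = clock
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, self._clock())
        return token

    def authenticate(self, token: str) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, issued = entry
        if self._clock() - issued > self._max_age:
            del self._sessions[token]  # indefinite sessions are M6 too
            return None
        return username


if __name__ == "__main__":
    forged = forge_weak_cookie(USERNAME, LEAKED_UDID)
    print("forged cookie accepted:", weak_authenticate(forged, USERNAME, LEAKED_UDID))
    store = SessionStore(max_age_s=900)
    token = store.issue(USERNAME)
    print("random token accepted:", store.authenticate(token) == USERNAME)
    print("forged value against fixed store:", store.authenticate(forged))
```

The device ID is not a secret and rotating it is not under the server's control, so nothing derived from it can stand in for a session credential; the fixed store never lets the client compute its own token, and the expiry check closes the "indefinite sessions" gap from the same slide. On a real server the cookie comparison should also use hmac.compare_digest rather than ==.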
Case Study #1: a case study of 120 mobile applications for one enterprise client found 234 vulnerabilities. 66% of applications contained a critical or high vulnerability that disclosed one or more users' personal data, exposed multiple users' personal data, or compromised the application's server. [Chart: vulnerability count by severity: Critical, High, Medium, Low, Informational]
[Chart: vulnerabilities by OWASP Mobile Top 10 category: M1 Insecure Data Storage, M2 Weak Server Side Controls, M3 Insufficient Transport Layer Protection, M4 Client Side Injection, M5 Poor Authorization and Authentication, M6 Improper Session Handling, M7 Security Decisions via Untrusted Inputs, M8 Side Channel Data Leakage, M9 Broken Cryptography, M10 Sensitive Information Disclosure, Other]
Other? Poor code quality and application hardening: unreleased resources; no ASLR or memory-management frameworks enabled. Privacy leaks: UUID, Wi-Fi details, device names, geolocation, etc., leaked to ad agencies.
Banking Case Study
Mobile SDLC Security Foundations for mobile applications. Phases: Plan, Requirements, Architecture & Design, Build, Test, Production. Controls across the lifecycle: Mobile Security Development Standards; Mobile Security Policies; Application-Specific Threat Modeling and Analysis; Threat Modeling CBT for Developers; Mobile Risk Dictionary; Mobile Secure Coding Training; Mobile Secure Coding Standards Wiki; Static Analysis; Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client); Mobile Firewall; MDM.
How do we get started? 1. Find your published apps 2. Threat model them based on the information they handle 3. Assess and fix published apps 4. Give resources to developers to write secure code
Threat Modeling a Mobile App. Identify business objectives: identify the data the application will use; PII vs. non-PII; credentials and access; where is it stored?; payment information (credit card data or account data)?; etc. Types of data at risk with a mobile app: usernames and passwords, UDID, geolocation/address/ZIP, date of birth, device name, network connection name, updates to social media, chat logs, cookies, etc.
Mobile Methodology (diagram): Client Application (static analysis, dynamic analysis) <-> Network <-> Web Application (static analysis, dynamic analysis)
Mobile Methodology (assessment tree):
Mobile Assessment
  Application Mapping: platform mapping; application architecture; understanding the app and mapping its data flows
  Client Attacks: binary analysis; file system analysis; memory analysis; runtime hacking; insecure API use; sensitive file artifacts; weak encryption
  Network Attacks: privacy leaks; TCP attacks; plaintext traffic
  Server Attacks: web attacks; buffer overflows; SQLi; XSS
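The Client Attacks branch of the tree (file system analysis, insecure API use, sensitive file artifacts, weak encryption) can start with a regex sweep over decompiled source before any runtime work, with each hit tagged to the Top 10 category it maps to. The block below is an added example, not Fortify on Demand tooling or any HP code: the rule set is a small illustrative subset, the category mapping is the presenter's Top 10 slides applied by hand, and the sample "decompiled" Android Java files are constructed.

```python
"""Added example: first-pass static sweep over decompiled mobile source."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, int, str]  # (category, path, line_no, detail)

# Constructed sample input in the style of decompiled Android Java.
SAMPLE_FILES: Dict[str, str] = {
    "com/example/app/Config.java": (
        'public static final String API_KEY = "AIzaSyD-EXAMPLE-1234567890abcdefg";\n'
        'public static final String BASE_URL = "http://api.example.com/v1/";\n'
        '// "protected" database password\n'
        'public static final String DB_PASS = "cGFzc3dvcmQxMjM=";\n'
    ),
    "com/example/app/LoginActivity.java": (
        'Log.d("Login", "user=" + user + " password=" + password);\n'
        'SharedPreferences p = getSharedPreferences("creds", MODE_WORLD_READABLE);\n'
    ),
    "com/example/app/NetClient.java": (
        'factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);\n'
        'URL u = new URL("https://api.example.com/v1/login");\n'
    ),
}

# Rule table: pattern -> (OWASP Mobile category, what a match indicates).
RULES = [
    (re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
     ("M1", "app file created world-accessible")),
    (re.compile(r"\bhttp://\S+"),
     ("M3", "plaintext HTTP endpoint")),
    (re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|TrustAllCerts"),
     ("M3", "certificate validation disabled")),
    (re.compile(r"Log\.[dviwe]\(.*(password|passwd|token|secret)", re.I),
     ("M8", "sensitive value written to the device log")),
    (re.compile(r'(API_KEY|SECRET|PASS(WORD|WD)?)\w*\s*=\s*"[^"]{8,}"', re.I),
     ("M10", "hardcoded secret in source")),
]

# A long quoted base64 literal that decodes to readable text is encoding,
# not encryption (M9).
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{12,}={0,2})"')


def _decode_if_text(literal: str) -> Optional[str]:
    """Return the decoded string if `literal` is valid base64 for printable ASCII."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def scan(files: Dict[str, str]) -> List[Finding]:
    """Run every rule over every line; one finding per (rule, line) hit."""
    findings: List[Finding] = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), start=1):
            for pattern, (cat, why) in RULES:
                if pattern.search(line):
                    findings.append((cat, path, no, why))
            for literal in B64_LITERAL.findall(line):
                decoded = _decode_if_text(literal)
                if decoded is not None:
                    findings.append(("M9", path, no,
                                     f"base64 literal decodes to {decoded!r}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per Top 10 category, for the per-category chart."""
    counts: Dict[str, int] = {}
    for cat, _, _, _ in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for cat, path, no, why in results:
        print(f"{cat} {path}:{no} {why}")
    print(summarize(results))
```

Each rule is deliberately narrow so that a hit is worth a human look rather than a source of noise; the base64 check is the one that catches "obfuscated" credentials, because a literal that decodes cleanly to printable text was never encrypted. The output feeds directly into the severity and per-category tallies shown in the case study slides, but it is triage only: intent-based M7 issues and most M5/M6 logic flaws need the dynamic and server-side parts of the methodology.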
Fortify On Demand s Mobile Application Security Risks, Controls, and Procedures Document
Android & iOS Security Checklists
Other Resources for QA, Security Managers, and Devs: Fortify's "7 Ways to Hang Yourself with Android" presentation; Fortify on Demand's iOS Penetration Testing presentation; Fortify's VulnCAT
Other Resources: OWASP Top 10 Mobile Risks page; OWASP iOS Developer Cheat Sheet; Google Android's Developer Security Topics 1; Google Android's Developer Security Topics 2; Apple's Introduction to Secure Coding
Parting Thoughts: Remember that mobile sites face the Internet as well; obscurity != security. Start with risk profiling and exposure (deployed apps). Give developers guidance and resources. Don't store PII at all if you don't need to. If you have a 3rd-party dev team, deploy a contract that enforces coding based on secure mobile development standards. Mobile Device Management (MDM) is not a substitute for secure code. Finally, don't be intimidated by "mobile"; the same fundamentals are still in play.
Thank you