RESEARCH INSIGHTS. How we are breaking in: Mobile Security. Author: Thomas Cannon

Similar documents
The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Topics. Ensuring Security on Mobile Devices

Maritime cyber security: Threats & Opportunities. Andy Davis, Research Director Yevgen Dyryavyy, Security Consultant

Deliver Strong Mobile App Security and the Ultimate User Experience

CSRF in the Modern Age

Bank Infrastructure - Video - 1

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

Introspy Security Profiling for Blackbox ios and Android. Marc Blanchou Alban Diquet

AWS Security. Staying on Top of the Cloud

Coordinated Threat Control

Phishing Stories. Shaun Jones

Importing your or Personal Authentication certificate to Android Devices

Securing Today s Mobile Workforce

The Android security jungle: pitfalls, threats and survival tips. Scott

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

RISKS HIDING IN PLAIN SIGHT: MOBILE APP CYBER THREAT & VULNERABILITY BENCHMARKS. BRIAN LAWRENCE SENIOR SECURITY ENGINEER

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Effective Strategies for Managing Cybersecurity Risks

Product Security Briefing

Real World Application Threat Modelling By Example. 44Con 2013

How to secure your mobile application with RASP

C1: Define Security Requirements

Mobile software security Building trust in mobile apps

Unisys Security Insights: Australia A Consumer Viewpoint 2015

Consolidated Edition. 5th Annual State of Application Security Report Perception vs. Reality

Vidder PrecisionAccess

Authentication API SecurAccess API Guide Version /18

Cyber Moving Targets. Yashar Dehkan Asl

Endpoint Security - what-if analysis 1

Copyright

Penetration testing.

MOBILE SECURITY OVERVIEW. Tim LeMaster

Solutions Business Manager Web Application Security Assessment

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

CS 356 Operating System Security. Fall 2013

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Checkpoint R80.10 Integration Guide (ASA)

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

What Ails Our Healthcare Systems?

Atlassian Crowdsourced Penetration Test Results: January 2018

G/On. G/On is available for Windows, MacOS and Linux (selected distributions).

>MESSAGELABS END USER IT SECURITY GUIDE >WHAT STEPS CAN YOU TAKE TO KEEP YOURSELF, YOUR COLLEAGUES AND YOUR COMPANY SAFE ONLINE?

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

HP 2012 Cyber Security Risk Report Overview

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

SecurEnvoy Windows Logon Agent Installation and Admin Guide v9.3 Including support for SecurPassword

The of Passw0rds: Notes from the field

Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick

Security Awareness Training Courses

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

Importing and Using your or Personal Authentication certificate with Mac OS X Mail / Apple Mail

Title Slide. Subtitle here

CLX.MAP & Mobile Security

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

Creating Trust in a Highly Mobile World

COMPUTER NETWORK SECURITY

Quick Heal Mobile Security. Anti-Theft Security. Real-Time Protection. Safe Online Banking & Shopping.

C and C++ Secure Coding 4-day course. Syllabus

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Meeting 39. Guest Speaker Dr. Williams CEH Networking

Intranet Benchmarking Forum 2013 Research Programme Over 20% live intranet tours

Independent DeltaV Domain Controller

Introducing MVISION. Cohesive Cloud-based Management of Threat Countermeasures and Devices Leveraging Built-in Device Controls. Jon Parkes.

SecurEnvoy Microsoft Server Agent Installation and Admin Guide v9.3

Enterprise Ready. Sean Yarger. Sr. Manager, Mobility and Identity. Making Android Enterprise Ready 1

INNOVATIVE IT- SECURITY FOR THE BANKING AND PAYMENT INDUSTRY

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Microsoft Outlook Web Access 2016 Installation Guide

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

Quick User Guide. Soliton Secure Container - DME. DME 5.1 for ios with DME 5.0 Server. Document version 0.2

Ch 8: Mobile Development Security. CNIT 128: Hacking Mobile Devices. Revised

Smart Attacks require Smart Defence Moving Target Defence

VMWARE VIEW WITH JUNIPER NETWORKS SA SERIES SSL VPN APPLIANCES

Dissecting Data Breaches. What Keeps Going Wrong?

Ethical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, Second Edition

Microsoft O365 Integration Guide

A (sample) computerized system for publishing the daily currency exchange rates

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Deep Freeze Cloud. Architecture and Security Overview

VMware Horizon Workspace Security Features WHITE PAPER

Juniper Networks Secure Access 700

12/5/2013. work-life blur. more mobile. digital generation. multiple devices. tech. fast savvy

Zimperium Global Threat Data

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Authentication System

Recommendations for Device Provisioning Security

Man in the Middle Attacks and Secured Communications

Importing and Using your or Personal Authentication certificate with The Bat!

You ve Been Hacked Now What? Incident Response Tabletop Exercise

Security: The Key to Affordable Unmanned Aircraft Systems

1 Comodo One Home Edition - FAQ

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Securing ArcGIS Services

Transcription:

RESEARCH INSIGHTS How we are breaking in: Mobile Security Author: Thomas Cannon

CONTENTS Author 3 Introduction 4 How We Are Breaking In: Mobile Security 6 Introduction 6 Common Issues 7 Conclusion 8 NCC Group Research Insights 2

AUTHOR THOMAS CANNON Thomas has worked in the Information Security industry for over eight years holding a variety of roles. Prior to joining NCC Group, Thomas held the position of Director of R&D for mobile security firm NowSecure where he performed cutting edge research into mobile device exploitation. Thomas has led mobile security engagements for phone manufacturers, Government, banking, medical and the US Army. Thomas is active in the mobile security community, contributing to books, certification development, speaking engagements at DEF CON and launching an open source mobile security Linux distribution. All Rights Reserved. NCC Group 2014 NCC Group Research Insights 3

INTRODUCTION The proliferation of the personal and business use of mobile devices has created a strong demand for mobile security assurance. Mobile apps and devices can suffer from many of the same vulnerabilities as traditional systems but also require new approaches to security testing and risk assessment. Some of the unique risks mobile introduces are: Given the amount of new risks that mobile introduces on top of traditional risks, it is perhaps not surprising to find a wide range of issues in a typical mobile assessment. This Research Insights aims to illustrate some of the common issues NCC Group finds within mobile. They can be exposed to hostile network environments (such as public WiFi) They remove data from the physical confines of a home or data centre and are at high risk of theft They typically are not protected with complex passcodes or two-factor authentication because it hampers usability They offer always-connected computing power with sensors such as camera, microphone, GPS, facilitating surveillance and remote access They are a new fast-changing platform with new attack techniques that developers are not experienced in protecting against NCC Group Research Insights 4

How We Are Breaking In: Mobile Security COMMON ISSUES IN MOBILE Data At Rest No Encryption No encryption Apps do not encrypt sensitive data, relying on OS controls to prevent access. This puts data at risk from malware and physical access in the event of a lost or stolen device. Not Erased Poor Access Control It is typical for apps to delete a sensitive, unencrypted file but leave it available to recovery with a forensic tool. NCC Group performs forensic techniques to see what data an app leaves behind. Apps which store data as world readable or on the SD Card (Android) make data available to any other app or malware. Transport Improper SSL Handling Apps which do not properly check the certificate of the server they are connecting to, or allow redirects to non-ssl connections, allowing Man in The Middle attacks No Certificate Pinning SSL was designed for clients to securely connect to servers which are not known in advance, requiring trust of a central certificate authority to verify identity. Mobile apps usually know the backend server they are going to connect to, so can validate the certificate itself, protecting against rogue CAs or stolen certificates. Cached UI Caching An example would be a banking app for Android which displays a list of transactions and the user then logs out. Because Android does not actually terminate the app by design, that information can still be stored on the transaction screen and it is possible to directly invoke the screen to see the last data displayed there. Memory Thumbnail Images Browser Sensitive data not erased after use ios devices take a screenshot when switching away from an app and if it is not disabled for sensitive screens it can include that data in the image. When using an embedded browser in an app it can cache data in the app s cache directory by default. Mobile devices are at higher risk of theft or loss and therefore NCC Group emulate a threat scenario where an attacker has access to a device and dumps the memory (RAM). This can reveal login credentials, encryption keys and other sensitive data. NCC Group Research Insights 6

It is clear from the output of mobile assessments over the last few years that data protection is not improving in mobile apps. COMMON ISSUES IN MOBILE CONT... Data cont... Permissions Incorrectly set or handled Android apps can communicate with each other in a standard way to share data or invoke functionality. Such access is usually controlled via permissions but some apps set permissions incorrectly or export functionality unintentionally. This can result in data manipulation or leakage. Logs Logging sesitive data Logging data to the system log or including it in crash logs when the app crashes. Input Validation There are some areas in mobile which are similar to both web and desktop regarding validation of data input. SQLite data Path validation Exploit mitigation Database injection techniques Traversal attacks ASLR and PIE not enabled Mobile apps often store data in SQLite databases and are subject to SQL Injection. On Android there is a standard way to share data via inter-process communication and this is often mapped to queries of the app s data store. By supplying a malformed request, malware can sometimes cause a target app to execute SQL commands and reveal or manipulate data. Apps which accept file names or paths as input do not always check for dangerous characters such as.. which can be used to access or write to files which the attacker would not otherwise have permission to do. To better protect against issues such as buffer overflows due to malformed data, apps should be compiled with protection such as Position Independent Executable (PIE) and Address Space Layout Randomisation (ASLR). App Protection Reverse engineering Lack of code obfuscation It takes more effort for an attacker to reverse engineer an obfuscated app which is otherwise quite trivial on mobile platforms. While not directly protecting against vulnerabilities obfuscation does reduce the risk of a vulnerability being found and exploited. NCC Group Research Insights 7

CONCLUSION It can be seen that the common issues on mobile are heavily biased towards data protection. Whereas traditional infrastructure assessment may be biased towards protecting against gaining entry in the first place, mobile testing has to assume the attacker already has some level of access. Access can be gained via malware installation, physical access or access to the network the device is connected to. It is clear from the output of mobile assessments over the last few years that data protection is not improving in mobile apps. Mobile device manufacturers are improving their devices to help mitigate this problem with features such as: Fingerprint readers Full device encryption by default Explicitly requiring enablement of higher risk features Providing hardware backed secure data stores Additionally NCC Group has seen new features of mobile platforms open up categories of issues that developers are failing to defend against. With mobile devices storing an ever increasing amount of sensitive data about our lives and work it is more important than ever to ensure it is being adequately protected. With mobile devices storing an ever increasing amount of sensitive data about our lives and work it is more important than ever to ensure it is being adequately protected. Nevertheless, it is the responsibility of developers to ensure they protect their users and data regardless of platform security features. NCC Group Research Insights 8

CONTACT US 0161 209 5200 response@nccgroup.trust @nccgroupplc www.nccgroup.trust United Kingdom Manchester - Head office Manchester Technology Centre Oxford Road Manchester M1 7EF Cheltenham Eagle Tower Montpellier Drive Cheltenham GL50 1TA Milton Keynes Suite 526-528 Elder House Eldergate Milton Keynes MK9 1LR Edinburgh 37 York Place Edinburgh EH1 3HP Leatherhead Kings Court Kingston Road Leatherhead KT22 7SL Glasgow The Beacon 176 St Vincent Street Glasgow G2 5SG London Floor 4 Tavistock House North London WC1H 9HR Europe Switzerland Ibelweg 18A CH-6300 Zug Switzerland The Netherlands Veemkade 396 1019 HE Amsterdam The Netherlands Germany Heimeranstrasse 37 D-80339 Munchen Germany Denmark Tranevej 16-18 DK-2400 Kobehavn NV Copenhagen Denmark North America San Francisco Suite 1020 123 Mission Street San Francisco CA 94105 Texas 4029 South Capital of Texas Hwy Suite 100 Austin, TX 78704 New York 39 W. 14th St. Suite 202 New York NY 10011 Chicago 53 W.Jackson Suite 464 Chicago, IL 60604 USA Seattle 720 3rd Avenue Suite 2101 Seattle Sunnyvale 111 West Evelyn Avenue Suite 101/103 Sunnyvale, CA 94086 Asia Pacific Australia 2.08/56 Bowman street Pyrmont NSW 2009 Australia

www.nccgroup.trust @nccgroupplc

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback