
Assessing the Security of 10 Top Enterprise Apps
May 2016

SMARTWIRE LABS

Executive Summary

Mobile devices give employees access to the tools and data they need to be productive. Mobility can be an incredibly powerful driver for business as it provides seamless access to corporate data, at any time and from any location. As enterprise IT struggles to keep up with the demand for more access, it is not uncommon for security to be lagging or simply overlooked on these platforms. This is particularly troubling as mobile devices now have the ability to access the same valuable corporate data that is available on more protected desktop computers.

One common explanation for why companies underinvest in mobile security is that they believe the underlying software and app ecosystems to be sufficiently robust. As this report shows, this belief is misguided and as a result, has caused mobility teams to put sensitive data at risk.

In this report, Wandera’s SmartWire Labs team has performed a comprehensive security assessment of the most popular business apps used on corporate-liable devices by enterprise customers across North America, the United Kingdom, Europe and Asia. The 10 apps (all of which feature prominently on the App Store’s top charts) were put through an extensive security assessment, using the Open Web Application Security Project (OWASP) Mobile Security Risks as a foundation.

The 10 apps highlighted in this report have been downloaded an estimated 1.4 billion times, from the Google Play store. Within Apple’s App Store, the 10 apps we cover fall within the top 0.05% of all published apps and are primarily in the business and productivity categories. These are popular apps that are very widely used by enterprise employees around the globe.

KEY FINDINGS

10/10 apps are vulnerable to at least three of the OWASP Top 10 Mobile Risks, including the two most fundamental issues: data storage security and data transport security.

10/10 apps contain at least five weaknesses of the 28 in total tested.

10/10 apps lack anti-jailbreak protection.

10/10 apps fail to use secure data storage to protect Personally Identifiable Information, which implies that the developers have relied heavily on capabilities provided by the device operating system.

9/10 apps do not use Certificate Pinning at all and are therefore vulnerable to Man-in-the-Middle attacks (the single application that does use this protection mechanism fails to implement it properly).

8/10 apps allow the use of weak passwords.

3/10 apps allow the use of weak encryption.

ASSESSING THE SECURITY OF 10 TOP ENTERPRISE APPS SMARTWIRE LABS

PAGE 2

As this report shows, the overall state of mobile app security is far below where it needs to be, considering the sensitive data contained within these enterprise tools. The number of exposed vulnerabilities would provide attackers with a variety of options to easily exploit the apps and steal data. It is our hope that by highlighting these risks, enterprise app developers will use the OWASP framework to test apps and deliver more robust apps that have been hardened against attack.

Introduction

IT security budgets are stretched to support a number of important agendas: perimeter protection, access control, audit and compliance. Due partially to the fact that they are new technologies, mobile devices are considered to present less of a direct risk, and have traditionally received less investment to address security weaknesses. But the potential risks within the mobility ecosystem are on the rise and these devices are becoming a primary target for attackers looking to exploit the weakest link in the enterprise security chain.

Small pieces of both personal and corporate information that are contained within mobile devices and applications are of interest to an attacker. They can easily piece together the exposed data to create a complete profile of the end user and use that to initiate a sophisticated attack. The recent growth and success of these attacks point to the continued need to close all the potential security holes and maintain high levels of user education.

Data leaks from poorly designed apps and fundamental device vulnerabilities are becoming the building blocks for further cyber attacks on the enterprise. Our researchers have investigated the Top 10 enterprise apps used by our customers to understand where they are vulnerable, and more importantly, how they might be used as building blocks in more targeted cyber attacks.


Testing Apps for Vulnerabilities

APP SELECTION

Our security researchers believed it would be of value to assess mobile application security by focusing our research on the most popular enterprise apps used by the employees of our global customers. Wandera’s Secure Mobile Gateway provides security for devices belonging to a diverse set of enterprise customers around the world. Using our solution’s visibility into mobile data usage, we have real-time usage statistics on which business applications were most popular in terms of data usage across a wide range of devices and customers. Business applications were chosen because they hold not only personal but also privileged corporate data. If this data were to be compromised, it could have a significant impact on the organization, including but not limited to potential financial loss and damage to the organization’s reputation.

The selected apps can be found on the official app store top charts for email clients, contact management apps, cloud storage apps, business oriented social networking apps and many others. The 10 apps highlighted in this report have been downloaded an estimated 1.4 billion times combined from the Google Play store. Within Apple’s App Store, the 10 apps we cover fall within the top 0.05% of all published apps and are primarily in the business and productivity categories. A vulnerability in any of the apps investigated, if exploited, would likely impact millions of users.

TEST METHODOLOGY

Wandera used the Top 10 Open Web Application Security Project (OWASP) Mobile Risks as a foundation methodology for testing. OWASP is a not-for-profit organization focused on improving the security of software. The OWASP Mobile Security Project seeks to provide developers and security teams with the resources required for building and maintaining secure mobile applications. The Top 10 Risks list provides an insight into the key risks facing mobile application security. Each of the Top 10 mobile risk categories was then further broken down into 28 separate vulnerability tests. The tests conducted in the research are as follows:

Mobile Risk Category 1: Weak Server Side Controls

1. HTTP Communication test

2. PII Leaks test

3. Device Info Leaks test

4. API Calls Leaks test

Mobile Risk Category 2: Insecure Data Storage

5. PII stored in Unencrypted SQLite DB test

6. File Caching test

7. PII in Property List Files test


Mobile Risk Category 3: Insufficient Transport Layer Protection

8. Allow Self-Signed Certificates test

9. No Certificate Pinning test

Mobile Risk Category 4: Unintended Data Leakage

10. PII in Custom Logs test

Mobile Risk Category 5: Poor Authorization and Authentication

11. Clear Text Authentication Leaks test

12. Allow Weak Passwords test

13. Allow Brute Force test


Mobile Risk Category 6: Broken Cryptography

14. Weak Encryption test

15. HTTPS Downgrade test

Mobile Risk Category 7: Client Side Injection

16. Stored XSS test

17. Vulnerable to Code Injection test

18. Reflected XSS in URL Parameters test

Mobile Risk Category 8: Security Decisions via Untrusted Inputs

19. Private Frameworks test

Mobile Risk Category 9: Improper Session Handling

20. Authentication Tokens Leaks test

21. Authentication Cookies Leaks test

22. Session Tokens Leaks test

Mobile Risk Category 10: Lack of Binary Protections

23. Anti-Jailbreak Protection test

24. Compiled with PIE test

25. Compiled with Stack Cookies test

26. Automatic Reference Counting test

27. Hardcoded Malicious URLs test

28. Hardcoded Suspicious URLs test

The tests were performed by Wandera’s SmartWire Labs team, simulating the same level of access to the applications as the average hacker would have and using publicly available tools. In order to provide control and consistency during the investigation, the latest version of iOS was installed on a single, non-jailbroken device from which all tests were executed.

The results matrix presented below summarizes the findings of this study. A Protection mark indicates that the app implemented adequate protection mechanisms and is not vulnerable to the attack. A Weakness mark highlights the presence of vulnerabilities. In addition, cases marked Partial Protection represent apps with partial or improperly implemented protection mechanisms.


RESULTS

Results matrix: rows are the OWASP Top 10 security risks and their tests; columns are App 1 to App 10 (the per-app marks of the original matrix are not reproduced in this transcript).

M1: Weak Server Side Controls
    HTTP Communication
    PII Leaks
    Device Info Leaks
    API Calls Leaks

M2: Insecure Data Storage
    PII Stored in Unencrypted SQLite DB
    File Caching
    PII in Property List Files

M3: Insufficient Transport Layer Protection
    Allow Self-Signed Certificates
    No Certificate Pinning

M4: Unintended Data Leakage
    PII in Custom Logs

M5: Poor Authorization and Authentication
    Clear Text Authentication Leaks
    Allow Weak Passwords
    Allow Brute Force

M6: Broken Cryptography
    Weak Encryption
    HTTPS Downgrade

M7: Client Side Injection
    Stored XSS
    Vulnerable to Code Injection
    Reflected XSS in URL Parameters

M8: Security Decisions via Untrusted Inputs
    Private Frameworks

M9: Improper Session Handling
    Authentication Tokens Leaks
    Authentication Cookies Leaks
    Session Tokens Leaks

M10: Lack of Binary Protections
    Anti-Jailbreak Protection not Implemented
    Compiled with PIE
    Compiled with Stack Cookies
    Automatic Reference Counting

Static Analysis
    Hardcoded Malicious URLs
    Hardcoded Suspicious URLs

Legend: Weakness | Partial Protection | Protection | Not Applicable

Research Analysis

Figure 4.1 summarizes how frequently our researchers encountered each OWASP Mobile Risk during their testing. This analysis shows that the most common vulnerabilities impacting mobile apps are as follows:

§ Insecure data storage

§ Insufficient transport layer protection

§ Lack of binary protections

§ Poor authorization and authentication

THE MOST COMMON VULNERABILITIES

[Chart: OWASP TOP 10 MOBILE RISKS - PREVALENCE. Vertical axis: Number of Apps Failing (0 to 10). Horizontal axis: OWASP Top 10 Mobile Risks, M1: Weak Server Side Controls, M2: Insecure Data Storage, M3: Insufficient Transport Layer Protection, M4: Unintended Data Leakage, M5: Poor Authorization and Authentication, M6: Broken Cryptography, M7: Client Side Injection, M8: Security Decisions via Untrusted Inputs, M9: Improper Session Handling, M10: Lack of Binary Protections.]

BAD DEVELOPERS OR BAD ASSUMPTIONS?

The vulnerabilities identified through this research can be divided into two groups based on their potential root cause. First, the use of insecure data storage and the lack of binary protection may be the result of app developers inherently trusting the security of the iOS platform, where they assume that the device encryption is unbreakable and the OS cannot be jailbroken. As a result, they do not feel it is necessary to provide the extra level of security, like encryption of app data or anti-jailbreak protection.

The second group of vulnerabilities include insufficient transport layer protections and poor authorization and authentication. These exposed risks might be attributed to the common belief that Man-in-the-Middle attacks are rare and difficult to execute. Unfortunately, there are plenty of commercial off-the-shelf products that allow attackers to set up remotely accessible rogue hotspots, avoiding the risk of physical presence. Furthermore, users not familiar with the mobile platforms could also be socially engineered to install dangerous certificates and crack their encrypted traffic wide open.

VULNERABILITY ASSESSMENTS

M1: WEAK SERVER SIDE CONTROLS (2 OUT OF 10 APPS FAILED)

Considering the popularity of each individual app included in the research, it was surprising to learn that at least one application failed every single one of the tests for weak server side controls.

Our Weak Server Side Controls tests look for the following risk indicators:

§ Plain text traffic (HTTP)

§ Exposure of PII over HTTP

§ API calls made over HTTP

§ Device information sent in clear text

Whenever information is sent in clear text, it represents a serious security risk for both the individual and the organization, because the data is not protected from even the least sophisticated eavesdropper. Because the technical knowledge required to execute such an attack is minimal and can be learned in a matter of hours, our researchers consider this a significant vulnerability.

M2: INSECURE DATA STORAGE: UNENCRYPTED APP DATA (10 OUT OF 10 APPS FAILED)

Our research confirmed another worrying trend whereby application developers store sensitive data in unencrypted SQLite databases on the device itself (see diagram below). SQLite is one of the most popular databases used by apps to store data. Many developers believe that modern mobile OSs provide strong volume encryption on the device, so further encrypting the app data is an unnecessary waste of time and resources. Although the platform encryption might be strong, it represents a single point of failure: if a method for breaking the native encryption is discovered, all data from all unencrypted SQLite instances will be accessible. All 10 apps tested were found to be vulnerable in this category.
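As an added illustration of the checks behind the M1 (cleartext traffic carrying PII) and M2 (PII in an unencrypted SQLite file) tests, the following Python example is not from the report or from Wandera. It builds a constructed SQLite database and a few constructed proxy log lines, then searches the raw bytes of each for PII. The hostnames, e-mail address and IMEI are made-up sample values, and the log line format is an assumption of this example.

```python
import os
import re
import sqlite3
import tempfile

# PII patterns of the kinds the M1/M2 tests look for. The IMEI pattern is simply a
# 15-digit run; the e-mail pattern is deliberately permissive rather than RFC-exact.
PII_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "imei": re.compile(rb"(?<!\d)\d{15}(?!\d)"),
    "password_param": re.compile(rb"(?i)(?:password|passwd|pwd)=[^&\s]+"),
}


def find_pii(blob: bytes) -> dict:
    """Return {kind: [matched bytes, ...]} for every PII pattern present in blob."""
    hits = {}
    for kind, pattern in PII_PATTERNS.items():
        found = [m.group(0) for m in pattern.finditer(blob)]
        if found:
            hits[kind] = found
    return hits


def scan_http_log(lines) -> list:
    """M1 check: flag requests that went out over plain HTTP and list the PII they carried.
    Each line is a constructed proxy log entry: '<METHOD> <URL> <query-or-body>'."""
    findings = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        method, url = parts[0], parts[1]
        payload = parts[2] if len(parts) == 3 else ""
        if not url.lower().startswith("http://"):
            continue  # TLS-protected request: not a cleartext finding
        pii = find_pii((url + " " + payload).encode())
        findings.append({"method": method, "url": url, "pii": sorted(pii)})
    return findings


def scan_sqlite_file(path: str) -> dict:
    """M2 check: read the database file as raw bytes rather than through SQL. If PII is
    readable in the bytes on disk, the app stored it without application-layer encryption.
    SQLite records concatenate column values without separators, so a match may carry a
    few bytes of the neighbouring column."""
    with open(path, "rb") as fh:
        return find_pii(fh.read())


def build_sample_db(path: str) -> None:
    """Constructed sample: a contacts table written in the clear, as the failing apps did."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, device_imei TEXT)")
    conn.execute("INSERT INTO contacts VALUES (?, ?, ?)",
                 ("Example User", "example.user@corp.example", "490154203237518"))
    conn.commit()
    conn.close()


# Constructed proxy log: one TLS request and two cleartext requests.
SAMPLE_LOG = [
    "GET https://api.example.test/v1/profile token=redacted",
    "POST http://api.example.test/v1/login email=example.user@corp.example&password=Winter2016",
    "GET http://telemetry.example.test/ping imei=490154203237518",
]


def run_checks():
    """Run both scans on the constructed inputs; returns (http_findings, sqlite_findings)."""
    http_findings = scan_http_log(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "contacts.sqlite")
        build_sample_db(db_path)
        sqlite_findings = scan_sqlite_file(db_path)
    return http_findings, sqlite_findings


if __name__ == "__main__":
    http_findings, sqlite_findings = run_checks()
    for finding in http_findings:
        print("cleartext request:", finding)
    print("readable on disk:", sqlite_findings)
```

Scanning the file bytes instead of querying the database is the point: a developer who relies on platform encryption alone will see clean SQL results, while this check shows exactly what a copy of the file reveals once that single layer is removed.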

M3: INSUFFICIENT TRANSPORT LAYER SECURITY: CERTIFICATE PINNING (10 OUT OF 10 APPS FAILED)

It is assumed that business apps undergo a more rigorous security screening and development process, especially when compared to mainstream consumer apps. It was alarming, therefore, to discover that 9 of the 10 apps tested do not use certificate pinning at all. Furthermore, the one application that did have the feature implemented failed to secure its login, because certificate pinning was enabled by the developer only after successful login, hence exposing the user’s credentials, which defeats the protection completely.

What does the lack of certificate pinning mean for business users? A user targeted by a potential attacker could be tricked into allowing a bogus iOS profile to be installed on the device (example iOS profile shown in diagram), which in turn allows the attacker to see all encrypted traffic except the traffic of those apps that use certificate pinning. Failing to implement certificate pinning leaves sensitive information exchanged with the app vulnerable to attack. All 10 apps were seen to be at least partially vulnerable in this test.

Although the majority of the apps tested utilized transport layer security (TLS), at least one application failed to encrypt all of its traffic, exposing PII in clear text. Additionally, the lack of TLS renders the application vulnerable to code-injection attacks (see diagram), where a user’s mobile traffic could be poisoned in transit with malicious code and further sensitive information could be stolen.

M4: UNINTENDED DATA LEAKAGE (2 OUT OF 10 APPS FAILED)

Unintended data leakage happens when an app unintentionally records sensitive information alongside its error and operational logging. For example, if an app crashes during user login, the user credentials might be recorded as part of the error for the crash. If the hacker knows about such unintended behaviour, he or she can design a secondary app, which can access the logs of the first app, and get access to the leaked information. Although modern mobile operating systems provide strong encryption and such a vulnerability might not be recognized as severe, users sometimes jailbreak their devices, which weakens the factory security controls and the above data leaks can then be easily exploited.
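The crash-during-login case above is easy to reproduce and easy to prevent at the logging layer. The following Python example is added here and is not code from the report or from Wandera: it simulates a login handler that raises with the submitted form in the exception text, and shows a logging formatter that scrubs sensitive values from the fully formatted record, traceback included. The logger name, the key list and the form contents are constructed for the example.

```python
import io
import logging
import re

# Keys whose values must never reach a log line. Header-style values containing spaces
# (e.g. "Authorization: Bearer ...") need a separate rule and are not covered here.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "secret", "cookie")

# key, optional quote, '=' or ':', optional quote, then the value up to a delimiter.
_PAIR = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")([\"']?\s*[=:]\s*[\"']?)([^\s,;&\"'}]+)"
)


def redact(text: str) -> str:
    """Replace the value of every sensitive key=value or 'key': 'value' pair."""
    return _PAIR.sub(lambda m: f"{m.group(1)}{m.group(2)}<redacted>", text)


class RedactingFormatter(logging.Formatter):
    """Scrubs the fully formatted record, so the message, its arguments and any attached
    traceback (including the exception's own text) are all covered by one rule."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def build_logger(stream) -> logging.Logger:
    """Logger writing to the given stream through the redacting formatter."""
    logger = logging.getLogger("loginflow")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def simulate_login_crash(form: dict) -> str:
    """Constructed failure path: the login handler raises with the submitted form in the
    exception text and the caller logs the exception. Returns what reached the log."""
    buffer = io.StringIO()
    log = build_logger(buffer)
    try:
        raise ValueError(f"upstream rejected request body {form}")
    except ValueError:
        log.exception("login failed for user=%s password=%s", form["user"], form["password"])
    return buffer.getvalue()


if __name__ == "__main__":
    print(simulate_login_crash({"user": "alice", "password": "Winter2016"}))
```

Redacting in the formatter rather than at each call site matters because the leak in the report's scenario comes from the crash path, which nobody writes a careful log statement for; the formatter sees the traceback text too.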

M5: POOR AUTHENTICATION AND AUTHORIZATION: WEAK PASSWORDS AND BRUTE FORCE ATTACKS (8 OUT OF 10 APPS FAILED)

For decades, IT security professionals have communicated the importance of using strong passwords. As a result, it would not be unreasonable to assume that most application and website developers are well aware of the issue, and that they would mandate strong passwords as a standard requirement. Surprisingly, 8 of the 10 business apps analyzed do not enforce the use of strong passwords. Moreover, it was confirmed that two applications are vulnerable to a brute force attack, which increases the likelihood of compromise and presents an even greater risk to sensitive corporate data.

Brute force attacks are not complex. The simplest brute force attack means trying all possible combinations of characters and digits until the password is found. Often this kind of attack is impractical, due to the tremendous number of possible combinations. However, people tend not to use very long passwords and often omit capital letters or symbols, which reduces the number of possible combinations; moreover, lists of the most used passwords (collected as a result of data leaks) are freely available online to download and are even pre-built into offensive security tools.
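The two M5 findings, weak passwords and brute-forceability, are addressed by two server-side controls: a password policy that rejects short, low-variety and already-leaked passwords, and a per-account throttle that stops unlimited guessing. The Python example below is added for illustration and is not the report's or Wandera's code; the breached-password excerpt, the thresholds and the injectable clock are constructed for the example.

```python
import math
import time
from collections import deque

# Constructed excerpt of a breached-password list; a real deployment loads the full lists.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1", "password1"}


def estimate_entropy_bits(pw: str) -> float:
    """Crude strength estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, min_len: int = 12, min_bits: float = 50.0) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on a breached-password list")
    if len(set(pw)) < 6:
        problems.append("too few distinct characters")  # catches 'aaaaaaaaaaaa'-style padding
    if estimate_entropy_bits(pw) < min_bits:
        problems.append(f"estimated entropy below {min_bits:.0f} bits")
    return problems


class LoginGuard:
    """Server-side throttle: once an account has max_failures failed logins inside
    window_s seconds, further attempts are refused until the oldest failure ages out.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, window_s: float = 900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.clock = clock
        self._failures = {}  # account -> deque of failure timestamps

    def _recent(self, account: str) -> deque:
        now = self.clock()
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def is_locked(self, account: str) -> bool:
        return len(self._recent(account)) >= self.max_failures

    def record_failure(self, account: str) -> None:
        self._recent(account).append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(guard: LoginGuard, account: str, supplied: str, expected: str) -> str:
    """Returns 'locked', 'ok' or 'denied'. The lockout is checked before the credential,
    so a locked account gives the same answer for right and wrong passwords."""
    if guard.is_locked(account):
        return "locked"
    if supplied == expected:
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "denied"


if __name__ == "__main__":
    for candidate in ("Password1", "aaaaaaaaaaaa", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate) or "acceptable")
```

Both controls belong on the server: a policy enforced only in the app binary can be bypassed by talking to the API directly, and a lockout kept only in the client does nothing against a script.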

M6: BROKEN CRYPTOGRAPHY: WEAK ENCRYPTION (3 OUT OF 10 APPS FAILED)

Three out of ten applications were found to be susceptible to an encryption downgrade attack; this is where application-server communication is forced to use a cryptographically weak encryption algorithm, which could then be decrypted and read by an attacker. This type of attack is quite sophisticated and requires substantial effort, therefore it can be logically concluded that such an attack would be targeting valuable information. In practical terms, it means that an organization might have the false impression that the communication of the app is safe, protected by strong encryption, while in the background the attacker tricks the app’s back-end server to use older and weaker encryption technologies.
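The M3 finding (no pinning, or pinning switched on only after login) and the M6 finding (downgrade to weak encryption) are both decided at connection time in the client. The following Python example is added here and is not the report's or Wandera's code: it builds a TLS client that sets a protocol floor and a restricted cipher list, and checks the server certificate against a pin set inside connect(), before any request, the login included, is sent. The hostname and pin in the usage comment are placeholders; the example pins the whole certificate by SHA-256, which is the simplest form (pinning the public key is the more rotation-friendly variant).

```python
import hashlib
import http.client
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the server's leaf certificate is not one the client expects."""


def make_hardened_context() -> ssl.SSLContext:
    """Default context (CA validation and hostname checking on) with a TLS 1.2 floor and
    a restricted cipher list, so a server or intermediary that offers only older protocol
    versions or weak suites gets a handshake failure instead of a downgraded session."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # AEAD suites with forward secrecy only; TLS 1.3 suites are configured separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def verify_pin(der: bytes, pins) -> bool:
    """True when the certificate's fingerprint is in the pin set. Ship a backup pin for
    the next certificate as well, so a routine rotation does not lock users out."""
    return cert_fingerprint(der) in {p.lower() for p in pins}


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPS client that enforces the pin at connect time, i.e. before any request,
    the login request included, is written to the socket."""

    def __init__(self, host: str, pins, port: int = 443, timeout: float = 10.0):
        super().__init__(host, port, timeout=timeout, context=make_hardened_context())
        self.pins = list(pins)

    def connect(self) -> None:
        super().connect()  # TCP + TLS handshake; CA chain and hostname are checked here
        der = self.sock.getpeercert(binary_form=True)
        if not verify_pin(der, self.pins):
            self.close()
            raise PinMismatch(f"{self.host}: server certificate is not in the pin set")


# Usage (placeholder hostname and pin; a real pin is the fingerprint of the expected certificate):
#   conn = PinnedHTTPSConnection("api.example.test", pins=["<sha256-hex-of-expected-cert>"])
#   conn.request("POST", "/v1/login", body="...")   # raises PinMismatch before sending if the pin fails
```

With the pin check in connect(), the ordering mistake the report describes cannot happen: there is no code path that sends credentials over a connection whose certificate has not been matched against the pin set, and an installed rogue profile does not help an interceptor because its certificate is not in that set.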

M7: CLIENT SIDE INJECTION (2 OUT OF 10 APPS FAILED)

The research identified that at least two apps are susceptible to Client Side Injections. This means a hacker with access to the app’s communication can craft and inject malicious code and accomplish the following: redirect to a malicious or phishing website, send phishing messages to appear on the victim’s device, inject third party ads for monetary gain, etc. Applications don’t need to have all of their traffic in clear text in order to be vulnerable: even if the core functionality is well protected by encryption, some support pages are often left insecure, which might be enough for an attacker to exploit the app.

M8: SECURITY DECISIONS VIA UNTRUSTED INPUTS (0 OUT OF 10 APPS FAILED)

Interprocess communication is where Application 1 allows its resources to be accessed from Application 2, or Application 1 accepts data coming from Application 2. A best practice in this category is to sanitize the data coming from outside and properly validate access to the app resources. Doing so ensures that a hacker cannot use the aforementioned Application 2 to access Application 1’s data. None of the tested apps showed signs of being vulnerable to this type of attack.

M9: IMPROPER SESSION HANDLING (0 OUT OF 10 APPS FAILED)

In order for an application to be considered secure in terms of session handling, it needs to adopt security best practices such as proper session timeouts, proper rotation of authentication cookies, and proper generation of authentication tokens. If token generation is not adequately randomized, a hacker is easily able to guess the authentication token. If cookies are improperly validated and set, the hacker can steal a user’s cookies and use them to impersonate the user and even access the user’s account. None of the tested apps showed signs of being vulnerable to this type of attack.
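The three practices named above (randomized token generation, session timeouts and rotation) fit in one small server-side session table. The Python example below is added for illustration and is not code from the report or from Wandera; the timeout values and the injectable clock are constructed for the example, and tokens are stored hashed so that a copy of the table does not yield usable sessions.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side session table: unguessable tokens, idle and absolute timeouts, and
    rotation after login. The clock is injectable so expiry can be tested without sleeping."""

    def __init__(self, idle_timeout_s: float = 900.0, absolute_timeout_s: float = 8 * 3600.0,
                 clock=time.monotonic):
        self.idle_timeout_s = idle_timeout_s
        self.absolute_timeout_s = absolute_timeout_s
        self.clock = clock
        self._sessions = {}  # sha256(token) -> {"user", "created", "last_seen"}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG; never a counter, timestamp or hash of the username.
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token: str):
        """Return the user for a live session, or None. Expired sessions are removed."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        now = self.clock()
        idle_expired = now - entry["last_seen"] > self.idle_timeout_s
        absolute_expired = now - entry["created"] > self.absolute_timeout_s
        if idle_expired or absolute_expired:
            del self._sessions[key]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, token: str):
        """Issue a fresh token for the same user and retire the old one. Call this at login
        and at any privilege change so a token handed out earlier cannot be reused."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(user)

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    store = SessionStore()
    first = store.create("alice")
    second = store.rotate(first)
    print("old token still valid:", store.validate(first) is not None)
    print("new token valid:", store.validate(second))
```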

M10: LACK OF BINARY PROTECTION (10 OUT OF 10 APPS FAILED)

All 10 of the tested apps lack binary protection and guards against static analysis.

The testing revealed that at least one application failed to meet important security requirements by:

§ Exposing (in plain text) private device information, such as the IMEI number (used to uniquely identify a particular device). Therefore, the user can be tracked even if the SIM card has been changed.

§ Containing a hard-coded URL with a history of malicious activity – meaning that the app inherently accesses a potentially malicious URL with the user left oblivious to the potential threat.

§ Having partially broken certificate validation – allowing the attacker to easily intercept encrypted traffic without using any sophisticated attacks.

The research also revealed that none of the applications tested have anti-jailbreak protection, which in practical terms means that all 10 applications are fully functional on jailbroken devices, and the respective unencrypted SQLite databases, and any other file containing personal data, could be exposed to third-party applications and accessible via physical access to the device.
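One of the M10 tests, "Compiled with PIE", can be checked from the first bytes of the app's main binary, since the flag lives in the Mach-O header. The following Python example is added here and is not code from the report or from Wandera: it parses a thin little-endian Mach-O header and reports whether MH_PIE is set. The header bytes it runs on are constructed by the example itself; a real check reads the app's main executable (for a fat binary, one architecture slice must be extracted first). The stack-cookie and ARC tests need the symbol table (for example the ___stack_chk_guard import) and are outside what the header alone can show.

```python
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit thin Mach-O, little-endian on device
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit thin Mach-O
FAT_MAGIC_BE = b"\xca\xfe\xba\xbe"  # universal binary wrapper (stored big-endian)
MH_EXECUTE = 0x2           # filetype: main executable
MH_PIE = 0x200000          # flags bit: image may be loaded at a random base address (ASLR)
CPU_TYPE_ARM64 = 0x0100000C


def parse_macho_header(data: bytes) -> dict:
    """Decode the fixed part of a thin Mach-O header. Raises ValueError for fat binaries
    (slice out one architecture first) and for anything that is not a Mach-O image."""
    if data[:4] == FAT_MAGIC_BE:
        raise ValueError("fat/universal binary: extract one architecture slice first")
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"not a little-endian Mach-O image (magic 0x{magic:08x})")
    cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<6I", data, 4)
    return {
        "is64": magic == MH_MAGIC_64,
        "cputype": cputype,
        "filetype": filetype,
        "ncmds": ncmds,
        "flags": flags,
    }


def is_pie(data: bytes) -> bool:
    """The 'Compiled with PIE' test: MH_PIE set in the flags of an MH_EXECUTE image."""
    header = parse_macho_header(data)
    if header["filetype"] != MH_EXECUTE:
        raise ValueError("MH_PIE is only meaningful for MH_EXECUTE images")
    return bool(header["flags"] & MH_PIE)


def build_header(flags: int, is64: bool = True) -> bytes:
    """Constructed header bytes for demonstration; a real check reads the first 32 bytes
    of the app's main binary inside the .ipa (Payload/<App>.app/<App>, path assumed)."""
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    cputype = CPU_TYPE_ARM64 if is64 else 12  # 12 is CPU_TYPE_ARM
    fixed = struct.pack("<7I", magic, cputype, 0, MH_EXECUTE, 0, 0, flags)
    return fixed + (b"\0\0\0\0" if is64 else b"")  # the 64-bit header has a reserved word


if __name__ == "__main__":
    # 0x85 = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL, the usual baseline flags.
    for label, flags in (("PIE", 0x00200085), ("no PIE", 0x00000085)):
        print(label, "->", is_pie(build_header(flags)))
```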

VULNERABILITY PREVALENCE

57% of the tested vulnerabilities explored in this research are actually present in the apps, and their distribution across applications is relatively even according to the results matrix below. This leads us to conclude that there is no single app of the 10 tested that stands out as being sufficiently secure. Even more alarming, there is no single app with less than five vulnerabilities identified.

From an enterprise perspective, the results can only be interpreted in one way: mobile security requires investment and because these devices can be used anytime and anywhere, it is essential that they be protected both on the corporate premises and off.

[Chart: VULNERABILITY PREVALENCE. Vertical axis: Number of Apps (0 to 10). Horizontal axis, one bar per test: Anti-Jailbreak Protection not Implemented, PII Stored in Unencrypted SQLite DB, PII in Property List Files, No Certificate Pinning, Allow Weak Passwords, Allow Brute Force, Weak Encryption, Vulnerable to Code Injection, PII in Custom Logs, HTTP Communication, PII Leaks, Device Info Leaks, API Calls Leaks, Allow Self-Signed Certificates, Compiled with Stack Cookies, Suspicious URLs.]

Conclusion

The 10 enterprise apps tested, which represent some of the most popular apps on both the iOS and Android platforms, have been found to be severely lacking in terms of their mobile security. Three separate OWASP tests failed for all apps tested. Mobile security teams should not ignore the fact that corporate data resides in these mobile apps and, due to these vulnerabilities, is at risk.

Our research has shown that the 10 applications tested have a number of weaknesses that can be easily exploited in an attacker’s pursuit of sensitive data. Wandera draws the following conclusions for enterprises concerned about their mobile security.

§ Although development practices and app security are improving, there will always be some weakness in development – therefore a third-party safety net around application security is essential.

§ Data security must be addressed holistically. The OWASP test methodology proves that information is vulnerable to attacks from a number of threat vectors. It is essential that developers utilize a secure development process and thoroughly test code before releasing it to users that trust them to release secured apps.

§ Enterprises should adopt a security solution that provides an extra layer of security around fast moving mobile threats.


ABOUT WANDERA

Wandera is the leader in mobile data security and management, providing enterprises with unrivaled visibility into their mobile data, and protecting them with real-time threat prevention, compliance and data cost management.

WANDERA US | 180 SANSOME STREET, SAN FRANCISCO, CA 94104 T +1 (415) 935 3095 [email protected] WANDERA EMEA | 45 MORTIMER STREET, LONDON, W1W 8HJ T +44 (0) 203 301 2660 WWW.WANDERA.COM