mobile app security best practices
Mobile Security Pitfalls: Common goofs we make and how to avoid them
Ynon Perek
tocode.co.il
You Don’t Need To Be a Hacker
✤ Bug -> Vulnerability -> Exploit
✤ Hackers use exploits
✤ We’ll focus on fixing bugs
Types of Vulnerabilities
(Diagram labels: Platform, Application Server, Communication, Technical, Human Factor, Platform)
Need To Protect…
✤ Our own private data
✤ Server
✤ Application secrets
✤ Our user’s private data
Guidelines: Server
✤ Assume Evil Teddy Bear is writing your client app
✤ Now write the server
Common Security Pitfalls - Server
✤ Trusting client application with too much data
✤ Leaving secrets in application source code
✤ Leaving server unprotected
Demo: Tinder Location Bug
Demo: Tinder Location Bug
"birth_date": "1992-06-24T00:00:00.000Z",
"gender": 1,
"name": "Daisie",
"pos": {
  "lon": -73.9977375759311,
  "lat": 40.72255556095288
},
"fbId": "185"
And the fix ???
"photos": [ ... ],
"id": "52617e698525596018001418",
"common_friends": [],
"common_likes": [],
"common_like_count": 0,
"common_friend_count": 0,
"distance_mi": 4.760408451724539
Found Ya!
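The two responses above show the same mistake twice: the server hands the client more than the client will ever display. First it was the raw coordinates, then a distance with fifteen decimal places, which is still enough to pin a person down. The example below is added here and is not Tinder's code or the speaker's; it assumes a Node.js server that builds the "nearby profile" response from a stored record. The viewer's coordinates and the whole-mile rounding with a one-mile floor are my own choices; Daisie's record is taken from the slide.

```javascript
// Added example (not from the talk): building a "nearby user" API response.
// The viewer position is a constructed test value; Daisie's record is the
// one shown on the slide.
const viewer = { id: 'viewer-1', lat: 40.7128, lon: -74.006 };
const daisie = {
  id: '52617e698525596018001418',
  name: 'Daisie',
  birth_date: '1992-06-24T00:00:00.000Z',
  gender: 1,
  fbId: '185',
  pos: { lon: -73.9977375759311, lat: 40.72255556095288 },
};

// Great-circle distance in miles between two {lat, lon} points (haversine).
function distanceMiles(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const R = 3958.8; // mean Earth radius in miles
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Leaky: the client gets the stored record as-is, exact position included,
// plus a distance precise enough to trilaterate from a few vantage points.
function leakyProfile(user, who) {
  return { ...user, distance_mi: distanceMiles(who, user.pos) };
}

// Hardened: strip fields the UI never shows (position, Facebook id) and
// coarsen the distance to whole miles, never reporting less than one.
// The rounding policy is an assumption of this example, not the app's.
function hardenedProfile(user, who) {
  const { pos, fbId, ...publicFields } = user;
  const miles = distanceMiles(who, pos);
  return { ...publicFields, distance_mi: Math.max(1, Math.round(miles)) };
}

// Compare what each version hands to the client.
console.log(JSON.stringify(leakyProfile(daisie, viewer), null, 2));
console.log(JSON.stringify(hardenedProfile(daisie, viewer), null, 2));
```

Rounding alone is not a complete fix (many coarse readings from different places still narrow a position down), so the better question to ask in the response-building code is "does the UI need this field at all?", and to leave out everything where the answer is no. The birth date above is a good candidate for the same treatment: send an age instead of the date.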
How I Hacked Your Facebook Photos
Request :-
DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=CAACEdEose0cBAABAXPPuULhNCsYZA2cgSbajNEV99ZCHXoNPvp6LqgHmTNYvuNt3e5DD4wZA1eAMflPMCAGKVlaDbJQXPZAWqd3vkaAy9VvQnxyECVD0DYOpWm3we0X3lp6ZB0hlaSDSkbcilmKYLAzQ6ql1ChyViTiSH1ZBvrjZAH3RQoova87KKsGJT3adTVZBaDSIZAYxRzCNtAC0SZCMzKAyCfXXy4RMUZD
Response :-
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}
Now let’s try with FB for Android token …
Request :-
DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response :-
true
Interesting, Now let’s try another album…
Request :-
DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response :-
true
OMG! Album Got Deleted
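The exchange above is a server trusting the wrong thing: it asked "is the calling app allowed to delete albums?" and, once a first-party token passed that test, never asked "does the user behind this token own the album?". The example below is added here and is not Facebook's code or the speaker's; it models the decision a Graph-style DELETE handler should make. Every id, app name and token in it is constructed, and the 403 error text is my own.

```javascript
// Added example, not from the write-up: the authorisation decision behind
// DELETE /{album-id}. All ids, app names and tokens are constructed.
const albums = { '518171421550249': { ownerId: 'user-A' } };

// Which apps have been granted the album-deletion capability.
const appCapabilities = {
  'third-party-app': new Set(),
  'fb-for-android': new Set(['delete_album']),
};

// An access token identifies both the issuing app and the user it belongs to.
const tokens = {
  'tok-third-party-user-B': { appId: 'third-party-app', userId: 'user-B' },
  'tok-android-user-B': { appId: 'fb-for-android', userId: 'user-B' },
  'tok-android-user-A': { appId: 'fb-for-android', userId: 'user-A' },
};

// Error shape copied from the response on the slide.
const CAPABILITY_ERROR = {
  error: {
    message: '(#200) Application does not have the capability to make this API call.',
    type: 'OAuthException',
    code: 200,
  },
};

// Buggy: the only question asked is "may this app delete albums?".
// Any user holding a token from a capable app can delete anyone's album.
function authorizeDeleteBuggy(albumId, token) {
  const t = tokens[token];
  if (!t || !albums[albumId]) return { error: { message: 'not found', code: 404 } };
  if (!appCapabilities[t.appId].has('delete_album')) return CAPABILITY_ERROR;
  return true; // mirrors the "Response :- true" on the slide
}

// Fixed: the app must be capable AND the token's user must own the album.
// Both checks run on the server, on every request, regardless of which
// client app presented the token.
function authorizeDeleteFixed(albumId, token) {
  const t = tokens[token];
  const album = albums[albumId];
  if (!t || !album) return { error: { message: 'not found', code: 404 } };
  if (!appCapabilities[t.appId].has('delete_album')) return CAPABILITY_ERROR;
  if (album.ownerId !== t.userId) {
    // Constructed error message for this example.
    return { error: { message: 'token user does not own this album', code: 403 } };
  }
  return true;
}

console.log('buggy, android token of user B:', authorizeDeleteBuggy('518171421550249', 'tok-android-user-B'));
console.log('fixed, android token of user B:', authorizeDeleteFixed('518171421550249', 'tok-android-user-B'));
```

The ordering matters less than the fact that both checks exist: an object-level ownership check that keys on the token's user, not on anything the client sends, is what closes this class of bug.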
Bug Bounty Programs
https://hackerone.com/
Getting It Wrong: Parse Todo App
http://code.tutsplus.com/tutorials/getting-started-with-parse--net-28000
Getting It Right: Parse Todo App
http://todolist.parseapp.com/#
And now for the client
Guidelines: Client app
✤ Assume phone was hijacked by evil teddy bear
✤ Assume server was hacked by evil teddy bear
✤ Assume all external data is fed in by evil teddy bear
Apple Storing Location Data in iOS4
What makes this issue worse is that the file is unencrypted and unprotected, and it’s on any machine you’ve synched with your iOS device…
http://radar.oreilly.com/2011/04/apple-location-tracking.html
JS Code Injections
Evil Hacker
Honest User
Web Application
(Email)
Send message to honest user
Message includes evil JS code
Why Is It Bad?
✤ PhoneGap apps provide no protection against evil JS
✤ Can use all device capabilities
JS Code Injections - PhoneGap
✤ WiFi network names
✤ QR Code
✤ NFC
✤ SMS
✤ Address Book
✤ iFrames
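Every item in that list is a string the app did not write but will happily render, and inside a PhoneGap WebView a rendered script runs with the app's device privileges. The example below is added here and is not from the talk or from PhoneGap; it assumes a PhoneGap-style screen that lists scanned WiFi network names. The SSIDs are constructed, and `evil()` is a placeholder for whatever an attacker-chosen name would call.

```javascript
// Added example (not from the talk): rendering untrusted strings in a
// PhoneGap-style WebView. The SSIDs are constructed test data; the third
// one stands in for an attacker-chosen network name.
const scannedNetworks = [
  'Home-Net',
  'Cafe Guest',
  '<img src=x onerror="evil()">', // evil() is a hypothetical placeholder
];

// Vulnerable: markup is assembled by concatenation and then handed to
// innerHTML, so the SSID is parsed as HTML and its handler runs.
function renderNetworksVulnerable(ssids) {
  return '<ul>' + ssids.map((s) => `<li>${s}</li>`).join('') + '</ul>';
}

// Escape the five characters that can change meaning inside HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Safe: every untrusted value is escaped before it enters the markup, so
// the browser shows the SSID as text instead of interpreting it.
function renderNetworksSafe(ssids) {
  return '<ul>' + ssids.map((s) => `<li>${escapeHtml(s)}</li>`).join('') + '</ul>';
}

// Safer still when a DOM is in reach: never build markup from data at all.
// `doc` is the WebView's document (passed in so this file also loads
// outside a browser); textContent is never parsed as HTML.
function renderNetworksDom(ssids, listEl, doc) {
  for (const s of ssids) {
    const li = doc.createElement('li');
    li.textContent = s;
    listEl.appendChild(li);
  }
  return listEl;
}

console.log(renderNetworksVulnerable(scannedNetworks));
console.log(renderNetworksSafe(scannedNetworks));
```

The same two rules cover QR codes, NFC payloads, SMS bodies and address-book entries: treat the value as text (`textContent`, not `innerHTML`), and if you must produce HTML, escape at the point of insertion rather than trusting that the source "only ever contains names".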
Communication Layer
Guidelines: Communication
✤ Oh no, evil teddy bear PWNS the router
✤ Encrypted
✤ Authenticated
✤ Tamper proof
✤ => HTTPS
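"=> HTTPS" is the one-line answer, but a client still has to refuse to fall back to plain HTTP, and a mobile app that talks to exactly one API can go a step further and pin the server certificate so that a router-level attacker with a rogue CA certificate is caught too. The example below is added here and is not from the talk; it assumes a Node.js client (the same idea applies in a WebView through the platform's networking layer). `api.example.com` and the fingerprint value are placeholders.

```javascript
// Added example (not from the talk): an HTTPS-only API client with
// certificate pinning for Node.js. Host and pin values are placeholders.
const API_BASE = 'https://api.example.com'; // placeholder host

// SHA-256 fingerprints of the certificates we are willing to accept
// (placeholder value; a real pin comes from your own server's certificate).
const PINS = ['AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89'];

// Build an API URL and refuse anything that is not HTTPS, including
// absolute http:// URLs smuggled in through a path parameter.
function apiUrl(path, base = API_BASE) {
  const url = new URL(path, base);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS URL: ${url.href}`);
  }
  return url;
}

// Compare the peer certificate's SHA-256 fingerprint against the pin list.
// Follows the contract of Node's checkServerIdentity callback: returns
// undefined when the certificate is acceptable, an Error otherwise.
function verifyPin(cert, pins) {
  const seen = String(cert.fingerprint256 || '').toUpperCase();
  const ok = pins.some((p) => p.toUpperCase() === seen);
  return ok ? undefined : new Error(`certificate pin mismatch: ${seen || '(none)'}`);
}

// An https.Agent that keeps the normal hostname check and adds the pin
// check on top. Modules are required lazily so the pure functions above
// stay testable without opening a socket.
function pinnedAgent(pins) {
  const https = require('https');
  const tls = require('tls');
  return new https.Agent({
    checkServerIdentity(hostname, cert) {
      return tls.checkServerIdentity(hostname, cert) || verifyPin(cert, pins);
    },
  });
}

// Usage (performs a real network request, so it is not run here):
//   const https = require('https');
//   https.get(apiUrl('/me'), { agent: pinnedAgent(PINS) }, (res) => { ... });
```

Pinning means planning for rotation: ship at least two pins (current and next certificate) and have a way to update them, or the first certificate renewal locks every installed client out.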
Remember Firesheep?
Demo: Listening on unencrypted mobile traffic using a proxy
Q & A
Thanks For Listening
✤ Ynon Perek
✤ tocode.co.il