mobile application security threats through the eyes of the attacker
TRANSCRIPT
Mobile Application Security Threats through the Eyes of the Attacker
2
Our Speaker
Jason is the Director of Technical Operations at Bugcrowd. He trains and works with internal application security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry’s relations with the researchers. Jason’s interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructural security assessments, binary reverse engineering, and static analysis.
Jason Haddix
@jhaddix
Mobile Application Security Threats through the Eyes of the Attacker
3
Agenda
o Mobile is everywhere o Top Ten Mobile App Risks
What are they? What are some examples?
o Focusing on the big 3 o Resources for security and dev teams o Questions
Mobile Application Security Threats through the Eyes of the Attacker
4
Mobile is everywhere Mobile is computing
• There are 1.2 billion mobile users. By 2018 that number with be 5 billion.
• Mobile adoption is growing 8x faster than traditional web applications.
• Mobile payments will exceed $90 Billion by 2017
Mobile Application Security Threats through the Eyes of the Attacker
5
Mobile is everywhere Attackers go where the users are
• It’s not just phones, tables, IoT devices, etc are all “mobile” now.
• With that kind of adoption hackers have shifted to these new surface areas.
Mobile Application Security Threats through the Eyes of the Attacker
6
2014 Draft OWASP Mobile Top 10 Risks
M1 – Weak Server Side
Controls
M10 – Lack of Binary
Protections
M9 – Improper Session
Handling
M5 – Poor Authorization
and Authentication
M6 – Broken Cryptography
M7 – Client Side
Injection
M8 – Security Decisions Via
Untrusted Inputs
M2 – Insecure
Data Storage
M3 – Insufficient Transport
Layer Protection
M4 – Unintended
Data Leakage
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
Mobile Application Security Threats through the Eyes of the Attacker
8
Take a look at your mobile OS and ensure that none of the operating systems features leak private data. Unintended Data Leakage
iOS: • Logging (NSLog in production) • Application Background Screenshot • URL Caching • Keyboard Press Caching • Copy/Paste buffer Caching • Photo Sharing
Android • URL Caching (Both request and
response) • Logging (log.d) • Exported Content Providers
Mobile Application Security Threats through the Eyes of the Attacker
9
http://s3jensen.blogspot.com/2014/02/credit-karma-ios-vulnerability.html
Mobile Application Security Threats through the Eyes of the Attacker
10
Pro-Tips for the mobile dev Don’t Store or Store Securely
• If at all possible don’t store passwords or PII. • There are several storage mechanisms for each platform.
Some are safer than others.
• iOS: When storage is necessary for small data fragments, use the iOS keychain. In addition store all strings in encrypted format, even in the keychain. Never use plists for data storage (NSUserDefaults)
• iOS: For larger data-sets, files, and databases (coredata or sqlite), utilize Apple’s Data Protection API with a minimum of the designation NSFileProtectionCompleteUnlessOpen
• Android: Use the Andriod Keystore (crypted values) and avoid saving to the external storage (Sdcard) as it is a shared storage mechanism.
Mobile Application Security Threats through the Eyes of the Attacker
12
Poor TLS implementations Common Vulnerabilities
Mobile Application Security Threats through the Eyes of the Attacker
13
Over the Wire
o When the application runs, it will be talking to multiple servers. o It will also be using an untrusted network 50% of the time. o Always use HTTPS, disable HTTP endpoints.
o Set appropriate cookies: secure, HTTPonly o Use appropriate cipher strength for SSL o Use appropriate certificate management calls
o Use Certificate pinning where possible o https://github.com/iSECPartners/ssl-conservatory
Mobile Application Security Threats through the Eyes of the Attacker
14
Poor TLS implementations Common Vulnerabilities
• Trusting any certificate it sees • Allows expired certificates • Allows trivial MiTM attacks • Can connect to HTTPS once, and then fall back (mixed mode) • ++
SSL Checklist for Penetration Testers
Mobile Application Security Threats through the Eyes of the Attacker
16
Highlights Protect the Server
• The server side is the most often overlooked piece of the mobile application, and therefore usually yields the most critical vulnerabilities.
• Validate all input, use whitelisting approach for special/control characters.
• While not a silver bullet, there are several open source WAF’s and libraries depending on platform (modsecurity, OWASP ESAPI, IIS Sec modules)
• Think about authentication API requests and how they can be abused.
• Keep webserver software and framework updated. (this includes XML parsers ;)
• If the backend is WS based, return the proper content type. • Use POST instead of GET where possible. • "Cache-Control : no-cache, no-store“ is important
Mobile Application Security Threats through the Eyes of the Attacker
17
OWASP Proactive Controls
1: Parameterize Queries 2: Encode Data 3: Validate All Inputs 4: Implement Appropriate Access Controls 5: Establish Identity and Authentication Controls 6: Protect Data and Privacy 7: Implement Logging, Error Handling and Intrusion Detection 8: Leverage Security Features of Frameworks and Security Libraries 9: Include Security-Specific Requirements 10: Design and Architect Security In
Mobile Application Security Threats through the Eyes of the Attacker
19
Proxy the application during QA testing to audit for data leakage
http://codewithchris.com/tutorial-using-charles-proxy-with-your-ios-development-and-http-debugging/
Mobile Application Security Threats through the Eyes of the Attacker
20
Check for unencrypted files https://github.com/dmayer/idb
Mobile Application Security Threats through the Eyes of the Attacker
21
Data storage, protection, and testing on the device
iOS Developer ü iOS: Data Protection
Classes ü iOS: Encrypted Core Data
guide ü iOS Security Guide
iOS Tester ü idb iOS assessment tool ü OWASP iOS Testing Cheat
sheet
Android Developer ü Android: CERT Secure Coding
Practices for Android ü Jssec.org Secure Android
Coding Manual
Android Tester ü Android Debug Bridge (adb) ü Drozer Android Toolkit
Mobile Application Security Threats through the Eyes of the Attacker
22 22
Key Takeaways
1. Start with identifying and fixing the “top 3” 2. Keep a well trained and staffed
development and assessment team 3. Utilize provided resources
Mobile Application Security Threats through the Eyes of the Attacker
23
QUESTIONS?
bugcrowd.com [email protected] @jhaddix