mobile malfeasance - exploring dangerous mobile vulnerabilities


Upload: jasonhaddix

Post on 23-Jan-2015


DESCRIPTION

A look at the Top 10 Mobile Application vulnerabilities, and statistics around their manifestations.

TRANSCRIPT

Page 1: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Mobile Malfeasance: Exploring Dangerous Mobile Code and Applications

Jason Haddix – Director of Penetration Testing, Fortify On Demand

Page 2: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

About the Presenter

• Jason Haddix (@jhaddix)

• Director of Penetration Testing at HP/Fortify on their ShadowLabs team.

• Previously worked in HP’s Professional Services as a security consultant, and as an engineer & pen tester for Redspin.

• Frequent attendee, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.

• Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine.

Page 3: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Overview


• Trends and the need for mobile appsec

• Overview of threat landscape

• Classifying vulnerabilities and exploring metrics

• Threat modeling and risk profiling mobile apps

• Exploring a few high risk areas

• The mobile app SDLC

• Fortify on Demand’s Testing Methods for QA and Security Groups

• Resources for development and QA teams facing mobile security

Page 4: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Trends and Threats | Adoption

• Global mobile data traffic will increase 26-fold between 2010 and 2015

• Two-thirds of the world’s mobile data traffic will be video by 2015

• There will be nearly one mobile device per capita by 2015 (~6 billion)

Data from Smart Insights, 2011

Page 5: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
Page 6: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Why do we care?

• Regulations and Standards (PCI, HIPAA, SOX, etc.)

• Your critical business applications face the Internet

• More than 60% of applications have serious flaws

Page 7: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

New Devices

[Diagram: server – connection – OS]

Page 8: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Same Old Story

[Diagram: server – browser]

Page 9: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Same Old Server

[Diagram: Security Services – Operations Software – Information]

Page 10: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Mobile Application Security Challenges

• Difficult to train and retain staff - very difficult to keep skills up-to-date

• Constantly changing environment

• New attacks constantly emerge

• Compliance Requirements

• Too many tools for various results

• Apps are getting launched on a daily basis with Security not being involved.

• Junior Developers are typically the ones creating the apps.

Page 11: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

How you see your world

Get the username

Get the password

Remember the User

Get Sales Data

Edit my account

Generate Reports

Page 12: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

How an attacker sees your world

SQL Injection

Cross Site Scripting

Improper Session Handling

Data Leakage

Sensitive Information Disclosure

Weak Server Side Controls

Client Side Injection

Insufficient Data Storage

Page 13: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities


Exploring Insecure Mobile Code

Page 14: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks

• M1 – Insecure Data Storage

• M2 – Weak Server Side Controls

• M3 – Insufficient Transport Layer Protection

• M4 – Client Side Injection

• M5 – Poor Authorization and Authentication

• M6 – Improper Session Handling

• M7 – Security Decisions via Untrusted Inputs

• M8 – Side Channel Data Leakage

• M9 – Broken Cryptography

• M10 – Sensitive Information Disclosure

Page 15: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M1: Insecure Data Storage

• SQLite

• Logging

• Plist Files

• Manifest Files

• Binary data stores

• SD Card Storage

Page 16: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M2: Weak Server Side Controls

• EVERYTHING in the OWASP Top 10

Page 17: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M3: Insufficient Transport Layer Protection

• Insecure SSL Encryption

• Unsigned and Unforced Certificate Validation
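"Unforced certificate validation" usually appears in code as a client that switches verification off. As an added illustration (not from the deck, and not Fortify's code), the following Python shows the ssl configuration that does exactly that beside the default context that verifies the chain and hostname, plus a small audit helper of the kind an assessor can run over an app's TLS setup; the 15-minute and TLS 1.2 floor choices are assumptions:

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """The weak setting: accept any certificate for any hostname.

    With chain verification and hostname checking disabled, anyone on the
    network path can present their own certificate and read the traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def secure_context() -> ssl.SSLContext:
    """The corrected setting: the library defaults, with a protocol floor.

    create_default_context() already loads the system CA store, requires a
    valid chain (CERT_REQUIRED) and checks the hostname; we only pin the
    minimum protocol version (assumption: TLS 1.2 is the floor).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which transport protections a context actually enforces."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "legacy_tls_allowed": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("secure:  ", audit_context(secure_context()))
```

The audit helper is the useful part for a review: when an app wraps its HTTP client in a custom context, printing these three flags is faster than reading the whole networking layer, and a `False` in either of the first two columns is the finding this slide describes.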

Page 18: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M4: Client Side Injection

• SQLite Injection

• XSS via Webview

• LFI

• Etc.
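SQLite injection on the client is the same defect as on the server: user input spliced into query text. As an added example (not from the deck), here Python's sqlite3 module stands in for the Android/iOS SQLite API; the `notes` table and its rows are constructed for the demonstration. The vulnerable lookup returns every row when handed a value that closes the quoted literal, while the parameterised one treats the same value as data:

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: a local app database with two users' notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice private note"), ("bob", "bob private note")],
    )
    return conn


def notes_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Defect on purpose: the owner string becomes part of the SQL text."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Fix: bind the value; the driver passes it as data, whatever it contains."""
    sql = "SELECT body FROM notes WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo() -> dict:
    """Run both lookups with an input that breaks out of the quoted literal."""
    conn = build_sample_db()
    crafted = "alice' OR 'x'='x"
    return {
        "vulnerable": notes_for_owner_vulnerable(conn, crafted),
        "safe": notes_for_owner_safe(conn, crafted),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the same one web teams already know (parameter markers, never concatenation), which is the slide's point that the mobile client merely relocates an old bug.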

Page 19: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M5: Poor Authorization and Authentication

• Poor Password Complexity

• Account disclosure via Login or Forgot Password

Page 20: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M6: Improper Session Handling

• Indefinite Sessions

• Weak cookie “hashing”

• Home-rolled session management

• Using phone ID as part of session
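The three items above (indefinite sessions, home-rolled tokens, phone ID in the session) are easiest to see side by side in code. As an added example (not from the deck), the Python below first shows a "session" derived from a device ID, which anyone who knows the ID can recompute and which never expires, and then a server-side store that issues random opaque tokens with an idle timeout. The 15-minute timeout and the `now` parameter (passed in so the behaviour can be checked without a clock) are assumptions of the example:

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # assumption: 15-minute idle timeout


def weak_token_from_device_id(device_id: str) -> str:
    """What the slide warns against: a 'session' that is just a hash of the phone ID.

    The value is reproducible by anyone holding the device ID, is the same
    for every login, and cannot be revoked without changing the device.
    """
    return hashlib.md5(device_id.encode()).hexdigest()


class SessionStore:
    """Server-side sessions: unguessable tokens, expiry, and revocation."""

    def __init__(self):
        self._sessions = {}     # token -> (user, expires_at)

    def create(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, now + SESSION_TTL_SECONDS)
        return token

    def validate(self, token: str, now: float = None):
        """Return the user for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]       # expired: drop it and reject
            return None
        # Sliding expiry: an active user is not cut off mid-use
        self._sessions[token] = (user, now + SESSION_TTL_SECONDS)
        return user

    def revoke(self, token: str) -> None:
        """Logout: the token stops working immediately, server side."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    print("weak token, same every time:", weak_token_from_device_id("DEVICE-ID-EXAMPLE"))
    store = SessionStore()
    tok = store.create("alice")
    print("random token:", tok, "->", store.validate(tok))
```

Two properties carry the security: the token is random (nothing about the user or device can be used to predict it), and the server owns the expiry, so a lost phone or a stolen token has a bounded lifetime and can be revoked.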

Page 21: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M7: Security Decisions via Untrusted Inputs

• Inter-process communication

• Android intents

• iOS URL schemes

Page 22: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M8: Side Channel Data Leakage

• Keystroke logging

• Screenshot caching

• Logs

• Temp files

Page 23: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M9: Broken Cryptography

• Rolling your own crypto

• Antiquated crypto libraries

• Encoding != encryption

• Obfuscation != encryption

• Serialization != encryption
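"Encoding != encryption" is something an assessor can test for directly when pulling values out of an app's data stores. As an added example (not from the deck), the Python below classifies a stored blob: a value that base64-decodes to readable text was only encoded, readable text was never protected at all, and a byte distribution near 8 bits per byte is what real ciphertext (or compressed data) looks like. The 7.5-bit threshold and the SHA-256 chain used as a deterministic stand-in for ciphertext are assumptions of the example:

```python
import base64
import binascii
import hashlib
import math
from collections import Counter

# Constructed sample: a credential string and its base64 "protected" form.
SAMPLE_PLAINTEXT = b"password=hunter2"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAINTEXT)


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Empirical entropy of the byte distribution (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_printable_text(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def classify_blob(data: bytes) -> str:
    """'encoded', 'plaintext', 'high-entropy' or 'unknown' for a stored value."""
    # 1. Reversible encoding: valid base64 whose decoded form reads as text.
    if len(data) % 4 == 0:
        try:
            decoded = base64.b64decode(data, validate=True)
            if is_printable_text(decoded):
                return "encoded"
        except (binascii.Error, ValueError):
            pass
    # 2. Not even encoded.
    if is_printable_text(data):
        return "plaintext"
    # 3. Ciphertext and compressed data sit close to 8 bits per byte (assumed cut-off: 7.5).
    if shannon_entropy_bits_per_byte(data) > 7.5:
        return "high-entropy"
    return "unknown"


def sample_high_entropy(n_bytes: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain (constructed)."""
    out, block = bytearray(), b"seed"
    while len(out) < n_bytes:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n_bytes])


if __name__ == "__main__":
    for label, blob in [("plaintext", SAMPLE_PLAINTEXT),
                        ("base64", SAMPLE_ENCODED),
                        ("hash chain", sample_high_entropy())]:
        print(f"{label:11s} -> {classify_blob(blob)}")
```

The caveat runs the other way too: a high-entropy result only rules out the trivial cases on this slide. It says nothing about whether the key is hardcoded, the mode is sound, or the library is current, which are the remaining items on the list and need code review rather than a byte histogram.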

Page 24: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

OWASP Mobile Top 10 Risks – M10: Sensitive Information Disclosure

• Hardcoded secrets!

• API keys, server-side database passwords, etc.
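Hardcoded secrets are the cheapest finding to automate, because a shipped binary can be decompiled and grepped. As an added example (not from the deck, and not Fortify's scanner), the Python below runs a pattern for "secret-named identifier assigned a quoted literal" over a few constructed source lines. Every key and password value in the sample is a made-up placeholder, and `loadFromKeystore` is a hypothetical helper standing for "read it from the platform keystore at runtime":

```python
import re

# Constructed sample: lines as they might appear in Java/Objective-C source
# or decompiled output. All secret values are placeholders, not real keys.
SAMPLE_SOURCE = """\
package com.example.app;
private static final String API_KEY = "AKIA_PLACEHOLDER_EXAMPLE_KEY_0001";
String dbPassword = "s3cretDbPassw0rd";
String endpoint = "https://api.example.invalid/v1";
String apiKey = loadFromKeystore("api_key");
NSString *token = @"placeholder-token-value-1234567890";
int retryCount = 3;
"""

# An identifier that names a secret, assigned a quoted literal of 8+ chars.
# The '@?' allows Objective-C string literals (@"...").
SECRET_NAME = r"(?:api[_-]?key|secret|passw(?:or)?d|token|private[_-]?key)"
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b\w*" + SECRET_NAME + r"\w*\s*=\s*@?\"([^\"]{8,})\""
)


def find_hardcoded_secrets(source: str) -> list:
    """Return (line number, offending line) pairs for literal secret assignments."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SECRET_ASSIGNMENT.search(line):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, line in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {line}")
```

Line 5 of the sample is the shape to aim for: the name is still secret-like, but nothing literal sits beside it, so the check stays quiet. A real review pairs a check like this with entropy scanning of string tables, since a key assigned to a neutrally named variable slips past a name-based pattern.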

Page 25: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Real Examples from the Enterprise

Page 26: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Vulnerabilities by Risk

[Bar chart: vulnerability counts by severity – Critical, High, Medium, Low, Informational; y-axis 0–90]

• Case study of 120 mobile applications for 1 enterprise client

• 234 vulnerabilities

• 66% of applications contained a critical or high vulnerability that:

  • Disclosed 1 or more users’ personal data

  • Exposed multiple users’ personal data

  • Compromised the application’s server

Page 27: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Vulnerabilities by OWASP Top 10 Category

[Bar chart: vulnerability counts per category – M1 through M10 and Other; y-axis 0–80]

Legend:

• M1: Insecure Data Storage

• M2: Weak Server Side Controls

• M3: Insufficient Transport Layer Protection

• M4: Client Side Injection

• M5: Poor Authorization and Authentication

• M6: Improper Session Handling

• M7: Security Decisions Via Untrusted Inputs

• M8: Side Channel Data Leakage

• M9: Broken Cryptography

• M10: Sensitive Information Disclosure

Page 28: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Other?

• Poor Code Quality and Application Hardening

• Unreleased Resources

• No ASLR or Memory Management frameworks enabled

• Privacy Leaks

• UUID, Wi-Fi, device names, geolocations, etc., leaked to Ad Agencies

Page 29: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities


Fixing the Problem

Page 30: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Mobile SDLC – Security Foundations – Mobile Applications

[Diagram: SDLC phases – Plan, Requirements, Architecture & Design, Build, Test, Production – with the security activities below mapped onto them]

• Mobile Security Development Standards

• Application Specific Threat Modeling and Analysis

• Mobile Secure Coding Training

• Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)

• Threat Modeling CBT for Developers

• Mobile Secure Coding Standards Wiki

• Mobile Risk Dictionary

• Mobile Application Security Process Design

• Mobile Firewall

• Mobile Security Policies

• Static Analysis

• MDM

Page 31: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

How do we get started?

1. Find your published apps

2. Threat model them based on the information they handle

3. Assess and fix published apps

4. Give resources to developers to write secure code

Page 32: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Threat Modeling a Mobile App

Identify business objectives:

• Identify the data the application will use

• PII vs Non-PII

• Credentials & access

• Where is it stored?

• Payment information?

Types of data at risk with a mobile app:

• Usernames & Passwords

• UDID

• Geolocation/address/zip

• DoB

• Device Name

• Network Connection Name

• Credit Card Data or Account Data

• Updates to Social media

• Chat logs

• Cookies

• Etc…

Page 33: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities


How to Assess?

Page 34: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Mobile Methodology

[Diagram: three assessment targets – Web Application (Static Analysis, Dynamic Analysis), Network, Client Application (Static Analysis, Dynamic Analysis)]

Page 35: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

BlackBox Mobile Methodology

[Diagram: Mobile Assessment broken down into four tracks]

• Application Mapping: Platform Mapping, Appl. Arch, Under. App, Data Flow Mapping

• Client Attacks: Binary Analysis, File system Analysis, Memory Analysis, Insecure API, Sensitive File Artifact, Weak Encrypt

• Network Attacks: Install Traffic, Run Traffic, Plaintext Traffic

• Server Attacks: TCP Attacks, HTTP Attacks, Buffer Overflows, SQLi, XSS

Page 36: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

MOBILE ASSESSMENT – TOOLS

• Fortify

• WebInspect

• IDAPro

• Jad

• Undx

• Burp Suite

• AdpSmali / Backsmali

• AndroGuard

• Blackberry Swiss Army Knife

• iPhone SDK

• Mallory

• Netfilter / iptables

• Custom iOS and Android Scripts

Page 37: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities


Resources

Page 38: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Fortify On Demand’s Mobile Application Security Risks, Controls, and Procedures Document

Page 39: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
Page 40: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Fortify on Demand’s Android & iOS Security Checklists

Page 41: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Other Resources for QA, Security Managers, and Devs

• Fortify’s 7 Ways to Hang Yourself with Android Presentation

• Fortify on Demand’s iOS Penetration Testing Presentation

• Fortify’s VulnCAT

Page 42: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
Page 43: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Other Resources

• OWASP Top 10 Mobile Risks Page

• OWASP iOS Developer Cheat Sheet

• Google Android Developer Security Topics 1

• Google Android Developer Security Topics 2

• Apple's Introduction to Secure Coding

Page 44: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities


Parting Thoughts

Page 45: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Parting Thoughts

• Remember that mobile sites face the Internet as well; obscurity != security

• Web teams and mobile teams often not the same; mobile development teams are often behind in security training

• Track the data flow; threat modeling / risk assessment

• Start with Risk Profiling and exposure (deployed apps)

• It all starts with the code; coding standards are pivotal

Page 46: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Parting Thoughts II

• Give developers prescriptive guidance, show with examples

• Don’t store it (PII) at all if you don’t need to

• If you have a 3rd-party dev team, deploy a contract that enforces coding based on secure mobile dev standards

• Mobile Device Management (MDM) is not a substitute for secure code

• Finally, don’t be intimidated by “mobile”; the same fundamentals are still in play

Page 47: Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities

Questions?

Contact:

[email protected]