Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
DESCRIPTION
A look at the OWASP Top 10 mobile application risks, and statistics around how they manifest in real enterprise applications.
TRANSCRIPT
©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Mobile Malfeasance: Exploring Dangerous Mobile Code and Applications
Jason Haddix – Director of Penetration Testing, Fortify On Demand
About the Presenter
• Jason Haddix (@jhaddix)
• Director of Penetration Testing at HP/Fortify on their ShadowLabs team.
• Previously worked in HP's Professional Services as a security consultant, and as an engineer & pen tester for Redspin.
• Frequent attendee, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
• Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine.
Overview
• Trends and the need for mobile appsec
• Overview of threat landscape
• Classifying vulnerabilities and exploring metrics
• Threat modeling and risk profiling mobile apps
• Exploring a few high risk areas
• The mobile app SDLC
• Fortify on Demand’s Testing Methods for QA and Security Groups
• Resources for development and QA teams facing mobile security
Trends and Threats | Adoption
• Global mobile data traffic will increase 26-fold between 2010 and 2015
• Two-thirds of the world’s mobile data traffic will be video by 2015
• There will be nearly one mobile device per capita by 2015 (~6 billion)
Data from Smart Insights, 2011
Why do we care?
• Regulations and standards (PCI, HIPAA, SOX, etc.)
• Your critical business applications face the Internet
• More than 60% of applications have serious flaws
New Devices, Same Old Story, Same Old Server
[Diagram: a mobile device (OS) talks over a connection to a server, exactly as a browser talks to a server; the server behind both still fronts the same security services, operations software and information.]
Mobile Application Security Challenges
• Difficult to train and retain staff; very difficult to keep skills up to date
• Constantly changing environment
• New attacks constantly emerge
• Compliance requirements
• Too many tools, each giving different results
• Apps are launched on a daily basis without security being involved
• Junior developers are typically the ones creating the apps
How you see your world
• Get the username
• Get the password
• Remember the user
• Get sales data
• Edit my account
• Generate reports
How an attacker sees your world
• SQL Injection
• Cross Site Scripting
• Improper Session Handling
• Data Leakage
• Sensitive Information Disclosure
• Weak Server Side Controls
• Client Side Injection
• Insecure Data Storage
Exploring Insecure Mobile Code
OWASP Mobile Top 10 Risks
• M1 – Insecure Data Storage
• M2 – Weak Server Side Controls
• M3 – Insufficient Transport Layer Protection
• M4 – Client Side Injection
• M5 – Poor Authorization and Authentication
• M6 – Improper Session Handling
• M7 – Security Decisions via Untrusted Inputs
• M8 – Side Channel Data Leakage
• M9 – Broken Cryptography
• M10 – Sensitive Information Disclosure
M1 – Insecure Data Storage
• SQLite databases
• Logging
• Plist files
• Manifest files
• Binary data stores
• SD card storage
M2 – Weak Server Side Controls
• EVERYTHING in the (web) OWASP Top 10 still applies to the server side of a mobile app
M3 – Insufficient Transport Layer Protection
• Insecure SSL configuration
• Unsigned (self-signed) certificates, and certificate validation that the client does not enforce
M4 – Client Side Injection
• SQLite injection
• XSS via WebView
• LFI (local file inclusion)
• Etc.
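SQLite injection on the client looks exactly like SQL injection on the server; the only difference is that the untrusted string arrives from a WebView, an intent extra or a URL-scheme parameter instead of an HTTP request. The following is an added example (not code from the presentation); the `notes` and `accounts` tables and their rows are constructed sample data. It shows a concatenated query being turned into a tautology and into a UNION read of a second table, beside the parameterised query that is immune to both.

```python
import sqlite3

# Constructed sample data standing in for an app's local SQLite store
# (hypothetical schema, not from the original deck).
SAMPLE_NOTES = [
    ("alice", "Q3 pipeline: 12 deals, $1.4M"),
    ("bob", "expense report draft"),
    ("carol", "call supplier re: invoice 4471"),
]
SAMPLE_ACCOUNTS = [("alice", "hunter2")]   # plaintext password in a local table (M1)


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.execute("CREATE TABLE accounts (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def notes_for_owner_vulnerable(conn, owner):
    """Builds the query by string concatenation: the client-side injection
    the deck lists under M4. 'owner' is attacker-controlled when it comes
    from another app via an intent, a URL scheme or a WebView."""
    sql = "SELECT owner, body FROM notes WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def notes_for_owner_safe(conn, owner):
    """Same query with a bound parameter: the value can only ever be data,
    never part of the statement, so neither payload below changes the query."""
    return conn.execute(
        "SELECT owner, body FROM notes WHERE owner = ?", (owner,)
    ).fetchall()


# Two classic payloads: a tautology that dumps every row, and a UNION that
# reads a different table through the same query. SQLite honours '--' comments.
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "x' UNION SELECT username, password FROM accounts --"


def demo():
    """Run legitimate and malicious inputs through both implementations."""
    conn = make_db()
    return {
        "legit_vulnerable": notes_for_owner_vulnerable(conn, "alice"),
        "legit_safe": notes_for_owner_safe(conn, "alice"),
        "tautology_vulnerable": notes_for_owner_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": notes_for_owner_safe(conn, TAUTOLOGY),
        "union_vulnerable": notes_for_owner_vulnerable(conn, UNION_READ),
        "union_safe": notes_for_owner_safe(conn, UNION_READ),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

The tautology returns all three notes and the UNION payload returns the credential row from `accounts`, while the parameterised version returns nothing for either payload and the same single row for the legitimate input. The fix on Android is `SQLiteDatabase.query()`/`rawQuery()` with `selectionArgs`, and on iOS `sqlite3_bind_*` or a wrapper that binds; string formatting into SQL is the bug regardless of platform.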
M5 – Poor Authorization and Authentication
• Poor password complexity
• Account disclosure (username enumeration) via Login or Forgot Password
M6 – Improper Session Handling
• Indefinite sessions
• Weak cookie "hashing"
• Home-rolled session management
• Using the phone ID as part of the session
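The four M6 bullets usually show up together: a session identifier that is a hash of the device ID and user name is guessable by anyone who learns the device ID (which M8 and M10 leak freely), and because nothing about it changes over time it is also indefinite. The block below is an added example, not code from the presentation; the UDID, user names and timeout values are made up. It contrasts that home-rolled token with a server-side store that issues random identifiers from the OS CSPRNG, expires idle sessions and supports revocation.

```python
import hashlib
import hmac
import secrets
import time


def weak_session_token(udid, username):
    """The 'home-rolled' pattern the deck warns about under M6: a session id
    that is just a hash of the device identifier plus the user name. It is
    deterministic, so anyone who learns the UDID can regenerate it, and the
    server has no way to make it expire."""
    return hashlib.md5((udid + ":" + username).encode("utf-8")).hexdigest()


def attacker_forges_weak_token(leaked_udid, victim_username, token_seen_on_wire):
    """Attacker's side: recompute the token from leaked inputs and check it
    matches one captured from traffic or a log file."""
    guess = weak_session_token(leaked_udid, victim_username)
    return hmac.compare_digest(guess, token_seen_on_wire)


class SessionStore:
    """Server-side sessions done the boring way: random ids, an idle timeout,
    explicit revocation, and nothing derived from the phone. 'now' is
    injectable so the expiry logic can be exercised without sleeping."""

    def __init__(self, ttl_seconds=900, now=time.time):
        self._ttl = ttl_seconds
        self._now = now
        self._sessions = {}  # token -> (username, expires_at)

    def create(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, self._now() + self._ttl)
        return token

    def lookup(self, token):
        """Return the user for a live token, or None if unknown or expired.
        A successful lookup slides the expiry, so active users stay logged in
        while idle sessions die; this is what 'indefinite sessions' lacks."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[token]
            return None
        self._sessions[token] = (username, self._now() + self._ttl)
        return username

    def revoke(self, token):
        """Logout / password change / device lost: the token stops working now."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    udid = "0123456789abcdef0123456789abcdef0123deadbeef"   # constructed
    tok = weak_session_token(udid, "alice")
    print("weak token:", tok, "forgeable:", attacker_forges_weak_token(udid, "alice", tok))
    store = SessionStore(ttl_seconds=60)
    t = store.create("alice")
    print("random token:", t, "->", store.lookup(t))
```

The point of `SessionStore.lookup` is not the data structure but the two things the weak token cannot do: refuse a token after a period of inactivity, and stop honouring one the moment the user logs out. Tie the token to nothing the client can present on its own; if device binding is wanted, keep it as an additional server-side check, never as the source of the identifier.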
M7 – Security Decisions via Untrusted Inputs
• Inter-process communication
• Android intents
• iOS URL schemes
M8 – Side Channel Data Leakage
• Keystroke logging
• Screenshot caching
• Logs
• Temp files
M9 – Broken Cryptography
• Rolling your own crypto
• Antiquated crypto libraries
• Encoding != encryption
• Obfuscation != encryption
• Serialization != encryption
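"Encoding != encryption" and "rolling your own" are the same finding seen from two sides: Base64 has no key at all, and a fixed-key XOR has a key that falls out of a single known plaintext. The block below is an added example, not code from the presentation; the credential JSON, the key `App$K3y!` and the assumption that the app stores a JSON object beginning with `{"user":"` are all constructed for the demonstration. It implements the known-plaintext recovery for a repeating-key XOR, first with the key length known and then by trying lengths until the output parses as the JSON the app is known to write.

```python
import base64
import json
from itertools import cycle

# Constructed sample: what a badly written app might write to its sandbox.
SAMPLE_CREDS = b'{"user":"alice","password":"hunter2"}'
APP_KEY = b"App$K3y!"            # hypothetical fixed key baked into the binary
KNOWN_PREFIX = b'{"user":"'      # the attacker only needs to know the file format


def encode_only(secret: bytes) -> bytes:
    """'Encryption' seen in the field: Base64. No key, so nothing to recover."""
    return base64.b64encode(secret)


def decode_not_decrypt(blob: bytes) -> bytes:
    return base64.b64decode(blob)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, a common 'roll your own' cipher. XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def home_rolled_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """What the app ships: XOR with a fixed key, then Base64 so it 'looks encrypted'."""
    return base64.b64encode(xor_repeating(plaintext, key))


def recover_key_known_length(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack. For repeating-key XOR, key[i] = ct[i] ^ pt[i],
    so key_len bytes of known plaintext at the start give the whole key."""
    ct = base64.b64decode(blob)
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(ct[i] ^ known_prefix[i] for i in range(key_len))


def recover_key(blob: bytes, known_prefix: bytes, max_key_len: int = 32):
    """Same attack without knowing the key length: try each length and keep the
    first key whose output is valid JSON (the format the app is known to store).
    Returns (key, plaintext) or None if no length up to the limit works."""
    ct = base64.b64decode(blob)
    for key_len in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = bytes(ct[i] ^ known_prefix[i] for i in range(key_len))
        candidate = xor_repeating(ct, key)
        try:
            json.loads(candidate.decode("utf-8"))
        except ValueError:  # UnicodeDecodeError and JSONDecodeError both qualify
            continue
        return key, candidate
    return None


def demo():
    """Produce both 'encrypted' blobs and break them."""
    blob = home_rolled_encrypt(SAMPLE_CREDS, APP_KEY)
    key, plaintext = recover_key(blob, KNOWN_PREFIX)
    return {
        "base64_only": decode_not_decrypt(encode_only(b"hunter2")),
        "xor_blob": blob,
        "recovered_key": key,
        "recovered_plaintext": plaintext,
        "recovered_password": json.loads(plaintext)["password"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v!r}")
```

Wrong key lengths fail the JSON check because the bytes past the first few are garbled (control characters inside a string, or a missing colon after a key), so the loop stops only at the real length. Nothing in this block is a substitute for real cryptography: on the platforms the deck covers, secrets belong in the iOS Keychain or the Android keystore, and anything encrypted at rest should use a vetted AEAD from the platform library with a key that is not in the binary.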
M10 – Sensitive Information Disclosure
• Hardcoded secrets!
• API keys, server-side database passwords, etc.
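M1 and M10 are found the same way in practice: pull the app's data directory off a jailbroken or rooted device (or unpack the package) and look inside the SQLite databases, preference files and plists for anything that should not be there in plaintext. The block below is an added example, not a tool from the presentation; it builds a constructed sandbox (an Android-style `databases/app.db` and `shared_prefs` XML, an iOS-style `Library/settings.plist`, all hypothetical) and runs a scanner over it that identifies SQLite files by magic header, plists by extension and everything else by a key/value regex. It is the kind of "custom iOS and Android script" that backs the File System Analysis step in the methodology later in the deck.

```python
import plistlib
import re
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"
# column / key names that should never hold plaintext values
SENSITIVE_NAME = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|card|ssn)", re.I)
# key=value / key>value pairs in text resources (XML prefs, JSON, .properties)
SENSITIVE_KV = re.compile(
    r"(?P<key>api[_-]?key|secret|password|token)\s*[\"'=:>]+\s*(?P<val>[A-Za-z0-9+/=_.\-]{8,})",
    re.I,
)


def build_sample_sandbox(root):
    """Constructed app data directory (hypothetical contents, not from the deck)."""
    (root / "databases").mkdir(parents=True)
    conn = sqlite3.connect(root / "databases" / "app.db")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")
    conn.commit()
    conn.close()
    (root / "shared_prefs").mkdir()
    (root / "shared_prefs" / "app_prefs.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
        '  <string name="api_key">AKIAEXAMPLEKEY12345</string>\n'
        '  <string name="theme">dark</string>\n</map>\n', encoding="utf-8")
    (root / "Library").mkdir()
    with open(root / "Library" / "settings.plist", "wb") as f:
        plistlib.dump({"session_token": "eyJhbGciOi.constructed.token", "volume": 7}, f)


def _scan_sqlite(path, rel):
    """Report non-NULL values in any column whose name looks sensitive."""
    findings = []
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if not SENSITIVE_NAME.search(col):
                    continue
                # identifiers come from the DB's own metadata; double-quoting is enough here
                for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL'):
                    findings.append({"path": rel, "kind": "sqlite-column",
                                     "detail": f"{table}.{col} = {value!r}"})
    finally:
        conn.close()
    return findings


def _walk_plist(obj, rel, prefix=""):
    """Recurse through a decoded plist and flag scalar values under sensitive keys."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{prefix}{key}"
            if SENSITIVE_NAME.search(str(key)) and not isinstance(value, (dict, list)):
                findings.append({"path": rel, "kind": "plist-key", "detail": f"{name} = {value!r}"})
            findings += _walk_plist(value, rel, name + ".")
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings += _walk_plist(item, rel, f"{prefix}{i}.")
    return findings


def _scan_plist(path, rel):
    with open(path, "rb") as f:
        return _walk_plist(plistlib.load(f), rel)   # handles XML and binary plists


def _scan_text(path, rel):
    try:
        text = path.read_text(encoding="utf-8")
    except (UnicodeDecodeError, OSError):
        return []   # binary or unreadable: out of scope for the regex pass
    return [{"path": rel, "kind": "text-match", "detail": f"{m.group('key')} = {m.group('val')}"}
            for m in SENSITIVE_KV.finditer(text)]


def scan_sandbox(root):
    """Walk an extracted app data directory and return a list of findings."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        with open(path, "rb") as f:
            head = f.read(len(SQLITE_MAGIC))
        if head == SQLITE_MAGIC:           # trust the magic, not the extension
            findings += _scan_sqlite(path, rel)
        elif path.suffix == ".plist":
            findings += _scan_plist(path, rel)
        else:
            findings += _scan_text(path, rel)
    return findings


def demo():
    """Build the constructed sandbox in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_sandbox(root)
        return scan_sandbox(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:14s} {f['path']}: {f['detail']}")
```

Against the constructed sandbox the scanner returns three findings: the plaintext password column in the SQLite database, the API key in the preferences XML and the session token in the plist. On a real extraction the same pass also catches log files and temp files (M8), since those go through the text branch; extend `SENSITIVE_KV` with whatever naming the target's code uses rather than relying on the generic patterns here.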
Real Examples from in the Enterprise
Vulnerabilities by Risk
[Chart: number of vulnerabilities by severity (Critical, High, Medium, Low, Informational); y-axis 0 to 90]
• Case study of 120 mobile applications for 1 enterprise client
• 234 vulnerabilities
• 66% of applications contained a critical or high vulnerability that:
  • Disclosed 1 or more users' personal data
  • Exposed multiple users' personal data
  • Compromised the application's server
Vulnerabilities by OWASP Top 10 Category
[Chart: number of vulnerabilities per category M1 through M10 plus "Other"; y-axis 0 to 80. Legend: M1 Insecure Data Storage, M2 Weak Server Side Controls, M3 Insufficient Transport Layer Protection, M4 Client Side Injection, M5 Poor Authorization and Authentication, M6 Improper Session Handling, M7 Security Decisions via Untrusted Inputs, M8 Side Channel Data Leakage, M9 Broken Cryptography, M10 Sensitive Information Disclosure]
Other?
• Poor code quality and application hardening
• Unreleased resources
• No ASLR or memory management frameworks enabled
• Privacy leaks
  • UUID, Wi-Fi, device names, geolocation, etc. leaked to ad agencies
Fixing the Problem
Mobile SDLC: Security Foundations – Mobile Applications
[Diagram: SDLC phases Plan, Requirements, Architecture & Design, Build, Test, Production, with the security activities below placed along them]
• Mobile Security Development Standards
• Application Specific Threat Modeling and Analysis
• Mobile Secure Coding Training
• Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)
• Threat Modeling CBT for Developers
• Mobile Secure Coding Standards Wiki
• Mobile Risk Dictionary
• Mobile Application Security Process Design
• Mobile Firewall
• Mobile Security Policies
• Static Analysis
• MDM
How do we get started?
1. Find your published apps
2. Threat model them based on the information they handle
3. Assess and fix published apps
4. Give resources to developers to write secure code
Threat Modeling a Mobile App
Identify business objectives:
• Identify the data the application will use
• PII vs Non-PII
• Credentials & access
• Where is it stored?
• Payment information?
Types of data at risk with a mobile app:
• Usernames & Passwords
• UDID
• Geolocation/address/zip
• DoB
• Device Name
• Network Connection Name
• Credit Card Data or Account Data
• Updates to Social media
• Chat logs
• Cookies
• Etc…
How to Assess?
[Diagram: the mobile methodology covers the web application (static and dynamic analysis), the network, and the client application (static and dynamic analysis)]
BlackBox Mobile Methodology
[Diagram, reconstructed from the slide's columns]
Mobile Assessment
• Application Mapping
  • Platform Mapping
  • Application Architecture
  • Under. App
  • Data Flow Mapping
• Client Attacks
  • Binary Analysis
  • File System Analysis
  • Memory Analysis
  • Insecure API
  • Sensitive File Artifacts
  • Weak Encryption
• Network Attacks
  • Install Traffic
  • Runtime Traffic
  • Plaintext Traffic
• Server Attacks
  • TCP Attacks
  • HTTP Attacks
  • Buffer Overflows
  • SQLi / XSS
MOBILE ASSESSMENT – TOOLS
• Fortify
• WebInspect
• IDA Pro
• Jad
• Undx
• Burp Suite
• Smali / Baksmali
• AndroGuard
• Blackberry Swiss Army Knife
• iPhone SDK
• Mallory
• Netfilter / iptables
• Custom iOS and Android scripts
Resources
• Fortify On Demand's Mobile Application Security Risks, Controls, and Procedures Document
• Fortify On Demand's Android & iOS Security Checklists
• Fortify's 7 Ways to Hang Yourself with Android Presentation
• Fortify On Demand's iOS Penetration Testing Presentation
• Fortify's VulnCAT
Other Resources for QA, Security Managers, and Devs
• OWASP Top 10 Mobile Risks Page
• OWASP iOS Developer Cheat Sheet
• Google Android Developer Security Topics 1
• Google Android Developer Security Topics 2
• Apple's Introduction to Secure Coding
Parting Thoughts
• Remember that mobile sites face the Internet as well; obscurity != security
• Web teams and mobile teams are often not the same; mobile development teams are often behind in security training
• Track the data flow: threat modeling / risk assessment
• Start with risk profiling and exposure (deployed apps)
• It all starts with the code; coding standards are pivotal
Parting Thoughts II
• Give developers prescriptive guidance, show with examples
• Don’t store it (PII) at all if you don’t need to
• If you use a 3rd party dev team, put a contract in place that requires coding to secure mobile development standards
• Mobile Device Management (MDM) is not a substitute for secure code
• Finally, don’t be intimidated by “mobile”; the same fundamentals are still in play