testdroid: how to test security and vulnerability of your android and ios apps
DESCRIPTION
Interested in a presentation video? Sign up at testdroid.com/webinars-archive Majority of today’s mobile apps consist of third-party code/libraries. This is a prudent and well-accepted development practice that offloads the task of developing code for non-core functions of your mobile app – or game. Identifying third-party code, its vulnerabilities and its license restrictions, is highly critical in order to understand your security exposure and your liability.TRANSCRIPT
How to Test Security and Vulnerability of Your Android and iOS Apps
4 December 2013
Ville-Veikko HelppiTechnical Product [email protected]
Antti HäyrynenSecurity Specialist
Agenda• Mobile Apps & Third-Party Components• Security, Open Source and Licenses on
Different Mobile Subverticals• Is Your Mobile App Safe?• Testdroid Update• Demonstration• Q&A
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 2
Agenda• Mobile Apps & Third-Party Components• Security, Open Source and Licenses on
Different Mobile Subverticals• Is Your Mobile App Safe?• Testdroid Update• Demonstration• Q&A
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 3
Security Testing for Mobile Apps• How to test something you don’t know it exists? • Security testing doesn’t replace white/black box
testing but can complement it very well• e.g. Android protects
• User data• System resources• Application isolation
• Security at the OS level
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 4
Hot debate about Android security• Open Platform – All source code available• Linux security (e.g. users, process isolation, IPC)
• Filesystem permissions• Cryptography (API)
• Memory management• 1.5 -> 4.2
• Application security
• Android has defenses to protect itself – not data!
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 5
Mobile Apps & Open Source Components
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 6
BlurredBlurred
Mobile Apps & Third-Party Components• Majority of today’s applications consist largely of
third-party code/libraries and application-specific glue to hold everything together
• This is a prudent and well-accepted development practice that offloads the task of developing code for non-core functions of the application
• Each piece of third-party code has an associated license whose terms can affect the distribution and licensing of your application
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 7
Mobile Apps & Third-Party Components• Identifying 3rd party code, its vulnerabilities and its
licenses, is critical in order to understand your security exposure and your liability:• Know those 3rd party components/libs used in your app • Identify binding software licenses for 3rd party code • Identify vulnerabilities in 3rd party components that could
be security risks in your application (and its users)• 3rd party components evolve and change – it’s important
to know what is new and what makes your app vulnerable• Instant way of checking any app (Android & iOS) will
enable you to focus on your core activities
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 8
Agenda• Mobile Apps & Third-Party Components• Security, Open Source and Licenses on
Different Mobile Subverticals• Is Your Mobile App Safe?• Testdroid Update• Demonstration• Q&A
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 9
Apps for Mobile Subverticals
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 10
Mobile
Games
Utilities & Tools
Video Streaming & Multimedia
Banking & Payment
Retail & Travel
• Testdroid has helped thousands of app developers in these subverticals!
• What are the critical elements in each these verticals?
• How are the security requirements different in each subvertical?
Apps for Mobile Subverticals
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 11
Mobile
Games
Utilities & Tools
Video Streaming & Multimedia
Banking & Payment
Retail & Travel
•Top Requirements–User Experience!–Resource consumption &
validation (CPU, Mem…)–Fully utilizing hardware –
e.g. Touch screen–Access to graphics APIs (e.g.
OpenGL ES)•Open source license
Apps for Mobile Subverticals
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 12
Mobile
Games
Utilities & Tools
Video Streaming & Multimedia
Banking & Payment
Retail & Travel
•Top requirements–Usability!–Functional and Behavioral
testing –Metrics analysis for all
captured data (e.g. logs, screenshots, perf stats)
–Relation to other apps•Open source license
Apps for Mobile Subverticals
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 13
Mobile
Games
Utilities & Tools
Video Streaming & Multimedia
Banking & Payment
Retail & Travel
•Top requirements–Performance!–Connectivity, robustness
and durability–Screen orientation (portrait
vs. landscape)–Graphics quality, streaming
capabilities–User profiles
•Security & Vulnerability
Apps for Mobile Subverticals
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 14
Mobile
Games
Utilities & Tools
Video Streaming & Multimedia
Banking & Payment
Retail & Travel
•Top Requirements–Security!–Secure connectivity with
back-end systems–Top Quality – extremely
brand sensitive vertical–Compliances and verification
between real devices and infrastructure
•Security is the no. 1 thing
Apps for Mobile Subverticals
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 15
Mobile
Games
Utilities & Tools
Video Streaming & Multimedia
Banking & Payment
Retail & Travel
•Top Requirements–Data!–Connectivity and data
connection with back-ends–Configurability of the app–Bad quality WILL hurt the
brand and make customers leave your app
•Security, Licenses
Agenda•Mobile Apps & Third-Party Components•Security, Open Source and Licenses on Different Mobile Subverticals•Is Your Mobile App Safe?•Testdroid Update•Demonstration•Q&A
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 16
Is your mobile app safe?
Codenomicon AppCheck
Mobile software
•Software development is increasingly shifting into mobile•Android and iOS dominant platforms, followed by WP and Qt
–All different, even on preferred programming language level
•Volumes larger than traditionally, average revenue per user much lower
Mobile software paradigm
•Traditionally software opens files and handles them.
–Only Android supports this properly via registering as content handler
•The modern way is to have client / server architecture
–Mobile device is a client. Payload is usually json, protobuf, xml or media.
Traditional Threats
•Open malicious file / content (via email, web etc) that contains an exploit -> target popped.•In Android, content handlers can have these issues.
–Platform somewhat limits what the attacker can do unless privilege escalation is possible.
–For example PDF readers, video players etc.
Modern threats
•In the modern app paradigm, the mobile client “enriches” content from pre-defined server
–Usually SSL protected–Certificate checks?
• Cert pinning?
•Attacks somewhat limited to either–Man in the middle–Injecting malice via server
IOS apps
•IOS apps are Mach binaries usually written in Objective-C•Packaging follows the common paradigm – manifest, code and resources inside zip•Inside the device executable code is usually encrypted, but in clear before blessed by Apple.
–Can be decrypted on jailbroken devices.•Allows mixing of C into apps -> common OSS libs can be used.
Anatomy of an Android app
•The simplest form: simple java application.–Manifest, .dex, resource files
•Manifest has meta data (app name, permissions, content handler registrations etc)•DEX contains java byte code
–With or without proguard obfuscation.•Resource files contain images etc.•Optionally native code (usually just ARM) in lib/
Native code
•Sometimes java is not enough.–~15% of android apps contain native code
• .so’s in lib/–Among popular apps, the amount is much
higher•If the native code processes untrusted data, it’s out of dalvik supervision.
–Can corrupt memory and contain exploitable bugs.
Third party code
•Modern world contains plenty of ready components either as open source or licensable.•People use them to
– Avoid re-inventing the wheel– Save time and costs– Create better software – many of those components are
actually great at what they do.•Apps that use them inherit the bugs they have.•Since there’s no “package management” in Android like in Linux distros, apps bundle third party code with them.
– Fixing 3rd party bugs require actions from app vendor
Third party code in Android apps
•There are different types of 3rd party libs popular in Android, for example
–Ad networks–Protocol clients–Content decoders/encoders–Shiny UI widgets–Cross-platform app frameworks–Most of the Java 3rd party libs usable in Android
•Either Java or native
Introducing Appcheck
•Codenomicon Appcheck makes it easy and fast to increase your application security•Integrated into Testdroid•Works on binaries, no source code necessary.•Main idea is to look for third party code from apps and categorize them.
Vulnerabilities
•Third party libraries may contain vulnerabilities that endanger application security•Common pitfalls in android libraries include for example missing certificate checks, missing crypto, privacy issues•In native libraries common native code problems persist.•Vulnerability feeds provide vulnerability information on common components
– http://nvd.nist.gov/– Appcheck performs matching against vulnerability feeds
Ad networks
•Ad networks vary from benign to outright evil
–Some replace dial tone–Some have critical vulnerabilities–Some may send more information than user is
willing to accept•Appcheck detects all the common ad networks.
Licenses
•Third party code sometimes comes with some strings attached in form of licenses
– Eg. GPL requires you to distribute source code of derivative works
– Apache license requires some attribution– GPLv3 forbids DRM
•Common pitfall in Android would be to bundle for example LGPL lib in on .so with rest of the native code•Appcheck makes all the used licenses visible
Improving security
•By being aware of security issues of reusable third party components in their apps, developers can take action to fix issues•If you source software, you can use Appcheck to check what supplier has actually bundled inside the app.
Conclusions
•Mobile applications face threats and risks stemming from bundled 3rd party code.•Third party code scanning gives you actionable results to
–Remove or mitigate known vulnerabilities–Eliminate license risk–Remove overlapping and unwanted functionality
such as privacy leaks
Agenda•Mobile Apps & Third-Party Components•Security, Open Source and Licenses on Different Mobile Subverticals•Is Your Mobile App Safe?•Testdroid Update•Demonstration•Q&A
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 33
Testdroid Productswebinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved.
Complete Solution for Mobile Apps/Games Testing
34
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 35
Testdroid & Appcheck– Get Your App an Insurance for Security & Vulnerability!
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 36
Testdroid Blog and Webinars– Because it is important to how to automate your testing!
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 37
Codenomicon Website and Events
Agenda•Mobile Apps & Third-Party Components•Security, Open Source and Licenses on Different Mobile Subverticals•Is Your Mobile App Safe?•Testdroid Update•Demonstration•Q&A
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 38
Agenda•Mobile Apps & Third-Party Components•Security, Open Source and Licenses on Different Mobile Subverticals•Is Your Mobile App Safe?•Testdroid Update•Demonstration•Q&A
webinar
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 39
© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved.
webinar
40