Testdroid: How to Test Security and Vulnerability of Your Android and iOS Apps

4 December 2013

Ville-Veikko Helppi (Technical Product), Antti Häyrynen (Security Specialist)

Uploaded by bitbar on 09-May-2015


DESCRIPTION

Interested in a presentation video? Sign up at testdroid.com/webinars-archive. The majority of today’s mobile apps consist of third-party code/libraries. This is a prudent and well-accepted development practice that offloads the task of developing code for the non-core functions of your mobile app – or game. Identifying third-party code, its vulnerabilities and its license restrictions is critical in order to understand your security exposure and your liability.

TRANSCRIPT

Page 1: Testdroid: How to Test Security and Vulnerability of Your Android and iOS Apps

How to Test Security and Vulnerability of Your Android and iOS Apps

4 December 2013

Ville-Veikko Helppi, Technical Product

Antti Häyrynen, Security Specialist

Page 2

Agenda
• Mobile Apps & Third-Party Components
• Security, Open Source and Licenses on Different Mobile Subverticals
• Is Your Mobile App Safe?
• Testdroid Update
• Demonstration
• Q&A

webinar

© Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 2


Page 4

Security Testing for Mobile Apps
• How do you test something you don’t know exists?
• Security testing doesn’t replace white/black box testing but can complement it very well
• e.g. Android protects
  – User data
  – System resources
  – Application isolation
• Security at the OS level

Page 5

Hot debate about Android security
• Open Platform – all source code available
• Linux security (e.g. users, process isolation, IPC)
• Filesystem permissions
• Cryptography (API)
• Memory management
• 1.5 -> 4.2
• Application security
• Android has defenses to protect itself – not data!

Page 6

Mobile Apps & Open Source Components

Page 7

Mobile Apps & Third-Party Components
• The majority of today’s applications consist largely of third-party code/libraries and application-specific glue to hold everything together
• This is a prudent and well-accepted development practice that offloads the task of developing code for the non-core functions of the application
• Each piece of third-party code has an associated license whose terms can affect the distribution and licensing of your application

Page 8

Mobile Apps & Third-Party Components
• Identifying 3rd party code, its vulnerabilities and its licenses is critical in order to understand your security exposure and your liability:
  – Know the 3rd party components/libs used in your app
  – Identify binding software licenses for 3rd party code
  – Identify vulnerabilities in 3rd party components that could be security risks in your application (and to its users)
  – 3rd party components evolve and change – it’s important to know what is new and what makes your app vulnerable
• An instant way of checking any app (Android & iOS) will let you focus on your core activities


Page 10

Apps for Mobile Subverticals

[Diagram: Mobile app subverticals – Games, Utilities & Tools, Video Streaming & Multimedia, Banking & Payment, Retail & Travel]

• Testdroid has helped thousands of app developers in these subverticals!
• What are the critical elements in each of these verticals?
• How are the security requirements different in each subvertical?

Page 11

Apps for Mobile Subverticals

[Diagram: Mobile app subverticals, as on Page 10]

• Top Requirements
  – User Experience!
  – Resource consumption & validation (CPU, Mem…)
  – Fully utilizing hardware – e.g. touch screen
  – Access to graphics APIs (e.g. OpenGL ES)
• Open source license

Page 12

Apps for Mobile Subverticals

[Diagram: Mobile app subverticals, as on Page 10]

• Top requirements
  – Usability!
  – Functional and Behavioral testing
  – Metrics analysis for all captured data (e.g. logs, screenshots, perf stats)
  – Relation to other apps
• Open source license

Page 13

Apps for Mobile Subverticals

[Diagram: Mobile app subverticals, as on Page 10]

• Top requirements
  – Performance!
  – Connectivity, robustness and durability
  – Screen orientation (portrait vs. landscape)
  – Graphics quality, streaming capabilities
  – User profiles
• Security & Vulnerability

Page 14

Apps for Mobile Subverticals

[Diagram: Mobile app subverticals, as on Page 10]

• Top Requirements
  – Security!
  – Secure connectivity with back-end systems
  – Top quality – an extremely brand-sensitive vertical
  – Compliance and verification between real devices and infrastructure
• Security is the no. 1 thing

Page 15

Apps for Mobile Subverticals

[Diagram: Mobile app subverticals, as on Page 10]

• Top Requirements
  – Data!
  – Connectivity and data connection with back-ends
  – Configurability of the app
  – Bad quality WILL hurt the brand and make customers leave your app
• Security, Licenses


Page 17

Is your mobile app safe?

Codenomicon AppCheck

Page 18

Mobile software
• Software development is increasingly shifting to mobile
• Android and iOS are the dominant platforms, followed by WP and Qt
  – All different, even at the level of preferred programming language
• Volumes larger than traditionally, average revenue per user much lower

Page 19

Mobile software paradigm
• Traditionally software opens files and handles them.
  – Only Android supports this properly, via registering as a content handler
• The modern way is a client / server architecture
  – The mobile device is a client. The payload is usually JSON, protobuf, XML or media.

Page 20

Traditional Threats
• Opening a malicious file / content (via email, web etc.) that contains an exploit -> target popped.
• In Android, content handlers can have these issues.
  – The platform somewhat limits what the attacker can do unless privilege escalation is possible.
  – For example PDF readers, video players etc.

Page 21

Modern threats
• In the modern app paradigm, the mobile client “enriches” content from a pre-defined server
  – Usually SSL protected
  – Certificate checks?
    • Cert pinning?
• Attacks somewhat limited to either
  – Man in the middle
  – Injecting malice via the server

Page 22

iOS apps
• iOS apps are Mach-O binaries, usually written in Objective-C
• Packaging follows the common paradigm – manifest, code and resources inside a zip
• On the device the executable code is usually encrypted, but it is in the clear before being blessed by Apple.
  – Can be decrypted on jailbroken devices.
• Allows mixing C into apps -> common OSS libs can be used.

Page 23

Anatomy of an Android app
• The simplest form: a simple Java application.
  – Manifest, .dex, resource files
• The manifest has metadata (app name, permissions, content handler registrations etc.)
• DEX contains Java byte code
  – With or without ProGuard obfuscation.
• Resource files contain images etc.
• Optionally native code (usually just ARM) in lib/

Page 24

Native code
• Sometimes Java is not enough.
  – ~15% of Android apps contain native code
    • .so’s in lib/
  – Among popular apps, the share is much higher
• If the native code processes untrusted data, it’s outside Dalvik’s supervision.
  – Can corrupt memory and contain exploitable bugs.

Page 25

Third party code
• The modern world contains plenty of ready components, either open source or licensable.
• People use them to
  – Avoid re-inventing the wheel
  – Save time and costs
  – Create better software – many of those components are actually great at what they do.
• Apps that use them inherit the bugs they have.
• Since there’s no “package management” in Android like in Linux distros, apps bundle third party code with them.
  – Fixing 3rd party bugs requires action from the app vendor

Page 26

Third party code in Android apps
• There are different types of 3rd party libs popular in Android, for example
  – Ad networks
  – Protocol clients
  – Content decoders/encoders
  – Shiny UI widgets
  – Cross-platform app frameworks
  – Most of the Java 3rd party libs are usable in Android
• Either Java or native

Page 27

Introducing Appcheck
• Codenomicon Appcheck makes it easy and fast to increase your application security
• Integrated into Testdroid
• Works on binaries, no source code necessary.
• The main idea is to look for third party code in apps and categorize it.

Page 28

Vulnerabilities
• Third party libraries may contain vulnerabilities that endanger application security
• Common pitfalls in Android libraries include for example missing certificate checks, missing crypto, privacy issues
• In native libraries the common native code problems persist.
• Vulnerability feeds provide vulnerability information on common components
  – http://nvd.nist.gov/
  – Appcheck performs matching against vulnerability feeds

Page 29

Ad networks
• Ad networks vary from benign to outright evil
  – Some replace the dial tone
  – Some have critical vulnerabilities
  – Some may send more information than the user is willing to accept
• Appcheck detects all the common ad networks.

Page 30

Licenses
• Third party code sometimes comes with strings attached in the form of licenses
  – E.g. GPL requires you to distribute the source code of derivative works
  – The Apache license requires some attribution
  – GPLv3 forbids DRM
• A common pitfall in Android would be to bundle for example an LGPL lib in one .so with the rest of the native code
• Appcheck makes all the used licenses visible
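The component identification, vulnerability-feed matching and license discovery described on Pages 23, 27, 28 and 30, as an added worked example in Python (not Appcheck’s or Testdroid’s code). It treats the APK as the zip described on Page 23, matches native libraries in lib/ by file name and Java packages by the type descriptors left in the DEX string table, and joins the hits against a component catalog and a vulnerability feed that are constructed here with placeholder names and a placeholder advisory id; the only real identifier is the Apache HttpClient AllowAllHostnameVerifier class, used as an indicator of the “missing certificate checks” pitfall from Page 28.

```python
# Added example (not Appcheck's or Testdroid's code): a minimal binary-level scan of
# an APK for bundled third-party components, matched against a constructed catalog
# and a constructed vulnerability feed (a real tool would pull one from nvd.nist.gov).
import io
import re
import zipfile

# Constructed catalog: DEX type prefix or .so file name -> (component, category, license)
CATALOG = {
    "Lcom/exampleads/": ("ExampleAds SDK", "ad network", "proprietary"),
    "Lorg/demohttp/": ("DemoHttp", "protocol client", "Apache-2.0"),
    "libdemocodec.so": ("DemoCodec", "content decoder", "LGPL-2.1"),
}
# Constructed feed entry with a placeholder id, not a real CVE
VULN_FEED = {"DemoCodec": "CVE-XXXX-YYYY (placeholder): heap overflow in frame parser"}
# Real Apache HttpClient class; referencing it means hostname checks are disabled
WEAK_TLS = b"Lorg/apache/http/conn/ssl/AllowAllHostnameVerifier;"
# Type descriptors sit inline in the DEX string table, so a coarse byte scan finds them
TYPE_DESC = re.compile(rb"L[a-z][a-z0-9_]*(?:/[A-Za-z0-9_$]+)+;")

def scan_apk(apk_bytes):
    """Return detected components (license, vulns) and TLS weak-spot indicators."""
    found, indicators = {}, []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                key = name.rsplit("/", 1)[-1]  # native lib: match by file name
                if key in CATALOG:
                    found[key] = CATALOG[key] + (name,)
            elif name.endswith(".dex"):
                data = z.read(name)
                if WEAK_TLS in data:
                    indicators.append("AllowAllHostnameVerifier referenced in " + name)
                for m in TYPE_DESC.finditer(data):
                    for prefix, meta in CATALOG.items():
                        if m.group(0).startswith(prefix.encode()):
                            found.setdefault(prefix, meta + (name,))
    components = [{"component": c, "category": cat, "license": lic, "where": where,
                   "copyleft": "GPL" in lic,  # (L)GPL inside an app .so needs review
                   "vulnerabilities": [VULN_FEED[c]] if c in VULN_FEED else []}
                  for c, cat, lic, where in found.values()]
    return {"components": components, "indicators": indicators}

def build_sample_apk():
    # Constructed APK-like zip: manifest, fake DEX string table, one native lib
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00Lcom/exampleads/AdView;\x00Lorg/demohttp/Client;\x00" + WEAK_TLS + b"\x00Lcom/myapp/Main;\x00")
        z.writestr("lib/armeabi/libdemocodec.so", b"\x7fELF constructed stub")
    return buf.getvalue()
```

On the sample APK the scan reports the ad network and the HTTP client from the DEX, the LGPL codec from lib/ with its feed entry, and the hostname-verifier indicator; on a real APK the same coarse string scan works but yields false positives that a full DEX parser would avoid.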

Page 31

Improving security
• By being aware of the security issues of reusable third party components in their apps, developers can take action to fix them
• If you source software, you can use Appcheck to check what the supplier has actually bundled inside the app.

Page 32

Conclusions
• Mobile applications face threats and risks stemming from bundled 3rd party code.
• Third party code scanning gives you actionable results to
  – Remove or mitigate known vulnerabilities
  – Eliminate license risk
  – Remove overlapping and unwanted functionality such as privacy leaks


Page 34

Testdroid Products

Complete Solution for Mobile Apps/Games Testing

Page 35

Testdroid & Appcheck – Get Your App Insurance for Security & Vulnerability!

Page 36

Testdroid Blog and Webinars – Because it is important to know how to automate your testing!

Page 37

Codenomicon Website and Events
