the curious case of mobile app security.pptx

Ankit Giri Security Researcher The curious case of Mobile App Security

Upload: ankit-giri

Post on 15-Jan-2017


TRANSCRIPT

Page 1: The curious case of mobile app security.pptx

Ankit Giri, Security Researcher

The curious case of Mobile App Security

Page 2:

About Me: (@aankitgiri) Web and Mobile Application Security Researcher

Bug Hunter (Hall of Fame: EFF, GM, HTC, Sony, Mobikwik, PagerDuty)

Blogger, orator and an active contributor to the OWASP and null communities

The most viewed writer in Web Application Security, Network Security and Penetration Testing on Quora

Page 3:

About Me: (@aankitgiri)

Page 4:

About Today's Talk:

● Why we need to secure mobile apps
● What do you check when installing an app?
● Mobile app security assessment
● Some interesting cases of vulnerabilities
● Let's take over your account
● My research and reported vulnerabilities

Page 5:

Why we need to secure mobile apps

● The mobile application is becoming the interface between the enterprise and the end user.

● In a web application, a security vulnerability can be fixed by patching the code and deploying the safe version; every user gets the fix on their next request. In a mobile app, the vulnerable version is already installed on users' devices and is very difficult to remove: users must be persuaded to update, and until they do the old build keeps talking to your servers.

Page 6:

Why we need to secure the mobile apps!

Page 7:

Have you seen this?

Page 8:

What do you check when installing an app?

An application, when being installed, asks you to grant it certain permissions, such as reading your SMS messages or listening to the microphone. Those permissions define what the app can reach on your device, so they deserve a look before you tap "Accept".

Page 9:

Let's take over your account

Page 10:

Demo: Online accounting software for your small business

This vulnerability allowed a malicious app (or an attacker) to crash the application while the user was using it. If the attacker repeats the action, the user cannot do any meaningful work, because the vulnerable app keeps crashing.

This is also known as "Denial of Service".

Reason: Improper permissions set on the app's activities. Activities that are exported (reachable from other apps) without a guarding permission can be started by any app on the device, with whatever intent extras the attacker chooses.
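The check a tester would run on a decompiled AndroidManifest.xml to find this class of bug, as an added example written for this transcript (not code from the talk or from the app that was demonstrated). The manifest, package name, activity names and permission name below are constructed for illustration. A component flagged here can be started by any other app, for instance with `adb shell am start -n <package>/<activity>` and crafted extras; an activity that does not validate its extras then crashes, which is the denial of service described above.

```python
"""Flag exported Android manifest components that no permission guards.

Added example: the manifest below is constructed, not taken from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest with a mix of safe and unsafe declarations.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.accounting">
  <application android:label="Accounting">
    <!-- Launcher activity: legitimately exported via its intent filter. -->
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- Internal screen exported by mistake: any app can start it. -->
    <activity android:name=".InvoiceDetailActivity" android:exported="true"/>
    <!-- Internal screen with an intent filter and no explicit exported
         attribute: exported by default on API levels below 31. -->
    <activity android:name=".ReportActivity">
      <intent-filter>
        <action android:name="com.example.accounting.VIEW_REPORT"/>
      </intent-filter>
    </activity>
    <!-- Hardened: explicitly not exported. -->
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <!-- Hardened: exported, but callers must hold a custom permission. -->
    <activity android:name=".SyncActivity" android:exported="true"
              android:permission="com.example.accounting.permission.SYNC"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """True if other apps can reach this component."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # No explicit attribute: exported exactly when an intent filter is present
    # (the platform default before API 31; API 31+ refuses to install such a manifest).
    return component.find("intent-filter") is not None


def is_launcher(component):
    """True if the component carries the LAUNCHER category (it must be exported)."""
    for intent_filter in component.findall("intent-filter"):
        categories = {_attr(c, "name") for c in intent_filter.findall("category")}
        if "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def find_unprotected_components(manifest_xml):
    """Return (tag, name) for every exported component with no android:permission,
    skipping the launcher activity, which has to be reachable."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if _attr(comp, "permission"):
            continue
        if comp.tag == "activity" and is_launcher(comp):
            continue
        findings.append((comp.tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_components(SAMPLE_MANIFEST):
        print(f"unprotected exported {tag}: {name}")
```

The fix for each finding is the one the hardened entries show: either `android:exported="false"` for anything only the app itself starts, or a signature-level `android:permission` for components other apps legitimately call. Either way the activity should still validate its extras, since a crash on a null extra is the same DoS once the component is reachable.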

Page 11:

Demo: Online accounting software for your small business

This vulnerability allowed a user to set a weak password through the mobile app, which the web application of the same service did not allow. A weak password makes the account easier to guess, so this can lead to an account takeover.

This is also known as "Password Policy bypass".

Reason: Missing password policy implementation. The policy existed only in the web front end, and the API the mobile app talks to did not enforce it.
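The root cause, and its fix, modelled in an added example written for this transcript (not the vendor's code): a web client that validates the password in the browser, a mobile client (or an attacker with an intercepting proxy) that calls the password-change API directly, and the API in its vulnerable and hardened forms. The policy rules, the common-password list and the `PasswordApi` class are constructed for illustration.

```python
"""Password policy bypass: client-side only versus enforced at the API.

Added example; the policy, the word list and the API class are constructed.
"""
import hashlib
import os
import re

MIN_LENGTH = 10
# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_policy_violations(password, username=None):
    """Return the rules a candidate password breaks; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        violations.append("fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("in common-password list")
    if username and username.lower() in password.lower():
        violations.append("contains username")
    return violations


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordApi:
    """The server-side password-change endpoint shared by every client."""

    def __init__(self, enforce_policy):
        # enforce_policy=False reproduces the flaw: the API trusts whatever arrives.
        self.enforce_policy = enforce_policy
        self.users = {}

    def change_password(self, username, new_password):
        if self.enforce_policy:
            problems = password_policy_violations(new_password, username)
            if problems:
                return False, "server: " + "; ".join(problems)
        self.users[username] = hash_password(new_password)
        return True, "ok"


def web_client_change_password(api, username, new_password):
    """Web front end: validates in the browser, then calls the API."""
    problems = password_policy_violations(new_password, username)
    if problems:
        return False, "client: " + "; ".join(problems)
    return api.change_password(username, new_password)


def mobile_client_change_password(api, username, new_password):
    """Mobile app, or anyone replaying its requests: straight to the API."""
    return api.change_password(username, new_password)


if __name__ == "__main__":
    vulnerable = PasswordApi(enforce_policy=False)
    print("web, weak password:   ", web_client_change_password(vulnerable, "alice", "abc"))
    print("mobile, weak password:", mobile_client_change_password(vulnerable, "alice", "abc"))
    hardened = PasswordApi(enforce_policy=True)
    print("mobile, hardened API: ", mobile_client_change_password(hardened, "alice", "abc"))
```

The client-side check is still worth keeping for usability, but only the check inside `PasswordApi.change_password` counts as security: every path into the account, web, mobile or raw API, ends up there.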

Page 12:

Vulnerability - Authentication Bypass

Application - PayPal mobile app

Severity - High

Found By - Zach Lanier

PayPal 2FA Security Approval Restriction Auth Bypass Session Vulnerability

Page 13:

Description of the Attack

The vulnerability lies in the authentication flow for PayPal's API web service. In particular, api.paypal.com, a RESTful API that uses OAuth for authentication/authorization, does not directly enforce two-factor authentication requirements server-side when authenticating a user.

*The standard browser-based PayPal web interface is not affected by the bypass. However, since an attacker can simply use the underlying API to gain full account access, this distinction is purely academic.

Page 14:

Cause: The vulnerability lies primarily in the authentication flow for the PayPal API web service (api.paypal.com), an API used by PayPal's official mobile applications.

Page 15:

Page 16:

Impact

An attacker only needs a victim's PayPal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified.

While PayPal's mobile apps did not at the time support 2FA-enabled accounts, it is possible to trick the PayPal mobile applications into ignoring the 2FA flag on the account, subsequently allowing an attacker to log in without requiring secondary authentication. The flag is advisory to the client; the API itself will issue a usable session either way.
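The general lesson, as an added example written for this transcript (not PayPal's code, and not a reproduction of the actual API): an auth API that reports a 2FA flag but issues a full session on password alone, beside one that issues only a step-up token until the second factor is verified. The `AuthApi` class, its endpoints, the account store and the attacker client are constructed; the second factor is RFC 4226 HOTP so the example runs offline with a fixed counter.

```python
"""Server-side 2FA enforcement: the vulnerable flow beside the hardened one.

Added example; the API, accounts and tokens below are constructed.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class AuthApi:
    """Toy REST-style auth API. enforce_server_side=False reproduces the flaw
    described above: the server reports the 2FA flag but leaves it to the client."""

    def __init__(self, enforce_server_side):
        self.enforce_server_side = enforce_server_side
        self.accounts = {}  # username -> {"password", "otp_secret", "counter"}
        self.sessions = {}  # token -> {"user", "scope": "full" | "2fa_pending"}

    def register(self, username, password, otp_secret=None):
        # Plaintext password kept only for brevity; a real store hashes it.
        self.accounts[username] = {"password": password, "otp_secret": otp_secret, "counter": 0}

    def _issue(self, username, scope):
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": username, "scope": scope}
        return token

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return {"error": "bad credentials"}
        needs_2fa = acct["otp_secret"] is not None
        if needs_2fa and self.enforce_server_side:
            # Hardened: a token that can do nothing but finish the 2FA step.
            return {"token": self._issue(username, "2fa_pending"), "2fa_required": True}
        # Vulnerable: full-scope session regardless; the flag is merely advisory.
        return {"token": self._issue(username, "full"), "2fa_required": needs_2fa}

    def verify_2fa(self, token, code):
        sess = self.sessions.get(token)
        if sess is None or sess["scope"] != "2fa_pending":
            return {"error": "no pending 2fa"}
        acct = self.accounts[sess["user"]]
        expected = hotp(acct["otp_secret"], acct["counter"])
        if not hmac.compare_digest(expected, code):
            return {"error": "bad code"}
        acct["counter"] += 1          # never accept the same HOTP value twice
        del self.sessions[token]      # swap the step-up token for a full one
        return {"token": self._issue(sess["user"], "full"), "2fa_required": False}

    def send_money(self, token, amount):
        sess = self.sessions.get(token)
        if sess is None or sess["scope"] != "full":
            return {"error": "forbidden"}
        return {"ok": True, "from": sess["user"], "amount": amount}


def attacker_with_stolen_password(api, username, password):
    """Client that ignores the 2fa_required flag and goes straight for the money."""
    resp = api.login(username, password)
    if "token" not in resp:
        return resp
    return api.send_money(resp["token"], 100)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test-vector secret
    for enforce in (False, True):
        api = AuthApi(enforce_server_side=enforce)
        api.register("victim", "stolen-password", otp_secret=seed)
        print("enforce server-side =", enforce, "->", attacker_with_stolen_password(api, "victim", "stolen-password"))
```

Against the vulnerable `AuthApi` the attacker's `send_money` succeeds with the password alone; against the hardened one it is refused, because no full-scope session exists until `verify_2fa` has seen a valid code. The rule generalises beyond this case: any "is 2FA required" answer that the server sends to the client must also be enforced by the server on every privileged call.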