Explaining common mobile application security weaknesses and how to mitigate them. Presentation by Adrian Hayter and Andy Swift at the CNS Security Chapter event series.
Mobile Application (In)security
Explaining common mobile application security weaknesses and how to mitigate them.
Adrian Hayter & Andy Swift
CNS Hut 3 Team
adrian.hayter@hut3.net / andy.swift@hut3.net
..
Mobile Application (In)securityExplaining common mobile application security weaknesses and
how to mitigate them.
Adrian Hayter & Andy Swift
CNS Hut 3 Teamadrian.hayter@hut3.net / andy.swift@hut3.net
2013-12-10
Attack Vectors
When penetration testing a mobile application, CNS Hut3 focuses on four distinct areas:
• The Mobile Application
• The Mobile Device – iPhone, Android, Windows Mobile, etc.
• The Network – everything between the device and the server!
• The Server – most mobile applications interface with one.
Adrian Hayter & Andy Swift Page: 2/25 .
Apps World
CNS Hut3 went to Apps World...
...and met some random American guy (Steve Wozniak).
How much do developers know about security?
Which of these counts as confidential data?
(a) Usernames & Passwords.
(b) Documents obtained after successful authentication.
(c) Session tokens.
(d) All of the above.
How much do developers know about security?
Which of these counts as confidential data?
(a) Usernames & Passwords. (8%)
(b) Documents obtained after successful authentication. (4%)
(c) Session tokens. (0%)
(d) All of the above. (88%)
How much do developers know about security?
Which of the following is best practice for data sent to web servers?
(a) Send login credentials over HTTPS. Use regular HTTP for everything else.
(b) Force everything to be sent over HTTPS.
(c) Provide both HTTP and HTTPS and let the user choose.
(d) Allow HTTP but redirect immediately to HTTPS.
How much do developers know about security?
Which of the following is best practice for data sent to web servers?
(a) Send login credentials over HTTPS. Use regular HTTP for everything else. (8%)
(b) Force everything to be sent over HTTPS. (76%)
(c) Provide both HTTP and HTTPS and let the user choose. (4%)
(d) Allow HTTP but redirect immediately to HTTPS. (12%)
How much do developers know about security?
How should passwords be stored?
(a) In plaintext.
(b) Encoded using Base64.
(c) Salted and then hashed.
(d) Hashed and then salted.
How much do developers know about security?
How should passwords be stored?
(a) In plaintext. (0%)
(b) Encoded using Base64. (20%)
(c) Salted and then hashed. (56%)
(d) Hashed and then salted. (24%)
How much do developers know about security?
Which of these is the best choice for encrypting sensitive files?
(a) SHA-3
(b) Develop our own (secret) in-house encryption mechanism.
(c) AES-256
(d) 3DES
How much do developers know about security?
Which of these is the best choice for encrypting sensitive files?
(a) SHA-3 (16%)
(b) Develop our own (secret) in-house encryption mechanism. (4%)
(c) AES-256 (76%)
(d) 3DES (4%)
How much do developers know about security?
Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security.
(b) We should put equal focus on both server-side and app-side security.
(c) We don’t need to focus on server-side security because the app is secure.
(d) We should put more focus on app-side security but be aware of server-side security issues.
How much do developers know about security?
Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security. (20%)
(b) We should put equal focus on both server-side and app-side security. (68%)
(c) We don’t need to focus on server-side security because the app is secure. (0%)
(d) We should put more focus on app-side security but be aware of server-side security issues. (12%)
Sensitive Data Storage
As an application developer, you have (almost) no control over the user’s device. Presume the device is already compromised.
If at all possible, don’t store sensitive data on the device.
Sensitive data includes:
• Credentials (e.g. passwords, keys, etc.)
• Session tokens (e.g. cookies)
• Files containing user information.
Mitigation: If you handle sensitive data, encrypt it before saving it to the device. Use a strong encryption algorithm like AES-256.
Device Caches
Many devices keep caches of user input and other data relating to the application.
• Temporary Files – Downloads, Documents, etc.
• User Dictionary – Depending on input type.
• Application Snapshots (iOS)
Mitigation: Remove files once they are no longer needed. Specify correct input types. Disable caches if possible.
Device Caches: iOS Dictionary
Accessible via jailbreaking:
• /private/var/mobile/Library/Keyboard/dynamic-text.dat
• /private/var/mobile/Library/Keyboard/en_GB-dynamic-text.dat
The iOS “DynamicDictionary” keeps a record of everything typed into text boxes (Google searches, Facebook messages, SMS, email, etc.)
Insecure Data Transmission
If data is sent over an unencrypted channel, it can be intercepted and modified.
You can’t control which networks a user connects to. How many people can resist free WiFi networks at coffee shops?
Even trusted networks can’t be relied on due to Evil-twin attacks.
Mitigation: Transmit data over an SSL / TLS connection at all times.
SSL / TLS
SSL / TLS misconfigurations are some of the most common security weaknesses.
Application side:
• Weak cipher selection.
• Accepting invalid certificates.
Server side:
• Supporting old protocols, weak ciphers.
• Renegotiation Denial of Service, BEAST, CRIME, BREACH
Mitigation: Mostly configuration file changes!
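An added Go example (not from the talk; AuditTLSConfig and HardenedConfig are names chosen here) that flags the application-side and server-side weaknesses listed above as they appear in a crypto/tls Config, beside a configuration that passes every check:

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// AuditTLSConfig reports the weaknesses named in the talk that are visible in
// a crypto/tls Config; an empty result means no check fired. TLS compression
// (CRIME) is not checked because crypto/tls never negotiates it, and BREACH
// lives in HTTP response compression, outside the TLS configuration.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "accepts invalid certificates (InsecureSkipVerify)")
	}
	// MinVersion 0 means the library default (TLS 1.2 in current Go); anything
	// explicitly lower re-enables the TLS 1.0 CBC handling BEAST relied on.
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "allows TLS 1.1 or older")
	}
	if cfg.Renegotiation != tls.RenegotiateNever {
		findings = append(findings, "renegotiation enabled")
	}
	// Cross-check the chosen suites against the library's own weak list (RC4, 3DES, some CBC suites).
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			findings = append(findings, "weak cipher suite: "+name)
		}
	}
	return findings
}

// HardenedConfig is the configuration-only fix the talk points at: TLS 1.2+,
// forward-secret AEAD suites, certificate verification left on.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	weak := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA}}
	fmt.Println(AuditTLSConfig(weak))
	fmt.Println(AuditTLSConfig(HardenedConfig()))
}
```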
Jailbreaking / Rooting
People are always going to jailbreak / root their phones. They will be able to access your application files, and possibly decompile the application.
There is no point trying to perform “jailbreak detection” techniques. Your application runs with low privileges. A jailbroken / rooted device will always be able to evade this detection.
Mitigation: Focus more on the security of your application than on trying to prevent people reading your code. If you have code in your application that you don’t want people to see, you shouldn’t be letting people put it on their devices in the first place!
Android “Master Key” Exploits
A vulnerability found in early 2013 effectively allowed an attacker to embed malicious code within a trusted and signed application without invalidating the signature.
Despite its name, the “Master Key” exploits don’t actually expose any Android keys. Instead, a vulnerability in the handling of the ZIP-based APK files allows code modification.
Mitigation: Upgrade to Android 4.4. All previous versions are vulnerable (approximately 99% of all Android devices).
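The slide does not spell out the ZIP-handling flaw; the first and best-known of these bugs hinged on an APK containing two entries with the same file name, which the signature check and the installer resolved differently. As an added Go example (not from the talk), a check a release pipeline can run to reject such an archive; BuildSampleArchive is a constructed stand-in for an APK and both function names are chosen here:

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
)

// DuplicateEntries returns every name that occurs more than once in the
// archive's central directory. Two entries sharing a name is what lets a
// verifier read one copy while the installer runs the other, so an APK
// with any duplicate should be rejected before it is signed or shipped.
func DuplicateEntries(apk []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(apk), int64(len(apk)))
	if err != nil {
		return nil, err
	}
	seen := map[string]int{}
	var dupes []string
	for _, f := range r.File {
		seen[f.Name]++
		if seen[f.Name] == 2 { // report each name once
			dupes = append(dupes, f.Name)
		}
	}
	return dupes, nil
}

// BuildSampleArchive is a constructed stand-in for an APK: two entries, plus a second "classes.dex" when asked.
func BuildSampleArchive(withDuplicate bool) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	names := []string{"AndroidManifest.xml", "classes.dex"}
	if withDuplicate {
		names = append(names, "classes.dex")
	}
	for i, n := range names {
		f, err := w.Create(n)
		if err != nil {
			panic(err)
		}
		fmt.Fprintf(f, "constructed entry %d", i)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	for _, dup := range []bool{false, true} {
		names, err := DuplicateEntries(BuildSampleArchive(dup))
		fmt.Println(names, err)
	}
}
```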
User Stupidity
Mitigation: None Known.
Vulnerabilities vs. Malware
Chart: Number of vulnerabilities per mobile OS
iOS vulnerabilities are by far the most common.
Jailbreak exploits, lock screen bypasses, numerous native application related bugs.
Android on the other hand has fewer vulnerabilities overall (open source code).
Vulnerabilities vs. Malware
Chart: Number of malware families per mobile OS
Number of vulnerabilities is not necessarily an indication of the amount of malware a system suffers from.
iOS vulnerabilities are often more complex and require a lot of user interaction.
Apple have a rigorous vetting process for apps. Android’s app store has almost no protection whatsoever.
Demos
Questions?
Ask away, or email:
adrian.hayter@hut3.net / andy.swift@hut3.net