Mobile App Security and Payments
Overview of mobile app security issues and mitigation strategies
© 2012 viaForensics viaForensics Proprietary 2
What's different about mobile?
Key security challenges for mobile devices
• App runs natively on a consumer device which, unlike corporate desktops or web servers, is out of your control
• There is an increased likelihood that an attacker has physical access to a customer's device and data, making previously low risks much higher
• You are now responsible for patching and deploying updates to customers (vs. browser-based apps)
• Traditional security techniques are useful, but more advanced ones are needed to secure mobile
appWatchdog findings (July 2011)
Our recent security study of 100 mobile apps found a high number of issues in current mobile apps (appWatchdog only uses about 10% of our appSecure techniques):
• Usernames: Not found (24), Found (76)
• Passwords: Pass (90), Fail (10)
• App data: Pass (31), Warn (38), Fail (31)
Case study: Google Wallet
First widely available mobile NFC device in the US
• Google took security seriously, but there are shortcomings
• Analysis of the device after usage revealed nearly all data except the full 16-digit CC number and CCV:
  • Balance, limits, amount due, due date, transaction dates/locations
  • Name, expiration date, last 4 digits and email account
  • When GW is reset by the user, data remained
• Follow-up research has shown the PIN is recoverable
• We haven't really even tested the NFC implementation yet
Cyber criminals - overview
Motivation and approach for cyber criminals
• Highly skilled attackers
• Sophisticated tools available to them
• Your app, by definition, must be publicly available
• They can download and test your app extensively
• A few days of work can yield millions or more in return
• They only have to succeed once
Three types of cyber attacks / crimes
Espionage
• Goal: compromise classified materials
• Approach: highly sophisticated and targeted
• Impact: Severe, threat to security
• Prevention: Complex, expensive
Corporate Theft
• Goal: Steal trade secrets, IP and more
• Approach: Sophisticated, sometimes targeted
• Impact: High, financial or R&D loss
• Prevention: Strong security & policies
Consumer/Identity Theft
• Goal: Financial theft, identity theft
• Approach: Trivial to sophisticated, rarely targeted
• Impact: Individual, large groups
• Prevention: secure mobile development
Three types of mobile apps (+1 emerging)
Mobile website
• Deploys on many platforms
• Most challenging to secure
• Overall, least expensive to develop
Wrapper app
• Quickest "native" app to develop
• Some challenging security issues
• Hybrid approach, inherits good and bad traits
Native apps
• Offers greatest security
• Potential to provide highest usability
• Most expensive to develop
* HTML5 is an emerging standard, but it is too early to evaluate its security and usability
How to secure mobile apps?
Advice from the trenches
• Train your developers for secure mobile development
• Consider strategies which eliminate (or at least limit) poor choices users might make
• Avoid caching data; if it is needed, use encryption
• Audit your mobile apps
44 Best Practices and counting
1. Storing sensitive data on the device should be avoided
2. Caching app data on the device should be avoided
3. Avoid use of query string for sensitive data
4. Input from client
5. Code obfuscations
6. Address Space Layout Randomization
7. Avoid simple logic
8. Beware of keyboard cache
9. Fully validate SSL/TLS
10. Thoroughly test third-party libraries
11. Crash logs
12. Geolocation
13. Avoid cached application snapshots
14. Keychain
15. Secure data storage
16. Copy/Paste
17. Debug Logs
18. UUID
19. Tamper checking
20. Implement enhanced / 2-factor auth
21. Protect application settings
22. Hide Account Numbers
23. Prevent caching of username but still provide saved username
24. Use SECURE setting for Cookies
25. Prevent decryption of encrypted app data
26. Institute Local Session Timeout
27. Difficulties in secure deletion of data
28. Avoid use of MEID as user identifier
29. Android File Permissions
30. Android Intents
31. Android Activities
32. Android Broadcasts
33. Android Pending Intents
34. Android Services
35. Android Intent Sniffing
36. Android Content Providers
37. Avoid storing cached camera images (i.e. check deposits) – Android solution
38. Protect against SSLStrip
39. Webserver: check session settings
40. Prevent Framing and Clickjacking
41. Webserver configuration
42. SSL Configuration
43. Protect from XSRF with a form token
44. Protect and pen test web services
Thoughtful questions for dev team
What if the development team says, "We're on it"?
• How do you ensure and validate that no sensitive data is stored on the mobile device?
• What steps do you take to validate that the SSL and authentication implementations are secure against MITM exploits?
• What is in your code when it gets released to the public?
• How do you ensure that host validation works, to protect clients from phishing via host spoofing?
• How much time is spent on security regression testing of applications, compared to functional testing?
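One way to answer the first question above, and to check best practices 1, 2 and 29 from the list, is the appWatchdog-style approach the deck describes: log in to the app with known test values, then scan the app's data directory for those values in plaintext and for files other apps can read. The script below is an added example, not viaForensics' tooling; the sandbox layout, file names and credentials it builds are constructed for the demonstration.

```python
import os
import sqlite3
import stat
import tempfile

# Constructed test credentials: the tester logs in to the app with known values,
# then searches the app's sandbox for them after use (appWatchdog-style check).
TEST_SECRETS = {"username": "watchdog.tester", "password": "Watchd0g-Pass"}

def scan_file(path, secrets):
    """Return (names of secrets found in plaintext, is file world-readable)."""
    with open(path, "rb") as fh:
        data = fh.read()
    found = sorted(n for n, v in secrets.items() if v.encode() in data)
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    return found, world_readable

def audit_app_sandbox(root, secrets=TEST_SECRETS):
    """Report files under root that leak secrets in clear or are world-readable."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found, world_readable = scan_file(path, secrets)
            if found or world_readable:
                findings[os.path.relpath(path, root)] = {
                    "plaintext": found, "world_readable": world_readable}
    return findings

def build_sample_sandbox():
    """Constructed Android-style data dir: shared_prefs XML with the password in
    clear, a SQLite DB with the username, and a world-readable cache file."""
    root = tempfile.mkdtemp(prefix="app_sandbox_")
    prefs = os.path.join(root, "shared_prefs")
    os.makedirs(prefs)
    xml = os.path.join(prefs, "login.xml")
    with open(xml, "w") as fh:
        fh.write('<map><string name="pwd">%s</string></map>' % TEST_SECRETS["password"])
    db = sqlite3.connect(os.path.join(root, "accounts.db"))
    db.execute("CREATE TABLE user (name TEXT)")
    db.execute("INSERT INTO user VALUES (?)", (TEST_SECRETS["username"],))
    db.commit()
    db.close()
    cache = os.path.join(root, "cache.tmp")
    with open(cache, "w") as fh:
        fh.write("session=opaque-token-0001")  # no secret, but wrong permissions
    for p, mode in ((xml, 0o600), (os.path.join(root, "accounts.db"), 0o600), (cache, 0o644)):
        os.chmod(p, mode)  # 0o644 on cache.tmp makes it readable by any app
    return root
```

Calling `audit_app_sandbox(build_sample_sandbox())` flags login.xml (password in clear), accounts.db (username in clear) and cache.tmp (world-readable); against a real device you would point it at a pulled copy of the app's data directory instead.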
Who is responsible for mobile security?
The responsibility for mobile security is shared between:
• Mobile operating system developers
• Users/consumers
• Enterprises/App Developers (YOU) (but don't trust the users to make the correct choice or the OS developers to get it correct out of the box)
Contact Us
Andrew Hoog, CIO
[email protected]
http://viaforensics.com
Main Office: 1000 Lake St, Suite 203, Oak Park, IL 60301
Tel: 312-878-1100 | Fax: 312-268-7281