Page 1

Mobile Application Security Sharing Session

May 2013

Page 2

PwC

Agenda

Introduction of speakers

Mobile Application Security – Trends and Challenges

5 Key Focus Areas for a mobile application assessment

Page 3

Introduction of speakers

Felix Kan (Senior Consultant, PwC)

• PwC Global Mobile Core Team

• Certified Ethical Hacker (CEH)

Page 4

Mobile application security

Trends and Challenges

Page 5

Trends and Challenges: Overall

Applications
• Security design
• Secure coding
• Data protection
• Mobile application protection

Device
• Security features
• Mobile device management
• Use case in business contexts

Network
• Communication security
• Protocols
• Cellular carriers’ offerings

We should stay succinct in this section…

Page 6

Trends and Challenges: Applications

• Offline access to data
• Anti-virus / malware
• Device compromise detections
• Social media apps
• Hidden (premium) features

Page 7

Trends and Challenges: Applications

Offline storage – Why?

Trends
• Business applications enable business intelligence reports – store corporate data and credentials
• Presentations: edit offline

The Challenges
• Remote wipe?
• Identity theft
• Data leakage

Page 8

Trends and Challenges: Applications

Why malware? Why anti-malware? Is it working?

Bouncer, Google’s in-house malware discovery tool, could be bypassed by malware that “plays dead” for 5 minutes.

Security
• Code signature
• Approval process
• Compensation
• Sandbox design

Page 9

Trends and Challenges: Applications

Jailbreak (JB) detection – Why?

Trends
• Hacking tools can be downloaded to get around JB detection and other validation logic (e.g., in-app purchase)

The Challenges
• Reduce attack surface
• Application integrity

Page 10

Trends and Challenges: Applications

Self-destructing media

Trends
• More sophisticated options are available for self-destructing communications (e.g., encryption)
• For fun
• Private communications

The Challenges
• Traceability
• Data leakage

Page 11

Trends and Challenges: Applications

Hidden features – Why?

Trends
• Back doors are not uncommon in mobile; premium features are locked unless users have paid.
• Revenue
• Hacking activities

The Challenges
• Identity theft
• Data leakage

Page 12

Challenges

A Chicago-based digital forensics company (viaForensics, per the cited article) performed a 2010–2011 assessment of 100 mobile apps and discovered the following:

— 76% of Android and iOS apps store usernames in clear text on mobile devices
— 10% of Android and iOS apps store passwords in clear text on mobile devices

Source: http://www.digitaltrends.com/mobile/viaforensics-10-pct-of-ios-android-apps-store-clear-text-passwords/

Page 13

The Importance of Application Security

“SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defences follow suit?”

[Chart from the report: share of hacking actions by layer. Labelled categories: Application/Service Layer, OS/Platform Layer, Exploits Known Vulnerability. Values shown: 39%, 23%, 18%, 5%, 15%.]

Source: Verizon Data Breach Investigations Report 2011

Page 14

Trends and Challenges: Device

• Enhanced security features on device
• QR reader
• Device tracking
• Data forensics

Page 15

Trends and Challenges: Device

Jailbreak: Why?
• Free Apps
• Awesome utilities

Jailbreak: So?
• Identity theft
• Data leakage

And the Demand: a JB tool was installed on 4M devices – by US and China users

Page 16

Trends and Challenges: Device

Similarly…
• Free Apps
• Awesome utilities

Additionally…
• Performance
• Security features
• Bloatware

Fundamentally…
• 580% increase of malware in 2012.
• Data on SD card can be stolen
• Full disk encryption is not available

Page 17

Trends and Challenges: Device

• Enhanced security features on device
• QR reader
• Device tracking
• Fingerprint detection (rumo

“QRishing”: Phishing with QR codes

Page 18

Trends and Challenges: Device

iOS 6
• More granular privacy controls
• From UDID to IDFA (Identifier for Advertising)

Mobile device management
• GPS tracking

Apps gathering your PII

Page 19

Trends and Challenges: Device

Forensics on smartphones

Android
• Multiple tools available: XTC clip
• File extraction in recovery mode (yes, bypassing the device passcode)
• Boot into “HBOOT” mode and run “fastboot” commands

iOS
• Data recovery for deleted files (passcode required)

Page 20

Mobile application security

5 Key Focus Areas for a mobile application assessment

Page 21

5 Key Focus Areas

1. Security strategy
2. Defined mobile security platform architecture
3. Software development life cycle
4. Application provisioning
5. Application security assessment

Page 22

Security across mobility requires an examination of the various layers across the mobile ecosystem

Security strategy and governance

Policies, standards, and procedures

Mobile security platform architecture

[Diagram: the mobile ecosystem drawn as layers from user to enterprise. The labels that survive extraction are grouped below under the column headings the diagram used.]

Users

Mobile Devices*
• RIA
• Java ME
• Mobile middleware
• Mobile virtualization solution

Channels / Applications
• Browser (WAP / HTML 5)
• SMS
• Email client
• Native clients (App)
• Voice
• IM
• USSD

Network
• LAN connectivity: Bluetooth, WIFI
• WAN connectivity: 2G / 3G / 4G / LTE
• Protocols: SSL / TLS, RFID / NFC, WPA, 802.22, 802.1x
• DMZ: Web Publishing Server, MDM Gateway Server, Public API

Enterprise
• Application servers, Email / domain servers, Directory servers, Data, Applications
• MDM / MEAP servers, Content management servers, Web services, OTA sync
• Business services & integration: Secure API, Secure SOA, Other content
• CRM, Financial, Inventory management, Sales, P2P, Core back-office platforms (e.g. ERP)

* Mobile Devices include Smartphones, tablets and supporting devices
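The Network layer above puts SSL / TLS between the device channels and the enterprise, and the OWASP list at the end of the deck names lack of data protection in transit as its second risk. The block below is an added example, not code from the slides or from PwC: using only Python’s standard ssl module it shows the permissive client configuration an assessor frequently finds next to the hardened one, an audit helper that reports the three settings an assessor checks, and a leaf-certificate pin check applied on top of (never instead of) normal chain validation. The pins and the certificate bytes used in the usage are constructed; connect_pinned() is included only to show where the pin check sits in a real connection and is not run here.

```python
"""Client-side TLS for a mobile app's back-end connection: weak vs. hardened, plus pinning.

Added example (not from the slides). Pin values and sample certificate bytes are constructed.
"""
import hashlib
import hmac
import socket
import ssl


def permissive_context():
    """The 'make the self-signed dev cert work' configuration that ships to production far
    too often. No chain validation and no hostname check means anyone on the path (rogue
    Wi-Fi, carrier proxy) can terminate the connection with a certificate of their own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Chain validation against the platform trust store, hostname match, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """What an assessor checks on the client's TLS settings; all three should be True."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def cert_fingerprint(der_cert):
    """SHA-256 over the DER certificate as lower-case hex; the same value
    `openssl x509 -noout -fingerprint -sha256` prints, with the colons removed."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins):
    """True if the presented leaf certificate is one of the pinned fingerprints.
    Pin at least the current and the next certificate so rotation does not lock users out."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.replace(":", "").lower()) for p in pins)


def connect_pinned(host, port, pins, timeout=10):
    """Open a normally verified TLS connection and additionally require a pinned leaf.
    Not exercised here: it needs a live host."""
    ctx = hardened_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if not pin_matches(der, pins):
            raise ssl.SSLError(f"leaf certificate of {host} does not match any pin")
        return tls
    except Exception:
        tls.close()
        raise


if __name__ == "__main__":
    print("permissive:", audit_context(permissive_context()))
    print("hardened:  ", audit_context(hardened_context()))
    fake_der = b"constructed-der-bytes-not-a-real-certificate"   # constructed sample
    print("pin match: ", pin_matches(fake_der, [cert_fingerprint(fake_der)]))
```

On a device the same three settings show up as the platform's defaults being switched off (a trust-all TrustManager or an ATS exception that allows arbitrary loads); the audit dictionary is the list of things to look for in the client code, whatever the language.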

Page 23

Pain points of secure application development process

In order to satisfy market demand and reap the benefits of mobile technology, organizations are often pushing these applications to production without considering security imperatives. The following questions are often present in client environments as they implement mobile solutions.

Data Classification
• What is the sensitivity of the data that will be accessed by the mobile applications?

Sufficient Risk Assessments
• What are the potential consequences that an application data breach may have on the organization?

Aligning Security Controls with Risk Appetite
• What regulatory requirements exist for relevant sensitive data?
• What security controls should be implemented in accordance with regulations and risk appetite?

While many traditional web application vulnerabilities remain present in the mobile environment, mobile-specific challenges must also be addressed.

Insecure Data Storage
• Does the business case require storage of data on the device?
• Can the application function locally and without server connectivity?
• Is all stored data sufficiently encrypted?

Application Reverse Engineering
• Can attackers access the application flow and create duplicates?
• Can attackers reverse engineer the application to circumvent security controls?

Via OWASP Top 10 Mobile Risks v1.0

Page 24

Considerations – Summary

Mobile Application SDLC Components: Developers, Architecture, Infrastructure, Security Management

Mobile Application Security Considerations:

• Mobile security controls should be considered throughout every step of the SDLC to enhance secure development.

• Mobile application developers along with Infrastructure and Information Security personnel should consider implementing controls of the following domains as deemed appropriate by risk.

Page 25

Considerations – Developers

Mobile Application SDLC Components: Developers, Architecture, Infrastructure, Security Management

Developer domains:
• Storage
• Authentication
• Authorization
• Session Management
• Audit / Logging
• Memory
• Miscellaneous

Page 26

Considerations – Architecture

Mobile Application SDLC Components: Developers, Architecture, Infrastructure, Security Management

Architecture domains:
• Security
• Maintainability
• Scalability
• Availability

Page 27

Considerations – Infrastructure

Mobile Application SDLC Components: Developers, Architecture, Infrastructure, Security Management

Infrastructure domains:
• Access to Network Resources
• Application Behavior
• Firewalls

Page 28

Considerations – Security Management

Mobile Application SDLC Components: Developers, Architecture, Infrastructure, Security Management

Security Management domains:
• Privacy Policies
• Risk Assessments
• Application Behavior

Page 29

Application provisioning

• Mobile Device Management
• Access Control
• Apps Classification

January 2013

Page 30

Application security assessment

Model Threats
• Gather prerequisite information about the application and systems supporting the application to develop appropriate testing scenarios
  ─ Identify relevant threats
  ─ Determine applicable testing scenarios and attack vectors

Targeted Automated Scanning
• Perform targeted automated scanning against the mobile application’s web services and input fields for known vulnerabilities.

Advanced Manual Attacks
• Attempt to circumvent mobile application controls
  ─ OWASP top 10 mobile risks
  ─ Native application and web-based attacks
  ─ Network-based attacks
  ─ Privilege escalation
  ─ Identify sensitive data remaining on the device

Remediation Validation
• Conduct retesting of high and medium risk vulnerabilities to ensure defects have been adequately addressed
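The last sub-item under Advanced Manual Attacks, identifying sensitive data remaining on the device, is the check that produced the clear-text username and password figures on page 12. The block below is an added example of that sweep, not code from the slides or from PwC. It assumes the tester has already pulled the app’s data directory (the Android /data/data/<package>/ tree, or an iOS app container taken from a jailbroken device or a backup) to a local folder and knows the test-account username and password used during the session. It detects SQLite files by their header rather than by extension, walks key/value XML (Android SharedPreferences, plist-style files) and falls back to a raw byte search for logs and caches. The sample directory it builds is constructed to imitate a leaky app; the file names and values are not from any real application.

```python
"""Sweep a pulled app data directory for test credentials left in clear text.

Added example (not from the slides). Assumes the app sandbox has already been copied to a
local directory and that the tester knows the test account used during the session.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"                 # 16-byte SQLite file header
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|pin$|session", re.I)


def scan_sqlite(path, needles):
    """Walk every text cell of every table; report cells equal to a known credential."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    if isinstance(val, str) and val in needles:
                        hits.append((path, f"{table}.{col}", needles[val]))
    finally:
        con.close()
    return hits


def scan_xml(path, needles):
    """Android SharedPreferences / plist-style key-value XML."""
    hits = []
    for el in ET.parse(path).getroot().iter():
        key = el.get("name") or el.tag
        val = (el.get("value") or el.text or "").strip()
        if val in needles:
            hits.append((path, key, needles[val]))
        elif val and SENSITIVE_KEY.search(key):
            hits.append((path, key, "sensitive-looking key with a plaintext value"))
    return hits


def scan_raw(path, needles):
    """Fallback for logs, JSON, caches and anything else: byte substring search."""
    with open(path, "rb") as f:
        data = f.read()
    return [(path, "raw bytes", label)
            for needle, label in needles.items() if needle.encode() in data]


def scan_app_data(root_dir, username, password):
    """Return [(file, location, what)] for each clear-text occurrence of the test credentials."""
    needles = {username: "username", password: "password"}
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(len(SQLITE_MAGIC))
            if head == SQLITE_MAGIC:                  # detect by magic, not by extension
                findings.extend(scan_sqlite(path, needles))
            elif name.endswith((".xml", ".plist")):
                findings.extend(scan_xml(path, needles))
            else:
                findings.extend(scan_raw(path, needles))
    return findings


def build_sample_sandbox():
    """Constructed data directory imitating a leaky app; nothing here is real app data."""
    root = tempfile.mkdtemp(prefix="appdata_")
    for sub in ("shared_prefs", "databases", "cache"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "login.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="user">alice@example.com</string>\n'
                '  <string name="password">Winter2013!</string>\n'
                '  <boolean name="remember_me" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE account (id INTEGER, login TEXT, pwd TEXT)")
    con.execute("INSERT INTO account VALUES (1, 'alice@example.com', 'Winter2013!')")
    con.commit()
    con.close()
    with open(os.path.join(root, "cache", "net.log"), "w") as f:
        f.write("POST /login user=alice@example.com&pass=Winter2013!\n")
    return root


def demo():
    """Build the constructed sandbox and sweep it with the known test credentials."""
    return scan_app_data(build_sample_sandbox(), "alice@example.com", "Winter2013!")


if __name__ == "__main__":
    for path, where, what in demo():
        print(f"{what:8s} {where:14s} {path}")
```

Run against a real pull, the list of (file, location, what) tuples is the evidence for the “insecure client-side data storage” finding; the same sweep should be repeated after logout and after the remote-wipe or session-expiry path, since credentials that survive either are a separate finding.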

Page 31

Mobile Top Ten security risks

Common mobile application flaws published by industry groups, including the Open Web Application Security Project (OWASP) Mobile Top Ten security risks:

1. Insecure or unnecessary client-side data storage
2. Lack of data protection in transit
3. Personal data leakage
4. Failure to protect resources with strong authentication
5. Failure to implement least privilege authorization policy
6. Client-side injection
7. Client-side DOS
8. Malicious third-party code
9. Client-side buffer overflow
10. Failure to apply server-side controls
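Item 10, and the page 9 remark that downloadable tools get around jailbreak detection and in-app purchase checks, come down to one rule: nothing the client asserts about itself can authorise anything, because the binary that makes the assertion is in the attacker’s hands. The block below is an added example of the server side of that rule, not code from the slides, from PwC or from OWASP. A purchase is recorded as an HMAC-signed entitlement that the server issues only after it has confirmed the purchase; the request handler ignores the client’s own premium / jailbroken flags and accepts only a valid, unexpired token bound to the requesting user and product. The key, the SKU and the field names are assumptions made for the example, and the HMAC token stands in for verifying a real store receipt with the app store’s own service.

```python
"""Server-side enforcement of a premium entitlement.

Added example (not from the slides). The HMAC-signed token is a simplified stand-in for
store receipt verification; key, SKU and field names are assumptions for this example.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

SERVER_KEY = b"example-only-key, rotate and keep server-side"   # assumption: never in the app
PRODUCT = "premium_reports"                                        # assumption: example SKU


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_entitlement(user_id, product, ttl_s, now=None):
    """Server-only: called after the purchase has been confirmed with the store."""
    now = int(time.time()) if now is None else now
    body = {"uid": user_id, "sku": product, "exp": now + ttl_s}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{b64url(payload)}.{b64url(tag)}"


def verify_entitlement(token, user_id, product, now=None):
    """Constant-time MAC check first, then bind the token to this user, product and time."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = unb64url(p64), unb64url(t64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    body = json.loads(payload)
    return body["uid"] == user_id and body["sku"] == product and body["exp"] > now


def handle_premium_request(request, now=None):
    """Server handler; `request` is the JSON the client sent and is untrusted input.
    Returns (http_status, reason)."""
    # Whatever the client says about itself is logged at most; it never authorises.
    client_claims = {k: request.get(k) for k in ("premium", "jailbroken")}
    token = request.get("entitlement")
    if not token or not verify_entitlement(token, request["uid"], PRODUCT, now):
        return 403, f"no valid entitlement; client claimed {client_claims}"
    return 200, "premium report delivered"


if __name__ == "__main__":
    t0 = 1_000_000
    good = issue_entitlement("u1", PRODUCT, 3600, now=t0)
    # A patched client that simply flips its own flags gets nothing.
    print(handle_premium_request({"uid": "u1", "premium": True, "jailbroken": False}, now=t0))
    print(handle_premium_request({"uid": "u1", "entitlement": good}, now=t0))
    print(handle_premium_request({"uid": "u1", "entitlement": good}, now=t0 + 4000))
```

The client-side jailbreak check from page 9 is still worth having as a signal, but it belongs in the same category as the premium flag here: something the server may log or use for risk scoring, never the thing that decides whether the request is served.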

Page 32

Questions?

This presentation has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2013 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.