Page 1

© Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

RISKS HIDING IN PLAIN SIGHT: MOBILE APP CYBER THREAT & VULNERABILITY BENCHMARKS

BRIAN LAWRENCE, SENIOR SECURITY ENGINEER
[email protected]

Page 2

NOWSECURE – DELIVERING SECURE MOBILE APPS FASTER

MOBILE THREAT RESEARCH IS IN OUR DNA
Dream team of security researchers
Every waking moment spent:
• Discovering critical vulns
• Identifying novel attack vectors
• Creating/maintaining renowned open-source mobile security tools/projects

THE NOWSECURE MISSION
Save the world from unsafe mobile apps
Educate enterprises on the latest mobile threats

Open source

Books & Speaking

Page 3

TRAFFIC IS MOVING FROM WEB TO MOBILE APPS

Page 4

85% of Mobile Apps in App Stores Have Security Vulnerabilities

49% of Mobile Apps in App Stores Leak Data to Violate GDPR

Page 5

INSIDE THE MOBILE ATTACK SURFACE

[Diagram: device stack of iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL and HARDWARE, plus Data Center & App Backend and Network & Cloud Services; the TEST APP is placed at the top; the columns are CODE FUNCTIONALITY, DATA AT REST and DATA IN MOTION; WEB + SAST VENDORS are shown covering only part of this surface]

CODE FUNCTIONALITY
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup Flag
▪ allowDebug Flag
▪ Code Obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ GPS Leaking
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/pin stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World Readable Files

DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/Weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance

DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS Downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP Proxies
▪ VPNs
▪ Weak/No Local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie "httpOnly" flag
▪ Cookie "secure" flag

▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Media/file format parsers
▪ Insecure 3rd party libraries
▪ World Writable Files
▪ World Writable Executables

Page 6

NOWSECURE BROADEST COVERAGE, HIGHEST ACCURACY

AUTOMATED MOBILE APP SECURITY TESTING PLATFORM

STATIC TESTING: analyzes the binary post-compilation to discover vulnerabilities, including those in third-party libraries

DYNAMIC TESTING: attacks the binary & network environment to discover vulnerabilities within the app, with near zero false positives

BEHAVIORAL TESTING: observes the binary at runtime to discover vulnerabilities within the app

[Diagram: the platform overlaid on the same attack surface stack as the previous slide: iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL, HARDWARE, Data Center & App Backend, Network & Cloud Services, TEST APP]

Page 7

ENABLING DIGITAL BUSINESS VALUE - SAFELY

[Chart: x-axis BUSINESS VELOCITY from SLOW to FAST, y-axis SECURITY COVERAGE from LOW to HIGH, with points labelled LEGACY APPROACHES and TARGET]

"AUTOMATION + INTEGRATION ...is the only way to get from here to there"

SPEED
COVERAGE
ACCURACY
CONSISTENCY
PREDICTABILITY
EFFICIENCIES

Page 8

ANALYSIS OF MOBILE APP STORE APPS BY INDUSTRY

VIA CVSS SCORED FINDINGS

Page 9

BENCHMARKING 45,000 APP STORE APPS

Analysis of Mobile App Risk in Apple® App Store® and the Google Play™ store via OWASP Mobile Top 10

Comprehensive Risk Analysis
• Security vulnerabilities
• Compliance violations
• Privacy leakage

Rich Results
• Industry Standard CVSS Scores
• High Accuracy
• Detailed Results & Recommendations

Page 10

INSIDE NOWSECURE MOBILE APP RISK SCORING

Page 11

INSIDE NOWSECURE MOBILE APP RISK SCORING

Page 12

NOWSECURE BENCHMARKS: BANKING & FINANCE TOP 50

[Chart: score bands 0-59, 60-69, 70-79, 80-89, 90-100, labelled High Risk, Caution, Low Risk]
*Scoring algorithm based on Industry Standard CVSS Scored findings

NowSecure Score Risk Range 46-100

A significant 10 of 100 Apps (10%) fail w/ critical & high risks

Identified Failures: Man in Middle Attack, Invalid Certificate, Known Vulnerable 3rd Party Libraries, Unencrypted credentials/PII in local files or over HTTP

Page 13

NOWSECURE BENCHMARKS: HEALTHCARE TOP 35

[Chart: score bands 0-59, 60-69, 70-79, 80-89, 90-100, labelled High Risk, Caution, Low Risk]
*Scoring algorithm based on Industry Standard CVSS Scored findings

NowSecure Score Risk Range 45-100

A significant 7 of 70 Apps (10%) fail w/ critical & high risks

Identified Failures: Man in Middle Attack, Invalid Certificate, Known Vulnerable 3rd Party Libraries, Unencrypted credentials/PII in local files or over HTTP

Page 14

NOWSECURE BENCHMARKS: RETAIL TOP 40

[Chart: score bands 0-59, 60-69, 70-79, 80-89, 90-100, labelled High Risk, Caution, Low Risk]
*Scoring algorithm based on Industry Standard CVSS Scored findings

NowSecure Score Risk Range 6-100

A shocking 27 of 80 Apps (38%) fail w/ critical & high risks

Identified Failures: Man in Middle Attack, Invalid Certificate, Known Vulnerable 3rd Party Libraries, Unencrypted credentials/PII in local files or over HTTP

Page 15

NOWSECURE BENCHMARKS: FANTASY SPORTS TOP 30

[Chart: score bands 0-59, 60-69, 70-79, 80-89, 90-100, labelled High Risk, Caution, Low Risk]
*Scoring algorithm based on Industry Standard CVSS Scored findings

NowSecure Score Risk Range 44-100

A significant 23 of 60 Apps (38%) fail w/ critical & high risks

Identified Failures: Man in Middle Attack, Invalid Certificate, Known Vulnerable 3rd Party Libraries, Unencrypted credentials/PII in local files or over HTTP

Page 16

APP STORE SCORES INDUSTRY COMPARATIVE RESULTS

Analysis of Top 10 downloads in 11 Major Categories of apps used by employees

iOS Best Performing Scores: Finance, General, Navigation

Android Best Performing Scores: Finance, Medical, Business

iOS: 8 of 11 categories are in the 80-90 range

Android: none are in the 80-90 range, but 8 of 11 categories are in the 70-80 range

Page 17

YOU ARE MOST LIKELY USING THESE

[Slide of app logos, labelled by category:]
POPULAR BUSINESS NOTE TAKING
POPULAR BUSINESS INTELLIGENCE
POPULAR BUSINESS EMAIL
POPULAR BUSINESS CHAT APP
POPULAR BUSINESS CRM
POPULAR BUSINESS TRAVEL APP
POPULAR ERP WORKFORCE MGMT
POPULAR ERP FINANCIALS

Page 18

ANALYSIS OF MOBILE APP STORE APPS, ALL INDUSTRIES

VIA OWASP MOBILE TOP 10

Page 19

OWASP MOBILE TOP 10 [2016]

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

OWASP initiated the Mobile Top 10 in 2011
• Recognized that mobile OS platforms vary widely
• Unique from the web app model

Must consider more than the "Apps"
• Remote web services
• Platform integration (iCloud, GCM)
• Device (in)security considerations

Intended to be platform-agnostic
• Focused on areas of risk rather than individual vulnerabilities
• Weighted utilizing the OWASP Risk Rating Methodology

Page 20

OWASP MOBILE TOP 10

M1 - Improper Platform Usage: Misuse of features like Touch ID, permissions, Keychain

M2 - Insecure Data Storage: Data leakage, client-side injection, weak server-side controls

M3 - Insecure Communication: Poor handshake, SSL/TLS/cert issues, transfer in clear text

M4 - Insecure Authentication: Improper identity mgmt, weak session mgmt

M5 - Insufficient Cryptography: Lack of crypto, improper crypto use

M6 - Insecure Authorization: Improper local auth, forced browsing

M7 - Client Code Quality: Code mistakes, e.g. buffer overflows, format string vulns

M8 - Code Tampering: Binary patching, method hooking/swizzling, memory mods

M9 - Reverse Engineering: Exposure to attacker reversing tools

M10 - Extraneous Functionality: Dev/QA inadvertently disabling security, hidden backdoors

Page 21

OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS

M1 - Improper Platform Usage: Misuse of features like Touch ID, permissions, Keychain

M2 - Insecure Data Storage: Data leakage, client-side injection, weak server-side controls (50% Fail)

Page 22

TESTING FOR RISK -- DATA AT REST

Local log/file data: Account Credentials, PII, Email, Geolocation, IMEI/Serial Number, WiFi

World Writable Executables

52% of Android Apps

                            Android   iOS   Total
M2-Insecure Data Storage      85%     16%    50%

Page 23

OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS

M1 - Improper Platform Usage: Misuse of features like Touch ID, permissions, Keychain

M2 - Insecure Data Storage: Data leakage, client-side injection, weak server-side controls (50% Fail)

M3 - Insecure Communication: Poor handshake, SSL/TLS/cert issues, transfer in clear text (48% Fail)

Page 24

TESTING FOR RISK -- DATA IN TRANSIT

Assume that the network layer is not secure and is susceptible to intercept

Frequent lack of proper iOS ATS and cross-platform SSL implementations

Unencrypted data OTA: Account Credentials, PII, Email, Geolocation, IMEI/Serial Number

30% of iOS apps use HTTP (not HTTPS)

                            Android   iOS   Total
M3-Insecure Communication     20%     76%    48%

Page 25

OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS

M1 - Improper Platform Usage: Misuse of features like Touch ID, permissions, Keychain

M2 - Insecure Data Storage: Data leakage, client-side injection, weak server-side controls (50% Fail)

M3 - Insecure Communication: Poor handshake, SSL/TLS/cert issues, transfer in clear text (48% Fail)

M4 - Insecure Authentication: Improper identity mgmt, weak session mgmt (5% Fail)

M5 - Insufficient Cryptography: Lack of crypto, improper crypto use

M6 - Insecure Authorization: Improper local auth, forced browsing (2% Fail)

M7 - Client Code Quality: Code mistakes, e.g. buffer overflows, format string vulns, 3rd party (32% Fail)

Page 26

TESTING FOR RISK -- CODE & 3rd PARTY

iOS enforces stronger code quality practices

Nearly all apps have 3rd party/OSS libraries
• Open source often unvetted
• Inconsistent upgrading to latest patched library versions

Android app challenges
• 1465 arbitrary code injection
• 1133 SQL injection
• 112 Debug flag on

                            Android   iOS   Total
M7-Client Code Quality        59%      4%    32%

Page 27

OWASP MOBILE TOP 10 - 3rd PARTY ANALYSIS

M1 - Improper Platform Usage: Misuse of features like Touch ID, permissions, Keychain

M2 - Insecure Data Storage: Data leakage, client-side injection, weak server-side controls (50% Fail)

M3 - Insecure Communication: Poor handshake, SSL/TLS/cert issues, transfer in clear text (48% Fail)

M4 - Insecure Authentication: Improper identity mgmt, weak session mgmt (5% Fail)

M5 - Insufficient Cryptography: Lack of crypto, improper crypto use

M6 - Insecure Authorization: Improper local auth, forced browsing (2% Fail)

M7 - Client Code Quality: Code mistakes, e.g. buffer overflows, format string vulns (32% Fail)

M8 - Code Tampering: Binary patching, method hooking/swizzling, memory mods

M9 - Reverse Engineering: Exposure to attacker reversing tools (32% Fail)

M10 - Extraneous Functionality: Dev/QA inadvertently disabling security, hidden backdoors (47% Fail)

Page 28

TESTING FOR RISK -- TAMPERING

Obfuscation insufficiently used by Android developers

90% of Android apps allow backup of data

1465 Android apps allow arbitrary code execution

                              Android   iOS   Total
M9-Reverse Engineering          64%      0%    32%
M10-Extraneous Functionality    92%      2%    47%
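As an added example (not NowSecure's tooling or code from this deck), a small static checker for the configuration flags behind the Data in Transit and Tampering findings above: android:allowBackup and android:debuggable in a decoded AndroidManifest.xml, and the ATS keys in an iOS Info.plist that permit plaintext HTTP. The manifest and plist it runs on are constructed samples, not files from any real app.

```python
"""Static checks for the manifest/plist flags behind the deck's findings.

Added example, not NowSecure's tooling. It looks for android:allowBackup and
android:debuggable in a decoded AndroidManifest.xml and for the ATS keys in
an iOS Info.plist that permit plaintext HTTP. Both inputs below are
constructed samples, not files from any real app.
"""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest with both risky flags set (decoded, not binary XML).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="true"
               android:debuggable="true"
               android:label="Demo"/>
</manifest>"""

# Constructed sample Info.plist that disables ATS globally and for one domain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict>
</plist>"""


def android_manifest_findings(manifest_xml):
    """Return the risky <application> flags found in a decoded manifest.

    allowBackup defaults to true when the attribute is absent, so a missing
    attribute is reported alongside an explicit "true".
    """
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app is None:
        return findings
    backup = app.get("{%s}allowBackup" % ANDROID_NS)
    if backup is None or backup.lower() == "true":
        findings.append("allowBackup enabled (explicit or default)")
    if app.get("{%s}debuggable" % ANDROID_NS, "false").lower() == "true":
        findings.append("debuggable=true in manifest")
    return findings


def ios_ats_findings(plist_bytes):
    """Return the ATS settings that allow cleartext HTTP connections."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true disables ATS globally")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append("insecure HTTP allowed for %s" % domain)
    return findings


if __name__ == "__main__":
    for finding in android_manifest_findings(SAMPLE_MANIFEST) + ios_ats_findings(SAMPLE_PLIST):
        print("FINDING:", finding)
```

A real APK's manifest is binary XML and must be decoded (for example with apktool or aapt) before this parser can read it; the plist from an IPA may likewise need converting from binary to XML first.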

Page 29

TESTING FOR RISK -- PERMISSIONS & ENTITLEMENTS

Risk dependent on your corporate policies

Sample potentially risky permissions: Contact list access, Write external storage, Calendar, Send SMS, NFC

Page 30

TESTING FOR RISK -- IP ADDRESSES

Risk dependent on your corporate policies

3rd party libraries, SDKs are common culprits

Ad networks frequently uniquely identify users and geo-locate them insecurely

Apps frequently have hundreds of connections (this one had 250)

Page 31

BEST PRACTICES RECOMMENDATIONS

FOR SECURITY TEAMS

1. Recognize the risks of 3rd party apps on all mobile devices
   Assume all are untrusted until validated, no matter who the developer is

2. Put controls and processes in place to analyze and monitor 3rd party app risk
   • Inventory & analyze your existing mobile apps leveraging EMM/MDM
   • Adapt processes to review and approve all new mobile apps before introduction
   • Leverage automated tools for in-depth testing and continuous monitoring

FOR APP DEVELOPERS

1. Train developers on secure coding best practices & fully vet 3rd party libraries
   Leverage the NowSecure Guide to Secure Mobile App Development Best Practices

2. Ensure all mobile app releases are properly security tested
   • Leverage automated mobile appsec testing tools in the SDLC
   • Leverage 3rd party expert mobile app pen testing

3. Find reputable sources to stay up to date on the latest mobile threats and vulnerabilities
   • NowSecure #MobSec5 at www.nowsecure.com/go/subscribe and blog www.nowsecure.com/blog
   • THN, ThreatPost, Krebs, bankinfosecurity, etc. https://blog.feedspot.com/cyber_security_news_websites/

Page 32

GET A FREE MOBILE APP SECURITY REPORT

Free for All Attendees

Delivered by NowSecure Mobile App Security Experts

Choose a 3rd Party Mobile app used in your business

Surf to request: http://bit.ly/2BB8sAk

BRIAN LAWRENCE, SENIOR SECURITY ENGINEER
[email protected]

Page 33

RISKS HIDING IN PLAIN SIGHT: MOBILE APP CYBER THREAT & VULNERABILITY BENCHMARKS

BRIAN LAWRENCE, SENIOR SECURITY ENGINEER
[email protected]